ara | File #323: ...openstack-ansible/inventory/group_vars/nova_all/haproxy

/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-infrastructure.yml

Execution

Date 08 Dec 2025 13:33:24 +0000

Duration 00:06:14.05

Controller aio1.openstack.local

User root

Versions

Ansible 2.18.6

ara 1.7.4 / 1.7.4

Python 3.12.3

Summary

2 Hosts

374 Tasks

364 Results

37 Plays

208 Files

0 Records

check:False tags:all

Date
08 Dec 2025 13:33:24 +0000
Path
/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-infrastructure.yml

Argument	Value
version	None
verbosity	0
private_key_file	None
remote_user	None
connection	openstack.osa.ssh
timeout	None
ssh_common_args	None
sftp_extra_args	None
scp_extra_args	None
ssh_extra_args	None
ask_pass	False
connection_password_file	None
force_handlers	True
flush_cache	False
become	False
become_method	sudo
become_user	None
become_ask_pass	False
become_password_file	None
tags	['all']
skip_tags	[]
check	False
diff	False
inventory	['/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/dynamic_inventory.py', '/home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/inventory.ini', '/etc/openstack_deploy/inventory.ini']
listhosts	False
subset	None
extra_vars	Not saved by ARA as configured by 'ignored_arguments'
vault_ids	[]
ask_vault_pass	False
vault_password_files	[]
forks	8
module_path	None
syntax	False
listtasks	False
listtags	False
step	False
start_at_task	None
args	['setup-infrastructure.yml']

File: /home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/group_vars/nova_all/haproxy_service.yml

---
# Copyright 2023, Cleura AB
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# By default the nova console service on HAProxy is configured in HTTP mode to
# allow for more fine grained control. But if the SSL connection is terminated
# on the nova console container it has to be run in TCP mode.
haproxy_nova_console_http_mode: "{{ not (nova_console_user_ssl_cert is defined
                                         and nova_console_user_ssl_key is defined) }}"

haproxy_nova_metadata_allowlist_networks: "{{ haproxy_allowlist_networks }}"

haproxy_nova_healthcheck_hdr: 'hdr User-Agent "osa-proxy-healthcheck"'

haproxy_nova_api_metadata_service:
  haproxy_service_name: nova_api_metadata
  haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
  haproxy_bind: >-
    {{ [{
          'address': haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address),
          'interface': haproxy_bind_internal_lb_vip_interface | default('')
    }] }}
  haproxy_port: 8775
  haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
  haproxy_balance_type: http
  haproxy_backend_httpcheck_options:
    - "{{ 'send ' ~ haproxy_nova_healthcheck_hdr ~  ' meth HEAD' }}"
  haproxy_allowlist_networks: "{{ haproxy_nova_metadata_allowlist_networks }}"
  haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
  haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
  haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
  haproxy_service_enabled: "{{ groups['nova_api_metadata'] is defined and groups['nova_api_metadata'] | length > 0 }}"

haproxy_nova_api_compute_service:
  haproxy_service_name: nova_api_os_compute
  haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
  haproxy_ssl: "{{ haproxy_ssl }}"
  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
  haproxy_port: 8774
  haproxy_balance_type: http
  haproxy_backend_httpcheck_options:
    - "{{ 'send ' ~ haproxy_nova_healthcheck_hdr ~  ' meth HEAD' }}"
  haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
  haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
  haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
  haproxy_service_enabled: "{{ groups['nova_api_os_compute'] is defined and groups['nova_api_os_compute'] | length > 0 }}"

haproxy_nova_spice_console_service:
  haproxy_service_name: nova_spice_console
  haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
  haproxy_ssl: "{{ haproxy_ssl }}"
  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
  haproxy_port: "{{ nova_spice_html5proxy_base_port | default('6082') }}"
  haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
  haproxy_timeout_client: 60m
  haproxy_timeout_server: 60m
  haproxy_balance_alg: source
  haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['send ' ~ haproxy_nova_healthcheck_hdr ~ ' meth HEAD uri /spice_auto.html', 'expect status 200'], []) }}"
  haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
  haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
  haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
  haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and 'spice' in nova_console_proxy_types }}"
  haproxy_frontend_raw:
    - "http-request deny if { path,url_dec -m sub /. }"

haproxy_nova_serial_console_service:
  haproxy_service_name: nova_serial_console
  haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) + ((ironic_console_type == 'serialconsole') | ternary(groups['ironic_console'] | default([]), [])) }}"
  haproxy_ssl: "{{ haproxy_ssl }}"
  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
  haproxy_port: "{{ nova_serialconsoleproxy_port | default('6083') }}"
  haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
  haproxy_timeout_client: 60m
  haproxy_timeout_server: 60m
  haproxy_balance_alg: source
  haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['send ' ~ haproxy_nova_healthcheck_hdr ~ ' meth HEAD', 'expect status 405'], []) }}"
  haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
  haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
  haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
  haproxy_service_enabled: "{{ (groups['nova_console'] is defined and groups['nova_console'] | length > 0 and 'serialconsole' in nova_console_proxy_types) or
                               (groups['ironic_console'] is defined and groups['ironic_console'] | length > 0 and 'serialconsole' in nova_console_proxy_types) }}"
  haproxy_frontend_raw:
    - "http-request deny if { path,url_dec -m sub /. }"

haproxy_nova_novnc_console_service:
  haproxy_service_name: nova_novnc_console
  haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
  haproxy_ssl: "{{ haproxy_ssl }}"
  haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
  haproxy_port: "{{ nova_novncproxy_port | default('6080') }}"
  haproxy_balance_type: "{{ haproxy_nova_console_http_mode | ternary('http', 'tcp') }}"
  haproxy_timeout_client: 60m
  haproxy_timeout_server: 60m
  haproxy_balance_alg: source
  haproxy_backend_httpcheck_options: "{{ haproxy_nova_console_http_mode | ternary(['send ' ~ haproxy_nova_healthcheck_hdr ~ ' meth HEAD uri /vnc.html', 'expect status 200'], []) }}"
  haproxy_backend_ssl: "{{ nova_backend_ssl | default(openstack_service_backend_ssl) }}"
  haproxy_backend_ca: "{{ nova_haproxy_backend_ca | default(openstack_haproxy_backend_ca) }}"
  haproxy_accept_both_protocols: "{{ nova_accept_both_protocols | default(openstack_service_accept_both_protocols) }}"
  haproxy_service_enabled: "{{ groups['nova_console'] is defined and groups['nova_console'] | length > 0 and 'novnc' in nova_console_proxy_types }}"
  haproxy_frontend_raw:
    - "http-request deny if { path,url_dec -m sub /. }"

# NOTE(jrosser) Clean up legacy console haproxy configs from previous releases
haproxy_nova_console_service:
  haproxy_service_name: nova_console
  haproxy_service_enabled: False

haproxy_nova_ironic_console_service:
  haproxy_service_name: nova_ironic_console
  haproxy_service_enabled: False

nova_haproxy_services:
  - "{{ haproxy_nova_api_metadata_service | combine(haproxy_nova_api_metadata_service_overrides | default({})) }}"
  - "{{ haproxy_nova_api_compute_service | combine(haproxy_nova_api_compute_service_overrides | default({})) }}"
  - "{{ haproxy_nova_spice_console_service | combine(haproxy_nova_spice_console_service_overrides | default({})) }}"
  - "{{ haproxy_nova_novnc_console_service | combine(haproxy_nova_novnc_console_service_overrides | default({})) }}"
  - "{{ haproxy_nova_serial_console_service | combine(haproxy_nova_serial_console_service_overrides | default({})) }}"
  - "{{ haproxy_nova_console_service | combine(haproxy_nova_console_service_overrides | default({})) }}"
  - "{{ haproxy_nova_ironic_console_service | combine(haproxy_nova_ironic_console_service_overrides | default({})) }}"

Playbook #3

File: /home/zuul/src/opendev.org/openstack/openstack-ansible/inventory/group_vars/nova_all/haproxy_service.yml