openstack/kolla-ansible
Code Issues Proposed changes
kolla-ansible/ansible/roles/loadbalancer/tasks/precheck.yml
Michal Arbet 3f55994bb7 Fix TLS settings when letsencrypt turned on 
- Introduced `letsencrypt_managed_certs`
  variable to handle whether letsencrypt
  will generate internal, external or both
  certificates.
- Updated certificate generation logic to use
  `letsencrypt_managed_certs` conditionally,
  replacing the previous `enable_letsencrypt` boolean.
- Adjusted tasks and templates to support
  internal/external certificate management based
  on the new variable.
- Enhanced Let's Encrypt script (`letsencrypt-lego-run.sh.j2`)
  to handle both internal and external certificates depending
  on VIP configurations.
- Refined HAProxy configuration templates to correctly map
  certificates based on TLS settings and new management logic.

Closes-bug: #2076331

Change-Id: Id80c7823fcc5d934b7369c7c0722cd78188e2ccf
Co-Authored-By: Michal Arbet <michal.arbet@ultimum.io>
2024-11-25 20:07:01 +01:00

774 lines
23 KiB
YAML
Raw Blame History

---
- import_role:
name: service-precheck
vars:
service_precheck_services: "{{ loadbalancer_services }}"
service_name: "{{ project_name }}"
- name: Get container facts
become: true
kolla_container_facts:
action: get_containers
container_engine: "{{ kolla_container_engine }}"
name:
- haproxy
- proxysql
- keepalived
check_mode: false
register: container_facts
- name: Group hosts by whether they are running keepalived
group_by:
key: "keepalived_running_{{ container_facts['keepalived'] is defined }}"
changed_when: false
check_mode: false
when:
- enable_keepalived | bool
- inventory_hostname in groups['loadbalancer']
- name: Group hosts by whether they are running HAProxy
group_by:
key: "haproxy_running_{{ container_facts['haproxy'] is defined }}"
changed_when: false
check_mode: false
when:
- enable_haproxy | bool
- inventory_hostname in groups['loadbalancer']
- name: Group hosts by whether they are running ProxySQL
group_by:
key: "proxysql_running_{{ container_facts['proxysql'] is defined }}"
changed_when: false
check_mode: false
when:
- enable_proxysql | bool
- inventory_hostname in groups['loadbalancer']
- name: Set facts about whether we can run HAProxy and keepalived VIP prechecks
vars:
# NOTE(mgoddard): We can only reliably run this precheck if all hosts in
# the haproxy group are included in the batch. This may not be the case if
# using --limit or --serial.
all_hosts_in_batch: "{{ groups['loadbalancer'] | difference(ansible_play_batch) | list | length == 0 }}"
set_fact:
keepalived_vip_prechecks: "{{ all_hosts_in_batch and groups['keepalived_running_True'] is not defined }}"
haproxy_vip_prechecks: "{{ all_hosts_in_batch and groups['haproxy_running_True'] is not defined }}"
proxysql_vip_prechecks: "{{ all_hosts_in_batch and groups['proxysql_running_True'] is not defined }}"
- block:
- name: Checking if external haproxy certificate exists
run_once: true
stat:
path: "{{ kolla_external_fqdn_cert }}"
delegate_to: localhost
register: haproxy_cert_file
changed_when: false
- name: Assert that external haproxy certificate exists
run_once: true
assert:
that: haproxy_cert_file.stat.exists
fail_msg: "External haproxy certificate file is not found. It is configured via 'kolla_external_fqdn_cert'"
when:
- not kolla_externally_managed_cert | bool
- letsencrypt_managed_certs == 'internal' or letsencrypt_managed_certs == ''
- kolla_enable_tls_external | bool
- block:
- name: Checking if internal haproxy certificate exists
run_once: true
stat:
path: "{{ kolla_internal_fqdn_cert }}"
delegate_to: localhost
register: haproxy_internal_cert_file
changed_when: false
- name: Assert that internal haproxy certificate exists
run_once: true
assert:
that: haproxy_internal_cert_file.stat.exists
fail_msg: "Internal haproxy certificate file is not found. It is configured via 'kolla_internal_fqdn_cert'"
when:
- not kolla_externally_managed_cert | bool
- letsencrypt_managed_certs == 'external' or letsencrypt_managed_certs == ''
- kolla_enable_tls_internal | bool
- name: Checking the kolla_external_vip_interface is present
assert:
that: kolla_external_vip_interface in ansible_facts.interfaces
fail_msg: "Please check the kolla_external_vip_interface property - interface {{ kolla_external_vip_interface }} not found"
when:
- haproxy_enable_external_vip | bool
- name: Checking the kolla_external_vip_interface is active
assert:
that: hostvars[inventory_hostname].ansible_facts[kolla_external_vip_interface | replace('-', '_')]['active']
fail_msg: "Please check the kolla_external_vip_interface settings - interface {{ kolla_external_vip_interface }} is not active"
when:
- haproxy_enable_external_vip | bool
# NOTE(hrw): let assume that each supported host OS has ping with ipv4/v6 support
- name: Checking if kolla_internal_vip_address and kolla_external_vip_address are not pingable from any node
command: "ping -c 3 {{ item }}"
register: ping_output
changed_when: false
failed_when: ping_output.rc != 1
check_mode: false
with_items:
- "{{ kolla_internal_vip_address }}"
- "{{ kolla_external_vip_address }}"
when:
- enable_keepalived | bool
- keepalived_vip_prechecks
- enable_haproxy | bool
- name: Checking free port for HAProxy stats
wait_for:
host: "{{ api_interface_address }}"
port: "{{ haproxy_stats_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_haproxy | bool
- container_facts['haproxy'] is not defined
- inventory_hostname in groups['loadbalancer']
- name: Checking free port for HAProxy monitor (api interface)
wait_for:
host: "{{ api_interface_address }}"
port: "{{ haproxy_monitor_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_haproxy | bool
- container_facts['haproxy'] is not defined
- inventory_hostname in groups['loadbalancer']
- name: Checking free port for HAProxy monitor (vip interface)
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ haproxy_monitor_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_haproxy | bool
- haproxy_vip_prechecks
- inventory_hostname in groups['loadbalancer']
- api_interface_address != kolla_internal_vip_address
- name: Checking free port for ProxySQL admin (api interface)
wait_for:
host: "{{ api_interface_address }}"
port: "{{ proxysql_admin_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_proxysql | bool
- container_facts['proxysql'] is not defined
- inventory_hostname in groups['loadbalancer']
- name: Checking free port for ProxySQL admin (vip interface)
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ proxysql_admin_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_proxysql | bool
- proxysql_vip_prechecks
- inventory_hostname in groups['loadbalancer']
- api_interface_address != kolla_internal_vip_address
- name: Checking free port for ProxySQL prometheus exporter (api interface)
wait_for:
host: "{{ api_interface_address }}"
port: "{{ proxysql_prometheus_exporter_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_proxysql | bool
- enable_prometheus_proxysql_exporter | bool
- container_facts['proxysql'] is not defined
- inventory_hostname in groups['loadbalancer']
- name: Checking free port for ProxySQL prometheus exporter (vip interface)
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ proxysql_prometheus_exporter_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_proxysql | bool
- enable_prometheus_proxysql_exporter | bool
- proxysql_vip_prechecks
- inventory_hostname in groups['loadbalancer']
- api_interface_address != kolla_internal_vip_address
# FIXME(yoctozepto): this req seems arbitrary, they need not be, just routable is fine
- name: Checking if kolla_internal_vip_address is in the same network as api_interface on all nodes
become: true
command: ip -o addr show dev {{ api_interface }}
register: ip_addr_output
changed_when: false
failed_when: >-
( ip_addr_output is failed or
kolla_internal_vip_address | ipaddr(ip_addr_output.stdout.split()[3]) is none)
check_mode: false
when:
- enable_haproxy | bool
- enable_keepalived | bool
- container_facts['keepalived'] is not defined
- inventory_hostname in groups['loadbalancer']
- name: Getting haproxy stat
become: true
shell: echo "show stat" | {{ kolla_container_engine }} exec -i haproxy socat unix-connect:/var/lib/kolla/haproxy/haproxy.sock stdio # noqa risky-shell-pipe
register: haproxy_stat_shell
changed_when: false
check_mode: false
when: container_facts['haproxy'] is defined
- name: Setting haproxy stat fact
set_fact:
haproxy_stat: "{{ haproxy_stat_shell.stdout | default('') }}"
- name: Checking free port for Aodh API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ aodh_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_aodh | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('aodh_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Barbican API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ barbican_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_barbican | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('barbican_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Blazar API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ blazar_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_blazar | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('blazar_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Ceph RadosGW HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ ceph_rgw_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_ceph_rgw | bool
- enable_ceph_rgw_loadbalancer | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('radosgw') == -1
- haproxy_vip_prechecks
- name: Checking free port for Cinder API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ cinder_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_cinder | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('cinder_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Cloudkitty API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ cloudkitty_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_cloudkitty | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('cloudkitty_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Cyborg API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ cyborg_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_cyborg | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('cyborg_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Designate API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ designate_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_designate | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('designate_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Glance API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ glance_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_glance | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('glance_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Gnocchi API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ gnocchi_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_gnocchi | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('gnocchi_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Grafana server HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ grafana_server_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_grafana | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('grafana_server') == -1
- haproxy_vip_prechecks
- name: Checking free port for Heat API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ heat_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_heat | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('heat_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Heat API CFN HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ heat_api_cfn_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_heat | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('heat_api_cfn') == -1
- haproxy_vip_prechecks
- name: Checking free port for Horizon HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ horizon_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_horizon | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('horizon') == -1
- haproxy_vip_prechecks
- name: Checking free port for Ironic API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ ironic_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_ironic | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('ironic_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Ironic Inspector HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ ironic_inspector_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_ironic | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('ironic_inspector') == -1
- haproxy_vip_prechecks
- name: Checking free port for Keystone Internal HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ keystone_public_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_keystone | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('keystone_internal') == -1
- haproxy_vip_prechecks
- name: Checking free port for Keystone Public HAProxy
wait_for:
host: "{{ kolla_external_vip_address }}"
port: "{{ keystone_public_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- haproxy_enable_external_vip | bool
- enable_keystone | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('keystone_external') == -1
- haproxy_vip_prechecks
- name: Checking free port for Magnum API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ magnum_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_magnum | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('magnum_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Manila API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ manila_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_manila | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('manila_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for MariaDB HAProxy/ProxySQL
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ database_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_mariadb | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('mariadb') == -1
- haproxy_vip_prechecks or proxysql_vip_prechecks
- name: Checking free port for Masakari API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ masakari_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_masakari | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('masakari_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Mistral API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ mistral_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_mistral | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('mistral_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Neutron Server HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ neutron_server_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_neutron | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('neutron_server') == -1
- haproxy_vip_prechecks
- name: Checking free port for Nova API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ nova_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_nova | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('nova_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Nova Metadata HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ nova_metadata_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_nova | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('nova_metadata') == -1
- haproxy_vip_prechecks
- name: Checking free port for Nova NoVNC HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ nova_novncproxy_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_nova | bool
- nova_console == 'novnc'
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('nova_novncproxy') == -1
- haproxy_vip_prechecks
- name: Checking free port for Nova Serial Proxy HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ nova_serialproxy_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_nova | bool
- haproxy_stat.find('nova_serialconsole_proxy') == -1
- enable_nova_serialconsole_proxy | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_vip_prechecks
- name: Checking free port for Nova Spice HTML5 HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ nova_spicehtml5proxy_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_nova | bool
- nova_console == 'spice'
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('nova_spicehtml5proxy') == -1
- haproxy_vip_prechecks
- name: Checking free port for Nova Placement API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ placement_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_nova | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('placement_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Octavia API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ octavia_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_octavia | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('octavia_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for OpenSearch HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ opensearch_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_opensearch | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('opensearch') == -1
- haproxy_vip_prechecks
- name: Checking free port for OpenSearch Dashboards HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ opensearch_dashboards_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_opensearch_dashboards | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('opensearch_dashboards') == -1
- haproxy_vip_prechecks
- name: Checking free port for RabbitMQ Management HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ rabbitmq_management_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_rabbitmq | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('rabbitmq_management') == -1
- haproxy_vip_prechecks
- name: Checking free port for Swift Proxy Server HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ swift_proxy_server_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_swift | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('swift_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Tacker Server HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ tacker_server_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_tacker | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('tacker_server') == -1
- haproxy_vip_prechecks
- name: Checking free port for Trove API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ trove_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_trove | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('trove_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Watcher API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ watcher_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_watcher | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('watcher_api') == -1
- haproxy_vip_prechecks
- name: Checking free port for Zun API HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ zun_api_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_zun | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('zun_api') == -1
- haproxy_vip_prechecks
- name: Firewalld checks
block:
- name: Check if firewalld is running # noqa command-instead-of-module
become: true
command:
cmd: "systemctl is-active firewalld"
register: firewalld_is_active
changed_when: false
failed_when: false
check_mode: false
- name: Fail if firewalld is not running
fail:
msg: >-
firewalld is not running.
Please install and configure firewalld.
when:
- firewalld_is_active.rc != 0
when:
- enable_external_api_firewalld | bool
View Git Blame Copy Permalink