openstack/kolla-ansible
Code Issues Proposed changes
949360642f
kolla-ansible/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
Jim Rollenhagen 3ea51cefe9 Allow separate listen port in haproxy-config templates 
This allows a service to pass in a different listening port than haproxy
listens on for the service. This allows haproxy to live on the same
network interface as the services, and will be used by services in
subsequent changes.

Change-Id: Id1d2429a4c800628cb43e0fb7d2b69131e71ee1c
Implements: blueprint service-hostnames
2018-12-27 15:45:50 -05:00

121 lines
5.3 KiB
Django/Jinja
Raw Blame History

#jinja2: lstrip_blocks: True
{%- set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external|bool else '' %}
{%- macro userlist_macro(service_name, auth_user, auth_pass) %}
userlist {{ service_name }}-user
user {{ auth_user }} insecure-password {{ auth_pass }}
{% endmacro %}
{%- macro frontend_macro(service_name, service_port, service_mode, external,
frontend_http_extra, frontend_tcp_extra) %}
frontend {{ service_name }}_front
{% if service_mode == 'redirect' %}
mode http
{% else %}
mode {{ service_mode }}
{% endif %}
{% if service_mode == 'http' %}
{# Delete any pre-populated XFP header #}
http-request del-header X-Forwarded-Proto
{% for http_option in frontend_http_extra %}
{{ http_option }}
{% endfor %}
{% elif service_mode == 'tcp' %}
{% for tcp_option in frontend_tcp_extra %}
{{ tcp_option }}
{% endfor %}
{% endif %}
{% set tls_option = '' %}
{% if external|bool %}
{% set vip_address = kolla_external_vip_address %}
{% if service_mode == 'http' %}
{% set tls_option = tls_bind_info %}
{# Replace the XFP header for external https requests #}
http-request set-header X-Forwarded-Proto https if { ssl_fc }
{% endif %}
{% else %}
{% set vip_address = kolla_internal_vip_address %}
{% endif %}
{{ "bind %s:%s %s"|e|format(vip_address, service_port, tls_option)|trim() }}
{# Redirect mode sets a redirect scheme instead of a backend #}
{% if service_mode == 'redirect' %}
redirect scheme https code 301 if !{ ssl_fc }
{% else %}
default_backend {{ service_name }}_back
{% endif %}
{% endmacro %}
{%- macro backend_macro(service_name, listen_port, service_mode, host_group,
custom_member_list, backend_http_extra,
backend_tcp_extra, auth_user, auth_pass) %}
backend {{ service_name }}_back
{% if service_mode == 'redirect' %}
mode http
{% else %}
mode {{ service_mode }}
{% endif %}
{% if service_mode == 'http' %}
{# Set up auth if required #}
{% if auth_user and auth_pass %}
acl auth_acl http_auth({{ service_name }}-user)
http-request auth realm basicauth unless auth_acl
{% endif %}
{% for http_option in backend_http_extra %}
{{ http_option }}
{% endfor %}
{% elif service_mode == 'tcp' %}
{% for tcp_option in backend_tcp_extra %}
{{ tcp_option }}
{% endfor %}
{% endif %}
{% if custom_member_list is not none %}
{% for custom_member in custom_member_list %}
{{ custom_member }}
{% endfor %}
{% else %}
{% for host in groups[host_group] %}
{% set api_interface = "ansible_%s"|format(hostvars[host]['api_interface']) %}
{% set host_name = hostvars[host]['ansible_hostname'] %}
{% set host_ip = hostvars[host][api_interface]['ipv4']['address'] %}
server {{ host_name }} {{ host_ip }}:{{ listen_port }} {{ haproxy_health_check }}
{% endfor %}
{% endif %}
{% endmacro %}
{%- set haproxy = service.haproxy|default({}) %}
{%- for haproxy_name, haproxy_service in haproxy.items() %}
{# External defaults to false #}
{% set external = haproxy_service.external|default(false)|bool %}
{# Skip anything that is external when the external vip is not enabled #}
{% if haproxy_service.enabled|bool and (not external or haproxy_enable_external_vip|bool)%}
{# Here we define variables and their defaults #}
{# services can be listening on a different port than haproxy #}
{% set listen_port = haproxy_service.listen_port|default(haproxy_service.port) %}
{# Custom member list can use jinja to generate a semicolon separated list #}
{% set custom_member_list = haproxy_service.custom_member_list|default() %}
{# Mode defaults to http #}
{% set mode = haproxy_service.mode|default('http') %}
{# Use the parent host group but allow it to be overridden #}
{% set host_group = haproxy_service.host_group|default(service.group) %}
{# Additional options can be defined in config, and are additive to the global extras #}
{% set frontend_tcp_extra = haproxy_service.frontend_tcp_extra|default([]) + haproxy_frontend_tcp_extra %}
{% set backend_tcp_extra = haproxy_service.backend_tcp_extra|default([]) %}
{% set frontend_http_extra = haproxy_service.frontend_http_extra|default([]) + haproxy_frontend_http_extra %}
{% set backend_http_extra = haproxy_service.backend_http_extra|default([]) %}
{# Allow for basic auth #}
{% set auth_user = haproxy_service.auth_user|default() %}
{% set auth_pass = haproxy_service.auth_pass|default() %}
{% if auth_user and auth_pass %}
{{ userlist_macro(haproxy_name, auth_user, auth_pass) }}
{% endif %}
{{ frontend_macro(haproxy_name, haproxy_service.port, mode, external,
frontend_http_extra, frontend_tcp_extra) }}
{# Redirect (to https) is a special case, as it does not include a backend #}
{% if haproxy_service.mode != 'redirect' %}
{{ backend_macro(haproxy_name, listen_port, mode, host_group,
custom_member_list, backend_http_extra, backend_tcp_extra,
auth_user, auth_pass) }}
{% endif %}
{% endif %}
{%- endfor -%}
View Git Blame Copy Permalink