From 75371ddaa548fdf2e21ef3cd42c66a9cec8eae9e Mon Sep 17 00:00:00 2001
From: Logan V
Date: Sat, 4 Feb 2017 16:40:32 -0600
Subject: [PATCH] Configurable haproxy network whitelists
Enable easier configuration of haproxy_whitelist_networks instead of requiring that the operator override the entire haproxy_default_services dict.
Change-Id: Idaf2125dc71c13d348844dc875a881789b489cbf
---
 .../inventory/group_vars/haproxy_all.yml | 13 +++++++
 playbooks/vars/configs/haproxy_config.yml | 35 ++++--------------
 2 files changed, 20 insertions(+), 28 deletions(-)
diff --git a/playbooks/inventory/group_vars/haproxy_all.yml b/playbooks/inventory/group_vars/haproxy_all.yml
index 69552db547..dc814c1a84 100644
--- a/playbooks/inventory/group_vars/haproxy_all.yml
+++ b/playbooks/inventory/group_vars/haproxy_all.yml
@@ -18,3 +18,16 @@ haproxy_use_keepalived: "{% if groups.haproxy|length > 1 %}True{% else %}False{%
 # Ensure that the package state matches the global setting
 haproxy_package_state: "{{ package_state }}"
+
+haproxy_whitelist_networks:
+ - 192.168.0.0/16
+ - 172.16.0.0/12
+ - 10.0.0.0/8
+
+haproxy_galera_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_glance_registry_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_keystone_admin_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_nova_metadata_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_rabbitmq_management_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_repo_git_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_repo_cache_whitelist_networks: "{{ haproxy_whitelist_networks }}"
diff --git a/playbooks/vars/configs/haproxy_config.yml b/playbooks/vars/configs/haproxy_config.yml
index 01b25c19f5..c09a661841 100644
--- a/playbooks/vars/configs/haproxy_config.yml
+++ b/playbooks/vars/configs/haproxy_config.yml
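Review bot: The new `haproxy_whitelist_networks` default and the seven per-service variables in `haproxy_all.yml` are added without any comment, and the default list is the whole of RFC 1918 space. On deployments where tenant or provider networks also use private addressing, that default leaves the galera, keystone admin and rabbitmq management frontends reachable from many more sources than the management network. I would add above the list `# Source CIDRs allowed to reach restricted haproxy frontends; narrow to the management network(s) in production.` and above the per-service block `# Per-service overrides; each defaults to haproxy_whitelist_networks.`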
@@ -23,10 +23,7 @@ haproxy_default_services:
 haproxy_timeout_server: 5000s
 haproxy_backend_options:
 - "mysql-check user {{ galera_monitoring_user }}"
- haproxy_whitelist_networks:
- - 192.168.0.0/16
- - 172.16.0.0/12
- - 10.0.0.0/8
+ haproxy_whitelist_networks: "{{ haproxy_galera_whitelist_networks }}"
 - service:
 haproxy_service_name: repo_git
 haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
@@ -35,10 +32,7 @@ haproxy_default_services:
 haproxy_balance_type: tcp
 haproxy_backend_options:
 - tcp-check
- haproxy_whitelist_networks:
- - 192.168.0.0/16
- - 172.16.0.0/12
- - 10.0.0.0/8
+ haproxy_whitelist_networks: "{{ haproxy_repo_git_whitelist_networks }}"
 - service:
 haproxy_service_name: repo_all
 haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
@@ -56,10 +50,7 @@ haproxy_default_services:
 haproxy_balance_type: http
 haproxy_backend_options:
 - "httpchk HEAD /acng-report.html"
- haproxy_whitelist_networks:
- - 192.168.0.0/16
- - 172.16.0.0/12
- - 10.0.0.0/8
+ haproxy_whitelist_networks: "{{ haproxy_repo_cache_whitelist_networks }}"
 - service:
 haproxy_service_name: glance_api
 haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
@@ -76,10 +67,7 @@ haproxy_default_services:
 haproxy_balance_type: http
 haproxy_backend_options:
 - "httpchk /healthcheck"
- haproxy_whitelist_networks:
- - 192.168.0.0/16
- - 172.16.0.0/12
- - 10.0.0.0/8
+ haproxy_whitelist_networks: "{{ haproxy_glance_registry_whitelist_networks }}"
 - service:
 haproxy_service_name: gnocchi
 haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}"
@@ -128,10 +116,7 @@ haproxy_default_services:
 haproxy_balance_type: "http"
 haproxy_backend_options:
 - "httpchk HEAD /"
- haproxy_whitelist_networks:
- - 192.168.0.0/16
- - 172.16.0.0/12
- - 10.0.0.0/8
+ haproxy_whitelist_networks: "{{ haproxy_keystone_admin_whitelist_networks }}"
 - service:
 haproxy_service_name: neutron_server
 haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
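Review bot: Each `haproxy_whitelist_networks` key in this hunk, and in the hunks at -35, -56, -76, -128, -148 and -249, now resolves to an operator-set variable, but nothing in the file says what shape that value must have or what an empty list does. The template that consumes this key is not part of the patch, so whether `[]` renders as "no restriction" or as "reject all" cannot be told from here. That decides whether a mistaken override fails open on galera, keystone admin or rabbitmq management, so it is worth confirming and stating. I would add above the first occurrence `# List of source CIDRs; override haproxy_<service>_whitelist_networks in group_vars rather than this dict.` The `haproxy_default_services` list and each service entry start outside these hunks.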
@@ -148,10 +133,7 @@ haproxy_default_services:
 haproxy_balance_type: http
 haproxy_backend_options:
 - "httpchk HEAD /"
- haproxy_whitelist_networks:
- - 192.168.0.0/16
- - 172.16.0.0/12
- - 10.0.0.0/8
+ haproxy_whitelist_networks: "{{ haproxy_nova_metadata_whitelist_networks }}"
 - service:
 haproxy_service_name: nova_api_os_compute
 haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
@@ -249,10 +231,7 @@ haproxy_default_services:
 haproxy_balance_type: http
 haproxy_backend_options:
 - "httpchk HEAD /"
- haproxy_whitelist_networks:
- - 192.168.0.0/16
- - 172.16.0.0/12
- - 10.0.0.0/8
+ haproxy_whitelist_networks: "{{ haproxy_rabbitmq_management_whitelist_networks }}"
 - service:
 haproxy_service_name: magnum
 haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}"