openstack/openstack-ansible
Code Issues Proposed changes

Restore an ability for HAProxy to bind on interal IP

Browse Source 
According to the docs [1], there is an ability for HAProxy to bind
specifically on IP-address, "while preserving the names for TLS-
certificates and endpoint URIs".

For internal endpoint this supposed to be done by setting
`internal_lb_vip_address` and `haproxy_bind_internal_lb_vip_address`
but was broken due to the fact that for:
* `haproxy_galera_service`
* `haproxy_opendaylight_neutron_service`
* `haproxy_opendaylight_websocket_service`
* `haproxy_nova_api_metadata_service`
* `haproxy_rabbitmq_service`
* `haproxy_repo_service`
`haproxy_bind` was explicitly set to `[internal_lb_vip_address]` and
overriding `haproxy_bind_internal_lb_vip_address` would result in
wrong certificate paths (with FQDN in names, which does not exist)
for these frontends.

[1] https://docs.openstack.org/openstack-ansible-haproxy_server/latest/configure-haproxy.html#overriding-the-address-haproxy-will-bind-to

Change-Id: I92953a14dd311a60b169165c5a8e61dd98466033
This commit is contained in:
Danila Balagansky 2023-05-30 11:53:00 +03:00
parent aa558cc368
commit 64054e4cad
5 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
inventory/group_vars/galera_all.yml
View File

@ -58,7 +58,7 @@ haproxy_galera_service:
haproxy_service_name: galera
haproxy_backend_nodes: "{{ (groups['galera_all'] | default([]))[:1] }}" # list expected
haproxy_backup_nodes: "{{ (groups['galera_all'] | default([]))[1:] }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
haproxy_port: 3306
haproxy_check_port: 9200
haproxy_balance_type: tcp

4
inventory/group_vars/neutron_all/haproxy_service.yml
View File

@ -32,7 +32,7 @@ haproxy_neutron_server_service:
haproxy_opendaylight_neutron_service:
haproxy_service_name: opendaylight-neutron
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
haproxy_port: 8180
haproxy_balance_type: tcp
haproxy_timeout_client: 5000s
@ -43,7 +43,7 @@ haproxy_opendaylight_neutron_service:
haproxy_opendaylight_websocket_service:
haproxy_service_name: opendaylight-websocket
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
haproxy_port: 8185
haproxy_balance_type: tcp
haproxy_timeout_client: 5000s

2
inventory/group_vars/nova_all/haproxy_service.yml
View File

@ -24,7 +24,7 @@ haproxy_nova_metadata_allowlist_networks: "{{ haproxy_allowlist_networks }}"
haproxy_nova_api_metadata_service:
haproxy_service_name: nova_api_metadata
haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
haproxy_port: 8775
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http

2
inventory/group_vars/rabbitmq_all.yml
View File

@ -41,7 +41,7 @@ haproxy_rabbitmq_service:
haproxy_ssl: "{{ rabbitmq_management_ssl | bool }}"
haproxy_backend_ssl: "{{ rabbitmq_management_ssl | bool }}"
haproxy_backend_ca: False
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
haproxy_port: "{{ (rabbitmq_management_ssl | bool) | ternary(15671, 15672) }}"
haproxy_balance_type: http
haproxy_backend_options:

2
inventory/group_vars/repo_all.yml
View File

@ -34,7 +34,7 @@ openstack_repo_server_enable_glusterfs: True
haproxy_repo_service:
haproxy_service_name: repo_all
haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_bind: "{{ [haproxy_bind_internal_lb_vip_address | default(internal_lb_vip_address)] }}"
haproxy_port: 8181
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http