Configurable haproxy network whitelists

Enable easier configuration of haproxy_whitelist_networks instead of requiring that the operator override the entire haproxy_default_services dict. Change-Id: Idaf2125dc71c13d348844dc875a881789b489cbf
2017-02-04 16:40:32 -06:00 · 2017-02-04 16:40:32 -06:00 · 75371ddaa5
commit 75371ddaa5
parent 773245e447
2 changed files with 20 additions and 28 deletions
--- a/playbooks/inventory/group_vars/haproxy_all.yml
+++ b/playbooks/inventory/group_vars/haproxy_all.yml
@ -18,3 +18,16 @@ haproxy_use_keepalived: "{% if groups.haproxy|length > 1 %}True{% else %}False{%

 # Ensure that the package state matches the global setting
 haproxy_package_state: "{{ package_state }}"
+
+haproxy_whitelist_networks:
+  - 192.168.0.0/16
+  - 172.16.0.0/12
+  - 10.0.0.0/8
+
+haproxy_galera_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_glance_registry_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_keystone_admin_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_nova_metadata_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_rabbitmq_management_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_repo_git_whitelist_networks: "{{ haproxy_whitelist_networks }}"
+haproxy_repo_cache_whitelist_networks: "{{ haproxy_whitelist_networks }}"
--- a/playbooks/vars/configs/haproxy_config.yml
+++ b/playbooks/vars/configs/haproxy_config.yml
@ -23,10 +23,7 @@ haproxy_default_services:
      haproxy_timeout_server: 5000s
      haproxy_backend_options:
        - "mysql-check user {{ galera_monitoring_user }}"
-      haproxy_whitelist_networks:
-        - 192.168.0.0/16
-        - 172.16.0.0/12
-        - 10.0.0.0/8
+      haproxy_whitelist_networks: "{{ haproxy_galera_whitelist_networks }}"
  - service:
      haproxy_service_name: repo_git
      haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
@ -35,10 +32,7 @@ haproxy_default_services:
      haproxy_balance_type: tcp
      haproxy_backend_options:
        - tcp-check
-      haproxy_whitelist_networks:
-        - 192.168.0.0/16
-        - 172.16.0.0/12
-        - 10.0.0.0/8
+      haproxy_whitelist_networks: "{{ haproxy_repo_git_whitelist_networks }}"
  - service:
      haproxy_service_name: repo_all
      haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
@ -56,10 +50,7 @@ haproxy_default_services:
      haproxy_balance_type: http
      haproxy_backend_options:
        - "httpchk HEAD /acng-report.html"
-      haproxy_whitelist_networks:
-        - 192.168.0.0/16
-        - 172.16.0.0/12
-        - 10.0.0.0/8
+      haproxy_whitelist_networks: "{{ haproxy_repo_cache_whitelist_networks }}"
  - service:
      haproxy_service_name: glance_api
      haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
@ -76,10 +67,7 @@ haproxy_default_services:
      haproxy_balance_type: http
      haproxy_backend_options:
        - "httpchk /healthcheck"
-      haproxy_whitelist_networks:
-        - 192.168.0.0/16
-        - 172.16.0.0/12
-        - 10.0.0.0/8
+      haproxy_whitelist_networks: "{{ haproxy_glance_registry_whitelist_networks }}"
  - service:
      haproxy_service_name: gnocchi
      haproxy_backend_nodes: "{{ groups['gnocchi_all'] | default([]) }}"
@ -128,10 +116,7 @@ haproxy_default_services:
      haproxy_balance_type: "http"
      haproxy_backend_options:
        - "httpchk HEAD /"
-      haproxy_whitelist_networks:
-        - 192.168.0.0/16
-        - 172.16.0.0/12
-        - 10.0.0.0/8
+      haproxy_whitelist_networks: "{{ haproxy_keystone_admin_whitelist_networks }}"
  - service:
      haproxy_service_name: neutron_server
      haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
@ -148,10 +133,7 @@ haproxy_default_services:
      haproxy_balance_type: http
      haproxy_backend_options:
        - "httpchk HEAD /"
-      haproxy_whitelist_networks:
-        - 192.168.0.0/16
-        - 172.16.0.0/12
-        - 10.0.0.0/8
+      haproxy_whitelist_networks: "{{ haproxy_nova_metadata_whitelist_networks }}"
  - service:
      haproxy_service_name: nova_api_os_compute
      haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
@ -249,10 +231,7 @@ haproxy_default_services:
      haproxy_balance_type: http
      haproxy_backend_options:
        - "httpchk HEAD /"
-      haproxy_whitelist_networks:
-        - 192.168.0.0/16
-        - 172.16.0.0/12
-        - 10.0.0.0/8
+      haproxy_whitelist_networks: "{{ haproxy_rabbitmq_management_whitelist_networks }}"
  - service:
      haproxy_service_name: magnum
      haproxy_backend_nodes: "{{ groups['magnum_all'] | default([]) }}"