openstack/openstack-ansible
Code Issues Proposed changes
openstack-ansible/inventory/group_vars/haproxy/haproxy.yml
Damian Dabrowski 930236d7d2 Implement separated haproxy service config 
All services placed behind haproxy include an additional playbook
responsible for creating their haproxy services.

Scope for some variables was changed to be more optimal.

Change-Id: I0eec358d982cc09dcb7e2c0045b9684c65876faf
2023-04-18 21:07:41 +02:00

126 lines
6.4 KiB
YAML
Raw Blame History

---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
haproxy_bind_on_non_local: "{{ (groups.haproxy | length) > 1 }}"
haproxy_use_keepalived: "{{ (groups.haproxy | length) > 1 }}"
keepalived_selinux_compile_rules:
- keepalived_ping
- keepalived_haproxy_pid_file
haproxy_ssl_letsencrypt_enable: false
haproxy_ssl_letsencrypt_acl:
letsencrypt-acl:
rule: "path_beg /.well-known/acme-challenge/"
backend_name: letsencrypt
# Ensure that the package state matches the global setting
haproxy_package_state: "{{ package_state }}"
# Variables to set security headers used by browsers
haproxy_security_headers_max_age: 31536000
# Set CSP headers to report only for testing
haproxy_security_headers_csp_report_only: False
haproxy_security_headers_csp: >
http-response set-header {{ haproxy_security_headers_csp_report_only | ternary('Content-Security-Policy-Report-Only', 'Content-Security-Policy') }} "
default-src 'self';
frame-ancestors 'none';
form-action 'self';
upgrade-insecure-requests;
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-inline' 'unsafe-eval';
child-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
frame-src 'self' {{ external_lb_vip_address }}:{{ nova_spice_html5proxy_base_port }} {{ external_lb_vip_address }}:{{ nova_novncproxy_port }} {{ external_lb_vip_address }}:{{ nova_serialconsoleproxy_port }};
connect-src 'self' {{ external_lb_vip_address }}:* wss://{{ external_lb_vip_address }}:{{ ironic_console_port }};
img-src 'self' data:;
worker-src blob:;
"
# To disable security headers set to []
haproxy_security_headers:
- "http-response set-header Strict-Transport-Security \"max-age={{ haproxy_security_headers_max_age }}; includeSubDomains;\""
- 'http-response set-header X-Content-Type-Options "nosniff"'
- 'http-response set-header Referrer-Policy "same-origin"'
- 'http-response set-header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), midi=(), navigation-override=(self), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=(), clipboard-read=(self), clipboard-write=(self), gamepad=(), speaker-selection=()"'
haproxy_security_txt_service:
haproxy_backend_only: true
haproxy_service_name: security_txt
haproxy_backend_nodes: []
haproxy_balance_type: http
haproxy_service_enabled: "{{ haproxy_security_txt_content is truthy }}"
# https://sleeplessbeastie.eu/2020/05/11/how-to-serve-single-file-using-haproxy/
haproxy_backend_arguments:
- 'errorfile 503 /etc/haproxy/security.txt'
haproxy_map_entries:
- name: base_regex
entries:
- '.*/security.txt security_txt-back'
# haproxy 'base' frontend-only service that is used always deployed for port 80 redirect and 443
# this potentially supports horizon dashboard, security.txt and certbot
# plus any other user defined custom backend
haproxy_base_service:
haproxy_service_name: base
haproxy_frontend_only: true
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: true
haproxy_port: "{{ haproxy_ssl | ternary(443,80) }}"
haproxy_redirect_http_port: 80
haproxy_balance_type: http
haproxy_service_enabled: true
haproxy_redirect_scheme: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary('https if !{ ssl_fc } !{ path_beg /.well-known/acme-challenge/ }', 'https if !{ ssl_fc }') }}"
haproxy_frontend_acls: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) | ternary(haproxy_ssl_letsencrypt_acl, {}) }}"
haproxy_frontend_raw: "{{ (haproxy_ssl | bool and haproxy_security_headers is defined) | ternary( haproxy_security_headers + [ haproxy_horizon_csp | default(haproxy_security_headers_csp)], []) }}"
haproxy_maps:
- 'use_backend %[path,map_reg(/etc/haproxy/base_regex.map)]'
haproxy_map_entries:
- name: base_regex
entries:
- "#Regular expression map file - this comment is defined in the base frontend config"
# Handles LetsEncrypt HTTP-01 challenge
haproxy_letsencrypt_service:
haproxy_service_name: letsencrypt
haproxy_backend_nodes: "{{ groups['haproxy_all'] }}"
backend_rise: 1
backend_fall: 5
interval: 4000
haproxy_bind:
- 127.0.0.1
haproxy_port: "{{ haproxy_ssl_letsencrypt_certbot_backend_port }}"
haproxy_balance_type: http
haproxy_service_enabled: "{{ (haproxy_ssl_letsencrypt_enable | bool and haproxy_ssl | bool) }}"
# RGW backend is defined here as it might be referring to an external ceph cluster via 'ceph_rgws'
haproxy_ceph_rgw_service:
haproxy_service_name: ceph-rgw
haproxy_backend_nodes: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) | ternary(groups['ceph-rgw'], ceph_rgws) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_alg: source
haproxy_port: "{{ radosgw_service_port | default(7980) }}"
haproxy_balance_type: http
haproxy_backend_options:
- httpchk HEAD /
haproxy_backend_httpcheck_options:
- expect rstatus 200|405
haproxy_service_enabled: "{{ (groups['ceph-rgw'] is defined and groups['ceph-rgw'] | length > 0) or (ceph_rgws | length > 0) }}"
haproxy_default_services:
- "{{ haproxy_security_txt_service | combine(haproxy_security_txt_service_overrides | default({})) }}"
- "{{ haproxy_base_service | combine(haproxy_base_service_overrides | default({})) }}"
- "{{ haproxy_letsencrypt_service | combine(haproxy_letsencrypt_service_overrides | default({})) }}"
- "{{ haproxy_ceph_rgw_service | combine(haproxy_ceph_rgw_service_overrides | default({})) }}"
View Git Blame Copy Permalink