36640a8f43
This change adds support for SSL to the haproxy role. When enabled, this implements/upgrades haproxy to v1.5.x from a PPA. * A new boolean variable called 'haproxy_ssl' enables/disables the configuration of SSL for the haproxy service. * A new variable called 'haproxy_ssl_self_signed_subject' has been implemented to allow the user to override the certificate properties, such as the CN and subjectAltName. * A new variable called 'haproxy_cert_regen' has been implemented to allow the user to regenerate the self-signed certificate used for the SSL endpoint. * SSL will only be enabled for a load balanced service if haproxy_ssl is true in the service vars. This has only been implemented for the Keystone service endpoints in this patch. * The keystone admin service endpoint will only have SSL enabled if keystone_service_adminuri_proto == 'https'. * The keystone internal/public service endpoint will only have SSL enabled if keystone_service_publicuri_proto == 'https'. Implements: blueprint keystone-federation Change-Id: I069f1a0f928feb754816b7d450929fb62df66244
55 lines
1.9 KiB
YAML
55 lines
1.9 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Install haproxy
|
|
hosts: haproxy_hosts
|
|
max_fail_percentage: 20
|
|
user: root
|
|
pre_tasks:
|
|
- name: Remove legacy haproxy configuration files
|
|
file:
|
|
dest: "/etc/haproxy/conf.d/{{ item }}"
|
|
state: "absent"
|
|
with_items:
|
|
- "keystone_internal"
|
|
when: internal_lb_vip_address == external_lb_vip_address
|
|
tags:
|
|
- haproxy-service-config
|
|
post_tasks:
|
|
- name: Add keystone internal endpoint config
|
|
include: roles/haproxy_server/tasks/haproxy_service_config.yml
|
|
when: internal_lb_vip_address != external_lb_vip_address
|
|
vars:
|
|
haproxy_service_configs:
|
|
- service:
|
|
haproxy_service_name: keystone_internal
|
|
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
|
|
haproxy_bind: "{{ internal_lb_vip_address }}"
|
|
haproxy_port: 5000
|
|
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_internaluri_proto == 'https' %}true{% else %}false{% endif %}"
|
|
haproxy_balance_type: http
|
|
haproxy_backend_options:
|
|
- "forwardfor"
|
|
- "httpchk"
|
|
- "httplog"
|
|
tags:
|
|
- haproxy-service-config
|
|
roles:
|
|
- { role: "haproxy_server", tags: [ "haproxy-server" ] }
|
|
vars_files:
|
|
- vars/configs/haproxy_config.yml
|
|
vars:
|
|
is_metal: "{{ properties.is_metal|default(false) }}"
|