openstack/openstack-ansible-haproxy_server
Code Issues Proposed changes

Fix service-redirect.j2 template

Browse Source 
This change fixes service-redirect.j2 template that was not working so
far, mainly by replacing:
- 'vip_bind' with 'vip_addres'
- 'item' with 'service'

Additionally, I removed `haproxy_tcp_upgrade_backend` support because
it's not really needed after haproxy separated service config was
implemented.

I also changed variable name `haproxy_tcp_upgrade_frontend` to
`haproxy_accept_both_protocols` to better describe what exactly it does.
Release note is not needed as ``haproxy_tcp_upgrade_frontend` was not
working properly before.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/884445

Change-Id: Iba9156c5b909f7b18599638db4471bab12794f0e
This commit is contained in:
Damian Dabrowski 2023-05-25 18:53:50 +02:00
parent d721633081
commit c1be49a95c
2 changed files with 53 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

94
templates/service-redirect.j2
View File

@ -1,93 +1,99 @@
{% set haproxy_http_front_port = haproxy_backend_port + 10000 %}
{% set haproxy_https_front_port = haproxy_backend_port + 20000 %}
{% set haproxy_http_front_port = (haproxy_backend_port | int) + 10000 %}
{% set haproxy_https_front_port = (haproxy_backend_port | int) + 20000 %}
# Redirect to direct request to HTTP or HTTPS frontend
frontend {{ item.service.haproxy_service_name }}-tcp-redirect-front-{{ loop.index }}
# Redirect request to HTTP or HTTPS frontend based on used protocol
frontend {{ service.haproxy_service_name }}-tcp-redirect-front-{{ loop.index }}
mode tcp
bind {{ vip_bind }}:{{ item.service.haproxy_port }}
bind {{ vip_address }}:{{ service.haproxy_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }}
tcp-request inspect-delay 2s
tcp-request content accept if HTTP
tcp-request content accept if { req.ssl_hello_type 1 }
use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }} if HTTP
default_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
use_backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }} if HTTP
default_backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }}
backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-http-back-{{ loop.index }}
mode tcp
server {{ value.backend_name | default(item.service.haproxy_service_name) }}-http {{ vip_bind }}:{{ haproxy_http_front_port }}
server {{ value.backend_name | default(service.haproxy_service_name) }}-http {{ vip_address }}:{{ haproxy_http_front_port }}
backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
backend {{ value.backend_name | default(service.haproxy_service_name) }}-redirect-https-back-{{ loop.index }}
mode tcp
server {{ value.backend_name | default(item.service.haproxy_service_name) }}-https {{ vip_bind }}:{{ haproxy_https_front_port }}
server {{ value.backend_name | default(service.haproxy_service_name) }}-https {{ vip_address }}:{{ haproxy_https_front_port }}
frontend {{ item.service.haproxy_service_name }}-http-front-{{ loop.index }}
bind {{ vip_bind }}:{{ haproxy_http_front_port }}
frontend {{ service.haproxy_service_name }}-http-front-{{ loop.index }}
bind {{ vip_address }}:{{ haproxy_http_front_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }}
{% if request_option == "http" %}
option httplog
option forwardfor except 127.0.0.0/8
{% if item.service.haproxy_http_keepalive_mode is defined %}
option {{ item.service.haproxy_http_keepalive_mode }}
{% if service.haproxy_http_keepalive_mode is defined %}
option {{ service.haproxy_http_keepalive_mode }}
{% endif %}
{% elif request_option == "tcp" %}
option tcplog
{% endif %}
{% if item.service.haproxy_timeout_client is defined %}
timeout client {{ item.service.haproxy_timeout_client }}
{% if service.haproxy_timeout_client is defined %}
timeout client {{ service.haproxy_timeout_client }}
{% endif %}
{% if item.service.haproxy_allowlist_networks is defined %}
acl allow_list src 127.0.0.1/8 {{ item.service.haproxy_allowlist_networks | join(' ') }}
{% if service.haproxy_allowlist_networks is defined %}
acl allow_list src 127.0.0.1/8 {{ service.haproxy_allowlist_networks | join(' ') }}
tcp-request content accept if allow_list
tcp-request content reject
{% endif %}
{% if item.service.haproxy_acls is defined %}
{% for key, value in item.service.haproxy_acls.items() %}
{% if service.haproxy_acls is defined %}
{% for key, value in service.haproxy_acls.items() %}
acl {{ key }} {{ value.rule }}
{% if not item.service.haproxy_frontend_only | default(false) %}
use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-back if {{ key }}
{% if not service.haproxy_frontend_only | default(false) %}
use_backend {{ value.backend_name | default(service.haproxy_service_name) }}-back if {{ key }}
{% endif %}
{% endfor %}
{% endif %}
mode {{ item.service.haproxy_balance_type }}
{% if not item.service.haproxy_frontend_only | default(false) %}
default_backend {{ item.service.haproxy_service_name }}-back
{% for entry in service.haproxy_maps | default([]) %}
{{ entry }}
{% endfor %}
mode {{ service.haproxy_balance_type }}
{% if (not service.haproxy_frontend_only | default(false)) or ((service.haproxy_default_backend is defined) and (service.haproxy_default_backend | length > 0)) %}
default_backend {{ service.haproxy_default_backend | default(service.haproxy_service_name) }}-back
{% endif %}
{% for entry in item.service.haproxy_frontend_raw|default([]) %}
{% for entry in (service.haproxy_frontend_raw|default([])) + haproxy_frontend_extra_raw %}
{{ entry }}
{% endfor %}
frontend {{ item.service.haproxy_service_name }}-https-front-{{ loop.index }}
bind {{ vip_bind }}:{{ haproxy_https_front_port }} ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_bind }}.pem
frontend {{ service.haproxy_service_name }}-https-front-{{ loop.index }}
bind {{ vip_address }}:{{ haproxy_https_front_port }}{{ (vip_interface is truthy) | ternary(' interface ' ~ vip_interface, '') }} ssl crt {{ haproxy_ssl_cert_path }}/haproxy_{{ ansible_facts['hostname'] }}-{{ vip_address }}.pem
{% if request_option == "http" %}
option httplog
option forwardfor except 127.0.0.0/8
{% if item.service.haproxy_http_keepalive_mode is defined %}
option {{ item.service.haproxy_http_keepalive_mode }}
{% if service.haproxy_http_keepalive_mode is defined %}
option {{ service.haproxy_http_keepalive_mode }}
{% endif %}
{% elif request_option == "tcp" %}
option tcplog
{% endif %}
{% if item.service.haproxy_timeout_client is defined %}
timeout client {{ item.service.haproxy_timeout_client }}
{% if service.haproxy_timeout_client is defined %}
timeout client {{ service.haproxy_timeout_client }}
{% endif %}
{% if item.service.haproxy_allowlist_networks is defined %}
acl allow_list src 127.0.0.1/8 {{ item.service.haproxy_allowlist_networks | join(' ') }}
{% if service.haproxy_allowlist_networks is defined %}
acl allow_list src 127.0.0.1/8 {{ service.haproxy_allowlist_networks | join(' ') }}
tcp-request content accept if allow_list
tcp-request content reject
{% endif %}
{% if item.service.haproxy_acls is defined %}
{% for key, value in item.service.haproxy_acls.items() %}
{% if service.haproxy_acls is defined %}
{% for key, value in service.haproxy_acls.items() %}
acl {{ key }} {{ value.rule }}
{% if not item.service.haproxy_frontend_only | default(false) %}
use_backend {{ value.backend_name | default(item.service.haproxy_service_name) }}-back if {{ key }}
{% if not service.haproxy_frontend_only | default(false) %}
use_backend {{ value.backend_name | default(service.haproxy_service_name) }}-back if {{ key }}
{% endif %}
{% endfor %}
{% endif %}
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_bind in extra_lb_tls_vip_addresses or (item.service.haproxy_ssl_all_vips | default(false) | bool and vip_bind not in extra_lb_vip_addresses)) %}
{% for entry in service.haproxy_maps | default([]) %}
{{ entry }}
{% endfor %}
{% if (service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or vip_address in extra_lb_tls_vip_addresses or (service.haproxy_ssl_all_vips | default(false) | bool and vip_address not in extra_lb_vip_addresses)) %}
http-request add-header X-Forwarded-Proto https
{% endif %}
mode {{ item.service.haproxy_balance_type }}
{% if not item.service.haproxy_frontend_only | default(false) %}
default_backend {{ item.service.haproxy_service_name }}-back
mode {{ service.haproxy_balance_type }}
{% if (not service.haproxy_frontend_only | default(false)) or ((service.haproxy_default_backend is defined) and (service.haproxy_default_backend | length > 0)) %}
default_backend {{ service.haproxy_default_backend | default(service.haproxy_service_name) }}-back
{% endif %}
{% for entry in item.service.haproxy_frontend_raw|default([]) %}
{% for entry in (service.haproxy_frontend_raw|default([])) + haproxy_frontend_extra_raw %}
{{ entry }}
{% endfor %}

32
templates/service.j2
View File

@ -46,9 +46,9 @@ bind {{ vip_address }}:{{ service.haproxy_redirect_http_port }}{{ (vip_interface
{% endif %}
{% endif %}
{# TODO: remove if and section inside if after HTTPS upgrade #}
{# During an upgrade of internal frontends from HTTP to HTTPS, need to accept both HTTP and HTTPS until client config has been changed #}
{% if (service.haproxy_tcp_upgrade_frontend | default(false)) and (service.haproxy_ssl_all_vips | default(false)) %}
{# service-redirect.j2 allows frontend to handle both HTTP and HTTPS connections. #}
{# This is especially useful during HTTP->HTTPS service endpoint transition. #}
{% if service.haproxy_accept_both_protocols | default(false) %}
{% include 'service-redirect.j2' %}
{% else %}
frontend {{ service.haproxy_service_name }}-front-{{ loop.index }}
@ -165,32 +165,6 @@ backend {{ service.haproxy_service_name }}-back
{% set _ = entry.append(option) %}
{% endfor %}
{{ entry | join(' ') }}
{# TODO: remove if and section inside if after HTTPS upgrade #}
{# During an upgrade of backends from HTTP to HTTPS, need to uses both HTTP and HTTPS backends until backends have been changed #}
{% if service.haproxy_tcp_upgrade_backend | default(false) and service.haproxy_backend_ssl | default(false) %}
{% set entry = [] %}
{% set _ = entry.append("server") %}
{% set _ = entry.append((host_name.name | default(host_name)) + "-http" | string) %}
{% set _ = entry.append((host_name.ip_addr | default(ip_addr)) + ":" + haproxy_backend_port | string) %}
{% set _ = entry.append("check") %}
{% set _ = entry.append("port") %}
{% set _ = entry.append(haproxy_check_port | string) %}
{% set _ = entry.append("inter") %}
{% set _ = entry.append(service.interval|default(haproxy_interval) | string) %}
{% set _ = entry.append("rise") %}
{% set _ = entry.append(service.backend_rise|default(haproxy_rise | string)) %}
{% set _ = entry.append("fall") %}
{% set _ = entry.append(service.backend_fall|default(haproxy_fall | string)) %}
{% set backend_server_options = service.haproxy_backend_server_options|default([]) %}
{% for option in backend_server_options %}
{% set _ = entry.append(option) %}
{% endfor %}
{% set backend_per_server_options = host_name.backend_server_options|default([]) %}
{% for option in backend_per_server_options %}
{% set _ = entry.append(option) %}
{% endfor %}
{{ entry | join(' ') }}
{% endif %}
{% endfor %}
{% for host_name in service.haproxy_backup_nodes|default([]) %}