-
Notifications
You must be signed in to change notification settings - Fork 4
/
main.yml
98 lines (83 loc) · 3.76 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
---
# defaults file for haproxy
# Where haproxy will find its .pem concatenated files
haproxy_tls_dir: /etc/pki/tls/haproxy
# Where to host the temporary .crt before concatenating them
haproxy_tls_staging_dir: /etc/pki/tls/haproxy_staging
# Some default settings from haproxy
haproxy_maxconn: 4000
# Logging
# Do we want by default to log to /var/log/haproxy.log ?
haproxy_local_log: True
# Do we want to automatically open tcp/80 and tcp/443 through iptables
# If false, you can open yourself/fine-tune which ports to use and from which hosts/networks
# Useful for OCP deployments and tcp mode - see below
haproxy_public: True
# Default backend from haproxy_vhosts that would catch all requests without header/vhost
# Useful for a new node and so redirecting to a certbot/letscentrypt node
# Needs to be defined in the haproxy_vhosts or it will fail !
haproxy_default_backend: vhost1
# The type of proxy this proxy is for, Reverse Proxy or OCP (openshift) proxy.
# accepted values: 'revproxy', 'ocp
haproxy_type:
- revproxy
# If we are of the revproxy type, what are the IPs and http/https that we should bind to
haproxy_revproxy_bindips: ['*']
haproxy_revproxy_http_port: 80
haproxy_revproxy_https_port: 443
# If you need to connect to some specific random ports on backend nodes
# let's ensure we add these through selinux
# example:
# haproxy_selinux_ports:
# - 9090
# - 9091
haproxy_selinux_ports: []
# The environments dependent variables eg staging, prod etc
haproxy_ocp_envs:
- name: prod # The environment name
bindips: [] # If we are of the ocp type, what are the IPs that we should bind to for this environment
# The ansible group that contains nodes that we want to direct OCP master
# traffic into the cluster We expect the `ip` attribute to be set in the
# inventory hostvars, and we want this template to fail if we do not have this
# set in inventory
master_group:
# The ansible group that contains nodes that we want to direct OCP application
# traffic into the cluster. We expect the `ip` attribute to be set in the
# inventory hostvars, and we want this template to fail if we do not have `ip`
# set in inventory
app_group:
# List of vhosts served through haproxy
# Each one has specific different options like terminating TLS connection, or forward SNI or even custom ACL
haproxy_vhosts:
- name: vhost1
public_name: host.domain.com # easy vhost listening on http and https and simply forwarding to backend based on request, so http=>http, https=>https, no redirect (should be done by backend httpd if needed)
backend_nodes:
- name: backend1.internal
- name: backend2.internal
- name: vhost1-no-post
public_name: nopost.domain.com
# extra_config, if define will inject a block in jinja2 like for example denying POST requests to this vhost
extra_config: |+
acl valid_method method GET OPTION HEAD
http-request deny if !valid_method
backend_nodes:
- name: backend4.internal
- name: vhost2
public_name: host2.domain.com
backend_nodes:
- name: backend3.internal
tls_backend: False # Terminate the TLS connection, so https on haproxy, but http on backend
- name: 192.168.1.1
port: 81 # that backend node is listening on port 81 and not 80
tls_backend: False # 192.168.1.1 isn't listening on https, see above
- name: vhost3
public_name: openshift.domain.com
backend_nodes:
- name: openshift1
tls_backend_sni: True # Force sni passthrough for chained haproxy setup with openshift
tls_frontend_redirect: True # listens on http but redirects to https at haproxy level
# Zabbix templates/groups (monitoring)
zabbix_haproxy_templates:
- Template CentOS haproxy
zabbix_haproxy_groups:
- CentOS Haproxy nodes