diff --git a/defaults/main.yml b/defaults/main.yml index 630e8e1..12bf2d9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,6 +5,7 @@ deploy_haproxy_version: latest deploy_haproxy_env_variables: {} deploy_haproxy_start_service: true +deploy_haproxy_cert_dir: "" # docker-only options deploy_haproxy_extra_container_volumes: [] @@ -70,3 +71,4 @@ deploy_haproxy_listen: - acl health_check_ok nbsrv() ge 1 - monitor-uri /health - http-request use-service prometheus-exporter if { path /metrics } + - 'http-response return 200 ''{"status": "ok"}'' if { path /health }' diff --git a/molecule/default_vagrant/group_vars/all.yml b/molecule/default_vagrant/group_vars/all.yml index 3d23529..46d6165 100644 --- a/molecule/default_vagrant/group_vars/all.yml +++ b/molecule/default_vagrant/group_vars/all.yml @@ -42,8 +42,8 @@ deploy_haproxy_backends: - option forwardfor - option httpchk - http-check send meth GET uri / - - server srv_nginx1 172.17.0.3:80 check inter 5s - - server srv_nginx2 172.17.0.2:80 check inter 5s + - server srv_nginx1 172.17.0.2:80 check inter 5s + - server srv_nginx2 172.17.0.3:80 check inter 5s # listen configuration blocks # the default values expose a monitoring listener on all interfaces on port 9000 diff --git a/molecule/with_tls_enabled_vagrant/converge.yml b/molecule/with_tls_enabled_vagrant/converge.yml new file mode 100644 index 0000000..433aaa7 --- /dev/null +++ b/molecule/with_tls_enabled_vagrant/converge.yml @@ -0,0 +1,8 @@ +--- +- name: Converge + hosts: all + become: true + tasks: + - name: "Include ednxzu.deploy_haproxy" + ansible.builtin.include_role: + name: "ednxzu.deploy_haproxy" diff --git a/molecule/with_tls_enabled_vagrant/group_vars/all.yml b/molecule/with_tls_enabled_vagrant/group_vars/all.yml new file mode 100644 index 0000000..46d6165 --- /dev/null +++ b/molecule/with_tls_enabled_vagrant/group_vars/all.yml 
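Review bot: `deploy_haproxy_cert_dir: ""` is added with no comment, and the task that consumes it in tasks/configure.yml reads it through `with_fileglob`, which resolves on the Ansible controller, so a user of the role cannot tell from defaults/main.yml that this must be a controller-side path or that the empty string is the "disabled" sentinel. I would put `# directory on the Ansible controller holding the TLS certificate files to install; leave empty to skip TLS setup` above it, in the same style as the `# docker-only options` line two lines below. The group_vars file added in this commit documents `deploy_haproxy_deploy_method` inline the same way.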
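Review bot: The new `http-response return 200 '{"status": "ok"}' …` line looks syntactically wrong for haproxy's `return` action, which takes keyword arguments (`status <code>`, `content-type <type>`, `string <str>`) rather than a bare status code, so I expect the config check to reject it; and since the preceding `monitor-uri /health` directive answers /health at a very early stage, as far as I recall a response rule would never see those requests anyway. If the goal is a JSON body on /health, I would replace the line with `- 'http-request return status 200 content-type application/json string ''{"status": "ok"}'' if { path /health }'` and drop `monitor-uri /health`; otherwise keep `monitor-uri` and drop the new line. The `/health returns a 200 OK response` comment in the molecule group_vars describes the monitor-uri behaviour and would need updating in the first case.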
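Review bot: Swapping the hard-coded `172.17.0.2`/`172.17.0.3` addresses suggests the fixture depends on the order in which Docker assigned bridge addresses to the two test containers, which is not stable across runs; both `server` lines carry identical options, so the order has no functional effect and this hunk is cosmetic. A comment such as `# addresses assume the docker default bridge assigns .2/.3 to the two test backend containers` would keep the next person from "fixing" it again. The same two lines appear in the new molecule/with_tls_enabled_vagrant/group_vars/all.yml, which is a byte-identical copy (same blob 46d6165).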
@@ -0,0 +1,69 @@
+---
+deploy_haproxy_deploy_method: docker # deployment method, either host or docker
+deploy_haproxy_version: "2.8"
+
+deploy_haproxy_env_variables: {}
+deploy_haproxy_start_service: true
+
+# docker-only options
+deploy_haproxy_extra_container_volumes: []
+
+# Options from the "default" config block in haproxy.cfg
+# The default values here are usually set, but you can change any of them.
+deploy_haproxy_global:
+ - log /dev/log local0
+ - log /dev/log local1 notice
+ - stats socket {{ deploy_haproxy_socket }} level admin
+ - chroot {{ deploy_haproxy_chroot }}
+ - daemon
+ - description hashistack haproxy
+
+deploy_haproxy_defaults:
+ - log global
+ - mode http
+ - option httplog
+ - option dontlognull
+ - timeout connect 5000
+ - timeout client 5000
+ - timeout server 5000
+
+deploy_haproxy_frontends:
+ - name: default
+ options:
+ - description default frontend
+ - mode http
+ - bind :1024
+ - default_backend default
+
+deploy_haproxy_backends:
+ - name: default
+ options:
+ - description default backend
+ - option forwardfor
+ - option httpchk
+ - http-check send meth GET uri /
+ - server srv_nginx1 172.17.0.2:80 check inter 5s
+ - server srv_nginx2 172.17.0.3:80 check inter 5s
+
+# listen configuration blocks
+# the default values expose a monitoring listener on all interfaces on port 9000
+# /stats returns the haproxy dashboard (please change the user and password in the configuration)
+# /health returns a 200 OK response as long as haproxy is alive and well
+# /metrics returns prometheus metrics for the haproxy instance
+deploy_haproxy_listen:
+ - name: monitoring
+ options:
+ - bind :9000
+ - mode http
+ - option httpchk
+ - stats enable
+ - stats uri /stats
+ - stats refresh 30s
+ - stats show-desc
+ - stats show-legends
+ - stats auth admin:password
+ - http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost
+ - http-check expect status 200
+ - acl health_check_ok nbsrv() ge 1
+ - monitor-uri /health
+ - http-request use-service prometheus-exporter if { path /metrics }
diff --git a/molecule/with_tls_enabled_vagrant/molecule.yml b/molecule/with_tls_enabled_vagrant/molecule.yml
new file mode 100644
index 0000000..d6c4d14
--- /dev/null
+++ b/molecule/with_tls_enabled_vagrant/molecule.yml
@@ -0,0 +1,35 @@
+---
+dependency:
+ name: galaxy
+ options:
+ requirements-file: ./requirements.yml
+driver:
+ name: vagrant
+ provider:
+ name: libvirt
+platforms:
+ - name: instance
+ box: generic/${MOLECULE_TEST_OS}
+ cpus: 4
+ memory: 4096
+provisioner:
+ name: ansible
+ config_options:
+ defaults:
+ remote_tmp: /tmp/.ansible
+verifier:
+ name: ansible
+scenario:
+ name: with_tls_enabled_vagrant
+ test_sequence:
+ - dependency
+ - cleanup
+ - destroy
+ - syntax
+ - create
+ - prepare
+ - converge
+ - idempotence
+ - verify
+ - cleanup
+ - destroy
diff --git a/molecule/with_tls_enabled_vagrant/prepare.yml b/molecule/with_tls_enabled_vagrant/prepare.yml
new file mode 100644
index 0000000..23cc548
--- /dev/null
+++ b/molecule/with_tls_enabled_vagrant/prepare.yml
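Review bot: This scenario is named with_tls_enabled, yet its group_vars never set `deploy_haproxy_cert_dir` (the file is the same blob 46d6165 as molecule/default_vagrant/group_vars/all.yml), so the `Configure haproxy for TLS` block in tasks/configure.yml, guarded by `when: not deploy_haproxy_cert_dir == ''`, is skipped and the certificate generated in prepare.yml is never installed. The frontend also still binds plain `:1024` with no `ssl crt` option, so nothing in the scenario exercises a TLS listener. I would add `deploy_haproxy_cert_dir: /tmp/haproxy-cert` here and a frontend bind line that references the installed certificate under `deploy_haproxy_cert_dir_dst`, so converge and idempotence actually cover the new code path.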
@@ -0,0 +1,40 @@
+---
+- name: Prepare
+ hosts: all
+ become: true
+ tasks:
+ - name: "Include ednxzu.install_docker"
+ ansible.builtin.include_role:
+ name: ednxzu.install_docker
+ vars:
+ install_docker_python_packages: true
+
+ - name: "Generate self-signed certificates" # noqa: run-once[task]
+ delegate_to: localhost
+ run_once: true
+ block:
+ - name: "Create temporary cert directory /tmp/haproxy-cert"
+ ansible.builtin.file:
+ path: "/tmp/haproxy-cert"
+ state: directory
+ owner: "root"
+ group: "root"
+ mode: "0777"
+
+ - name: "Create private key"
+ community.crypto.openssl_privatekey:
+ path: /tmp/haproxy-cert.key
+
+ - name: "Create certificate signing request"
+ community.crypto.openssl_csr_pipe:
+ privatekey_path: /tmp/haproxy-cert.key
+ common_name: haproxy.ansible.test
+ organization_name: Ansible, Inc.
+ register: csr
+
+ - name: "Create self-signed certificate from CSR"
+ community.crypto.x509_certificate:
+ path: /tmp/haproxy-cert/cert.pem
+ csr_content: "{{ csr.csr }}"
+ privatekey_path: /tmp/haproxy-cert.key
+ provider: selfsigned
diff --git a/molecule/with_tls_enabled_vagrant/requirements.yml b/molecule/with_tls_enabled_vagrant/requirements.yml
new file mode 100644
index 0000000..1316891
--- /dev/null
+++ b/molecule/with_tls_enabled_vagrant/requirements.yml
@@ -0,0 +1,6 @@
+---
+# requirements file for molecule
+roles:
+ - name: ednxzu.manage_repositories
+ - name: ednxzu.manage_apt_packages
+ - name: ednxzu.install_docker
diff --git a/molecule/with_tls_enabled_vagrant/verify.yml b/molecule/with_tls_enabled_vagrant/verify.yml
new file mode 100644
index 0000000..ec450ea
--- /dev/null
+++ b/molecule/with_tls_enabled_vagrant/verify.yml
@@ -0,0 +1,6 @@
+---
+- name: Verify
+ hosts: all
+ gather_facts: true
+ become: true
+ tasks:
diff --git a/tasks/configure.yml b/tasks/configure.yml
index 67bd40f..583b9b0 100644
--- a/tasks/configure.yml
+++ b/tasks/configure.yml
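Review bot: `mode: "0777"` makes /tmp/haproxy-cert, the directory the role later globs for certificate files, world-writable on the controller, which is wider than anything in this block needs; the play already runs with `become: true` and the same user reads the files back, so `mode: "0755"` is sufficient. The private key is written to `/tmp/haproxy-cert.key`, outside the directory the role copies, and haproxy's `crt` option expects the key in the same PEM or in a sidecar `.key` file next to it, so as written the instance would receive `cert.pem` with no usable key. The `community.crypto.*` modules used here are also not declared anywhere: requirements.yml lists only `roles:`, so the scenario depends on the collection being preinstalled; a `collections:` entry with `- name: community.crypto` in that file would make the dependency explicit.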
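Review bot: `tasks:` is left with no value, so this verify play asserts nothing and the `verify` step passes regardless of whether the certificate directory, its ownership and mode, or a TLS listener exist on the instance; a bare `key:` also parses as null rather than an empty list. At minimum I would add an `ansible.builtin.stat` task on the file installed under `deploy_haproxy_cert_dir_dst` followed by an `ansible.builtin.assert` on `stat.exists` and a `0600` mode, or write `tasks: []` so an intentionally empty play is explicit.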
@@ -21,3 +21,24 @@
 notify:
 - "systemctl-enable-haproxy"
 - "systemctl-restart-haproxy"
+
+- name: "Configure haproxy for TLS"
+ when: not deploy_haproxy_cert_dir == ''
+ block:
+ - name: "Create directory {{ deploy_haproxy_cert_dir_dst }}"
+ ansible.builtin.file:
+ path: "{{ deploy_haproxy_cert_dir_dst }}"
+ state: directory
+ owner: "{{ deploy_haproxy_user }}"
+ group: "{{ deploy_haproxy_group }}"
+ mode: "0755"
+
+ - name: "Copy TLS certificates"
+ ansible.builtin.template:
+ src: "{{ item }}"
+ dest: "{{ deploy_haproxy_cert_dir_dst }}/{{ (item | basename).split('.')[:-1] | join('.')}}"
+ owner: "{{ deploy_haproxy_user }}"
+ group: "{{ deploy_haproxy_group }}"
+ mode: "0600"
+ with_fileglob:
+ - "{{ deploy_haproxy_cert_dir }}/*"
diff --git a/vars/main.yml b/vars/main.yml
index 67aff92..c8229ba 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,8 +1,9 @@
 ---
 # vars file for deploy_haproxy
 deploy_haproxy_config_dir: /etc/haproxy
-deploy_haproxy_socket: /var/lib/haproxy/stats
 deploy_haproxy_chroot: /var/lib/haproxy
+deploy_haproxy_socket: "{{ deploy_haproxy_chroot }}/stats"
+deploy_haproxy_cert_dir_dst: "{{ deploy_haproxy_chroot }}/certs"
 deploy_haproxy_user: "{{ '99' if deploy_haproxy_deploy_method == 'docker' else 'haproxy' }}"
 deploy_haproxy_group: "{{ '99' if deploy_haproxy_deploy_method == 'docker' else 'haproxy' }}"
 deploy_haproxy_service_name: "haproxy{{ '_container' if deploy_haproxy_deploy_method == 'docker' }}"
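Review bot: The `Copy TLS certificates` task installs certificate and key material with `ansible.builtin.template`, which renders every file through Jinja2 before writing it; for PEM files that is unnecessary at best and fails on any file containing `{{`, `{%` or non-text bytes, so `ansible.builtin.copy:` with the same `src`/`dest` is the right module here. The new block also carries no `notify:`, unlike the task just above it, so a rotated certificate is copied but haproxy is never restarted; adding `notify: ["systemctl-restart-haproxy"]` to the copy task closes that gap. As a point of style, `when: not deploy_haproxy_cert_dir == ''` reads more naturally as `when: deploy_haproxy_cert_dir | length > 0`, and a comment on `with_fileglob` noting that it globs on the controller would save the next reader a trip to the docs.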
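Review bot: `deploy_haproxy_cert_dir_dst` lives in vars/main.yml, which takes precedence over inventory and play vars, so a consumer of the role cannot change where private keys are placed on the host even though the directory is created with role-chosen ownership; if that is intended, a comment such as `# role-internal: certificates are installed under the chroot; not meant to be overridden by callers` above the two new lines would make it explicit. Deriving the socket path from `deploy_haproxy_chroot` is fine; as far as I know both `stats socket` and `crt` paths are resolved before haproxy chroots, so the absolute host paths used here are the correct form.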