feat(tests): add tls testing to prepare tls feature

defaults/main.yml

@@ -5,6 +5,7 @@ deploy_haproxy_version: latest
 
 deploy_haproxy_env_variables: {}
 deploy_haproxy_start_service: true
+deploy_haproxy_cert_dir: ""
 
 # docker-only options
 deploy_haproxy_extra_container_volumes: []
@@ -70,3 +71,4 @@ deploy_haproxy_listen:
       - acl health_check_ok nbsrv() ge 1
       - monitor-uri /health
       - http-request use-service prometheus-exporter if { path /metrics }
+      - 'http-response return 200 ''{"status": "ok"}'' if { path /health }'

molecule/default_vagrant/group_vars/all.yml

@@ -42,8 +42,8 @@ deploy_haproxy_backends:
       - option forwardfor
       - option httpchk
       - http-check send meth GET uri /
-      - server srv_nginx1 172.17.0.3:80 check inter 5s
-      - server srv_nginx2 172.17.0.2:80 check inter 5s
+      - server srv_nginx1 172.17.0.2:80 check inter 5s
+      - server srv_nginx2 172.17.0.3:80 check inter 5s
 
 # listen configuration blocks
 # the default values expose a monitoring listener on all interfaces on port 9000

molecule/with_tls_enabled_vagrant/converge.yml

@@ -0,0 +1,8 @@
+---
+- name: Converge
+  hosts: all
+  become: true
+  tasks:
+    - name: "Include ednxzu.deploy_haproxy"
+      ansible.builtin.include_role:
+        name: "ednxzu.deploy_haproxy"

molecule/with_tls_enabled_vagrant/group_vars/all.yml

@@ -0,0 +1,69 @@
+---
+deploy_haproxy_deploy_method: docker # deployment method, either host or docker
+deploy_haproxy_version: "2.8"
+
+deploy_haproxy_env_variables: {}
+deploy_haproxy_start_service: true
+
+# docker-only options
+deploy_haproxy_extra_container_volumes: []
+
+# Options from the "default" config block in haproxy.cfg
+# The default values here are usually set, but you can change any of them.
+deploy_haproxy_global:
+  - log /dev/log local0
+  - log /dev/log local1 notice
+  - stats socket {{ deploy_haproxy_socket }} level admin
+  - chroot {{ deploy_haproxy_chroot }}
+  - daemon
+  - description hashistack haproxy
+
+deploy_haproxy_defaults:
+  - log global
+  - mode http
+  - option httplog
+  - option dontlognull
+  - timeout connect 5000
+  - timeout client  5000
+  - timeout server  5000
+
+deploy_haproxy_frontends:
+  - name: default
+    options:
+      - description default frontend
+      - mode http
+      - bind :1024
+      - default_backend default
+
+deploy_haproxy_backends:
+  - name: default
+    options:
+      - description default backend
+      - option forwardfor
+      - option httpchk
+      - http-check send meth GET uri /
+      - server srv_nginx1 172.17.0.2:80 check inter 5s
+      - server srv_nginx2 172.17.0.3:80 check inter 5s
+
+# listen configuration blocks
+# the default values expose a monitoring listener on all interfaces on port 9000
+# /stats returns the haproxy dashboard (please change the user and password in the configuration)
+# /health returns a 200 OK response as long as haproxy is alive and well
+# /metrics returns prometheus metrics for the haproxy instance
+deploy_haproxy_listen:
+  - name: monitoring
+    options:
+      - bind :9000
+      - mode http
+      - option httpchk
+      - stats enable
+      - stats uri /stats
+      - stats refresh 30s
+      - stats show-desc
+      - stats show-legends
+      - stats auth admin:password
+      - http-check send meth GET uri /health ver HTTP/1.1 hdr Host localhost
+      - http-check expect status 200
+      - acl health_check_ok nbsrv() ge 1
+      - monitor-uri /health
+      - http-request use-service prometheus-exporter if { path /metrics }

molecule/with_tls_enabled_vagrant/molecule.yml

@@ -0,0 +1,35 @@
+---
+dependency:
+  name: galaxy
+  options:
+    requirements-file: ./requirements.yml
+driver:
+  name: vagrant
+  provider:
+    name: libvirt
+platforms:
+  - name: instance
+    box: generic/${MOLECULE_TEST_OS}
+    cpus: 4
+    memory: 4096
+provisioner:
+  name: ansible
+  config_options:
+    defaults:
+      remote_tmp: /tmp/.ansible
+verifier:
+  name: ansible
+scenario:
+  name: with_tls_enabled_vagrant
+  test_sequence:
+    - dependency
+    - cleanup
+    - destroy
+    - syntax
+    - create
+    - prepare
+    - converge
+    - idempotence
+    - verify
+    - cleanup
+    - destroy

molecule/with_tls_enabled_vagrant/prepare.yml

@@ -0,0 +1,40 @@
+---
+- name: Prepare
+  hosts: all
+  become: true
+  tasks:
+    - name: "Include ednxzu.install_docker"
+      ansible.builtin.include_role:
+        name: ednxzu.install_docker
+      vars:
+        install_docker_python_packages: true
+
+    - name: "Generate self-signed certificates"  # noqa: run-once[task]
+      delegate_to: localhost
+      run_once: true
+      block:
+        - name: "Create temporary cert directory /tmp/haproxy-cert"
+          ansible.builtin.file:
+            path: "/tmp/haproxy-cert"
+            state: directory
+            owner: "root"
+            group: "root"
+            mode: "0777"
+
+        - name: "Create private key"
+          community.crypto.openssl_privatekey:
+            path: /tmp/haproxy-cert.key
+
+        - name: "Create certificate signing request"
+          community.crypto.openssl_csr_pipe:
+            privatekey_path: /tmp/haproxy-cert.key
+            common_name: haproxy.ansible.test
+            organization_name: Ansible, Inc.
+          register: csr
+
+        - name: "Create self-signed certificate from CSR"
+          community.crypto.x509_certificate:
+            path: /tmp/haproxy-cert/cert.pem
+            csr_content: "{{ csr.csr }}"
+            privatekey_path: /tmp/haproxy-cert.key
+            provider: selfsigned

molecule/with_tls_enabled_vagrant/requirements.yml

@@ -0,0 +1,6 @@
+---
+# requirements file for molecule
+roles:
+  - name: ednxzu.manage_repositories
+  - name: ednxzu.manage_apt_packages
+  - name: ednxzu.install_docker

molecule/with_tls_enabled_vagrant/verify.yml

@@ -0,0 +1,6 @@
+---
+- name: Verify
+  hosts: all
+  gather_facts: true
+  become: true
+  tasks:

tasks/configure.yml

@@ -21,3 +21,24 @@
   notify:
     - "systemctl-enable-haproxy"
     - "systemctl-restart-haproxy"
+
+- name: "Configure haproxy for TLS"
+  when: not deploy_haproxy_cert_dir == ''
+  block:
+    - name: "Create directory {{ deploy_haproxy_cert_dir_dst }}"
+      ansible.builtin.file:
+        path: "{{ deploy_haproxy_cert_dir_dst }}"
+        state: directory
+        owner: "{{ deploy_haproxy_user }}"
+        group: "{{ deploy_haproxy_group }}"
+        mode: "0755"
+
+    - name: "Copy TLS certificates"
+      ansible.builtin.template:
+        src: "{{ item }}"
+        dest: "{{ deploy_haproxy_cert_dir_dst }}/{{ (item | basename).split('.')[:-1] | join('.')}}"
+        owner: "{{ deploy_haproxy_user }}"
+        group: "{{ deploy_haproxy_group }}"
+        mode: "0600"
+      with_fileglob:
+        - "{{ deploy_haproxy_cert_dir }}/*"

vars/main.yml

@@ -1,8 +1,9 @@
 ---
 # vars file for deploy_haproxy
 deploy_haproxy_config_dir: /etc/haproxy
-deploy_haproxy_socket: /var/lib/haproxy/stats
 deploy_haproxy_chroot: /var/lib/haproxy
+deploy_haproxy_socket: "{{ deploy_haproxy_chroot }}/stats"
+deploy_haproxy_cert_dir_dst: "{{ deploy_haproxy_chroot }}/certs"
 deploy_haproxy_user: "{{ '99' if deploy_haproxy_deploy_method == 'docker' else 'haproxy' }}"
 deploy_haproxy_group: "{{ '99' if deploy_haproxy_deploy_method == 'docker' else 'haproxy' }}"
 deploy_haproxy_service_name: "haproxy{{ '_container' if deploy_haproxy_deploy_method == 'docker' }}"