ansible-haproxy's People

Contributors

ahaitoute, benwebber, call-it-basic, clwells, dekhtyarev, hany, lavatoaster, mathieumd, maxbrunet, nathanielks, noirbee, pbuyle, pierrepaul, pieterlexis, publicarray, r-daneel, reminec, roedie, scottrobertson, tuyendv2, undergreen

ansible-haproxy's Issues

suggestion: keep master branch stable

Hello guys,
Just a little suggestion. A good practice on GitHub is to keep the master branch clean with the last stable release and create a "dev" branch.
Anyway, thanks for your work on this Ansible role.

Not on ansible galaxy

Hi There,

I see that you have a meta file for ansible galaxy but I don't seem to be able to find this package on there.

Is this intended?

template error while templating string: no test named 'false'

Getting this when trying to run. This worked on a previous version of ansible, not sure which version it was though (sorry).

I have not changed any haproxy_global stuff

TASK: [info.haproxy | Ensure chroot directory exists] *************************
fatal: [lb0.example.com] => template error while templating string: no test named 'false'

FATAL: all hosts have already failed -- aborting
ansible-playbook --version
# => ansible-playbook 1.8.2

Flexible way to add parameters into template files

When preparing variable files, such as global, defaults, frontend, backend, listen, etc., I got stuck with some parameters or options which are not defined in these template files.

There are so many parameters in haproxy, and it is not possible for us to include them all.

So would it be fine to add an extra part to include all parameters directly if they are not defined? Such as:

{% if item.extra is defined %}
{% for parameter in item.extra %}
    {{ parameter }}
{% endfor %}
{% endif -%}

We need to add it in all template files.

Then you will easily add more.

haproxy_global:
    extra: 
       - tune.ssl.default-dh-param 2048
       - more parameter and options.

@PierrePaul

Your options? If you are happy with this idea, I will prepare the pull request.

Looking for new maintainer(s)

Our company is not using this role anymore and cannot commit to maintaining it. We are looking for an individual or organization that would take over the maintenance.

global.cfg using flatten is broken, returning list instead of dict

So this is a weird one, I'm getting this:

TASK [devops-coop.haproxy : Build up the global config] *************************************************************************************************************************************
fatal: [host]: FAILED! => {"changed": false, "msg": "AnsibleUndefinedVariable: 'list object' has no attribute 'items'"}

With much head-scratching, I found this is happening at the end of the template, when dealing with the tune option. I've discovered this:

[anotherhost] TASK: devops-coop.haproxy : Build up the global config (debug)> p task_vars['haproxy_global']
{u'chroot': u'/var/lib/haproxy',
 u'daemon': True,
 u'group': u'haproxy',
 u'log': [{u'address': u'/dev/log', u'facility': u'local0'},
          {u'address': u'/dev/log',
           u'facility': u'local1',
           u'level': u'notice'}],
 u'ssl_default_bind_ciphers': u'{{ _haproxy_ssl_ciphers }}',
 u'ssl_default_bind_options': u'{{ _haproxy_ssl_options }}',
 u'ssl_default_server_ciphers': u'{{ _haproxy_ssl_ciphers }}',
 u'ssl_default_server_options': u'{{ _haproxy_ssl_options }}',
 u'tune': {u'ssl': {u'default-dh-param': 2048}},
 u'user': u'haproxy'}

OK, tune is a dict of dicts, good. Let's feed this by hand:

(ansible)host [05:22 PM] [j:1] ~/ansible $ cd roles/devops-coop.haproxy/filter_plugins/
(ansible)host [05:22 PM] [j:1] ~/.../roles/devops-coop.haproxy/filter_plugins $ ipython

In [2]: import flatten
In [9]: h = {u'chroot': u'/var/lib/haproxy',
   ...:  u'daemon': True,
   ...:  u'group': u'haproxy',
   ...:  u'log': [{u'address': u'/dev/log', u'facility': u'local0'},
   ...:           {u'address': u'/dev/log',
   ...:            u'facility': u'local1',
   ...:            u'level': u'notice'}],
   ...:  u'ssl_default_bind_ciphers': u'{{ _haproxy_ssl_ciphers }}',
   ...:  u'ssl_default_bind_options': u'{{ _haproxy_ssl_options }}',
   ...:  u'ssl_default_server_ciphers': u'{{ _haproxy_ssl_ciphers }}',
   ...:  u'ssl_default_server_options': u'{{ _haproxy_ssl_options }}',
   ...:  u'tune': {u'ssl': {u'default-dh-param': 2048}},
   ...:  u'user': u'haproxy'}

In [11]: h['tune']
Out[11]: {u'ssl': {u'default-dh-param': 2048}}

In [12]: for param, value in flatten.flatten(h['tune']).items():
    print param, value
   ....:     
ssl.default-dh-param 2048

All good thus far. Now with some debugging in the template:

haproxy_global.tune | flatten | type_debug: list
--
haproxy_global.tune | type_debug: dict
--
haproxy_global.tune | flatten: [u'ssl']
--
    haproxy_global.tune: {u'ssl': {u'default-dh-param': 2048}}
--
haproxy_global pretty print:
{u'chroot': u'/var/lib/haproxy',
 u'daemon': True,
 u'group': u'haproxy',
 u'log': [{u'address': u'/dev/log', u'facility': u'local0'},
          {u'address': u'/dev/log',
           u'facility': u'local1',
           u'level': u'notice'}],
 u'ssl_default_bind_ciphers': u'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
 u'ssl_default_bind_options': u'no-sslv3 no-tls-tickets',
 u'ssl_default_server_ciphers': u'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS',
 u'ssl_default_server_options': u'no-sslv3 no-tls-tickets',
 u'tune': {u'ssl': {u'default-dh-param': 2048}},
 u'user': u'haproxy'}

Very odd! Perhaps custom filters to jinja always return lists or something?!?

I'm running Ansible devel, and only just installed your role.
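
The two results in the report above (a dict with dotted keys when called by hand, the list [u'ssl'] inside the template) are what two different functions sharing the name flatten would return. This is an added illustration, not code from the role or from Ansible: flatten_dict, flatten_list and render_tune are hypothetical names, and the assumption that a list-flattening filter was the one resolved inside the template is not confirmed by the page.

```python
# Added illustration. Both flatten functions are hypothetical
# reimplementations, not the role's filter plugin and not Ansible's code.


def flatten_dict(d, parent_key="", sep="."):
    """Collapse nested dicts into a single dict with dotted keys."""
    out = {}
    for key, value in d.items():
        full_key = f"{parent_key}{sep}{key}" if parent_key else str(key)
        if isinstance(value, dict):
            out.update(flatten_dict(value, full_key, sep))
        else:
            out[full_key] = value
    return out


def flatten_list(seq):
    """Collapse nested lists/tuples into a single list."""
    out = []
    for element in seq:  # iterating a dict yields only its top-level keys
        if isinstance(element, (list, tuple)):
            out.extend(flatten_list(element))
        else:
            out.append(element)
    return out


def render_tune(tune, flatten):
    """Repeat the loop from the ipython session with a chosen flatten()."""
    flat = flatten(tune)
    if not hasattr(flat, "items"):
        # Same failure class as the reported AnsibleUndefinedVariable.
        raise TypeError(
            f"'{type(flat).__name__} object' has no attribute 'items'"
        )
    return [f"{param} {value}" for param, value in flat.items()]


# Value taken from the haproxy_global dump in the report.
TUNE = {"ssl": {"default-dh-param": 2048}}

if __name__ == "__main__":
    print(render_tune(TUNE, flatten_dict))  # the by-hand result
    print(flatten_list(TUNE))               # the in-template result
    try:
        render_tune(TUNE, flatten_list)
    except TypeError as exc:
        print(exc)
```

Giving a custom filter a role-specific name avoids depending on which of two same-named filters the template engine resolves.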

custom repo useless ?

Hello,

I'm wondering why you are using a custom repo ppa:vbernat?

After removing this entry, it fully works on Debian jessie, with haproxy 1.5.8

Get error when run with dry-run

It runs fine with this role, but I got an error when running with dry-run (--check)

TASK [haproxy : Add epel repo] *************************************************
fatal: [10_61_136_24]: FAILED! => {"failed": true, "msg": "The conditional check 'ansible_pkg_mgr == 'yum' and epel_repo_check.rc != 0' failed. The error was: error while evaluating conditional (ansible_pkg_mgr == 'yum' and epel_repo_check.rc != 0): 'dict object' has no attribute 'rc'\n\nThe error appears to have been in '/Users/bill/telstra/projects/MC/ansible-orchestration/roles.galaxy/haproxy/tasks/install.yml': line 34, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: 'Add epel repo'\n  ^ here\n"}

msg: The conditional check 'ansible_pkg_mgr == 'yum' and epel_repo_check.rc != 0' failed. The error was: error while evaluating conditional (ansible_pkg_mgr == 'yum' and epel_repo_check.rc != 0): 'dict object' has no attribute 'rc'

The error appears to have been in '/Users/bill/telstra/projects/MC/ansible-orchestration/roles.galaxy/haproxy/tasks/install.yml': line 34, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: 'Add epel repo'
  ^ here

    to retry, use: --limit @front_end_lb.retry

PLAY RECAP *********************************************************************

templates/frontend.cfg does not match vars

The templates/frontend.cfg, lines 34-40, also needs correction. default_backend is not a required option, but this code will save default_backend to the frontends.cfg regardless of whether the variable is set or not. Furthermore, there is no 'item' at this point, so item.default_backend doesn't exist. Finally, there is no 'backends' in the vars either, so 'item.backends' will never be defined, and the code in lines 35-40 will never get processed.

sudo shouldn't be used

Ansible warns about the sudo: yes flag in install.yml:

[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' 
(default).
This feature will be removed in a future release.

I think it is safe to assume the haproxy role is run with superuser rights, so it doesn't make much sense to have the flag there.

several warnings in ansible 2.0.x

  1. tasks/install.yml
[DEPRECATION WARNING]: Instead of sudo/sudo_user, use become/become_user and make sure become_method is 'sudo' (default).
This feature will be removed in a future release. Deprecation
 warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
TASK [haproxy : Check epel repo] ***********************************************
 [WARNING]: Consider using yum module rather than running yum
TASK [haproxy : Build up the listen sections] **********************************
[DEPRECATION WARNING]: Using bare variables is deprecated. Update your playbooks so that the environment value uses the full variable syntax ('{{haproxy_listen}}').
This feature will
be removed in a future release. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.

idempotence not met?

Forgive me if I see it wrong, but when I run this role again on the same machine it keeps on saying "changed" while it's the same config. So in the end I have 13 changes on my host while nothing has changed. Is this because you're "building" the config, which doesn't have any means to guarantee idempotence?

Breaking change due to json_query dependency

After that commit: e91947d I started to get messages:
fatal: [lb1.prometheus.n1.nato]: FAILED! => {"failed": true, "msg": "The conditional check '(item.path | basename) not in (haproxy_frontends | json_query('[*].name') | map('regex_replace', '(.*)', '\\\\1.cfg') | list)' failed. The error was: You need to install \"jmespath\" prior to running json_query filter\n\nThe error appears to have been in '/builds/continuous-delivery/prometheus-ansible-deploy/roles/FloeDesignTechnologies.haproxy/tasks/configure.yml': line 17, column 3, but may\nbe elsewhere in the file depending on the exact syntax problem.\n\nThe offending line appears to be:\n\n\n- name: \"Remove unmanaged files for the frontends\"\n ^ here\n"}

Using Docker from alpine v3.4, installing Python with apk --update add python py-pip.
I know that I just need to install some Python lib to fix it, but couldn't you add a tag before that commit so I could check out the version I need in a more human-readable way? (without commit hash, v1.1-like or something)

AnsibleUndefinedVariable: 'macros' is undefined

Maybe the commit 106a0a5 introduced a breaking change.

Short message is:

"msg": "AnsibleUndefinedVariable: 'macros' is undefined"

With all the details:

failed: [my_server] (item={u'http_request': [{u'action': u'add-header', u'param': u'X-Forwarded-Proto https', u'condition': u'if { ssl_fc }'}, {u'action': u'add-header', u'param': u'X-Forwarded-Ssl on', u'condition': u'if { ssl_fc }'}], u'description': u"Notre beau stock d'objets", u'name': u'bk_nexus', u'servers': [{u'ip': u'10.0.1.13', u'params': [u'check'], u'name': u'nexus1', u'port': u'8081'}, {u'ip': u'10.0.1.113', u'params': [u'check', u'backup'], u'name': u'nexus2', u'port': u'8081'}]}) => {"failed": true, "item": {"description": "Notre beau stock d'objets", "http_request": [{"action": "add-header", "condition": "if { ssl_fc }", "param": "X-Forwarded-Proto https"}, {"action": "add-header", "condition": "if { ssl_fc }", "param": "X-Forwarded-Ssl on"}], "name": "bk_nexus", "servers": [{"ip": "10.0.1.13", "name": "nexus1", "params": ["check"], "port": "8081"}, {"ip": "10.0.1.113", "name": "nexus2", "params": ["check", "backup"], "port": "8081"}]}, "msg": "AnsibleUndefinedVariable: 'macros' is undefined"}

tasks are marked as changed always

This Galaxy role works nicely; I can use it directly without modification. Good job. 👍

But when I repeatedly run the Ansible playbook, most tasks are still marked as changed.

Any suggestions to get rid of it? I'd like to get all OK status in the end.

TASK [haproxy : Empty the folder if not already empty] *************************
changed: [10_1_1_2]

cmd: find /etc/haproxy/compiled -name *.cfg -exec rm -f {} ;

start: 2016-05-17 17:05:40.986202

end: 2016-05-17 17:05:40.992326

delta: 0:00:00.006124

TASK [haproxy : Build up the global config] ************************************
changed: [10_1_1_2]

TASK [haproxy : Build up the default config] ***********************************
changed: [10_1_1_2]

TASK [haproxy : Assemble the backends configuration file] **********************
changed: [10_1_1_2]

msg: OK

TASK [haproxy : Assemble the frontends configuration file] *********************
changed: [10_1_1_2]

msg: OK

TASK [haproxy : Assemble the listen sections configuration file] ***************
changed: [10_1_1_2]

msg: OK

TASK [haproxy : Assemble the userlists sections configuration file] ************
changed: [10_1_1_2]

msg: OK

Versioned releases

Would it be possible to get a versioned release of this role? It's important for many users to be able to lock down the role to a specific version, instead of always pulling the master branch.

According to the Galaxy Docs, this should be as easy as just adding tags in GitHub.

If you applied any tags to your repository, Galaxy will automatically display a “version” for each tag. This means users can choose the version (tag) to download.
...
To import new tags, you can trigger a re-import from the “Your Roles” page anytime.

This allows users to lock in a specific release in their requirements.yml like so:

- src: info.haproxy
  version: v0.1

Users cannot specify error files on Alpine or CentOS

CentOS and Alpine don't ship error files (or don't place them in the locations found in defaults.yml). In the defaults.cfg template, we do not configure errorfile directives on these distributions:

{% if ansible_distribution != 'CentOS' and ansible_distribution != 'Alpine' %}
{% if haproxy_defaults.errorfile is defined %}
{% for item in haproxy_defaults.errorfile %}
errorfile {{ item.code }} {{ item.file }}
{% endfor %}
{% endif -%}
{% endif -%}

This prevents users on those distributions from declaring error files using this role.

We need to allow the user to specify that they want to configure the files if they've provided them outside this role.

Defaults log

There's a difference between the documentation and the template:
https://github.com/FloeDesignTechnologies/ansible-haproxy/blob/master/vars/main.yml#L26
https://github.com/FloeDesignTechnologies/ansible-haproxy/blob/master/templates/defaults.cfg#L6-L8

By the way, with this template implementation, if we want to generate this line in /etc/haproxy/haproxy.cfg:

defaults
  log global

We have to code the yaml file:

haproxy_defaults:
  log:
    - address: global
      facility: ' '

This trick is a bit ugly. Maybe (like you did for default_backend and use_backend) you can add something in order to code like that:

haproxy_defaults:
  log: global

Use haproxy 1.5

It would be good if we could use HAProxy 1.5:

add-apt-repository ppa:vbernat/haproxy-1.5

Error while evaluating conditional: ansible_lsb.codename

Changes introduced in pull request #21 seem to break this module on Cent OS 7 with the following error:

`TASK: [haproxy | Add haproxy apt repo] ****************************************
fatal: [192.168.1.2] => error while evaluating conditional: ansible_lsb.codename == "wheezy"

FATAL: all hosts have already failed -- aborting`

ansible --version
ansible 1.8.4

Some indentations are broken

I have an indentation problem with some variables :

[defaults]
maxconn var is unindented

[backend & frontend]
http-response and http-request have wrong indentation

PR is coming :)

Prepare 2.0 release

  • Merge existing pull requests
  • Fix Ansible 2 deprecation warnings
  • Drop support for SmartOS
  • Adopt SemVer
  • Configure test harness for CentOS and Ubuntu
  • Stop managing EPEL. We can ask users to configure it themselves (i.e., suggest geerlingguy.epel or add that role in as a dependency).
  • Implement #35, #39, #40, and #43 in ways that are compatible with the new API.

Typo in templates/listen.cfg

In lines 39-43 of this file, the template reads 'except' in multiple places. The correct text for this is 'expect'. This typo prevents a user from setting up http checking when using the listen directive.

Allow user to override HAProxy package name

IUS offers HAProxy 1.6 and 1.7 as haproxy16u and haproxy17u, respectively.

include_vars could do something like:

- include_vars:
    # returns {"_haproxy_package_name": "haproxy"}
    - "{{ ansible_distribution }}.yml"

Then we can install HAProxy like so:

- package:
    name: "{{ haproxy_package_name | default(_haproxy_package_name) }}"

can't get the correct result

my groups_var file:

haproxy_listen:
  - name: ssl
    bind: "{{ ansible_default_ipv4.address }}"
    ssl:
      cert: /etc/pki/tls/certs/ssl.pem no-sslv3

But I got this:

listen ssl
   bind 1 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
   bind 0 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
   bind . ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
   bind 1 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
   bind . ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
   bind 1 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
   bind . ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
   bind 2 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3

should be:

listen ssl
   bind 10.1.1.2 ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3
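
The eight bind lines in the report above are the characters of 10.1.1.2, one per line, which is what a loop over a string produces. The following is an added illustration and not the role's template code: render_naive, normalise_bind and render_safe are hypothetical helpers, and it assumes the listen template loops over bind expecting a list.

```python
# Added illustration (hypothetical helpers, not the role's template code).
# Assumption: the listen template loops over `bind` and expects a list.

SUFFIX = "ssl crt /etc/pki/tls/certs/ssl.pem no-sslv3"  # from the report


def render_naive(bind, suffix=SUFFIX):
    """Loop over `bind` directly, as a template `for` loop would."""
    return [f"   bind {b} {suffix}" for b in bind]


def normalise_bind(bind):
    """Accept one address or a list of addresses; always return a list."""
    if isinstance(bind, str):
        values = [bind]
    elif isinstance(bind, (list, tuple)):
        values = list(bind)
    else:
        raise ValueError(f"bind must be a string or a list: {bind!r}")
    for value in values:
        if not isinstance(value, str) or not value.strip():
            raise ValueError(f"bind entry must be a non-empty string: {value!r}")
        # A line break would start a new directive in the rendered config,
        # so a value that carries one is rejected rather than written out.
        if "\n" in value or "\r" in value:
            raise ValueError(f"bind entry contains a line break: {value!r}")
    return values


def render_safe(bind, suffix=SUFFIX):
    """Render one bind line per address, whatever shape the variable had."""
    return [f"   bind {b} {suffix}" for b in normalise_bind(bind)]


if __name__ == "__main__":
    address = "10.1.1.2"  # the address shown in the report
    print("\n".join(render_naive(address)))  # eight lines, one per character
    print("\n".join(render_safe(address)))   # the single expected line
```

Inside a Jinja2 template the same normalisation can be done with the built-in `string` test before looping.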

Set distribution variables with `include_vars`

Use this standard pattern instead of set_fact:

- name: Load a variable file based on the OS type, or a default if not found. Using free-form to specify the file.
  include_vars: "{{ item }}"
  with_first_found:
    - "{{ ansible_distribution }}.yml"
    - "{{ ansible_os_family }}.yml"
    - "default.yml"

Role is not idempotent

While check mode works as expected and displays a proper diff between old and new configs, executing the role will always rewrite the configuration directories.

This does not actually break things, but seems like poor design.

Is there a particular reason why there is a removal task before writing the configuration files?

If there is concern about leftovers, why not just leave out those that will be written?

Also, it would be better to use the file module instead of running find, I think.
