ansible/roles/haproxy/tasks/main.yml

---
# Tasks to set up haproxy

- name: Install needed packages
  ansible.builtin.package: name={{ item }} state=present
  with_items:
  - haproxy
  - socat
  tags:
  - packages
  - haproxy

- name: Install haproxy/cfg
  ansible.builtin.template: src={{ item.file }}
        dest={{ item.dest }}
        owner=root group=root mode=0600
  with_items:
  - { file: haproxy.cfg, dest: /etc/haproxy/haproxy.cfg }
  notify:
  - Restart haproxy
  tags:
  - haproxy

- name: Install limits.conf and 503.http
  ansible.builtin.copy: src={{ item.file }}
        dest={{ item.dest }}
        owner=root group=root mode=0600
  with_items:
  - { file: limits.conf, dest: /etc/security/limits.conf }
  - { file: 503.http, dest: /etc/haproxy/503.http }
  tags:
  - haproxy

- name: Install pem cert
  ansible.builtin.copy: src={{ item.file }}
        dest={{ item.dest }}
        owner=root group=root mode=0600
  with_items:
  - { file: "ipa.{{env}}-iad2.pem", dest: /etc/haproxy/ipa.pem }
  - { file: "ocp.{{env_short}}-iad2.pem", dest: "/etc/haproxy/ocp-{{env_short}}.pem" }
  tags:
  - haproxy

- name: Install ocp api pem cert
  ansible.builtin.copy: src={{ private }}/files/httpd/api-int.ocp{{ env_suffix }}.fedoraproject.org.pem
        dest=/etc/haproxy/ocp4.pem
        owner=root group=root mode=0600
  tags:
  - haproxy

- name: Install libsemanage
  ansible.builtin.package:
    state: present
    name:
    - libsemanage-python
  tags:
  - haproxy
  - selinux
  when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int < 30 and ansible_distribution == 'Fedora')

- name: Install libsemanage in a python3 manner
  ansible.builtin.package:
    state: present
    name:
    - python3-libsemanage
  tags:
  - haproxy
  - selinux
  when: (ansible_distribution_major_version|int >= 30 and ansible_distribution == 'Fedora') or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 8)

- name: Turn on certain selinux booleans so haproxy can bind to ports
  seboolean: name={{ item }} state=true persistent=true
  with_items:
  - haproxy_connect_any
  tags:
  - haproxy
  - selinux

# These following four tasks are used for copying over our custom selinux
# module.
- name: Ensure a directory exists for our custom selinux module
  ansible.builtin.file: dest=/usr/share/haproxy state=directory
  tags:
  - haproxy
  - selinux

- name: Copy over our general haproxy selinux module
  ansible.builtin.copy: src=selinux/fi-haproxy.pp dest=/usr/share/haproxy/fi-haproxy.pp
  register: fi_haproxy_module
  tags:
  - haproxy
  - selinux

- name: Check to see if its even installed yet
  ansible.builtin.shell: semodule -l | grep fi-haproxy | wc -l
  register: fi_haproxy_grep
  check_mode: no
  changed_when: "'0' in fi_haproxy_grep.stdout"
  tags:
  - haproxy
  - selinux

- name: Install our general haproxy selinux module
  ansible.builtin.command: semodule -i /usr/share/haproxy/fi-haproxy.pp
  when: fi_haproxy_module is changed or fi_haproxy_grep is changed
  tags:
  - haproxy
  - selinux


- name: Check haproxy cfg to make sure it is valid
  ansible.builtin.command: haproxy -c -f /etc/haproxy/haproxy.cfg
  check_mode: no
  register: haproxyconfigcheck
  changed_when: haproxyconfigcheck.rc != 0
  tags:
  - haproxy

- name: Make sure haproxy is awake and reporting for duty
  service: name=haproxy state=started enabled=yes
  tags:
  - haproxy
Start working on the haproxy role 2014-12-07 23:35:44 +00:00			`---`
			`# Tasks to set up haproxy`

Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Install needed packages`
ansiblelint fixes - fqcn[action-core] - package to ansible.builtin.package Replaces many references to package: with ansible.builtin.package Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 13:22:42 +10:00			`ansible.builtin.package: name={{ item }} state=present`
Start working on the haproxy role 2014-12-07 23:35:44 +00:00			`with_items:`
			`- haproxy`
haproxy: install socat for dynamic stats/control of haproxy Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-06-06 12:22:35 -07:00			`- socat`
Start working on the haproxy role 2014-12-07 23:35:44 +00:00			`tags:`
			`- packages`
Tag up the base haproxy role. 2015-01-06 19:35:41 +00:00			`- haproxy`
Start working on the haproxy role 2014-12-07 23:35:44 +00:00
Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Install haproxy/cfg`
ansiblelint fixes - fqcn[action-core] - template to ansible.builtin.template Replaces references to template: with ansible.builtin.template Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-13 12:24:19 +10:00			`ansible.builtin.template: src={{ item.file }}`
Start working on the haproxy role 2014-12-07 23:35:44 +00:00			`dest={{ item.dest }}`
			`owner=root group=root mode=0600`
			`with_items:`
			`- { file: haproxy.cfg, dest: /etc/haproxy/haproxy.cfg }`
Gotta actually start the thing. 2015-01-06 19:40:05 +00:00			`notify:`
Use first uppercase letter for all handlers This will unify all the handlers to use first uppercase letter for ansible-lint to stop complaining. I went through all `notify:` occurrences and fixed them by running ``` set TEXT "text_to_replace"; set REPLACEMENT "replacement_text"; git grep -rlz "$TEXT" . \| xargs -0 sed -i "s/$TEXT/$REPLACEMENT/g" ``` Then I went through all the changes and removed the ones that wasn't expected to be changed. Fixes https://pagure.io/fedora-infrastructure/issue/12391 Signed-off-by: Michal Konecny <mkonecny@redhat.com> 2025-02-07 13:51:07 +01:00			`- Restart haproxy`
Gotta actually start the thing. 2015-01-06 19:40:05 +00:00			`tags:`
			`- haproxy`

Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Install limits.conf and 503.http`
ansiblelint fixes-- fqcn[action-core] - copy to ansible.builtin.copy Replaces many references to 'copy' with ansible.builtin.copy Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-18 08:23:28 +10:00			`ansible.builtin.copy: src={{ item.file }}`
Start working on the haproxy role 2014-12-07 23:35:44 +00:00			`dest={{ item.dest }}`
			`owner=root group=root mode=0600`
			`with_items:`
			`- { file: limits.conf, dest: /etc/security/limits.conf }`
			`- { file: 503.http, dest: /etc/haproxy/503.http }`
Tag up the base haproxy role. 2015-01-06 19:35:41 +00:00			`tags:`
			`- haproxy`
Selinux boolean for haproxy. 2015-01-06 19:45:58 +00:00
Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Install pem cert`
ansiblelint fixes-- fqcn[action-core] - copy to ansible.builtin.copy Replaces many references to 'copy' with ansible.builtin.copy Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-18 08:23:28 +10:00			`ansible.builtin.copy: src={{ item.file }}`
Proxy IPA through haproxy Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-08-04 21:23:07 +00:00			`dest={{ item.dest }}`
			`owner=root group=root mode=0600`
			`with_items:`
Revert "haproxy: adjust names on files to use .stg" This reverts commit 8b1f44206df09c71e20fc2f150a7332784418783. 2021-08-13 16:37:13 -07:00			`- { file: "ipa.{{env}}-iad2.pem", dest: /etc/haproxy/ipa.pem }`
haproxy: tweak filename for ocp certs Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-08-19 16:13:33 -07:00			`- { file: "ocp.{{env_short}}-iad2.pem", dest: "/etc/haproxy/ocp-{{env_short}}.pem" }`
Proxy IPA through haproxy Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-08-04 21:23:07 +00:00			`tags:`
			`- haproxy`

Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Install ocp api pem cert`
ansiblelint fixes-- fqcn[action-core] - copy to ansible.builtin.copy Replaces many references to 'copy' with ansible.builtin.copy Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-18 08:23:28 +10:00			`ansible.builtin.copy: src={{ private }}/files/httpd/api-int.ocp{{ env_suffix }}.fedoraproject.org.pem`
haproxy: add staging ocp cert for api-int haproxy needs to terminate ssl for the api part of the ocp cluster. We can't do this in apache without listening for non standard ports and that could be a mess, so terminate ssl here and talk into the cluster Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-08-09 10:49:21 -07:00			`dest=/etc/haproxy/ocp4.pem`
			`owner=root group=root mode=0600`
			`tags:`
			`- haproxy`
metrics-for-apps: add ocp4 prod CA cert to haproxy Signed-off-by: David Kirwan <dkirwan@redhat.com> 2021-09-08 12:32:42 +09:00
Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Install libsemanage`
ansiblelint fixes - fqcn[action-core] - package to ansible.builtin.package Replaces many references to package: with ansible.builtin.package Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 13:22:42 +10:00			`ansible.builtin.package:`
install libsemanage a few more times because twice is not enough Signed-off-by: Rick Elrod <relrod@redhat.com> 2019-12-05 22:21:11 +00:00			`state: present`
			`name:`
			`- libsemanage-python`
Selinux boolean for haproxy. 2015-01-06 19:45:58 +00:00			`tags:`
fix tags Signed-off-by: Rick Elrod <relrod@redhat.com> 2019-12-05 22:54:36 +00:00			`- haproxy`
install libsemanage a few more times because twice is not enough Signed-off-by: Rick Elrod <relrod@redhat.com> 2019-12-05 22:21:11 +00:00			`- selinux`
			`when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version\|int < 8) or (ansible_distribution_major_version\|int < 30 and ansible_distribution == 'Fedora')`

Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Install libsemanage in a python3 manner`
ansiblelint fixes - fqcn[action-core] - package to ansible.builtin.package Replaces many references to package: with ansible.builtin.package Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 13:22:42 +10:00			`ansible.builtin.package:`
install libsemanage a few more times because twice is not enough Signed-off-by: Rick Elrod <relrod@redhat.com> 2019-12-05 22:21:11 +00:00			`state: present`
			`name:`
			`- python3-libsemanage`
			`tags:`
fix tags Signed-off-by: Rick Elrod <relrod@redhat.com> 2019-12-05 22:54:36 +00:00			`- haproxy`
Selinux boolean for haproxy. 2015-01-06 19:45:58 +00:00			`- selinux`
install libsemanage a few more times because twice is not enough Signed-off-by: Rick Elrod <relrod@redhat.com> 2019-12-05 22:21:11 +00:00			`when: (ansible_distribution_major_version\|int >= 30 and ansible_distribution == 'Fedora') or (ansible_distribution == 'RedHat' and ansible_distribution_major_version\|int >= 8)`
Selinux boolean for haproxy. 2015-01-06 19:45:58 +00:00
			`- name: Turn on certain selinux booleans so haproxy can bind to ports`
			`seboolean: name={{ item }} state=true persistent=true`
			`with_items:`
			`- haproxy_connect_any`
			`tags:`
			`- haproxy`
			`- selinux`
A custom selinux module for our haproxy setup. 2015-01-06 19:53:19 +00:00
			`# These following four tasks are used for copying over our custom selinux`
			`# module.`
Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Ensure a directory exists for our custom selinux module`
ansiblelint fixes-- fqcn[action-core] - file to ansible.builtin.file Replaces many references to file: with ansible.builtin.file Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-17 15:31:55 +10:00			`ansible.builtin.file: dest=/usr/share/haproxy state=directory`
A custom selinux module for our haproxy setup. 2015-01-06 19:53:19 +00:00			`tags:`
			`- haproxy`
			`- selinux`

Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Copy over our general haproxy selinux module`
ansiblelint fixes-- fqcn[action-core] - copy to ansible.builtin.copy Replaces many references to 'copy' with ansible.builtin.copy Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-18 08:23:28 +10:00			`ansible.builtin.copy: src=selinux/fi-haproxy.pp dest=/usr/share/haproxy/fi-haproxy.pp`
A custom selinux module for our haproxy setup. 2015-01-06 19:53:19 +00:00			`register: fi_haproxy_module`
			`tags:`
			`- haproxy`
			`- selinux`

Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Check to see if its even installed yet`
ansiblelint fixes - fqcn[action-core] - shell to ansible.builtin.shell Replaces references to shell: with ansible.builtin.shell Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 16:42:30 +10:00			`ansible.builtin.shell: semodule -l \| grep fi-haproxy \| wc -l`
A custom selinux module for our haproxy setup. 2015-01-06 19:53:19 +00:00			`register: fi_haproxy_grep`
In ansible 2.2 always_run is depreciated. Switch to check_mode. 2016-11-01 16:29:49 +00:00			`check_mode: no`
A custom selinux module for our haproxy setup. 2015-01-06 19:53:19 +00:00			`changed_when: "'0' in fi_haproxy_grep.stdout"`
			`tags:`
			`- haproxy`
			`- selinux`

Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Install our general haproxy selinux module`
ansiblelint fixes-- fqcn[action-core] - command to ansible.builtin.command Replaces many references to command: with ansible.builtin.command Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 11:22:24 +10:00			`ansible.builtin.command: semodule -i /usr/share/haproxy/fi-haproxy.pp`
first cut at changing all the old \|changed to is changed per ansible deprecations 2018-05-07 23:51:48 +00:00			`when: fi_haproxy_module is changed or fi_haproxy_grep is changed`
A custom selinux module for our haproxy setup. 2015-01-06 19:53:19 +00:00			`tags:`
			`- haproxy`
			`- selinux`
Only check haproxy configs and start after everything is in place Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-08-19 01:18:31 +00:00

Fix name[casing] ansible-lint issues fix 1900 failures of the following case issue: `name[casing]: All names should start with an uppercase letter.` Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2025-01-14 20:18:57 +10:00			`- name: Check haproxy cfg to make sure it is valid`
ansiblelint fixes-- fqcn[action-core] - command to ansible.builtin.command Replaces many references to command: with ansible.builtin.command Signed-off-by: Ryan Lerch <rlerch@redhat.com> 2024-12-19 11:22:24 +10:00			`ansible.builtin.command: haproxy -c -f /etc/haproxy/haproxy.cfg`
In ansible 2.2 always_run is depreciated. Switch to check_mode. 2016-11-01 16:29:49 +00:00			`check_mode: no`
Only check haproxy configs and start after everything is in place Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2015-08-19 01:18:31 +00:00			`register: haproxyconfigcheck`
			`changed_when: haproxyconfigcheck.rc != 0`
			`tags:`
			`- haproxy`

			`- name: Make sure haproxy is awake and reporting for duty`
			`service: name=haproxy state=started enabled=yes`
			`tags:`
			`- haproxy`