b1b0923af0
Our openshift 3.11 cluster(s) served us long and well. Now we have everything finally moved to the openshift 4 clusters (fas2 was the last holdout). We can finally retire this. :) 🎉🥂 Signed-off-by: Kevin Fenzi <kevin@scrye.com>
123 lines
3.2 KiB
YAML
123 lines
3.2 KiB
YAML
---
|
|
# Tasks to set up haproxy
|
|
|
|
- name: install needed packages
|
|
package: name={{ item }} state=present
|
|
with_items:
|
|
- haproxy
|
|
- socat
|
|
tags:
|
|
- packages
|
|
- haproxy
|
|
|
|
- name: install haproxy/cfg
|
|
template: src={{ item.file }}
|
|
dest={{ item.dest }}
|
|
owner=root group=root mode=0600
|
|
with_items:
|
|
- { file: haproxy.cfg, dest: /etc/haproxy/haproxy.cfg }
|
|
notify:
|
|
- restart haproxy
|
|
tags:
|
|
- haproxy
|
|
|
|
- name: install limits.conf and 503.http
|
|
copy: src={{ item.file }}
|
|
dest={{ item.dest }}
|
|
owner=root group=root mode=0600
|
|
with_items:
|
|
- { file: limits.conf, dest: /etc/security/limits.conf }
|
|
- { file: 503.http, dest: /etc/haproxy/503.http }
|
|
tags:
|
|
- haproxy
|
|
|
|
- name: install pem cert
|
|
copy: src={{ item.file }}
|
|
dest={{ item.dest }}
|
|
owner=root group=root mode=0600
|
|
with_items:
|
|
- { file: "ipa.{{env}}-iad2.pem", dest: /etc/haproxy/ipa.pem }
|
|
- { file: "ocp.{{env_short}}-iad2.pem", dest: "/etc/haproxy/ocp-{{env_short}}.pem" }
|
|
tags:
|
|
- haproxy
|
|
|
|
- name: install ocp api pem cert
|
|
copy: src={{ private }}/files/httpd/api-int.ocp{{ env_suffix }}.fedoraproject.org.pem
|
|
dest=/etc/haproxy/ocp4.pem
|
|
owner=root group=root mode=0600
|
|
tags:
|
|
- haproxy
|
|
|
|
- name: install libsemanage
|
|
package:
|
|
state: present
|
|
name:
|
|
- libsemanage-python
|
|
tags:
|
|
- haproxy
|
|
- selinux
|
|
when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int < 30 and ansible_distribution == 'Fedora')
|
|
|
|
- name: install libsemanage in a python3 manner
|
|
package:
|
|
state: present
|
|
name:
|
|
- python3-libsemanage
|
|
tags:
|
|
- haproxy
|
|
- selinux
|
|
when: (ansible_distribution_major_version|int >= 30 and ansible_distribution == 'Fedora') or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 8)
|
|
|
|
- name: Turn on certain selinux booleans so haproxy can bind to ports
|
|
seboolean: name={{ item }} state=true persistent=true
|
|
with_items:
|
|
- haproxy_connect_any
|
|
tags:
|
|
- haproxy
|
|
- selinux
|
|
|
|
# These following four tasks are used for copying over our custom selinux
|
|
# module.
|
|
- name: ensure a directory exists for our custom selinux module
|
|
file: dest=/usr/share/haproxy state=directory
|
|
tags:
|
|
- haproxy
|
|
- selinux
|
|
|
|
- name: copy over our general haproxy selinux module
|
|
copy: src=selinux/fi-haproxy.pp dest=/usr/share/haproxy/fi-haproxy.pp
|
|
register: fi_haproxy_module
|
|
tags:
|
|
- haproxy
|
|
- selinux
|
|
|
|
- name: check to see if its even installed yet
|
|
shell: semodule -l | grep fi-haproxy | wc -l
|
|
register: fi_haproxy_grep
|
|
check_mode: no
|
|
changed_when: "'0' in fi_haproxy_grep.stdout"
|
|
tags:
|
|
- haproxy
|
|
- selinux
|
|
|
|
- name: install our general haproxy selinux module
|
|
command: semodule -i /usr/share/haproxy/fi-haproxy.pp
|
|
when: fi_haproxy_module is changed or fi_haproxy_grep is changed
|
|
tags:
|
|
- haproxy
|
|
- selinux
|
|
|
|
|
|
- name: check haproxy cfg to make sure it is valid
|
|
command: haproxy -c -f /etc/haproxy/haproxy.cfg
|
|
check_mode: no
|
|
register: haproxyconfigcheck
|
|
changed_when: haproxyconfigcheck.rc != 0
|
|
tags:
|
|
- haproxy
|
|
|
|
- name: Make sure haproxy is awake and reporting for duty
|
|
service: name=haproxy state=started enabled=yes
|
|
tags:
|
|
- haproxy
|
|
|