Compare commits
No commits in common. "main" and "v1.0.0" have entirely different histories.
20 changed files with 342 additions and 452 deletions
|
@ -1,18 +0,0 @@
|
|||
---
|
||||
on: [push]
|
||||
jobs:
|
||||
lint:
|
||||
runs-on: docker
|
||||
container:
|
||||
image: code.waks.be/nishiki/molecule:docker
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- run: ansible-lint .
|
||||
- run: yamllint .
|
||||
molecule:
|
||||
runs-on: docker
|
||||
container:
|
||||
image: code.waks.be/nishiki/molecule:docker
|
||||
steps:
|
||||
- uses: actions/checkout@v3
|
||||
- run: molecule test
|
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1,2 +1 @@
|
|||
.kitchen/*
|
||||
*.pyc
|
||||
|
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
image: nishiki/molecule:docker
|
||||
|
||||
before_script:
|
||||
- molecule --version
|
||||
|
||||
molecule:
|
||||
stage: test
|
||||
script:
|
||||
- molecule test
|
27
.kitchen.yml
Normal file
27
.kitchen.yml
Normal file
|
@ -0,0 +1,27 @@
|
|||
---
|
||||
driver:
|
||||
name: docker_cli
|
||||
|
||||
transport:
|
||||
name: docker_cli
|
||||
|
||||
provisioner:
|
||||
name: ansible_playbook
|
||||
hosts: localhost
|
||||
require_ansible_repo: false
|
||||
require_ansible_omnibus: false
|
||||
require_chef_for_busser: true
|
||||
ansible_verbose: false
|
||||
ansible_inventory: ./test/integration/inventory
|
||||
|
||||
platforms:
|
||||
- name: debian-10
|
||||
driver_config:
|
||||
image: "nishiki/debian10:ansible-<%= ENV['ANSIBLE_VERSION'] ? ENV['ANSIBLE_VERSION'] : '2.8' %>"
|
||||
command: /bin/systemd
|
||||
volume:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:ro
|
||||
security_opt: seccomp=unconfined
|
||||
|
||||
suites:
|
||||
- name: default
|
|
@ -2,11 +2,11 @@
|
|||
extends: default
|
||||
|
||||
ignore: |
|
||||
.kitchen*
|
||||
.kitchen/*
|
||||
vendor/
|
||||
.forgejo/
|
||||
|
||||
rules:
|
||||
line-length:
|
||||
max: 120
|
||||
level: warning
|
||||
truthy: false
|
||||
|
|
32
CHANGELOG.md
32
CHANGELOG.md
|
@ -5,38 +5,6 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
### Added
|
||||
|
||||
- add support alpn in bind option
|
||||
- add error files
|
||||
- use multiple ssl certificates on one frontend
|
||||
- test: add support debian 12
|
||||
|
||||
### Changed
|
||||
|
||||
- test: use personal docker registry
|
||||
|
||||
### Removed
|
||||
|
||||
- test: remove support debian 10
|
||||
|
||||
## v1.1.0 - 2021-08-15
|
||||
|
||||
### Added
|
||||
|
||||
- add userlist
|
||||
- can specify the haproxy repository
|
||||
- add resolvers configuration
|
||||
- add debian11 support
|
||||
- add IPs lists
|
||||
|
||||
### Changed
|
||||
|
||||
- change default group for stat socket
|
||||
- reload haproxy after certificate change
|
||||
- chore: use FQCN for module name
|
||||
- test: replace kitchen to molecule
|
||||
|
||||
## v1.0.0 - 2019-11-09
|
||||
|
||||
### Added
|
||||
|
|
8
Gemfile
Normal file
8
Gemfile
Normal file
|
@ -0,0 +1,8 @@
|
|||
source 'https://rubygems.org'
|
||||
|
||||
group :development do
|
||||
gem 'kitchen-ansible'
|
||||
gem 'kitchen-docker_cli'
|
||||
gem 'rubocop', '0.50.0'
|
||||
gem 'test-kitchen'
|
||||
end
|
130
Gemfile.lock
Normal file
130
Gemfile.lock
Normal file
|
@ -0,0 +1,130 @@
|
|||
GEM
|
||||
remote: https://rubygems.org/
|
||||
specs:
|
||||
ast (2.4.0)
|
||||
bcrypt_pbkdf (1.0.1)
|
||||
builder (3.2.3)
|
||||
ed25519 (1.2.4)
|
||||
equatable (0.6.1)
|
||||
erubis (2.7.0)
|
||||
ffi (1.11.1)
|
||||
gssapi (1.3.0)
|
||||
ffi (>= 1.0.1)
|
||||
gyoku (1.3.1)
|
||||
builder (>= 2.1.2)
|
||||
httpclient (2.8.3)
|
||||
kitchen-ansible (0.50.1)
|
||||
net-ssh (>= 3)
|
||||
test-kitchen (>= 1.4)
|
||||
kitchen-docker_cli (0.19.0)
|
||||
test-kitchen (>= 1.3)
|
||||
license-acceptance (1.0.13)
|
||||
pastel (~> 0.7)
|
||||
tomlrb (~> 1.2)
|
||||
tty-box (~> 0.3)
|
||||
tty-prompt (~> 0.18)
|
||||
little-plugger (1.1.4)
|
||||
logging (2.2.2)
|
||||
little-plugger (~> 1.1)
|
||||
multi_json (~> 1.10)
|
||||
mixlib-install (3.11.21)
|
||||
mixlib-shellout
|
||||
mixlib-versioning
|
||||
thor
|
||||
mixlib-shellout (3.0.7)
|
||||
mixlib-versioning (1.2.7)
|
||||
multi_json (1.14.1)
|
||||
necromancer (0.5.0)
|
||||
net-scp (2.0.0)
|
||||
net-ssh (>= 2.6.5, < 6.0.0)
|
||||
net-ssh (5.2.0)
|
||||
net-ssh-gateway (2.0.0)
|
||||
net-ssh (>= 4.0.0)
|
||||
nori (2.6.0)
|
||||
parallel (1.18.0)
|
||||
parser (2.6.5.0)
|
||||
ast (~> 2.4.0)
|
||||
pastel (0.7.3)
|
||||
equatable (~> 0.6)
|
||||
tty-color (~> 0.5)
|
||||
powerpack (0.1.2)
|
||||
rainbow (2.2.2)
|
||||
rake
|
||||
rake (13.0.0)
|
||||
rubocop (0.50.0)
|
||||
parallel (~> 1.10)
|
||||
parser (>= 2.3.3.1, < 3.0)
|
||||
powerpack (~> 0.1)
|
||||
rainbow (>= 2.2.2, < 3.0)
|
||||
ruby-progressbar (~> 1.7)
|
||||
unicode-display_width (~> 1.0, >= 1.0.1)
|
||||
ruby-progressbar (1.10.1)
|
||||
rubyntlm (0.6.2)
|
||||
rubyzip (1.3.0)
|
||||
strings (0.1.6)
|
||||
strings-ansi (~> 0.1)
|
||||
unicode-display_width (~> 1.5)
|
||||
unicode_utils (~> 1.4)
|
||||
strings-ansi (0.1.0)
|
||||
test-kitchen (2.3.3)
|
||||
bcrypt_pbkdf (~> 1.0)
|
||||
ed25519 (~> 1.2)
|
||||
license-acceptance (~> 1.0, >= 1.0.11)
|
||||
mixlib-install (~> 3.6)
|
||||
mixlib-shellout (>= 1.2, < 4.0)
|
||||
net-scp (>= 1.1, < 3.0)
|
||||
net-ssh (>= 2.9, < 6.0)
|
||||
net-ssh-gateway (>= 1.2, < 3.0)
|
||||
thor (~> 0.19)
|
||||
winrm (~> 2.0)
|
||||
winrm-elevated (~> 1.0)
|
||||
winrm-fs (~> 1.1)
|
||||
thor (0.20.3)
|
||||
tomlrb (1.2.8)
|
||||
tty-box (0.5.0)
|
||||
pastel (~> 0.7.2)
|
||||
strings (~> 0.1.6)
|
||||
tty-cursor (~> 0.7)
|
||||
tty-color (0.5.0)
|
||||
tty-cursor (0.7.0)
|
||||
tty-prompt (0.19.0)
|
||||
necromancer (~> 0.5.0)
|
||||
pastel (~> 0.7.0)
|
||||
tty-reader (~> 0.6.0)
|
||||
tty-reader (0.6.0)
|
||||
tty-cursor (~> 0.7)
|
||||
tty-screen (~> 0.7)
|
||||
wisper (~> 2.0.0)
|
||||
tty-screen (0.7.0)
|
||||
unicode-display_width (1.6.0)
|
||||
unicode_utils (1.4.0)
|
||||
winrm (2.3.2)
|
||||
builder (>= 2.1.2)
|
||||
erubis (~> 2.7)
|
||||
gssapi (~> 1.2)
|
||||
gyoku (~> 1.0)
|
||||
httpclient (~> 2.2, >= 2.2.0.2)
|
||||
logging (>= 1.6.1, < 3.0)
|
||||
nori (~> 2.0)
|
||||
rubyntlm (~> 0.6.0, >= 0.6.1)
|
||||
winrm-elevated (1.1.1)
|
||||
winrm (~> 2.0)
|
||||
winrm-fs (~> 1.0)
|
||||
winrm-fs (1.3.2)
|
||||
erubis (~> 2.7)
|
||||
logging (>= 1.6.1, < 3.0)
|
||||
rubyzip (~> 1.1)
|
||||
winrm (~> 2.0)
|
||||
wisper (2.0.1)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
||||
DEPENDENCIES
|
||||
kitchen-ansible
|
||||
kitchen-docker_cli
|
||||
rubocop (= 0.50.0)
|
||||
test-kitchen
|
||||
|
||||
BUNDLED WITH
|
||||
2.0.2
|
94
README.md
94
README.md
|
@ -1,21 +1,17 @@
|
|||
# Ansible role: Haproxy
|
||||
|
||||
[![Version](https://img.shields.io/badge/latest_version-1.1.0-green.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/releases)
|
||||
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://code.waks.be/nishiki/ansible-role-haproxy/src/branch/main/LICENSE)
|
||||
[![Build](https://code.waks.be/nishiki/ansible-role-haproxy/actions/workflows/molecule.yml/badge.svg?branch=main)](https://code.waks.be/nishiki/ansible-role-haproxy/actions?workflow=molecule.yml)
|
||||
[![Version](https://img.shields.io/badge/latest_version-1.0.0-green.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/releases)
|
||||
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://git.yaegashi.fr/nishiki/ansible-role-haproxy/src/branch/master/LICENSE)
|
||||
|
||||
Install and configure haproxy
|
||||
|
||||
## Requirements
|
||||
|
||||
- Ansible >= 2.10
|
||||
- Debian
|
||||
- Bullseye
|
||||
- Bookworm
|
||||
* Ansible >= 2.8
|
||||
* Debian Buster
|
||||
|
||||
## Role variables
|
||||
|
||||
- `haproxy_apt_release` - set the apt release to use (default: `ansible_distribution_release`)
|
||||
- `haproxy_global` - hash with the global configuration
|
||||
|
||||
```
|
||||
|
@ -75,14 +71,6 @@ Install and configure haproxy
|
|||
- 'uri /haproxy_stats'
|
||||
```
|
||||
|
||||
- `haproxy_resolvers` - hash with the resolvers configuration
|
||||
|
||||
```
|
||||
dns:
|
||||
local:
|
||||
- dns1 127.0.0.1:53
|
||||
```
|
||||
|
||||
- `haproxy_frontends` - hash with the frontends configuration
|
||||
|
||||
```
|
||||
|
@ -91,9 +79,6 @@ Install and configure haproxy
|
|||
ip: '*'
|
||||
port: 443
|
||||
ssl:
|
||||
cert:
|
||||
- /etc/haproxy/ssl1.pem
|
||||
- /etc/haproxy/ssl2.pem
|
||||
default_backend: backend-app
|
||||
frontend-http:
|
||||
bind:
|
||||
|
@ -107,11 +92,9 @@ Install and configure haproxy
|
|||
acl:
|
||||
- acl_test1-https hdr(host) test1.example.net
|
||||
- acl_test2-https hdr(host) test2.example.net
|
||||
- acl_blacklist src -f /etc/haproxy/blacklist.list
|
||||
use_backend:
|
||||
- backend-app if acl_test1-https
|
||||
- backend-app if acl_test2-https
|
||||
- backend-app if acl_test1-https acl_blacklist
|
||||
```
|
||||
|
||||
- `haproxy_backends` - hash with the backend configuration
|
||||
|
@ -132,26 +115,6 @@ Install and configure haproxy
|
|||
- host2 127.0.0.1:80 check maxconn 1000 inter 15s
|
||||
```
|
||||
|
||||
- `haproxy_ips_lists` - hash with the ips list to use in haproxy
|
||||
|
||||
```
|
||||
blacklist:
|
||||
- 192.168.0.0/16
|
||||
- 172.10.10.0/24
|
||||
public_withlist:
|
||||
- 8.8.8.8
|
||||
```
|
||||
|
||||
- `haproxy_userlists` - hash with the userlist for basic auth
|
||||
|
||||
```
|
||||
restricted:
|
||||
group:
|
||||
- admin
|
||||
user:
|
||||
- admin password 84375611a53741f7e94b09eb49127f41 groups admin
|
||||
```
|
||||
|
||||
- `haproxy_ssl_certificates` - hash with ssl certificates to copy
|
||||
|
||||
```
|
||||
|
@ -163,32 +126,6 @@ Install and configure haproxy
|
|||
.....
|
||||
```
|
||||
|
||||
- `haproxy_http_errors` - hash with http error groups
|
||||
|
||||
```
|
||||
test:
|
||||
503: test-503
|
||||
```
|
||||
|
||||
- `haproxy_http_errors_file` - hash with http error files
|
||||
|
||||
```
|
||||
test-503: |
|
||||
HTTP/1.1 503 Service Unavailable
|
||||
Cache-Control: no-cache
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<body>
|
||||
<main>
|
||||
This is my custom 503 page
|
||||
</main>
|
||||
</body>
|
||||
</html>
|
||||
```
|
||||
|
||||
## How to use
|
||||
|
||||
```
|
||||
|
@ -199,12 +136,25 @@ Install and configure haproxy
|
|||
|
||||
## Development
|
||||
|
||||
### Test with molecule and docker
|
||||
### Test syntax with yamllint
|
||||
|
||||
- install [docker](https://docs.docker.com/engine/installation/)
|
||||
- install `python3` and `python3-pip`
|
||||
- install molecule and dependencies `pip3 install molecule 'molecule[docker]' docker ansible-lint testinfra yamllint`
|
||||
- run `molecule test`
|
||||
* install `python` and `python-pip`
|
||||
* install yamllint `pip install yamllint`
|
||||
* run `yamllint .`
|
||||
|
||||
### Test syntax with ansible-lint
|
||||
|
||||
* install `python` and `python-pip`
|
||||
* install yamllint `pip install ansible-lint`
|
||||
* run `ansible-lint .`
|
||||
|
||||
### Tests with docker
|
||||
|
||||
* install [docker](https://docs.docker.com/engine/installation/)
|
||||
* install ruby
|
||||
* install bundler `gem install bundler`
|
||||
* install dependencies `bundle install`
|
||||
* run the tests `kitchen test`
|
||||
|
||||
## License
|
||||
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
haproxy_apt_release: "{{ ansible_distribution_release }}"
|
||||
haproxy_stats_username: admin
|
||||
haproxy_stats_password: secret
|
||||
|
||||
haproxy_global: {}
|
||||
haproxy_default_global:
|
||||
log-send-hostname: true
|
||||
|
@ -11,8 +11,8 @@ haproxy_default_global:
|
|||
user: haproxy
|
||||
group: haproxy
|
||||
daemon: true
|
||||
stats: socket /var/lib/haproxy/stats group haproxy mode 660
|
||||
haproxy_full_global: "{{ haproxy_default_global | combine(haproxy_global) }}"
|
||||
stats: socket /var/lib/haproxy/stats
|
||||
haproxy_full_global: '{{ haproxy_default_global|combine(haproxy_global) }}'
|
||||
|
||||
haproxy_defaults: {}
|
||||
haproxy_default_defaults:
|
||||
|
@ -34,7 +34,7 @@ haproxy_default_defaults:
|
|||
- http-keep-alive 10s
|
||||
- check 10s
|
||||
maxconn: 4096
|
||||
haproxy_full_defaults: "{{ haproxy_default_defaults | combine(haproxy_defaults) }}"
|
||||
haproxy_full_defaults: '{{ haproxy_default_defaults|combine(haproxy_defaults) }}'
|
||||
|
||||
haproxy_listen_stats: {}
|
||||
haproxy_default_listen_stats:
|
||||
|
@ -49,18 +49,13 @@ haproxy_default_listen_stats:
|
|||
- connect 30s
|
||||
- queue 30s
|
||||
stats:
|
||||
- "refresh 5s"
|
||||
- "show-node"
|
||||
- "realm Haproxy\ Statistics"
|
||||
- "auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}"
|
||||
- "uri /haproxy_stats"
|
||||
haproxy_full_listen_stats: "{{ haproxy_default_listen_stats | combine(haproxy_listen_stats, recursive=True) }}"
|
||||
- 'refresh 5s'
|
||||
- 'show-node'
|
||||
- 'realm Haproxy\ Statistics'
|
||||
- 'auth {{ haproxy_stats_username }}:{{ haproxy_stats_password }}'
|
||||
- 'uri /haproxy_stats'
|
||||
haproxy_full_listen_stats: '{{ haproxy_default_listen_stats|combine(haproxy_listen_stats, recursive=True) }}'
|
||||
|
||||
haproxy_frontends: {}
|
||||
haproxy_backends: {}
|
||||
haproxy_ssl_certificates: {}
|
||||
haproxy_ips_lists: {}
|
||||
haproxy_resolvers: {}
|
||||
haproxy_userlists: {}
|
||||
haproxy_http_errors: {}
|
||||
haproxy_http_error_files: {}
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: Reload haproxy
|
||||
ansible.builtin.service:
|
||||
- name: reload haproxy
|
||||
service:
|
||||
name: haproxy
|
||||
state: reloaded
|
||||
|
|
|
@ -1,19 +1,16 @@
|
|||
---
|
||||
galaxy_info:
|
||||
role_name: haproxy
|
||||
namespace: nishiki
|
||||
author: Adrien Waksberg
|
||||
description: Install and configure Haproxy
|
||||
company: Adrien Waksberg
|
||||
license: Apache2
|
||||
|
||||
min_ansible_version: "2.10"
|
||||
min_ansible_version: 2.8
|
||||
|
||||
platforms:
|
||||
- name: Debian
|
||||
versions:
|
||||
- bullseye
|
||||
- bookworm
|
||||
- 10
|
||||
|
||||
galaxy_tags:
|
||||
- haproxy
|
||||
|
|
|
@ -1,106 +0,0 @@
|
|||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
roles:
|
||||
- ansible-role-haproxy
|
||||
vars:
|
||||
haproxy_http_errors:
|
||||
test:
|
||||
503: test
|
||||
haproxy_http_error_files:
|
||||
test: |
|
||||
HTTP/1.1 503 Service Unavailable
|
||||
Cache-Control: no-cache
|
||||
Connection: close
|
||||
Content-Type: text/html
|
||||
|
||||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<body>
|
||||
<main>
|
||||
This is my custom 503 page
|
||||
</main>
|
||||
</body>
|
||||
</html>
|
||||
haproxy_ssl_certificates:
|
||||
www-example-com: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
test
|
||||
haproxy_ips_lists:
|
||||
blacklist:
|
||||
- 172.10.0.0/16
|
||||
- 192.168.1.1
|
||||
haproxy_resolvers:
|
||||
dns:
|
||||
nameserver: dns1 127.0.0.1:53
|
||||
haproxy_userlists:
|
||||
restricted:
|
||||
group:
|
||||
- admin
|
||||
user:
|
||||
- admin insecure-password password groups admin
|
||||
haproxy_frontends:
|
||||
main:
|
||||
bind:
|
||||
ip: '*'
|
||||
port: 5000
|
||||
alpn: h2,http/1.1
|
||||
acl:
|
||||
- url_static path_beg -i /static /images /javascript /stylesheets
|
||||
- url_static path_end -i .jpg .gif .png .css .js
|
||||
frontend-test-https:
|
||||
bind:
|
||||
ip: '*'
|
||||
port: 80
|
||||
mode: http
|
||||
default_backend: backend-test-https
|
||||
option:
|
||||
- 'forwardfor except 127.0.0.0/8'
|
||||
- 'httplog'
|
||||
- 'http-server-close'
|
||||
acl:
|
||||
- acl_test1-https hdr(host) test1.example.net
|
||||
- acl_test2-https hdr(host) test2.example.net
|
||||
- acl_blacklist src -f /etc/haproxy/blacklist.list
|
||||
- acl_auth_path path -i /auth/
|
||||
- acl_auth http_auth(restricted)
|
||||
errorfiles: test
|
||||
http-request:
|
||||
- auth realm restricted if acl_auth_path !acl_auth
|
||||
- return status 200 content-type "text/plain" string "Good" if acl_auth_path
|
||||
use_backend:
|
||||
- backend-test-https if acl_test1-https
|
||||
- backend-test-resolver if acl_test2-https
|
||||
- backend-test-https if acl_test1-https acl_blacklist
|
||||
haproxy_backends:
|
||||
backend-test-https:
|
||||
mode: http
|
||||
balance: roundrobin
|
||||
stick-table: type ip size 512k expire 30m
|
||||
stick: on src
|
||||
option:
|
||||
- 'ssl-hello-chk'
|
||||
- 'tcp-check'
|
||||
- 'log-health-checks'
|
||||
- 'forwardfor header X-Forwarded-For'
|
||||
server:
|
||||
- host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
|
||||
- host2 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
|
||||
backend-test-resolver:
|
||||
mode: http
|
||||
balance: roundrobin
|
||||
stick-table: type ip size 512k expire 30m
|
||||
stick: on src
|
||||
option:
|
||||
- 'ssl-hello-chk'
|
||||
server:
|
||||
- google.fr google.com:443 ssl verify none check resolvers dns init-addr none
|
||||
|
||||
pre_tasks:
|
||||
- name: add backports repository
|
||||
ansible.builtin.apt_repository:
|
||||
repo: 'deb http://deb.debian.org/debian {{ ansible_distribution_release }}-backports main'
|
||||
|
||||
- name: update apt cache
|
||||
ansible.builtin.apt:
|
||||
update_cache: true
|
|
@ -1,28 +0,0 @@
|
|||
---
|
||||
driver:
|
||||
name: docker
|
||||
platforms:
|
||||
- name: debian12
|
||||
image: code.waks.be/nishiki/molecule:debian12
|
||||
privileged: true
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:rw
|
||||
cgroupns_mode: host
|
||||
command: /bin/systemd
|
||||
capabilities:
|
||||
- SYS_ADMIN
|
||||
- name: debian11
|
||||
image: code.waks.be/nishiki/molecule:debian11
|
||||
privileged: true
|
||||
volumes:
|
||||
- /sys/fs/cgroup:/sys/fs/cgroup:rw
|
||||
cgroupns_mode: host
|
||||
command: /bin/systemd
|
||||
capabilities:
|
||||
- SYS_ADMIN
|
||||
lint: |
|
||||
set -e
|
||||
yamllint .
|
||||
ansible-lint .
|
||||
verifier:
|
||||
name: testinfra
|
|
@ -1,57 +0,0 @@
|
|||
import testinfra.utils.ansible_runner
|
||||
|
||||
def test_packages(host):
|
||||
package = host.package('haproxy')
|
||||
assert package.is_installed
|
||||
|
||||
def test_config_file(host):
|
||||
path = host.file('/etc/haproxy/haproxy.cfg')
|
||||
assert path.exists
|
||||
assert path.is_file
|
||||
assert path.user == 'root'
|
||||
assert path.group == 'root'
|
||||
assert path.mode == 0o640
|
||||
assert path.contains('bind \\*:5000 alpn h2,http/1.1')
|
||||
assert path.contains('server host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s')
|
||||
assert path.contains('resolvers dns')
|
||||
|
||||
def test_certificate_file(host):
|
||||
path = host.file('/etc/haproxy/www-example-com.pem')
|
||||
assert path.exists
|
||||
assert path.is_file
|
||||
assert path.user == 'root'
|
||||
assert path.group == 'root'
|
||||
assert path.mode == 0o600
|
||||
assert path.contains('test')
|
||||
|
||||
def test_ips_list_file(host):
|
||||
path = host.file('/etc/haproxy/blacklist.list')
|
||||
assert path.exists
|
||||
assert path.is_file
|
||||
assert path.user == 'root'
|
||||
assert path.group == 'root'
|
||||
assert path.mode == 0o644
|
||||
assert path.contains('172.10.0.0/16\n192.168.1.1')
|
||||
|
||||
def test_service(host):
|
||||
service = host.service('haproxy')
|
||||
assert service.is_running
|
||||
assert service.is_enabled
|
||||
|
||||
def test_sockets(host):
|
||||
for port in [80, 5000]:
|
||||
socket = host.socket('tcp://0.0.0.0:%d' % (port))
|
||||
assert socket.is_listening
|
||||
|
||||
def test_auth(host):
|
||||
cmd = host.run('curl -v -u admin:password http://127.0.0.1/auth/')
|
||||
assert cmd.succeeded
|
||||
assert cmd.stdout == 'Good'
|
||||
cmd = host.run('curl -v -u admin:badpassword http://127.0.0.1/auth/')
|
||||
assert cmd.succeeded
|
||||
assert '401 Unauthorized' in cmd.stdout
|
||||
|
||||
def test_error_file(host):
|
||||
cmd = host.run('curl -v http://127.0.0.1/')
|
||||
assert cmd.succeeded
|
||||
assert 'This is my custom 503 page' in cmd.stdout
|
|
@ -1,71 +1,36 @@
|
|||
---
|
||||
- name: Install package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- haproxy
|
||||
default_release: "{{ haproxy_apt_release }}"
|
||||
- name: install Haproxy
|
||||
package:
|
||||
name: haproxy
|
||||
retries: 2
|
||||
register: result
|
||||
until: result is succeeded
|
||||
tags: haproxy
|
||||
|
||||
- name: Copy ssl certificates
|
||||
ansible.builtin.copy:
|
||||
content: "{{ item.value }}"
|
||||
dest: "/etc/haproxy/{{ item.key }}.pem"
|
||||
- name: copy ssl certificates
|
||||
copy:
|
||||
content: '{{ item.value }}'
|
||||
dest: /etc/haproxy/{{ item.key }}.pem
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0600"
|
||||
loop: "{{ haproxy_ssl_certificates | dict2items }}"
|
||||
mode: 0600
|
||||
loop: '{{ haproxy_ssl_certificates|dict2items }}'
|
||||
no_log: true
|
||||
notify: Reload haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: Copy IPs lists
|
||||
ansible.builtin.copy:
|
||||
content: "{{ item.value | join('\n') }}"
|
||||
dest: "/etc/haproxy/{{ item.key }}.list"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
loop: "{{ haproxy_ips_lists | dict2items }}"
|
||||
loop_control:
|
||||
label: "{{ item.key }}"
|
||||
notify: Reload haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: Create http errors directory
|
||||
ansible.builtin.file:
|
||||
path: "/etc/haproxy/errors"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
state: directory
|
||||
tags: haproxy
|
||||
|
||||
- name: Copy http errors file
|
||||
ansible.builtin.copy:
|
||||
content: "{{ item.value }}"
|
||||
dest: "/etc/haproxy/errors/{{ item.key }}.http"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
loop: "{{ haproxy_http_error_files | dict2items }}"
|
||||
loop_control:
|
||||
label: "{{ item.key }}"
|
||||
notify: Reload haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: Copy config file
|
||||
ansible.builtin.template:
|
||||
- name: copy config file
|
||||
template:
|
||||
src: haproxy.cfg.j2
|
||||
dest: /etc/haproxy/haproxy.cfg
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
mode: 0640
|
||||
validate: haproxy -c -f %s
|
||||
notify: Reload haproxy
|
||||
notify: reload haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: Enable ans start service
|
||||
ansible.builtin.service:
|
||||
- name: enable ans start service
|
||||
service:
|
||||
name: haproxy
|
||||
enabled: true
|
||||
state: started
|
||||
|
|
|
@ -41,44 +41,11 @@ listen stats
|
|||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{% for resolver, config in haproxy_resolvers.items() %}
|
||||
resolvers {{ resolver }}
|
||||
{% for key, value in config.items() %}
|
||||
{% if value is iterable and value is not string %}
|
||||
{% for option in value %}
|
||||
{{ key }} {{ option }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
||||
{% for http_error_name, config in haproxy_http_errors.items() %}
|
||||
http-errors {{ http_error_name }}
|
||||
{% for status_code, file in config.items() %}
|
||||
errorfile {{ status_code }} /etc/haproxy/errors/{{ file }}.http
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
||||
{% for userlist, config in haproxy_userlists.items() %}
|
||||
userlist {{ userlist }}
|
||||
{% for key, value in config.items() %}
|
||||
{% if value is iterable and value is not string %}
|
||||
{% for option in value %}
|
||||
{{ key }} {{ option }}
|
||||
{% endfor %}
|
||||
{% else %}
|
||||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
{% endfor %}
|
||||
{% for frontend, config in haproxy_frontends.items() %}
|
||||
frontend {{ frontend }}
|
||||
{% for key, value in config.items() %}
|
||||
{% for key, value in config.items()|sort if key != 'acl' and key != 'use_backend' %}
|
||||
{% if key == "bind" %}
|
||||
bind {{ value["ip"] }}:{{ value["port"] }}{% if value["alpn"] is defined %} alpn {{ value["alpn"] }}{% endif %}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {% if value["ssl"]["crt"] is string %}{{ value["ssl"]["crt"] }}{% else %}{{ value["ssl"]["crt"]|join(' crt ') }}{% endif %}{% endif %}
|
||||
bind {{ value["ip"] }}:{{ value["port"] }}{% if value["ssl"] is defined %} ssl{% if value["ssl"]["ciphers"] is defined %} ciphers {{ value["ssl"]["ciphers"]|join(':') }}{% endif %}{% if value["ssl"]["crt"]%} crt {{ value["ssl"]["crt"] }}{% endif %}
|
||||
{% endif %}
|
||||
|
||||
{% elif value is iterable and value is not string %}
|
||||
|
@ -89,6 +56,16 @@ frontend {{ frontend }}
|
|||
{{ key }} {{ value }}
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
{% if 'acl' in config %}
|
||||
{% for option in config['acl'] %}
|
||||
acl {{ option }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
{% if 'use_backend' in config %}
|
||||
{% for option in config['use_backend'] %}
|
||||
use_backend {{ option }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
|
||||
|
|
49
test/integration/default/default.yml
Normal file
49
test/integration/default/default.yml
Normal file
|
@ -0,0 +1,49 @@
|
|||
---
|
||||
- hosts: localhost
|
||||
connection: local
|
||||
vars:
|
||||
haproxy_ssl_certificates:
|
||||
www-example-com: |
|
||||
-----BEGIN CERTIFICATE-----
|
||||
test
|
||||
haproxy_frontends:
|
||||
main:
|
||||
bind:
|
||||
ip: '*'
|
||||
port: 5000
|
||||
acl:
|
||||
- url_static path_beg -i /static /images /javascript /stylesheets
|
||||
- url_static path_end -i .jpg .gif .png .css .js
|
||||
frontend-test-https:
|
||||
bind:
|
||||
ip: 127.0.0.1
|
||||
port: 80
|
||||
mode: http
|
||||
default_backend: backend-test-https
|
||||
option:
|
||||
- 'forwardfor except 127.0.0.0/8'
|
||||
- 'httplog'
|
||||
- 'http-server-close'
|
||||
acl:
|
||||
- acl_test1-https hdr(host) test1.example.net
|
||||
- acl_test2-https hdr(host) test2.example.net
|
||||
use_backend:
|
||||
- backend-test-https if acl_test1-https
|
||||
- backend-test-https if acl_test2-https
|
||||
haproxy_backends:
|
||||
backend-test-https:
|
||||
mode: http
|
||||
balance: roundrobin
|
||||
stick-table: type ip size 512k expire 30m
|
||||
stick: on src
|
||||
option:
|
||||
- 'ssl-hello-chk'
|
||||
- 'tcp-check'
|
||||
- 'log-health-checks'
|
||||
- 'forwardfor header X-Forwarded-For'
|
||||
server:
|
||||
- host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
|
||||
- host2 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s
|
||||
|
||||
roles:
|
||||
- ansible-role-haproxy
|
43
test/integration/default/serverspec/default_spec.rb
Normal file
43
test/integration/default/serverspec/default_spec.rb
Normal file
|
@ -0,0 +1,43 @@
|
|||
require 'serverspec'
|
||||
|
||||
set :backend, :exec
|
||||
|
||||
puts
|
||||
puts '================================'
|
||||
puts %x(ansible --version)
|
||||
puts '================================'
|
||||
|
||||
describe package('haproxy') do
|
||||
it { should be_installed }
|
||||
end
|
||||
|
||||
describe file('/etc/haproxy/haproxy.cfg') do
|
||||
it { should be_file }
|
||||
it { should be_mode 640 }
|
||||
it { should be_owned_by 'root' }
|
||||
it { should be_grouped_into 'root' }
|
||||
it { should contain 'server host1 127.0.0.1:443 ssl verify none check maxconn 1000 inter 15s' }
|
||||
end
|
||||
|
||||
describe file('/etc/haproxy/www-example-com.pem') do
|
||||
it { should be_file }
|
||||
it { should be_mode 600 }
|
||||
it { should be_owned_by 'root' }
|
||||
it { should be_grouped_into 'root' }
|
||||
it { should contain 'test' }
|
||||
end
|
||||
|
||||
describe service('haproxy') do
|
||||
it { should be_enabled }
|
||||
it { should be_running.under('systemd') }
|
||||
end
|
||||
|
||||
[80, 5000].each do |port|
|
||||
describe port(port) do
|
||||
it { should be_listening.with('tcp') }
|
||||
end
|
||||
end
|
||||
|
||||
describe command('haproxy -c -f /etc/haproxy/haproxy.cfg') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
end
|
1
test/integration/inventory
Normal file
1
test/integration/inventory
Normal file
|
@ -0,0 +1 @@
|
|||
localhost
|
Loading…
Reference in a new issue