WarlockFish/fedora-infra_ansible
1
0
Fork 0
mirror of https://pagure.io/fedora-infra/ansible.git synced 2026-04-29 21:10:20 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
be1b1503d64a2be5a1dfd32ebdda931679d1ebdb
fedora-infra_ansible/roles/haproxy/tasks/main.yml
Adam Williamson 9da2cfb6f2 haproxy: IPA certs don't depend on data center 
The IPA cert doesn't change when we move datacenters, because we
just replicate across. So it shouldn't have the datacenter in the
name. This should fix haproxy deployment (it was broken because
we didn't have an 'rdu3' file).

Signed-off-by: Adam Williamson <awilliam@redhat.com>
2025-07-03 11:55:59 -07:00

125 lines
3.5 KiB
YAML
Raw Blame History

---
# Tasks to set up haproxy
- name: Install needed packages
ansible.builtin.package: name={{ item }} state=present
with_items:
- haproxy
- socat
tags:
- packages
- haproxy
- name: Install haproxy/cfg
ansible.builtin.template: src={{ item.file }}
dest={{ item.dest }}
owner=root group=root mode=0600
with_items:
- { file: haproxy.cfg, dest: /etc/haproxy/haproxy.cfg }
notify:
- Restart haproxy
tags:
- haproxy
- name: Install limits.conf and 503.http
ansible.builtin.copy: src={{ item.file }}
dest={{ item.dest }}
owner=root group=root mode=0600
with_items:
- { file: limits.conf, dest: /etc/security/limits.conf }
- { file: 503.http, dest: /etc/haproxy/503.http }
tags:
- haproxy
- name: Install pem cert
ansible.builtin.copy: src={{ item.file }}
dest={{ item.dest }}
owner=root group=root mode=0600
with_items:
# this one does not necessarily change when we move DCs, due to replication
- { file: "ipa.{{env}}.pem", dest: /etc/haproxy/ipa.pem }
- { file: "ocp.{{env_short}}-rdu3.pem", dest: "/etc/haproxy/ocp-{{env_short}}.pem" }
- { file: "ocp.{{env_short}}-rdu3.pem", dest: "/etc/haproxy/ocp-{{env_short}}-rdu3.pem" }
tags:
- haproxy
- name: Install ocp api pem cert
ansible.builtin.copy: src={{ private }}/files/httpd/api-int.ocp{{ env_suffix }}.fedoraproject.org.pem
dest=/etc/haproxy/ocp4.pem
owner=root group=root mode=0600
tags:
- haproxy
- name: Install libsemanage
ansible.builtin.package:
state: present
name:
- libsemanage-python
tags:
- haproxy
- selinux
when: (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int < 8) or (ansible_distribution_major_version|int < 30 and ansible_distribution == 'Fedora')
- name: Install libsemanage in a python3 manner
ansible.builtin.package:
state: present
name:
- python3-libsemanage
tags:
- haproxy
- selinux
when: (ansible_distribution_major_version|int >= 30 and ansible_distribution == 'Fedora') or (ansible_distribution == 'RedHat' and ansible_distribution_major_version|int >= 8)
- name: Turn on certain selinux booleans so haproxy can bind to ports
seboolean: name={{ item }} state=true persistent=true
with_items:
- haproxy_connect_any
tags:
- haproxy
- selinux
# These following four tasks are used for copying over our custom selinux
# module.
- name: Ensure a directory exists for our custom selinux module
ansible.builtin.file: dest=/usr/share/haproxy state=directory
tags:
- haproxy
- selinux
- name: Copy over our general haproxy selinux module
ansible.builtin.copy: src=selinux/fi-haproxy.pp dest=/usr/share/haproxy/fi-haproxy.pp
register: fi_haproxy_module
tags:
- haproxy
- selinux
- name: Check to see if its even installed yet
ansible.builtin.shell: semodule -l | grep fi-haproxy | wc -l
register: fi_haproxy_grep
check_mode: no
changed_when: "'0' in fi_haproxy_grep.stdout"
tags:
- haproxy
- selinux
- name: Install our general haproxy selinux module
ansible.builtin.command: semodule -i /usr/share/haproxy/fi-haproxy.pp
when: fi_haproxy_module is changed or fi_haproxy_grep is changed
tags:
- haproxy
- selinux
- name: Check haproxy cfg to make sure it is valid
ansible.builtin.command: haproxy -c -f /etc/haproxy/haproxy.cfg
check_mode: no
register: haproxyconfigcheck
changed_when: haproxyconfigcheck.rc != 0
tags:
- haproxy
- name: Make sure haproxy is awake and reporting for duty
service: name=haproxy state=started enabled=yes
tags:
- haproxy
Reference in New Issue View Git Blame Copy Permalink