This is an automated email from the ASF dual-hosted git repository.

machristie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airavata.git


The following commit(s) were added to refs/heads/master by this push:
     new 709493625c Ansible: fixes for haproxy configuration
709493625c is described below

commit 709493625c7ea8b7127473fd99804727697fe250
Author: Marcus Christie <[email protected]>
AuthorDate: Tue Jun 6 12:40:01 2023 -0400

    Ansible: fixes for haproxy configuration
---
 dev-tools/ansible/roles/api-orch/defaults/main.yml        |  7 ++++++-
 .../api-orch/files/prepareLetsEncryptCertificates.sh      |  1 +
 dev-tools/ansible/roles/api-orch/handlers/main.yml        |  3 ++-
 .../api-orch/tasks/haproxy/install_deps_Centos_7.yml      |  1 +
 dev-tools/ansible/roles/api-orch/tasks/main.yml           | 15 +++++++++++----
 dev-tools/ansible/roles/api-orch/templates/haproxy.cfg.j2 |  4 ++--
 6 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/dev-tools/ansible/roles/api-orch/defaults/main.yml 
b/dev-tools/ansible/roles/api-orch/defaults/main.yml
index 1c7c2f9a28..0f6fa218b5 100644
--- a/dev-tools/ansible/roles/api-orch/defaults/main.yml
+++ b/dev-tools/ansible/roles/api-orch/defaults/main.yml
@@ -49,6 +49,11 @@ thrift_client_pool_abandoned_removal_enabled: false
 thrift_client_pool_abandoned_removal_logged: false
 
 api_server_public_hostname: "localhost"
-haproxy_conf_destination: "/etc/haproxy/haproxy.cfg"
 haproxy_api_server_ssl_cert: "/etc/ssl/{{ api_server_public_hostname }}/{{ 
api_server_public_hostname }}.pem"
 api_server_letsencrypt_ssl_cert: "/etc/letsencrypt/live/{{ 
api_server_public_hostname }}/cert.pem"
+haproxy_service_name:
+ CentOS_7: haproxy18
+ Rocky_8: haproxy
+haproxy_config_dir:
+ CentOS_7: /etc/haproxy18/
+ Rocky_8: /etc/haproxy/
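Review bot: The lookup key `ansible_distribution + "_" + ansible_distribution_major_version` that indexes these two new maps is re-spelled in five tasks and the handler; defining it once here, `haproxy_distro_key: "{{ ansible_distribution }}_{{ ansible_distribution_major_version }}"`, lets every consumer read `haproxy_service_name[haproxy_distro_key]` and keeps the fail-fast behaviour on an unlisted distribution (an undefined-key error rather than a silent default, which is the right outcome) in one place. The nested `CentOS_7`/`Rocky_8` keys are indented by one space while the rest of the file uses two; yamllint flags the mismatch, and Ansible style is two spaces throughout. Note that the `haproxy_config_dir` values end in `/` and tasks/main.yml appends `/haproxy.cfg` and `/prepareLetsEncryptCertificates.sh`, so rendered paths contain `//`; harmless on Linux, but if it is normalised it should be in the consumers, since the trailing slash is what makes the `copy` dest a directory.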
diff --git 
a/dev-tools/ansible/roles/api-orch/files/prepareLetsEncryptCertificates.sh 
b/dev-tools/ansible/roles/api-orch/files/prepareLetsEncryptCertificates.sh
index ba99e0ac7d..81387518a5 100644
--- a/dev-tools/ansible/roles/api-orch/files/prepareLetsEncryptCertificates.sh
+++ b/dev-tools/ansible/roles/api-orch/files/prepareLetsEncryptCertificates.sh
@@ -8,6 +8,7 @@ for CERTIFICATE in `find /etc/letsencrypt/live/* -type d`; do
   CERTIFICATE=`basename $CERTIFICATE`
 
   # Combine certificate and private key to single file
+  mkdir -p /etc/ssl/$CERTIFICATE/
   cat /etc/letsencrypt/live/$CERTIFICATE/fullchain.pem 
/etc/letsencrypt/live/$CERTIFICATE/privkey.pem > 
/etc/ssl/$CERTIFICATE/$CERTIFICATE.pem
 
 done
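Review bot: The combined PEM written just below the new `mkdir -p` contains the Let's Encrypt private key, but neither the directory nor the file gets an explicit mode, so with a typical root umask of 022 the key ends up world-readable under `/etc/ssl/<host>/`. Create the leaf directory restricted and write the file under a tight umask: `mkdir -p -m 0700 "/etc/ssl/$CERTIFICATE/"` and `( umask 077; cat "/etc/letsencrypt/live/$CERTIFICATE/fullchain.pem" "/etc/letsencrypt/live/$CERTIFICATE/privkey.pem" > "/etc/ssl/$CERTIFICATE/$CERTIFICATE.pem" )`; `-m` applies only to the last path component, which is the one that matters here. This presumably still works for HAProxy because it loads certificates at startup before dropping privileges, but that is worth confirming on the haproxy18 build rather than assumed. The `for` loop this hunk sits in begins above the hunk.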
diff --git a/dev-tools/ansible/roles/api-orch/handlers/main.yml 
b/dev-tools/ansible/roles/api-orch/handlers/main.yml
index 5ab12f6a36..08d9f9eafd 100644
--- a/dev-tools/ansible/roles/api-orch/handlers/main.yml
+++ b/dev-tools/ansible/roles/api-orch/handlers/main.yml
@@ -20,5 +20,6 @@
 
 ---
 - name: restart haproxy
-  service: name=haproxy state=reloaded enabled=yes
+  service: name={{ haproxy_service_name[ansible_distribution + "_" + 
ansible_distribution_major_version]}} state=reloaded enabled=yes
   become: yes
+  become_user: root
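Review bot: Style: `become: yes` directly above the new `become_user` line is a YAML 1.1 truthy value that yamllint's `truthy` rule flags, and the same role already writes `become: true` in install_deps_Centos_7.yml; while the handler is being touched, the `key=value` argument string could become native YAML (`service:` with `name:`, `state: reloaded`, `enabled: true`), which also sidesteps quoting problems around the Jinja lookup. The handler is named `restart haproxy` but performs `state=reloaded`, which is the right action for picking up a rotated certificate without dropping in-flight connections; a one-line comment, `# reload (not restart) so in-flight connections survive certificate rotation`, would keep a future reader from "fixing" it.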
diff --git 
a/dev-tools/ansible/roles/api-orch/tasks/haproxy/install_deps_Centos_7.yml 
b/dev-tools/ansible/roles/api-orch/tasks/haproxy/install_deps_Centos_7.yml
index ee115be015..9776dd4eea 100644
--- a/dev-tools/ansible/roles/api-orch/tasks/haproxy/install_deps_Centos_7.yml
+++ b/dev-tools/ansible/roles/api-orch/tasks/haproxy/install_deps_Centos_7.yml
@@ -23,6 +23,7 @@
 - name: yum install haproxy18 (Centos 7)
   yum: name=haproxy18 state=present
   become: true
+  become_user: root
 
 
 ...
diff --git a/dev-tools/ansible/roles/api-orch/tasks/main.yml 
b/dev-tools/ansible/roles/api-orch/tasks/main.yml
index 9399c01805..3128c8a926 100644
--- a/dev-tools/ansible/roles/api-orch/tasks/main.yml
+++ b/dev-tools/ansible/roles/api-orch/tasks/main.yml
@@ -96,7 +96,7 @@
 - name: copy prepareLetsEncryptCertificates.sh script
   copy:
     src: prepareLetsEncryptCertificates.sh
-    dest: "/etc/haproxy/"
+    dest: "{{ haproxy_config_dir[ansible_distribution + '_' + 
ansible_distribution_major_version]}}"
     mode: 755
   become_user: root
 
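Review bot: `mode: 755` on the context line below the new `dest` is an unquoted integer, which Ansible treats as decimal 755 (octal 01363) rather than rwxr-xr-x; it should be `mode: "0755"`, and since only root invokes this script from the certbot post-hook, `mode: "0700"` is the least-privilege choice. The Jinja lookup in `dest` duplicates the same `ansible_distribution + '_' + ansible_distribution_major_version` expression used elsewhere in the role; computing it once as a role default and referencing that name here would keep the tasks readable.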
@@ -112,26 +112,33 @@
   when: not stat_api_server_ssl_cert_result.stat.exists
 
 - name: set certificate renewal post-hook
-  command: certbot renew --force-renewal --installer null --standalone 
--post-hook "/etc/haproxy/prepareLetsEncryptCertificates.sh && systemctl reload 
haproxy.service" --quiet
+  command: certbot renew --force-renewal --installer null --standalone 
--post-hook "{{ haproxy_config_dir[ansible_distribution + '_' + 
ansible_distribution_major_version]}}/prepareLetsEncryptCertificates.sh && 
systemctl reload {{ haproxy_service_name[ansible_distribution + '_' + 
ansible_distribution_major_version]}}.service" --quiet
   become_user: root
   # Renewal might fail due to rate limiting, which is fine since we only need 
to set the post-hook
   ignore_errors: true
 
 # Use HAProxy to proxy SSL port to non-SSL port
+- name: allow haproxy to bind to TCP ports
+  seboolean:
+    name: haproxy_connect_any
+    state: yes
+    persistent: yes
+  become_user: root
+  when: ansible_os_family == "RedHat"
 
 - name: Install HAProxy
   include_tasks: haproxy/install_deps_{{ ansible_distribution }}_{{ 
ansible_distribution_major_version }}.yml
 
 - name: Copy HAProxy config file
   template: src=haproxy.cfg.j2
-            dest={{ haproxy_conf_destination }}
+            dest={{ haproxy_config_dir[ansible_distribution + "_" + 
ansible_distribution_major_version]}}/haproxy.cfg
             backup=true
   become_user: root
   notify:
     - restart haproxy
 
 - name: start haproxy
-  service: name=haproxy state=started enabled=yes daemon_reload=yes
+  service: name={{ haproxy_service_name[ansible_distribution + "_" + 
ansible_distribution_major_version]}} state=started enabled=yes 
daemon_reload=yes
   become: true
   become_user: root
 
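Review bot: The new `seboolean` task is named "allow haproxy to bind to TCP ports" but `haproxy_connect_any` lets the haproxy domain connect to (and, in the targeted policy, bind) any TCP port, which is wider than the stated intent; if the only need is the SSL frontend port and the API backend port, labelling just those with `semanage port -a -t http_port_t -p tcp <port>` (or the `seport` module) is the least-privilege alternative, and either way the task name should describe what is actually granted. The task sets `become_user: root` without `become: true`, unlike the `start haproxy` task below it; this presumably relies on play-level `become`, but if that is absent `become_user` alone has no effect and the boolean is never set. `seboolean` also needs the SELinux Python bindings on the target (`libselinux-python` on CentOS 7, `python3-libselinux` on Rocky 8), which nothing in the hunk installs. The rendered post-hook on the `certbot renew` line contains `//` because the config-dir defaults already end in `/`; harmless, but dropping the literal `/` before `prepareLetsEncryptCertificates.sh` here keeps the hook tidy.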
diff --git a/dev-tools/ansible/roles/api-orch/templates/haproxy.cfg.j2 
b/dev-tools/ansible/roles/api-orch/templates/haproxy.cfg.j2
index 202ff8c0d3..d7352896ae 100644
--- a/dev-tools/ansible/roles/api-orch/templates/haproxy.cfg.j2
+++ b/dev-tools/ansible/roles/api-orch/templates/haproxy.cfg.j2
@@ -36,8 +36,8 @@ global
     stats socket /var/lib/haproxy/stats
 
     # utilize system-wide crypto-policies
-    ssl-default-bind-ciphers PROFILE=SYSTEM
-    ssl-default-server-ciphers PROFILE=SYSTEM
+    # ssl-default-bind-ciphers PROFILE=SYSTEM
+    # ssl-default-server-ciphers PROFILE=SYSTEM
 
 #---------------------------------------------------------------------
 # common defaults that all the 'listen' and 'backend' sections will
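Review bot: Commenting out both `ssl-default-*-ciphers PROFILE=SYSTEM` lines removes the crypto-policy binding on every platform, not only the one that cannot parse it; presumably haproxy18 on CentOS 7 rejects `PROFILE=SYSTEM`, which only exists with RHEL/Rocky 8 crypto-policies, but the result is that the Rocky 8 frontend now runs on HAProxy's compiled-in defaults and CentOS 7 (OpenSSL 1.0.2) keeps TLS 1.0/1.1 and legacy suites enabled on the public API port. Keep `PROFILE=SYSTEM` where it works and give the legacy build an explicit cipher list plus a protocol floor via a Jinja branch on `ansible_distribution`, matching the `CentOS_7`/`Rocky_8` split the role already uses; the list below is a starting point to validate with `haproxy -c -f` on both hosts. `ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11` is accepted by every HAProxy 1.5+ build, so it is safe on haproxy18. The `global` section this hunk edits starts above the hunk.
```jinja
    stats socket /var/lib/haproxy/stats

{% if ansible_distribution == "Rocky" %}
    # Rocky 8: defer cipher selection to the system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM
{% else %}
    # CentOS 7 / haproxy18 (OpenSSL 1.0.2, no crypto-policies): pin a modern
    # suite list and refuse legacy protocol versions on the public frontend
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!aNULL:!MD5:!DSS:!3DES
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
{% endif %}
```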
