first commit

handlers/main.yml

@@ -0,0 +1,4 @@
+- name: Reload haproxy
+  service:
+    name: haproxy
+    state: reloaded

tasks/firewalld.yml

@@ -0,0 +1,46 @@
+- name: Ensure firewalld is enabled
+  service:
+    name: firewalld
+    enabled: true
+    state: started
+
+- name: Set external interface
+  firewalld:
+    state: enabled
+    interface: eth1
+    zone: external
+    permanent: yes
+    immediate: yes
+
+- name: Set internal interface
+  firewalld:
+    state: enabled
+    interface: eth2
+    zone: internal
+    permanent: yes
+    immediate: yes
+
+- name: Open firewalld ports
+  firewalld:
+    port: "{{ item.port }}"
+    state: enabled
+    zone: "{{ item.zone }}"
+    immediate: yes
+    permanent: yes
+  loop:
+    - port: 80/tcp
+      zone: external
+    - port: 443/tcp
+      zone: external
+    - port: 80/tcp
+      zone: internal
+    - port: 443/tcp
+      zone: internal
+    - port: 22623/tcp
+      zone: internal
+    - port: 8000/tcp
+      zone: internal
+    - port: 6443/tcp
+      zone: internal
+    - port: 6443/tcp
+      zone: external

tasks/haproxy.yml

@@ -0,0 +1,36 @@
+- name: Enable epel
+  yum:
+    name: epel-release 
+
+- name: Install haproxy
+  yum:
+    name: haproxy
+
+- name: python selinux package
+  yum:
+    name: python3-libselinux, policycoreutils-python-utils
+
+- name: Allow haproxy to connect to any port
+  seboolean:
+    name: haproxy_connect_any
+    persistent: yes
+    state: yes
+
+- name: Allow haproxy to listen on required ports
+  seport:
+    setype: http_port_t
+    ports: ["80", "443", "6443", "22623"]
+    proto: tcp
+
+- name: Haproxy configuration
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    mode: 0644
+  notify: Reload haproxy
+
+- name: Haproxy service
+  service:
+    name: haproxy
+    enabled: true
+    state: started

tasks/main.yml

@@ -0,0 +1,10 @@
+- name: Enable ipv4 forwarding
+  sysctl:
+    name: net.ipv4.ip_forward
+    value: '1'
+    sysctl_set: yes
+    state: present
+    reload: yes
+
+- import_tasks: firewalld.yml
+- import_tasks: haproxy.yml

templates/haproxy.cfg.j2

@@ -0,0 +1,115 @@
+#---------------------------------------------------------------------
+# Example configuration for a possible web application.  See the
+# full configuration options online.
+#
+#   https://www.haproxy.org/download/1.8/doc/configuration.txt
+#
+#---------------------------------------------------------------------
+
+#---------------------------------------------------------------------
+# Global settings
+#---------------------------------------------------------------------
+global
+    # to have these messages end up in /var/log/haproxy.log you will
+    # need to:
+    #
+    # 1) configure syslog to accept network log events.  This is done
+    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
+    #    /etc/sysconfig/syslog
+    #
+    # 2) configure local2 events to go to the /var/log/haproxy.log
+    #   file. A line like the following can be added to
+    #   /etc/sysconfig/syslog
+    #
+    #    local2.*                       /var/log/haproxy.log
+    #
+    log         127.0.0.1 local2
+
+    chroot      /var/lib/haproxy
+    pidfile     /var/run/haproxy.pid
+    maxconn     4000
+    user        haproxy
+    group       haproxy
+    daemon
+
+    # turn on stats unix socket
+    stats socket /var/lib/haproxy/stats
+
+    # utilize system-wide crypto-policies
+    ssl-default-bind-ciphers PROFILE=SYSTEM
+    ssl-default-server-ciphers PROFILE=SYSTEM
+
+#---------------------------------------------------------------------
+# common defaults that all the 'listen' and 'backend' sections will
+# use if not designated in their block
+#---------------------------------------------------------------------
+defaults
+    mode                    http
+    log                     global
+#    option                  httplog
+    option                  dontlognull
+    option http-server-close
+#    option forwardfor       except 127.0.0.0/8
+    option                  redispatch
+    retries                 3
+    timeout http-request    10s
+    timeout queue           1m
+    timeout connect         10s
+    timeout client          1m
+    timeout server          1m
+    timeout http-keep-alive 10s
+    timeout check           10s
+    maxconn                 3000
+
+#---------------------------------------------------------------------
+# main frontend which proxys to the backends
+#---------------------------------------------------------------------
+frontend api
+    bind *:6443
+    mode tcp
+    default_backend api
+
+frontend machineconfig
+    bind *:22623
+    mode tcp
+    default_backend machineconfig
+
+frontend web
+    bind *:80
+    mode tcp
+    default_backend nodes-web
+
+frontend websecure
+    bind *:443
+    mode tcp
+    default_backend nodes-websecure
+
+backend api
+    mode tcp
+    option ssl-hello-chk
+    balance roundrobin
+    server bootstrap 10.32.101.3:6443 check
+    server master0  10.32.101.4:6443 check
+
+backend machineconfig
+    mode tcp
+    option ssl-hello-chk
+    balance roundrobin
+    server bootstrap 10.32.101.3:22623 check
+    server master0  10.32.101.4:22623 check
+
+backend nodes-web
+    mode tcp
+    option httpchk GET /_______internal_router_healthz
+    balance roundrobin
+    server worker0  10.32.101.5:80 check
+    server worker1  10.32.101.6:80 check
+    server worker2  10.32.101.7:80 check
+
+backend nodes-websecure
+    mode tcp
+    option ssl-hello-chk
+    balance roundrobin
+    server worker0  10.32.101.5:443 check
+    server worker1  10.32.101.6:443 check
+    server worker2  10.32.101.7:443 check