ceph-ansible/roles/ceph-rgw-loadbalancer/templates/haproxy.cfg.j2

# {{ ansible_managed  }}
global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     8000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats
{% if haproxy_frontend_ssl_certificate %}
    tune.ssl.default-dh-param {{ haproxy_ssl_dh_param }}
    ssl-default-bind-ciphers {{ haproxy_ssl_ciphers | join(':') }}
    ssl-default-bind-options {{ haproxy_ssl_options | join(' ') }}
{% endif %}
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 8000

frontend rgw-frontend
{% if haproxy_frontend_ssl_certificate %}
    bind *:{{ haproxy_frontend_ssl_port }} ssl crt {{ haproxy_frontend_ssl_certificate }}
{% else %}
    bind *:{{ haproxy_frontend_port }}
{% endif %}
    default_backend rgw-backend

# when running in an selinux environment, selinux restricts the ports that haproxy can
# connect to to:
#  * 80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t) and,
#  * 8080, 8118, 8123, 10001-10010 (http_cache_port_t)
#
# Practically speaking, it would be preferable (and perhaps easier) to configure the
# rgw daemons to listen on ports 10001-10010 and configure haproxy here to match.
#
# Alternatively you can add other unused ports to http_port_t or http_cache_port_t
# with, e.g.: `semanage port -a -t http_cache_port_t -p tcp 8085`
# (Note that ports 8081-8084 are already taken and can't be used for haproxy.)
#
backend rgw-backend
    option forwardfor
    balance static-rr
    option httpchk HEAD /
{% for host in groups[rgw_group_name] %}
{% for instance in hostvars[host]['rgw_instances'] %}
	server {{ 'server-' + hostvars[host]['ansible_facts']['hostname'] + '-' + instance['instance_name'] }} {{ instance['radosgw_address'] }}:{{ instance['radosgw_frontend_port'] }} weight 100 check
{% endfor %}
{% endfor %}
Add role definitions of ceph-rgw-loadbalancer This add support for rgw loadbalancer based on HAProxy and Keepalived. We define a single role ceph-rgw-loadbalancer and include HAProxy and Keepalived configurations all in this. A single haproxy backend is used to balance all RGW instances and a single frontend is exported via a single port, default 80. Keepalived is used to maintain the high availability of all haproxy instances. You are free to use any number of VIPs. A single VIP is shared across all keepalived instances and there will be one master for one VIP, selected sequentially, and others serve as backups. This assumes that each keepalived instance is on the same node as one haproxy instance and we use a simple check script to detect the state of each haproxy instance and trigger the VIP failover upon its failure. Signed-off-by: guihecheng <guihecheng@cmiot.chinamobile.com> 2019-04-04 10:54:41 +08:00			`# {{ ansible_managed }}`
			`global`
			`log 127.0.0.1 local2`

			`chroot /var/lib/haproxy`
			`pidfile /var/run/haproxy.pid`
			`maxconn 8000`
			`user haproxy`
			`group haproxy`
			`daemon`
			`stats socket /var/lib/haproxy/stats`
ceph-rgw-loadbalancer: Fix SSL newline issue The ad7a5da commit introduced a regression when using TLS on haproxy via the haproxy_frontend_ssl_certificate variable. This cause the "stats socket" and the "tune.ssl.default-dh-param" parameters to be on the same line resulting haproxy failing to start. [ALERT] 351/140240 (21388) : parsing [xxxxx] : 'stats socket' : unknown keyword 'tune.ssl.default-dh-param'. Registered [ALERT] 351/140240 (21388) : Fatal errors found in configuration. Fixes: #4869 Signed-off-by: Florian Faltermeier <florian.faltermeier@uibk.ac.at> 2019-12-18 21:31:57 +08:00			`{% if haproxy_frontend_ssl_certificate %}`
Add option for HAproxy to act a SSL frontend termination point for loadbalanced RGW instances. Signed-off-by: Stanley Lam <stanleylam_604@hotmail.com> 2019-11-22 06:40:51 +08:00			`tune.ssl.default-dh-param {{ haproxy_ssl_dh_param }}`
			`ssl-default-bind-ciphers {{ haproxy_ssl_ciphers \| join(':') }}`
			`ssl-default-bind-options {{ haproxy_ssl_options \| join(' ') }}`
			`{% endif %}`
Add role definitions of ceph-rgw-loadbalancer This add support for rgw loadbalancer based on HAProxy and Keepalived. We define a single role ceph-rgw-loadbalancer and include HAProxy and Keepalived configurations all in this. A single haproxy backend is used to balance all RGW instances and a single frontend is exported via a single port, default 80. Keepalived is used to maintain the high availability of all haproxy instances. You are free to use any number of VIPs. A single VIP is shared across all keepalived instances and there will be one master for one VIP, selected sequentially, and others serve as backups. This assumes that each keepalived instance is on the same node as one haproxy instance and we use a simple check script to detect the state of each haproxy instance and trigger the VIP failover upon its failure. Signed-off-by: guihecheng <guihecheng@cmiot.chinamobile.com> 2019-04-04 10:54:41 +08:00			`defaults`
			`mode http`
			`log global`
			`option httplog`
			`option dontlognull`
			`option http-server-close`
			`option forwardfor except 127.0.0.0/8`
			`option redispatch`
			`retries 3`
			`timeout http-request 10s`
			`timeout queue 1m`
			`timeout connect 10s`
			`timeout client 1m`
			`timeout server 1m`
			`timeout http-keep-alive 10s`
			`timeout check 10s`
			`maxconn 8000`

			`frontend rgw-frontend`
Add option for HAproxy to act a SSL frontend termination point for loadbalanced RGW instances. Signed-off-by: Stanley Lam <stanleylam_604@hotmail.com> 2019-11-22 06:40:51 +08:00			`{% if haproxy_frontend_ssl_certificate %}`
			`bind *:{{ haproxy_frontend_ssl_port }} ssl crt {{ haproxy_frontend_ssl_certificate }}`
			`{% else %}`
Add role definitions of ceph-rgw-loadbalancer This add support for rgw loadbalancer based on HAProxy and Keepalived. We define a single role ceph-rgw-loadbalancer and include HAProxy and Keepalived configurations all in this. A single haproxy backend is used to balance all RGW instances and a single frontend is exported via a single port, default 80. Keepalived is used to maintain the high availability of all haproxy instances. You are free to use any number of VIPs. A single VIP is shared across all keepalived instances and there will be one master for one VIP, selected sequentially, and others serve as backups. This assumes that each keepalived instance is on the same node as one haproxy instance and we use a simple check script to detect the state of each haproxy instance and trigger the VIP failover upon its failure. Signed-off-by: guihecheng <guihecheng@cmiot.chinamobile.com> 2019-04-04 10:54:41 +08:00			`bind *:{{ haproxy_frontend_port }}`
Add option for HAproxy to act a SSL frontend termination point for loadbalanced RGW instances. Signed-off-by: Stanley Lam <stanleylam_604@hotmail.com> 2019-11-22 06:40:51 +08:00			`{% endif %}`
Add role definitions of ceph-rgw-loadbalancer This add support for rgw loadbalancer based on HAProxy and Keepalived. We define a single role ceph-rgw-loadbalancer and include HAProxy and Keepalived configurations all in this. A single haproxy backend is used to balance all RGW instances and a single frontend is exported via a single port, default 80. Keepalived is used to maintain the high availability of all haproxy instances. You are free to use any number of VIPs. A single VIP is shared across all keepalived instances and there will be one master for one VIP, selected sequentially, and others serve as backups. This assumes that each keepalived instance is on the same node as one haproxy instance and we use a simple check script to detect the state of each haproxy instance and trigger the VIP failover upon its failure. Signed-off-by: guihecheng <guihecheng@cmiot.chinamobile.com> 2019-04-04 10:54:41 +08:00			`default_backend rgw-backend`

rgw-loadbalancer: Update haproxy.cfg.j2 haproxy gets an AVC when configured to connect to port 8081 This commit adds a snippet regarding haproxy in a selinux environment Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1923890 Signed-off-by: Kaleb S KEITHLEY <kkeithle@redhat.com> 2021-03-10 05:10:35 +08:00			`# when running in an selinux environment, selinux restricts the ports that haproxy can`
			`# connect to to:`
			`# * 80, 81, 443, 488, 8008, 8009, 8443, 9000 (http_port_t) and,`
			`# * 8080, 8118, 8123, 10001-10010 (http_cache_port_t)`
			`#`
			`# Practically speaking, it would be preferable (and perhaps easier) to configure the`
			`# rgw daemons to listen on ports 10001-10010 and configure haproxy here to match.`
			`#`
			`# Alternatively you can add other unused ports to http_port_t or http_cache_port_t`
			# with, e.g.: `semanage port -a -t http_cache_port_t -p tcp 8085`
			`# (Note that ports 8081-8084 are already taken and can't be used for haproxy.)`
			`#`
Add role definitions of ceph-rgw-loadbalancer This add support for rgw loadbalancer based on HAProxy and Keepalived. We define a single role ceph-rgw-loadbalancer and include HAProxy and Keepalived configurations all in this. A single haproxy backend is used to balance all RGW instances and a single frontend is exported via a single port, default 80. Keepalived is used to maintain the high availability of all haproxy instances. You are free to use any number of VIPs. A single VIP is shared across all keepalived instances and there will be one master for one VIP, selected sequentially, and others serve as backups. This assumes that each keepalived instance is on the same node as one haproxy instance and we use a simple check script to detect the state of each haproxy instance and trigger the VIP failover upon its failure. Signed-off-by: guihecheng <guihecheng@cmiot.chinamobile.com> 2019-04-04 10:54:41 +08:00			`backend rgw-backend`
			`option forwardfor`
			`balance static-rr`
Enable HAProxy backend checks for Ceph RGW Add the `check` option to server definitions to enable basic HAProxy health checks for Ceph RADOS gateway backends. Currently traffic will be forwarded to unhealthly `radosgw.service` servers. These changes resolve the issue. Signed-off-by: Niko Smeds nikosmeds@gmail.com 2020-03-06 06:24:56 +08:00			`option httpchk HEAD /`
Add role definitions of ceph-rgw-loadbalancer This add support for rgw loadbalancer based on HAProxy and Keepalived. We define a single role ceph-rgw-loadbalancer and include HAProxy and Keepalived configurations all in this. A single haproxy backend is used to balance all RGW instances and a single frontend is exported via a single port, default 80. Keepalived is used to maintain the high availability of all haproxy instances. You are free to use any number of VIPs. A single VIP is shared across all keepalived instances and there will be one master for one VIP, selected sequentially, and others serve as backups. This assumes that each keepalived instance is on the same node as one haproxy instance and we use a simple check script to detect the state of each haproxy instance and trigger the VIP failover upon its failure. Signed-off-by: guihecheng <guihecheng@cmiot.chinamobile.com> 2019-04-04 10:54:41 +08:00			`{% for host in groups[rgw_group_name] %}`
			`{% for instance in hostvars[host]['rgw_instances'] %}`
Use ansible_facts It has come to our attention that using ansible_* vars that are populated with INJECT_FACTS_AS_VARS=True is not very performant. In order to be able to support setting that to off, we need to update the references to use ansible_facts[<thing>] instead of ansible_<thing>. Related: ansible#73654 Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1935406 Signed-off-by: Alex Schultz <aschultz@redhat.com> 2021-03-03 22:43:50 +08:00			`server {{ 'server-' + hostvars[host]['ansible_facts']['hostname'] + '-' + instance['instance_name'] }} {{ instance['radosgw_address'] }}:{{ instance['radosgw_frontend_port'] }} weight 100 check`
Add role definitions of ceph-rgw-loadbalancer This add support for rgw loadbalancer based on HAProxy and Keepalived. We define a single role ceph-rgw-loadbalancer and include HAProxy and Keepalived configurations all in this. A single haproxy backend is used to balance all RGW instances and a single frontend is exported via a single port, default 80. Keepalived is used to maintain the high availability of all haproxy instances. You are free to use any number of VIPs. A single VIP is shared across all keepalived instances and there will be one master for one VIP, selected sequentially, and others serve as backups. This assumes that each keepalived instance is on the same node as one haproxy instance and we use a simple check script to detect the state of each haproxy instance and trigger the VIP failover upon its failure. Signed-off-by: guihecheng <guihecheng@cmiot.chinamobile.com> 2019-04-04 10:54:41 +08:00			`{% endfor %}`
			`{% endfor %}`