Refactor haproxy config (split by service) V2.0

Having all services in one giant haproxy file makes altering
configuration for a service both painful and dangerous. Each service
should be configured with a simple set of variables and rendered with a
single unified template.

Available are two new templates:

* haproxy_single_service_listen.cfg.j2: close to the original style, but
only one service per file
* haproxy_single_service_split.cfg.j2: using the newer haproxy syntax
for separated frontend and backend

For now the default will be the single listen block, for ease of
transition.

Change-Id: I6e237438fbc0aa3c89a3c8bd706a53b74e71904b

ansible/group_vars/all.yml

@@ -208,6 +208,7 @@ gnocchi_api_port: "8041"
 grafana_server_port: "3000"
 
 haproxy_stats_port: "1984"
+haproxy_monitor_port: "61313"
 
 heat_api_port: "8004"
 heat_api_cfn_port: "8000"

ansible/inventory/all-in-one

@@ -493,6 +493,12 @@ solum
 [solum-conductor:children]
 solum
 
+[solum-application-deployment:children]
+solum
+
+[solum-image-builder:children]
+solum
+
 # Mistral
 [mistral-api:children]
 mistral

ansible/inventory/multinode

@@ -509,6 +509,12 @@ solum
 [solum-conductor:children]
 solum
 
+[solum-application-deployment:children]
+solum
+
+[solum-image-builder:children]
+solum
+
 # Mistral
 [mistral-api:children]
 mistral

ansible/roles/aodh/defaults/main.yml

@@ -14,6 +14,17 @@ aodh_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/aodh/aodh:/var/lib/kolla/venv/lib/python2.7/site-packages/aodh' if aodh_dev_mode | bool else '' }}"
     dimensions: "{{ aodh_api_dimensions }}"
+    haproxy:
+      aodh_api:
+        enabled: "{{ enable_aodh }}"
+        mode: "http"
+        external: false
+        port: "{{ aodh_api_port }}"
+      aodh_api_external:
+        enabled: "{{ enable_aodh }}"
+        mode: "http"
+        external: true
+        port: "{{ aodh_api_port }}"
   aodh-evaluator:
     container_name: aodh_evaluator
     group: aodh-evaluator

ansible/roles/aodh/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ aodh_services }}"
+  tags: always

ansible/roles/barbican/defaults/main.yml

@@ -14,6 +14,17 @@ barbican_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/barbican/barbican:/var/lib/kolla/venv/lib/python2.7/site-packages/barbican' if barbican_dev_mode | bool else '' }}"
     dimensions: "{{ barbican_api_dimensions }}"
+    haproxy:
+      barbican_api:
+        enabled: "{{ enable_barbican }}"
+        mode: "http"
+        external: false
+        port: "{{ barbican_api_port }}"
+      barbican_api_external:
+        enabled: "{{ enable_barbican }}"
+        mode: "http"
+        external: true
+        port: "{{ barbican_api_port }}"
   barbican-keystone-listener:
     container_name: barbican_keystone_listener
     group: barbican-keystone-listener

ansible/roles/barbican/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ barbican_services }}"
+  tags: always

ansible/roles/blazar/defaults/main.yml

@@ -13,6 +13,17 @@ blazar_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/blazar/blazar:/var/lib/kolla/venv/lib/python2.7/site-packages/blazar' if blazar_dev_mode | bool else '' }}"
     dimensions: "{{ blazar_api_dimensions }}"
+    haproxy:
+      blazar_api:
+        enabled: "{{ enable_blazar }}"
+        mode: "http"
+        external: false
+        port: "{{ blazar_api_port }}"
+      blazar_api_external:
+        enabled: "{{ enable_blazar }}"
+        mode: "http"
+        external: true
+        port: "{{ blazar_api_port }}"
   blazar-manager:
     container_name: blazar_manager
     group: blazar-manager

ansible/roles/blazar/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ blazar_services }}"
+  tags: always

ansible/roles/ceph/defaults/main.yml

@@ -1,6 +1,22 @@
 ---
 project_name: "ceph"
 
+ceph_services:
+  ceph-rgw:
+    group: ceph-rgw
+    enabled: "{{ enable_ceph_rgw|bool }}"
+    haproxy:
+      radosgw:
+        enabled: "{{ enable_ceph|bool and enable_ceph_rgw|bool }}"
+        mode: "http"
+        external: false
+        port: "{{ rgw_port }}"
+      radosgw_external:
+        enabled: "{{ enable_ceph|bool and enable_ceph_rgw|bool }}"
+        mode: "http"
+        external: true
+        port: "{{ rgw_port }}"
+
 
 ####################
 # Docker

ansible/roles/ceph/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ ceph_services }}"
+  tags: always

ansible/roles/cinder/defaults/main.yml

@@ -13,6 +13,17 @@ cinder_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/cinder/cinder:/var/lib/kolla/venv/lib/python2.7/site-packages/cinder' if cinder_dev_mode | bool else '' }}"
     dimensions: "{{ cinder_api_dimensions }}"
+    haproxy:
+      cinder_api:
+        enabled: "{{ enable_cinder }}"
+        mode: "http"
+        external: false
+        port: "{{ cinder_api_port }}"
+      cinder_api_external:
+        enabled: "{{ enable_cinder }}"
+        mode: "http"
+        external: true
+        port: "{{ cinder_api_port }}"
   cinder-scheduler:
     container_name: cinder_scheduler
     group: cinder-scheduler

ansible/roles/cinder/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ cinder_services }}"
+  tags: always

ansible/roles/cloudkitty/defaults/main.yml

@@ -13,6 +13,17 @@ cloudkitty_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/cloudkitty/cloudkitty:/var/lib/kolla/venv/lib/python2.7/site-packages/cloudkitty' if cloudkitty_dev_mode | bool else '' }}"
     dimensions: "{{ cloudkitty_api_dimensions }}"
+    haproxy:
+      cloudkitty_api:
+        enabled: "{{ enable_cloudkitty }}"
+        mode: "http"
+        external: false
+        port: "{{ cloudkitty_api_port }}"
+      cloudkitty_api_external:
+        enabled: "{{ enable_cloudkitty }}"
+        mode: "http"
+        external: true
+        port: "{{ cloudkitty_api_port }}"
   cloudkitty-processor:
     container_name: "cloudkitty_processor"
     group: "cloudkitty-processor"

ansible/roles/cloudkitty/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ cloudkitty_services }}"
+  tags: always

ansible/roles/congress/defaults/main.yml

@@ -13,6 +13,17 @@ congress_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/congress/congress:/var/lib/kolla/venv/lib/python2.7/site-packages/congress' if congress_dev_mode | bool else '' }}"
     dimensions: "{{ congress_api_dimensions }}"
+    haproxy:
+      congress_api:
+        enabled: "{{ enable_congress }}"
+        mode: "http"
+        external: false
+        port: "{{ congress_api_port }}"
+      congress_api_external:
+        enabled: "{{ enable_congress }}"
+        mode: "http"
+        external: true
+        port: "{{ congress_api_port }}"
   congress-policy-engine:
     container_name: congress_policy_engine
     group: congress-policy-engine

ansible/roles/congress/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ congress_services }}"
+  tags: always

ansible/roles/designate/defaults/main.yml

@@ -13,6 +13,17 @@ designate_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/designate/designate:/var/lib/kolla/venv/lib/python2.7/site-packages/designate' if designate_dev_mode | bool else '' }}"
     dimensions: "{{ designate_api_dimensions }}"
+    haproxy:
+      designate_api:
+        enabled: "{{ enable_designate }}"
+        mode: "http"
+        external: false
+        port: "{{ designate_api_port }}"
+      designate_api_external:
+        enabled: "{{ enable_designate }}"
+        mode: "http"
+        external: true
+        port: "{{ designate_api_port }}"
   designate-backend-bind9:
     container_name: designate_backend_bind9
     group: designate-backend-bind9

ansible/roles/designate/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ designate_services }}"
+  tags: always

ansible/roles/elasticsearch/defaults/main.yml

@@ -12,6 +12,14 @@ elasticsearch_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "elasticsearch:/var/lib/elasticsearch/data"
     dimensions: "{{ elasticsearch_dimensions }}"
+    haproxy:
+      elasticsearch:
+        enabled: "{{ enable_elasticsearch }}"
+        mode: "http"
+        external: false
+        port: "{{ elasticsearch_port }}"
+        frontend_http_extra:
+          - "option dontlog-normal"
 
 
 ####################

ansible/roles/elasticsearch/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ elasticsearch_services }}"
+  tags: always

ansible/roles/freezer/defaults/main.yml

@@ -14,6 +14,17 @@ freezer_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/freezer-api/freezer_api:/var/lib/kolla/venv/lib/python2.7/site-packages/freezer_api' if freezer_dev_mode | bool else '' }}"
     dimensions: "{{ freezer_api_dimensions }}"
+    haproxy:
+      freezer_api:
+        enabled: "{{ enable_freezer }}"
+        mode: "http"
+        external: false
+        port: "{{ freezer_api_port }}"
+      freezer_api_external:
+        enabled: "{{ enable_freezer }}"
+        mode: "http"
+        external: true
+        port: "{{ freezer_api_port }}"
   freezer-scheduler:
     container_name: freezer_scheduler
     group: freezer-scheduler

ansible/roles/freezer/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ freezer_services }}"
+  tags: always

ansible/roles/glance/defaults/main.yml

@@ -15,6 +15,27 @@ glance_services:
       - "{{ kolla_dev_repos_directory ~ '/glance/glance:/var/lib/kolla/venv/lib/python2.7/site-packages/glance' if glance_dev_mode | bool else '' }}"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ glance_api_dimensions }}"
+    haproxy:
+      glance_api:
+        enabled: "{{ enable_glance }}"
+        mode: "http"
+        external: false
+        port: "{{ glance_api_port }}"
+        frontend_http_extra:
+          - "timeout client {{ haproxy_glance_api_client_timeout }}"
+        backend_http_extra:
+          - "timeout server {{ haproxy_glance_api_server_timeout }}"
+        custom_member_list: "{{ haproxy_members.split(';') }}"
+      glance_api_external:
+        enabled: "{{ enable_glance }}"
+        mode: "http"
+        external: true
+        port: "{{ glance_api_port }}"
+        frontend_http_extra:
+          - "timeout client {{ haproxy_glance_api_client_timeout }}"
+        backend_http_extra:
+          - "timeout server {{ haproxy_glance_api_server_timeout }}"
+        custom_member_list: "{{ haproxy_members.split(';') }}"
   glance-registry:
     container_name: glance_registry
     group: glance-registry
@@ -27,6 +48,11 @@ glance_services:
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ glance_registry_dimensions }}"
 
+####################
+# HAProxy
+####################
+haproxy_members: "{% for host in glance_api_hosts %}server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5;{% endfor %}"
+
 ####################
 # Notification
 ####################
@@ -66,6 +92,13 @@ glance_database_user: "{% if use_preconfigured_databases | bool and use_common_m
 glance_database_address: "{{ database_address }}:{{ database_port }}"
 
 
+####################
+# HAProxy
+####################
+haproxy_glance_api_client_timeout: "6h"
+haproxy_glance_api_server_timeout: "6h"
+
+
 ####################
 # Docker
 ####################

ansible/roles/glance/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ glance_services }}"
+  tags: always

ansible/roles/gnocchi/defaults/main.yml

@@ -13,6 +13,17 @@ gnocchi_services:
       - "gnocchi:/var/lib/gnocchi/"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ gnocchi_api_dimensions }}"
+    haproxy:
+      gnocchi_api:
+        enabled: "{{ enable_gnocchi }}"
+        mode: "http"
+        external: false
+        port: "{{ gnocchi_api_port }}"
+      gnocchi_api_external:
+        enabled: "{{ enable_gnocchi }}"
+        mode: "http"
+        external: true
+        port: "{{ gnocchi_api_port }}"
   gnocchi-metricd:
     container_name: gnocchi_metricd
     group: gnocchi-metricd

ansible/roles/gnocchi/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ gnocchi_services }}"
+  tags: always

ansible/roles/grafana/defaults/main.yml

@@ -13,6 +13,17 @@ grafana_services:
       - "grafana:/var/lib/grafana/"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ grafana_dimensions }}"
+    haproxy:
+      grafana_server:
+        enabled: "{{ enable_grafana }}"
+        mode: "http"
+        external: false
+        port: "{{ grafana_server_port }}"
+      grafana_server_external:
+        enabled: "{{ enable_grafana }}"
+        mode: "http"
+        external: true
+        port: "{{ grafana_server_port }}"
 
 ####################
 # Database

ansible/roles/grafana/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ grafana_services }}"
+  tags: always

ansible/roles/haproxy-config/defaults/main.yml

@@ -0,0 +1,13 @@
+---
+haproxy_service_template: "haproxy_single_service_listen.cfg.j2"
+
+# Extra frontend/backend options (additive with locally defined options)
+haproxy_frontend_http_extra:
+  - "option httplog"
+  - "option forwardfor"
+haproxy_frontend_tcp_extra:
+  - "option tcplog"
+haproxy_backend_http_extra: []
+haproxy_backend_tcp_extra: []
+
+haproxy_health_check: "check inter 2000 rise 2 fall 5"

ansible/roles/haproxy-config/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+- name: Restart haproxy container
+  become: true
+  kolla_docker:
+    action: "restart_container"
+    name: haproxy
+  when:
+    - kolla_action != "config"
+    - inventory_hostname in groups['haproxy']
+    - enable_haproxy | bool
+  notify:
+    - Waiting for haproxy to start
+
+- name: Waiting for haproxy to start
+  wait_for:
+    host: "{{ api_interface_address }}"
+    port: "{{ haproxy_stats_port }}"

ansible/roles/haproxy-config/tasks/main.yml

@@ -0,0 +1,21 @@
+---
+- name: "Copying over {{ project_name }} haproxy config"
+  vars:
+    service: "{{ item.value }}"
+    haproxy_templates:
+      - "{{ node_custom_config }}/haproxy-config/{{ inventory_hostname }}/{{ haproxy_service_template }}"
+      - "{{ node_custom_config }}/haproxy-config/{{ haproxy_service_template }}"
+      - "templates/{{ haproxy_service_template }}"
+    template_file: "{{ query('first_found', haproxy_templates) | first }}"
+  template:
+    src: "{{ template_file }}"
+    dest: "{{ node_config_directory }}/haproxy/services.d/{{ item.key }}.cfg"
+    mode: "0660"
+  become: true
+  when:
+    - service.enabled | bool
+    - service.haproxy is defined
+    - enable_haproxy | bool
+  with_dict: "{{ project_services }}"
+  notify:
+    - Restart haproxy container

ansible/roles/haproxy-config/templates/haproxy_single_service_listen.cfg.j2

@@ -0,0 +1,91 @@
+#jinja2: lstrip_blocks: True
+{%- set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external|bool else '' %}
+
+{%- macro userlist_macro(service_name, auth_user, auth_pass) %}
+userlist {{ service_name }}-user
+  user {{ auth_user }} insecure-password {{ auth_pass }}
+{% endmacro %}
+
+{%- macro listen_macro(service_name, service_port, service_mode, external,
+                       haproxy_http_extra, haproxy_tcp_extra, host_group,
+                       custom_member_list, auth_user, auth_pass) %}
+listen {{ service_name }}
+    {% if service_mode == 'redirect' %}
+    mode http
+    {% else %}
+    mode {{ service_mode }}
+    {% endif %}
+    {% if service_mode == 'http' %}
+        {# Set up auth if required #}
+        {% if auth_user and auth_pass %}
+    acl auth_acl http_auth({{ service_name }}-user)
+    http-request auth realm basicauth unless auth_acl
+        {% endif %}
+    {# Delete any pre-populated XFP header #}
+    http-request del-header X-Forwarded-Proto
+        {% for http_option in haproxy_http_extra %}
+    {{ http_option }}
+        {% endfor %}
+    {% elif service_mode == 'tcp' %}
+        {% for tcp_option in haproxy_tcp_extra %}
+    {{ tcp_option }}
+        {% endfor %}
+    {% endif %}
+    {% set tls_option = '' %}
+    {% if external|bool %}
+        {% set vip_address = kolla_external_vip_address %}
+        {% if service_mode == 'http' %}
+            {% set tls_option = tls_bind_info %}
+    {# Replace the XFP header for external https requests #}
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+        {% endif %}
+    {% else %}
+        {% set vip_address = kolla_internal_vip_address %}
+    {% endif %}
+    {{ "bind %s:%s %s"|e|format(vip_address, service_port, tls_option)|trim() }}
+    {# Redirect mode sets a redirect scheme instead of members #}
+    {% if service_mode == 'redirect' %}
+    redirect scheme https code 301 if !{ ssl_fc }
+    {% else %}
+        {% if custom_member_list is not none %}
+            {% for custom_member in custom_member_list %}
+    {{ custom_member }}
+            {% endfor %}
+        {% else %}
+            {% for host in groups[host_group] %}
+                {% set api_interface = "ansible_%s"|format(hostvars[host]['api_interface']) %}
+                {% set host_name = hostvars[host]['ansible_hostname'] %}
+                {% set host_ip = hostvars[host][api_interface]['ipv4']['address'] %}
+    server {{ host_name }} {{ host_ip }}:{{ service_port }} {{ haproxy_health_check }}
+            {% endfor %}
+        {% endif %}
+    {% endif %}
+{% endmacro %}
+
+{%- set haproxy = service.haproxy|default({}) %}
+{%- for haproxy_name, haproxy_service in haproxy.items() %}
+    {# External defaults to false #}
+    {% set external = haproxy_service.external|default(false)|bool %}
+    {# Skip anything that is external when the external vip is not enabled #}
+    {% if haproxy_service.enabled|bool and (not external or haproxy_enable_external_vip|bool)%}
+        {# Here we define variables and their defaults #}
+        {# Custom member list can use jinja to generate a semicolon separated list #}
+        {% set custom_member_list = haproxy_service.custom_member_list|default(none) %}
+        {# Mode defaults to http #}
+        {% set mode = haproxy_service.mode|default('http') %}
+        {# Use the parent host group but allow it to be overridden #}
+        {% set host_group = haproxy_service.host_group|default(service.group) %}
+        {# Additional options can be defined in config, and are additive to the global extras #}
+        {% set haproxy_tcp_extra = haproxy_service.frontend_tcp_extra|default([]) + haproxy_service.backend_tcp_extra|default([]) + haproxy_frontend_tcp_extra + haproxy_backend_tcp_extra %}
+        {% set haproxy_http_extra = haproxy_service.frontend_http_extra|default([]) + haproxy_service.backend_http_extra|default([]) + haproxy_frontend_http_extra + haproxy_backend_http_extra %}
+        {# Allow for basic auth #}
+        {% set auth_user = haproxy_service.auth_user|default() %}
+        {% set auth_pass = haproxy_service.auth_pass|default() %}
+        {% if auth_user and auth_pass %}
+{{ userlist_macro(haproxy_name, auth_user, auth_pass) }}
+        {% endif %}
+{{ listen_macro(haproxy_name, haproxy_service.port, mode, external,
+                haproxy_http_extra, haproxy_tcp_extra, host_group,
+                custom_member_list, auth_user, auth_pass) }}
+    {% endif %}
+{%- endfor -%}

ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2

@@ -0,0 +1,118 @@
+#jinja2: lstrip_blocks: True
+{%- set tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external|bool else '' %}
+
+{%- macro userlist_macro(service_name, auth_user, auth_pass) %}
+userlist {{ service_name }}-user
+  user {{ auth_user }} insecure-password {{ auth_pass }}
+{% endmacro %}
+
+{%- macro frontend_macro(service_name, service_port, service_mode, external,
+                         frontend_http_extra, frontend_tcp_extra) %}
+frontend {{ service_name }}_front
+    {% if service_mode == 'redirect' %}
+    mode http
+    {% else %}
+    mode {{ service_mode }}
+    {% endif %}
+    {% if service_mode == 'http' %}
+    {# Delete any pre-populated XFP header #}
+    http-request del-header X-Forwarded-Proto
+        {% for http_option in frontend_http_extra %}
+    {{ http_option }}
+        {% endfor %}
+    {% elif service_mode == 'tcp' %}
+        {% for tcp_option in frontend_tcp_extra %}
+    {{ tcp_option }}
+        {% endfor %}
+    {% endif %}
+    {% set tls_option = '' %}
+    {% if external|bool %}
+        {% set vip_address = kolla_external_vip_address %}
+        {% if service_mode == 'http' %}
+            {% set tls_option = tls_bind_info %}
+    {# Replace the XFP header for external https requests #}
+    http-request set-header X-Forwarded-Proto https if { ssl_fc }
+        {% endif %}
+    {% else %}
+        {% set vip_address = kolla_internal_vip_address %}
+    {% endif %}
+    {{ "bind %s:%s %s"|e|format(vip_address, service_port, tls_option)|trim() }}
+    {# Redirect mode sets a redirect scheme instead of a backend #}
+    {% if service_mode == 'redirect' %}
+    redirect scheme https code 301 if !{ ssl_fc }
+    {% else %}
+    default_backend {{ service_name }}_back
+    {% endif %}
+{% endmacro %}
+
+{%- macro backend_macro(service_name, service_port, service_mode, host_group,
+                        custom_member_list, backend_http_extra,
+                        backend_tcp_extra, auth_user, auth_pass) %}
+backend {{ service_name }}_back
+    {% if service_mode == 'redirect' %}
+    mode http
+    {% else %}
+    mode {{ service_mode }}
+    {% endif %}
+    {% if service_mode == 'http' %}
+        {# Set up auth if required #}
+        {% if auth_user and auth_pass %}
+    acl auth_acl http_auth({{ service_name }}-user)
+    http-request auth realm basicauth unless auth_acl
+        {% endif %}
+        {% for http_option in backend_http_extra %}
+    {{ http_option }}
+        {% endfor %}
+    {% elif service_mode == 'tcp' %}
+        {% for tcp_option in backend_tcp_extra %}
+    {{ tcp_option }}
+        {% endfor %}
+    {% endif %}
+    {% if custom_member_list is not none %}
+        {% for custom_member in custom_member_list %}
+    {{ custom_member }}
+        {% endfor %}
+    {% else %}
+        {% for host in groups[host_group] %}
+            {% set api_interface = "ansible_%s"|format(hostvars[host]['api_interface']) %}
+            {% set host_name = hostvars[host]['ansible_hostname'] %}
+            {% set host_ip = hostvars[host][api_interface]['ipv4']['address'] %}
+    server {{ host_name }} {{ host_ip }}:{{ service_port }} {{ haproxy_health_check }}
+        {% endfor %}
+    {% endif %}
+{% endmacro %}
+
+{%- set haproxy = service.haproxy|default({}) %}
+{%- for haproxy_name, haproxy_service in haproxy.items() %}
+    {# External defaults to false #}
+    {% set external = haproxy_service.external|default(false)|bool %}
+    {# Skip anything that is external when the external vip is not enabled #}
+    {% if haproxy_service.enabled|bool and (not external or haproxy_enable_external_vip|bool)%}
+        {# Here we define variables and their defaults #}
+        {# Custom member list can use jinja to generate a semicolon separated list #}
+        {% set custom_member_list = haproxy_service.custom_member_list|default() %}
+        {# Mode defaults to http #}
+        {% set mode = haproxy_service.mode|default('http') %}
+        {# Use the parent host group but allow it to be overridden #}
+        {% set host_group = haproxy_service.host_group|default(service.group) %}
+        {# Additional options can be defined in config, and are additive to the global extras #}
+        {% set frontend_tcp_extra = haproxy_service.frontend_tcp_extra|default([]) + haproxy_frontend_tcp_extra %}
+        {% set backend_tcp_extra = haproxy_service.backend_tcp_extra|default([]) %}
+        {% set frontend_http_extra = haproxy_service.frontend_http_extra|default([]) + haproxy_frontend_http_extra %}
+        {% set backend_http_extra = haproxy_service.backend_http_extra|default([]) %}
+        {# Allow for basic auth #}
+        {% set auth_user = haproxy_service.auth_user|default() %}
+        {% set auth_pass = haproxy_service.auth_pass|default() %}
+        {% if auth_user and auth_pass %}
+{{ userlist_macro(haproxy_name, auth_user, auth_pass) }}
+        {% endif %}
+{{ frontend_macro(haproxy_name, haproxy_service.port, mode, external,
+                  frontend_http_extra, frontend_tcp_extra) }}
+        {# Redirect (to https) is a special case, as it does not include a backend #}
+        {% if haproxy_service.mode != 'redirect' %}
+{{ backend_macro(haproxy_name, haproxy_service.port, mode, host_group,
+                 custom_member_list, backend_http_extra, backend_tcp_extra,
+                 auth_user, auth_pass) }}
+        {% endif %}
+    {% endif %}
+{%- endfor -%}

ansible/roles/haproxy/defaults/main.yml

@@ -38,27 +38,12 @@ haproxy_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_
 haproxy_tag: "{{ openstack_release }}"
 haproxy_image_full: "{{ haproxy_image }}:{{ haproxy_tag }}"
 
-haproxy_client_timeout: "1m"
-haproxy_server_timeout: "1m"
-
-# Check http://www.haproxy.org/download/1.5/doc/configuration.txt for available options
-haproxy_defaults_balance: "roundrobin"
-
-haproxy_glance_api_client_timeout: "6h"
-haproxy_glance_api_server_timeout: "6h"
-
-haproxy_outward_rabbitmq_client_timeout: "1h"
-haproxy_outward_rabbitmq_server_timeout: "1h"
-
 syslog_server: "{{ api_interface_address }}"
 syslog_haproxy_facility: "local1"
 
 # Traffic mode. Valid options are [ multicast, unicast ]
 keepalived_traffic_mode: "multicast"
 
-haproxy_listen_tcp_extra: []
-haproxy_listen_http_extra: []
-
 # Extended global configuration, optimization options.
 haproxy_max_connections: 4000
 haproxy_processes: 1
@@ -66,3 +51,14 @@ haproxy_process_cpu_map: "no"
 
 haproxy_dimensions: "{{ default_container_dimensions }}"
 keepalived_dimensions: "{{ default_container_dimensions }}"
+
+# Default timeout values
+haproxy_http_request_timeout: "10s"
+haproxy_queue_timeout: "1m"
+haproxy_connect_timeout: "10s"
+haproxy_client_timeout: "1m"
+haproxy_server_timeout: "1m"
+haproxy_check_timeout: "10s"
+
+# Check http://www.haproxy.org/download/1.5/doc/configuration.txt for available options
+haproxy_defaults_balance: "roundrobin"

ansible/roles/haproxy/handlers/main.yml

@@ -3,8 +3,6 @@
   vars:
     service_name: "haproxy"
     service: "{{ haproxy_services[service_name] }}"
-    config_json: "{{ haproxy_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    haproxy_container: "{{ check_haproxy_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   become: true
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -18,19 +16,13 @@
     - kolla_action != "config"
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
-    - config_json.changed | bool
-      or haproxy_cfg.changed | bool
-      or haproxy_pem.changed | bool
-      or haproxy_container.changed | bool
   notify:
-    - Waiting for virtual IP to appear
+    - Waiting for haproxy to start
 
 - name: Restart keepalived container
   vars:
     service_name: "keepalived"
     service: "{{ haproxy_services[service_name] }}"
-    config_json: "{{ haproxy_config_jsons.results|selectattr('item.key', 'equalto', service_name)|first }}"
-    keepalived_container: "{{ check_haproxy_containers.results|selectattr('item.key', 'equalto', service_name)|first }}"
   become: true
   kolla_docker:
     action: "recreate_or_restart_container"
@@ -44,26 +36,15 @@
     - kolla_action != "config"
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
-    - config_json.changed | bool
-      or keepalived_conf.changed | bool
-      or keepalived_container.changed | bool
   notify:
     - Waiting for virtual IP to appear
 
-- name: Ensuring latest haproxy config is used
-  command: docker exec haproxy /usr/local/bin/kolla_ensure_haproxy_latest_config
-  register: status
-  changed_when: status.stdout.find('changed') != -1
-  when:
-    - kolla_action != "config"
-    - haproxy_config_jsons.changed | bool
-      or haproxy_cfg.changed | bool
-      or haproxy_pem.changed | bool
+- name: Waiting for haproxy to start
+  wait_for:
+    host: "{{ api_interface_address }}"
+    port: "{{ haproxy_monitor_port }}"
 
 - name: Waiting for virtual IP to appear
   wait_for:
     host: "{{ kolla_internal_vip_address }}"
-    port: "{{ database_port }}"
-  when:
-    - enable_mariadb | bool
-      or enable_external_mariadb_load_balancer | bool
+    port: "{{ haproxy_monitor_port }}"

ansible/roles/haproxy/tasks/config.yml

@@ -20,20 +20,32 @@
     - item.value.enabled | bool
   with_dict: "{{ haproxy_services }}"
 
+- name: Ensuring service config subdir exists
+  vars:
+    service: "{{ haproxy_services['haproxy'] }}"
+  file:
+    path: "{{ node_config_directory }}/haproxy/services.d"
+    state: "directory"
+    owner: "{{ config_owner_user }}"
+    group: "{{ config_owner_group }}"
+    mode: "0770"
+  become: true
+  when:
+    - inventory_hostname in groups[service.group]
+    - service.enabled | bool
+
 - name: Copying over config.json files for services
   template:
     src: "{{ item.key }}.json.j2"
     dest: "{{ node_config_directory }}/{{ item.key }}/config.json"
     mode: "0660"
   become: true
-  register: haproxy_config_jsons
   when:
     - inventory_hostname in groups[item.value.group]
     - item.value.enabled | bool
   with_dict: "{{ haproxy_services }}"
   notify:
     - "Restart {{ item.key }} container"
-    - Ensuring latest haproxy config is used
 
 - name: Copying over haproxy.cfg
   vars:
@@ -43,17 +55,15 @@
     dest: "{{ node_config_directory }}/haproxy/haproxy.cfg"
     mode: "0660"
   become: true
-  register: haproxy_cfg
   when:
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
   with_first_found:
-    - "{{ node_custom_config }}/haproxy/{{ inventory_hostname }}/haproxy.cfg"
-    - "{{ node_custom_config }}/haproxy/haproxy.cfg"
-    - "haproxy.cfg.j2"
+    - "{{ node_custom_config }}/haproxy/{{ inventory_hostname }}/haproxy_main.cfg"
+    - "{{ node_custom_config }}/haproxy/haproxy_main.cfg"
+    - "haproxy_main.cfg.j2"
   notify:
     - Restart haproxy container
-    - Ensuring latest haproxy config is used
 
 - name: Copying over keepalived.conf
   vars:
@@ -63,7 +73,6 @@
     dest: "{{ node_config_directory }}/keepalived/keepalived.conf"
     mode: "0660"
   become: true
-  register: keepalived_conf
   when:
     - inventory_hostname in groups[service.group]
     - service.enabled | bool
@@ -82,7 +91,6 @@
     dest: "{{ node_config_directory }}/haproxy/{{ item }}"
     mode: "0660"
   become: true
-  register: haproxy_pem
   when:
     - kolla_enable_tls_external | bool
     - inventory_hostname in groups[service.group]
@@ -91,7 +99,24 @@
     - "haproxy.pem"
   notify:
     - Restart haproxy container
-    - Ensuring latest haproxy config is used
+
+- name: Copying over haproxy start script
+  vars:
+    service: "{{ haproxy_services['haproxy'] }}"
+  template:
+    src: "{{ item }}"
+    dest: "{{ node_config_directory }}/haproxy/haproxy_run.sh"
+    mode: "0770"
+  become: true
+  when:
+    - inventory_hostname in groups[service.group]
+    - service.enabled | bool
+  with_first_found:
+    - "{{ node_custom_config }}/haproxy/{{ inventory_hostname }}/haproxy_run.sh"
+    - "{{ node_custom_config }}/haproxy/haproxy_run.sh"
+    - "haproxy_run.sh.j2"
+  notify:
+    - Restart haproxy container
 
 - name: Check haproxy containers
   become: true
@@ -103,7 +128,6 @@
     volumes: "{{ item.value.volumes }}"
     dimensions: "{{ item.value.dimensions }}"
     privileged: "{{ item.value.privileged | default(False) }}"
-  register: check_haproxy_containers
   when:
     - kolla_action != "config"
     - inventory_hostname in groups[item.value.group]

ansible/roles/haproxy/tasks/precheck.yml

@@ -108,7 +108,7 @@
 
 - name: Checking free port for HAProxy stats
   wait_for:
-    host: "{{ kolla_internal_vip_address }}"
+    host: "{{ api_interface_address }}"
     port: "{{ haproxy_stats_port }}"
     connect_timeout: 1
     timeout: 1
@@ -118,6 +118,31 @@
     - container_facts['haproxy'] is not defined
     - inventory_hostname in groups['haproxy']
 
+- name: Checking free port for HAProxy monitor (api interface)
+  wait_for:
+    host: "{{ api_interface_address }}"
+    port: "{{ haproxy_monitor_port }}"
+    connect_timeout: 1
+    timeout: 1
+    state: stopped
+  when:
+    - enable_haproxy | bool
+    - container_facts['haproxy'] is not defined
+    - inventory_hostname in groups['haproxy']
+
+- name: Checking free port for HAProxy monitor (vip interface)
+  wait_for:
+    host: "{{ kolla_internal_vip_address }}"
+    port: "{{ haproxy_monitor_port }}"
+    connect_timeout: 1
+    timeout: 1
+    state: stopped
+  when:
+    - enable_haproxy | bool
+    - container_facts['haproxy'] is not defined
+    - inventory_hostname in groups['haproxy']
+    - api_interface_address != kolla_internal_vip_address
+
 - name: Checking if kolla_internal_vip_address is in the same network as api_interface on all nodes
   command: ip -4 -o addr show dev {{ api_interface }}
   register: ip_addr_output

ansible/roles/haproxy/templates/haproxy.json.j2

@@ -1,13 +1,24 @@
-{% set haproxy_cmd='/usr/sbin/haproxy -W -db' if kolla_base_distro in ['ubuntu']  else '/usr/sbin/haproxy-systemd-wrapper' %}
 {
-    "command": "{{ haproxy_cmd }} -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid",
+    "command": "/etc/haproxy/haproxy_run.sh",
     "config_files": [
+        {
+            "source": "{{ container_config_directory }}/haproxy_run.sh",
+            "dest": "/etc/haproxy/haproxy_run.sh",
+            "owner": "root",
+            "perm": "0700"
+        },
         {
             "source": "{{ container_config_directory }}/haproxy.cfg",
             "dest": "/etc/haproxy/haproxy.cfg",
             "owner": "root",
             "perm": "0600"
         },
+        {
+            "source": "{{ container_config_directory }}/services.d/",
+            "dest": "/etc/haproxy/services.d",
+            "owner": "root",
+            "perm": "0700"
+        },
         {
             "source": "{{ container_config_directory }}/haproxy.pem",
             "dest": "/etc/haproxy/haproxy.pem",

ansible/roles/haproxy/templates/haproxy_main.cfg.j2

@@ -0,0 +1,49 @@
+#jinja2: lstrip_blocks: True
+global
+    chroot /var/lib/haproxy
+    user haproxy
+    group haproxy
+    daemon
+    log {{ syslog_server }}:{{ syslog_udp_port }} {{ syslog_haproxy_facility }}
+    maxconn {{ haproxy_max_connections }}
+    nbproc {{ haproxy_processes }}
+    {% if haproxy_processes > 1 and haproxy_process_cpu_map | bool %}
+        {% for cpu_idx in range(0, haproxy_processes) %}
+    cpu-map {{ cpu_idx + 1 }} {{ cpu_idx }}
+        {% endfor %}
+    {% endif %}
+    stats socket /var/lib/kolla/haproxy/haproxy.sock group kolla mode 660
+    {% if kolla_enable_tls_external | bool %}
+    ssl-default-bind-ciphers DEFAULT:!MEDIUM:!3DES
+    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
+    tune.ssl.default-dh-param 4096
+    {% endif %}
+
+defaults
+    log global
+    option redispatch
+    retries 3
+    timeout http-request {{ haproxy_http_request_timeout }}
+    timeout queue {{ haproxy_queue_timeout }}
+    timeout connect {{ haproxy_connect_timeout }}
+    timeout client {{ haproxy_client_timeout }}
+    timeout server {{ haproxy_server_timeout }}
+    timeout check {{ haproxy_check_timeout }}
+    balance {{ haproxy_defaults_balance }}
+
+listen stats
+   bind {{ api_interface_address }}:{{ haproxy_stats_port }}
+   mode http
+   stats enable
+   stats uri /
+   stats refresh 15s
+   stats realm Haproxy\ Stats
+   stats auth {{ haproxy_user }}:{{ haproxy_password }}
+
+frontend status
+    bind {{ api_interface_address }}:{{ haproxy_monitor_port }}
+    {% if api_interface_address != kolla_internal_vip_address %}
+    bind {{ kolla_internal_vip_address }}:{{ haproxy_monitor_port }}
+    {% endif %}
+    mode http
+    monitor-uri /

ansible/roles/haproxy/templates/haproxy_run.sh.j2

@@ -0,0 +1,10 @@
+#!/bin/bash -x
+{% set haproxy_cmd='/usr/sbin/haproxy -W -db' if kolla_base_distro in ['ubuntu']  else '/usr/sbin/haproxy-systemd-wrapper' %}
+
+# We need to run haproxy with one `-f` for each service, because including an
+# entire config directory was not a feature until version 1.7 of HAProxy.
+# So, append "-f $cfg" to the haproxy command for each service file.
+# This will run haproxy_cmd *exactly once*.
+find /etc/haproxy/services.d/ -mindepth 1 -print0 | \
+    xargs -0 -Icfg echo -f cfg | \
+    xargs {{ haproxy_cmd }} -p /run/haproxy.pid -f /etc/haproxy/haproxy.cfg

ansible/roles/heat/defaults/main.yml

@@ -13,6 +13,17 @@ heat_services:
       - "{{ kolla_dev_repos_directory ~ '/heat/heat:/var/lib/kolla/venv/lib/python2.7/site-packages/heat' if heat_dev_mode | bool else '' }}"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ heat_api_dimensions }}"
+    haproxy:
+      heat_api:
+        enabled: "{{ enable_heat }}"
+        mode: "http"
+        external: false
+        port: "{{ heat_api_port }}"
+      heat_api_external:
+        enabled: "{{ enable_heat }}"
+        mode: "http"
+        external: true
+        port: "{{ heat_api_port }}"
   heat-api-cfn:
     container_name: heat_api_cfn
     group: heat-api-cfn
@@ -24,6 +35,17 @@ heat_services:
       - "{{ kolla_dev_repos_directory ~ '/heat/heat:/var/lib/kolla/venv/lib/python2.7/site-packages/heat' if heat_dev_mode | bool else '' }}"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ heat_api_cfn_dimensions }}"
+    haproxy:
+      heat_api_cfn:
+        enabled: "{{ enable_heat }}"
+        mode: "http"
+        external: false
+        port: "{{ heat_api_cfn_port }}"
+      heat_api_cfn_external:
+        enabled: "{{ enable_heat }}"
+        mode: "http"
+        external: true
+        port: "{{ heat_api_cfn_port }}"
   heat-engine:
     container_name: heat_engine
     group: heat-engine

ansible/roles/heat/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ heat_services }}"
+  tags: always

ansible/roles/horizon/defaults/main.yml

@@ -43,6 +43,26 @@ horizon_services:
       - "kolla_logs:/var/log/kolla/"
       - "/tmp:/tmp"
     dimensions: "{{ horizon_dimensions }}"
+    haproxy:
+      horizon:
+        enabled: "{{ enable_horizon }}"
+        mode: "http"
+        external: false
+        port: "{{ horizon_port }}"
+        frontend_http_extra:
+          - "balance source"
+      horizon_external:
+        enabled: "{{ enable_horizon }}"
+        mode: "http"
+        external: true
+        port: "{% if kolla_enable_tls_external|bool %}443{% else %}{{ horizon_port }}{% endif %}"
+        frontend_http_extra:
+          - "balance source"
+      horizon_external_redirect:
+        enabled: "{{ enable_horizon|bool and kolla_enable_tls_external|bool }}"
+        mode: "redirect"
+        external: true
+        port: "{{ horizon_port }}"
 horizon_keystone_domain_choices:
   Default: default
 

ansible/roles/horizon/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ horizon_services }}"
+  tags: always

ansible/roles/influxdb/defaults/main.yml

@@ -13,6 +13,17 @@ influxdb_services:
       - "influxdb:/var/lib/influxdb"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ influxdb_dimensions }}"
+    haproxy:
+      influxdb_admin:
+        enabled: "{{ enable_influxdb }}"
+        mode: "http"
+        external: false
+        port: "{{ influxdb_admin_port }}"
+      influxdb_http:
+        enabled: "{{ enable_influxdb }}"
+        mode: "http"
+        external: false
+        port: "{{ influxdb_http_port }}"
 
 
 ####################

ansible/roles/influxdb/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ influxdb_services }}"
+  tags: always

ansible/roles/ironic/defaults/main.yml

@@ -13,6 +13,17 @@ ironic_services:
       - "kolla_logs:/var/log/kolla"
       - "{{ kolla_dev_repos_directory ~ '/ironic/ironic:/var/lib/kolla/venv/lib/python2.7/site-packages/ironic' if ironic_dev_mode | bool else '' }}"
     dimensions: "{{ ironic_api_dimensions }}"
+    haproxy:
+      ironic_api:
+        enabled: "{{ enable_ironic }}"
+        mode: "http"
+        external: false
+        port: "{{ ironic_api_port }}"
+      ironic_api_external:
+        enabled: "{{ enable_ironic }}"
+        mode: "http"
+        external: true
+        port: "{{ ironic_api_port }}"
   ironic-conductor:
     container_name: ironic_conductor
     group: ironic-conductor
@@ -44,6 +55,17 @@ ironic_services:
       - "kolla_logs:/var/log/kolla"
       - "{{ kolla_dev_repos_directory ~ '/ironic-inspector/ironic_inspector:/var/lib/kolla/venv/lib/python2.7/site-packages/ironic_inspector' if ironic_dev_mode | bool else '' }}"
     dimensions: "{{ ironic_inspector_dimensions }}"
+    haproxy:
+      ironic_inspector:
+        enabled: "{{ enable_ironic }}"
+        mode: "http"
+        external: false
+        port: "{{ ironic_inspector_port }}"
+      ironic_inspector_external:
+        enabled: "{{ enable_ironic }}"
+        mode: "http"
+        external: true
+        port: "{{ ironic_inspector_port }}"
   ironic-pxe:
     container_name: ironic_pxe
     group: ironic-pxe

ansible/roles/ironic/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ ironic_services }}"
+  tags: always

ansible/roles/karbor/defaults/main.yml

@@ -12,6 +12,17 @@ karbor_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ karbor_api_dimensions }}"
+    haproxy:
+      karbor_api:
+        enabled: "{{ enable_karbor }}"
+        mode: "http"
+        external: false
+        port: "{{ karbor_api_port }}"
+      karbor_api_external:
+        enabled: "{{ enable_karbor }}"
+        mode: "http"
+        external: true
+        port: "{{ karbor_api_port }}"
   karbor-protection:
     container_name: karbor_protection
     group: karbor-protection

ansible/roles/karbor/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ karbor_services }}"
+  tags: always

ansible/roles/keystone/defaults/main.yml

@@ -14,6 +14,22 @@ keystone_services:
       - "kolla_logs:/var/log/kolla/"
       - "{% if keystone_token_provider == 'fernet' %}keystone_fernet_tokens:/etc/keystone/fernet-keys{% endif %}"
     dimensions: "{{ keystone_dimensions }}"
+    haproxy:
+      keystone_internal:
+        enabled: "{{ enable_keystone }}"
+        mode: "http"
+        external: false
+        port: "{{ keystone_public_port }}"
+      keystone_external:
+        enabled: "{{ enable_keystone }}"
+        mode: "http"
+        external: true
+        port: "{{ keystone_public_port }}"
+      keystone_admin:
+        enabled: "{{ enable_keystone }}"
+        mode: "http"
+        external: false
+        port: "{{ keystone_admin_port }}"
   keystone-ssh:
     container_name: "keystone_ssh"
     group: "keystone"

ansible/roles/keystone/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ keystone_services }}"
+  tags: always

ansible/roles/kibana/defaults/main.yml

@@ -12,6 +12,21 @@ kibana_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ kibana_dimensions }}"
+    haproxy:
+      kibana:
+        enabled: "{{ enable_kibana }}"
+        mode: "http"
+        external: false
+        port: "{{ kibana_server_port }}"
+        auth_user: "{{ kibana_user }}"
+        auth_pass: "{{ kibana_password }}"
+      kibana_external:
+        enabled: "{{ enable_kibana }}"
+        mode: "http"
+        external: true
+        port: "{{ kibana_server_port }}"
+        auth_user: "{{ kibana_user }}"
+        auth_pass: "{{ kibana_password }}"
 
 
 ####################

ansible/roles/kibana/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ kibana_services }}"
+  tags: always

ansible/roles/magnum/defaults/main.yml

@@ -15,6 +15,17 @@ magnum_services:
       - "{{ kolla_dev_repos_directory ~ '/magnum/magnum:/var/lib/kolla/venv/lib/python2.7/site-packages/magnum' if magnum_dev_mode | bool else '' }}"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ magnum_api_dimensions }}"
+    haproxy:
+      magnum_api:
+        enabled: "{{ enable_magnum }}"
+        mode: "http"
+        external: false
+        port: "{{ magnum_api_port }}"
+      magnum_api_external:
+        enabled: "{{ enable_magnum }}"
+        mode: "http"
+        external: true
+        port: "{{ magnum_api_port }}"
   magnum-conductor:
     container_name: magnum_conductor
     group: magnum-conductor

ansible/roles/magnum/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ magnum_services }}"
+  tags: always

ansible/roles/manila/defaults/main.yml

@@ -13,6 +13,17 @@ manila_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/manila/manila:/var/lib/kolla/venv/lib/python2.7/site-packages/manila' if manila_dev_mode | bool else '' }}"
     dimensions: "{{ manila_api_dimensions }}"
+    haproxy:
+      manila_api:
+        enabled: "{{ enable_manila }}"
+        mode: "http"
+        external: false
+        port: "{{ manila_api_port }}"
+      manila_api_external:
+        enabled: "{{ enable_manila }}"
+        mode: "http"
+        external: true
+        port: "{{ manila_api_port }}"
   manila-scheduler:
     container_name: "manila_scheduler"
     group: "manila-scheduler"

ansible/roles/manila/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ manila_services }}"
+  tags: always

ansible/roles/mariadb/defaults/main.yml

@@ -13,7 +13,30 @@ mariadb_services:
       - "mariadb:/var/lib/mysql"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ mariadb_dimensions }}"
-
+    haproxy:
+      mariadb:
+        enabled: "{{ enable_mariadb|bool and not enable_external_mariadb_load_balancer|bool }}"
+        mode: "tcp"
+        port: "{{ mariadb_port }}"
+        frontend_tcp_extra:
+          - "option clitcpka"
+          - "timeout client 3600s"
+        backend_tcp_extra:
+          - "option srvtcpka"
+          - "timeout server 3600s"
+          - "option mysql-check user haproxy post-41"
+        custom_member_list: "{{ internal_haproxy_members.split(';') }}"
+      mariadb_external_lb:
+        enabled: "{{ enable_mariadb|bool and enable_external_mariadb_load_balancer|bool }}"
+        mode: "tcp"
+        port: "{{ mariadb_port }}"
+        frontend_tcp_extra:
+          - "option clitcpka"
+          - "timeout client 3600s"
+        backend_tcp_extra:
+          - "option srvtcpka"
+          - "timeout server 3600s"
+        custom_member_list: "{{ external_haproxy_members.split(';') }}"
 
 ####################
 # Database
@@ -21,6 +44,12 @@ mariadb_services:
 database_cluster_name: "openstack"
 database_max_timeout: 120
 
+####################
+# HAProxy
+####################
+internal_haproxy_members: "{% for host in groups['mariadb'] %}server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ mariadb_port }} check inter 2000 rise 2 fall 5{% if not loop.first %} backup{% endif %};{% endfor %}"
+external_haproxy_members: "{% for host in groups['mariadb'] %}server {{ host }} {{ host }}:{{ mariadb_port }} check inter 2000 rise 2 fall 5{% if not loop.first %} backup{% endif %};{% endfor %}"
+
 ####################
 # Docker
 ####################

ansible/roles/mariadb/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ mariadb_services }}"
+  tags: always

ansible/roles/memcached/defaults/main.yml

@@ -11,7 +11,23 @@ memcached_services:
       - "{{ node_config_directory }}/memcached/:{{ container_config_directory }}/:ro"
       - "/etc/localtime:/etc/localtime:ro"
     dimensions: "{{ memcached_dimensions }}"
+    haproxy:
+      memcached:
+        enabled: "{{ enable_memcached|bool and enable_haproxy_memcached|bool }}"
+        mode: "tcp"
+        port: "{{ memcached_port }}"
+        frontend_tcp_extra:
+          - "option clitcpka"
+          - "timeout client 3600s"
+        backend_tcp_extra:
+          - "option srvtcpka"
+          - "timeout server 3600s"
+        custom_member_list: "{{ haproxy_members.split(';') }}"
 
+####################
+# HAProxy
+####################
+haproxy_members: "{% for host in groups['memcached'] %}server {{ host }} {{ host }}:{{ memcached_port }} check inter 2000 rise 2 fall 5{% if not loop.first %} backup{% endif %};{% endfor %}"
 
 ####################
 # Docker

ansible/roles/memcached/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ memcached_services }}"
+  tags: always

ansible/roles/mistral/defaults/main.yml

@@ -13,6 +13,17 @@ mistral_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/mistral/mistral:/var/lib/kolla/venv/lib/python2.7/site-packages/mistral' if mistral_dev_mode | bool else '' }}"
     dimensions: "{{ mistral_api_dimensions }}"
+    haproxy:
+      mistral_api:
+        enabled: "{{ enable_mistral }}"
+        mode: "http"
+        external: false
+        port: "{{ mistral_api_port }}"
+      mistral_api_external:
+        enabled: "{{ enable_mistral }}"
+        mode: "http"
+        external: true
+        port: "{{ mistral_api_port }}"
   mistral-engine:
     container_name: mistral_engine
     group: mistral-engine

ansible/roles/mistral/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ mistral_services }}"
+  tags: always

ansible/roles/monasca/defaults/main.yml

@@ -10,6 +10,17 @@ monasca_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla"
     dimensions: "{{ monasca_api_dimensions }}"
+    haproxy:
+      monasca_api:
+        enabled: "{{ enable_monasca }}"
+        mode: "http"
+        external: false
+        port: "{{ monasca_api_port }}"
+      monasca_api_external:
+        enabled: "{{ enable_monasca }}"
+        mode: "http"
+        external: true
+        port: "{{ monasca_api_port }}"
   monasca-log-api:
     container_name: monasca_log_api
     group: monasca-log-api
@@ -20,6 +31,17 @@ monasca_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla"
     dimensions: "{{ monasca_log_api_dimensions }}"
+    haproxy:
+      monasca_log_api:
+        enabled: "{{ enable_monasca }}"
+        mode: "http"
+        external: false
+        port: "{{ monasca_log_api_port }}"
+      monasca_log_api_external:
+        enabled: "{{ enable_monasca }}"
+        mode: "http"
+        external: true
+        port: "{{ monasca_log_api_port }}"
   monasca-log-transformer:
     container_name: monasca_log_transformer
     group: monasca-log-transformer

ansible/roles/monasca/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ monasca_services }}"
+  tags: always

ansible/roles/mongodb/defaults/main.yml

@@ -14,6 +14,12 @@ mongodb_services:
       - "kolla_logs:/var/log/kolla/"
       - "mongodb:/var/lib/mongodb"
     dimensions: "{{ mongodb_dimensions }}"
+    haproxy:
+      mongodb:
+        enabled: "{{ enable_mongodb }}"
+        mode: "http"
+        external: false
+        port: "{{ mongodb_port }}"
 
 
 ####################

ansible/roles/mongodb/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ mongodb_services }}"
+  tags: always

ansible/roles/murano/defaults/main.yml

@@ -13,6 +13,17 @@ murano_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ murano_api_dimensions }}"
+    haproxy:
+      murano_api:
+        enabled: "{{ enable_murano }}"
+        mode: "http"
+        external: false
+        port: "{{ murano_api_port }}"
+      murano_api_external:
+        enabled: "{{ enable_murano }}"
+        mode: "http"
+        external: true
+        port: "{{ murano_api_port }}"
   murano-engine:
     container_name: murano_engine
     group: murano-engine

ansible/roles/murano/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ murano_services }}"
+  tags: always

ansible/roles/neutron/defaults/main.yml

@@ -13,6 +13,19 @@ neutron_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ neutron_server_dimensions }}"
+    haproxy:
+      neutron_server:
+        enabled: "{{ enable_neutron }}"
+        mode: "http"
+        external: false
+        port: "{{ neutron_server_port }}"
+        frontend_http_extra:
+          - "option http-tunnel"
+      neutron_server_external:
+        enabled: "{{ enable_neutron }}"
+        mode: "http"
+        external: true
+        port: "{{ neutron_server_port }}"
   neutron-openvswitch-agent:
     container_name: "neutron_openvswitch_agent"
     image: "{{ neutron_openvswitch_agent_image_full }}"

ansible/roles/neutron/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ neutron_services }}"
+  tags: always

ansible/roles/nova/defaults/main.yml

@@ -47,6 +47,17 @@ nova_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/nova/nova:/var/lib/kolla/venv/lib/python2.7/site-packages/nova' if nova_dev_mode | bool else '' }}"
     dimensions: "{{ placement_api_dimensions }}"
+    haproxy:
+      placement_api:
+        enabled: "{{ enable_nova }}"
+        mode: "http"
+        external: false
+        port: "{{ placement_api_port }}"
+      placement_api_external:
+        enabled: "{{ enable_nova }}"
+        mode: "http"
+        external: true
+        port: "{{ placement_api_port }}"
   nova-api:
     container_name: "nova_api"
     group: "nova-api"
@@ -60,6 +71,33 @@ nova_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/nova/nova:/var/lib/kolla/venv/lib/python2.7/site-packages/nova' if nova_dev_mode | bool else '' }}"
     dimensions: "{{ nova_api_dimensions }}"
+    haproxy:
+      nova_api:
+        enabled: "{{ enable_nova }}"
+        mode: "http"
+        external: false
+        port: "{{ nova_api_port }}"
+      nova_api_external:
+        enabled: "{{ enable_nova }}"
+        mode: "http"
+        external: true
+        port: "{{ nova_api_port }}"
+      nova_metadata:
+        enabled: "{{ enable_nova }}"
+        mode: "http"
+        external: false
+        port: "{{ nova_metadata_port }}"
+      nova_metadata_external:
+        enabled: "{{ enable_nova }}"
+        mode: "http"
+        external: true
+        port: "{{ nova_metadata_port }}"
+      nova_rdp:
+        enabled: "{{ enable_nova|bool and nova_console == 'rdp' }}"
+        mode: "http"
+        external: false
+        port: "{{ rdp_port }}"
+        host_group: "hyperv"
   nova-consoleauth:
     container_name: "nova_consoleauth"
     group: "nova-consoleauth"
@@ -82,6 +120,19 @@ nova_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/nova/nova:/var/lib/kolla/venv/lib/python2.7/site-packages/nova' if nova_dev_mode | bool else '' }}"
     dimensions: "{{ nova_novncproxy_dimensions }}"
+    haproxy:
+      nova_novncproxy:
+        enabled: "{{ enable_nova|bool and nova_console == 'novnc' }}"
+        mode: "http"
+        external: false
+        port: "{{ nova_novncproxy_port }}"
+        backend_http_extra:
+          - "timeout tunnel 1h"
+      nova_novncproxy_external:
+        enabled: "{{ enable_nova|bool and nova_console == 'novnc' }}"
+        mode: "http"
+        external: true
+        port: "{{ nova_novncproxy_port }}"
   nova-scheduler:
     container_name: "nova_scheduler"
     group: "nova-scheduler"
@@ -104,6 +155,17 @@ nova_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/nova/nova:/var/lib/kolla/venv/lib/python2.7/site-packages/nova' if nova_dev_mode | bool else '' }}"
     dimensions: "{{ nova_spicehtml5proxy_dimensions }}"
+    haproxy:
+      nova_spicehtml5proxy:
+        enabled: "{{ enable_nova|bool and nova_console == 'spice' }}"
+        mode: "http"
+        external: false
+        port: "{{ nova_spicehtml5proxy_port }}"
+      nova_spicehtml5proxy_external:
+        enabled: "{{ enable_nova|bool and nova_console == 'spice' }}"
+        mode: "http"
+        external: true
+        port: "{{ nova_spicehtml5proxy_port }}"
   nova-serialproxy:
     container_name: "nova_serialproxy"
     group: "nova-serialproxy"
@@ -115,6 +177,17 @@ nova_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/nova/nova:/var/lib/kolla/venv/lib/python2.7/site-packages/nova' if nova_dev_mode | bool else '' }}"
     dimensions: "{{ nova_serialproxy_dimensions }}"
+    haproxy:
+      nova_serialconsole_proxy:
+        enabled: "{{ enable_nova|bool and enable_nova_serialconsole_proxy|bool }}"
+        mode: "http"
+        external: false
+        port: "{{ nova_serialproxy_port }}"
+      nova_serialconsole_proxy_external:
+        enabled: "{{ enable_nova|bool and enable_nova_serialconsole_proxy|bool }}"
+        mode: "http"
+        external: true
+        port: "{{ nova_serialproxy_port }}"
   nova-conductor:
     container_name: "nova_conductor"
     group: "nova-conductor"

ansible/roles/nova/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ nova_services }}"
+  tags: always

ansible/roles/octavia/defaults/main.yml

@@ -12,6 +12,17 @@ octavia_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ octavia_api_dimensions }}"
+    haproxy:
+      octavia_api:
+        enabled: "{{ enable_octavia }}"
+        mode: "http"
+        external: false
+        port: "{{ octavia_api_port }}"
+      octavia_api_external:
+        enabled: "{{ enable_octavia }}"
+        mode: "http"
+        external: true
+        port: "{{ octavia_api_port }}"
   octavia-health-manager:
     container_name: octavia_health_manager
     group: octavia-health-manager

ansible/roles/octavia/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ octavia_services }}"
+  tags: always

ansible/roles/opendaylight/defaults/main.yml

@@ -14,6 +14,33 @@ opendaylight_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ opendaylight_dimensions }}"
+    haproxy:
+      opendaylight_api:
+        enabled: "{{ enable_opendaylight }}"
+        mode: "http"
+        port: "{{ opendaylight_haproxy_restconf_port }}"
+        backend_http_extra:
+          - "balance source"
+        custom_member_list: "{{ api_haproxy_members.split(';') }}"
+      opendaylight_api_backup:
+        enabled: "{{ enable_opendaylight }}"
+        mode: "http"
+        port: "{{ opendaylight_haproxy_restconf_port_backup }}"
+        backend_http_extra:
+          - "balance source"
+        custom_member_list: "{{ backup_api_haproxy_members.split(';') }}"
+      opendaylight_websocket:
+        enabled: "{{ enable_opendaylight }}"
+        mode: "http"
+        port: "{{ opendaylight_websocket_port }}"
+        backend_http_extra:
+          - "balance source"
+
+####################
+# HAProxy
+####################
+api_haproxy_members: "{% for host in groups['opendaylight'] %}server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ opendaylight_restconf_port }} check inter 2000 rise 2 fall 5;{% endfor %}"
+backup_api_haproxy_members: "{% for host in groups['opendaylight'] %}server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ opendaylight_restconf_port_backup }} check inter 2000 rise 2 fall 5;{% endfor %}"
 
 ####################
 # Docker

ansible/roles/opendaylight/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ opendaylight_services }}"
+  tags: always

ansible/roles/panko/defaults/main.yml

@@ -12,6 +12,17 @@ panko_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ panko_api_dimensions }}"
+    haproxy:
+      panko_api:
+        enabled: "{{ enable_panko }}"
+        mode: "http"
+        external: false
+        port: "{{ panko_api_port }}"
+      panko_api_external:
+        enabled: "{{ enable_panko }}"
+        mode: "http"
+        external: true
+        port: "{{ panko_api_port }}"
 
 
 ####################

ansible/roles/panko/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ panko_services }}"
+  tags: always

ansible/roles/prometheus/defaults/main.yml

@@ -13,6 +13,12 @@ prometheus_services:
       - "prometheus:/var/lib/prometheus"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ prometheus_server_dimensions }}"
+    haproxy:
+      prometheus_server:
+        enabled: "{{ enable_prometheus }}"
+        mode: "http"
+        external: false
+        port: "{{ prometheus_port }}"
   prometheus-node-exporter:
     container_name: prometheus_node_exporter
     group: prometheus-node-exporter
@@ -83,6 +89,21 @@ prometheus_services:
       - "kolla_logs:/var/log/kolla/"
       - "prometheus:/var/lib/prometheus"
     dimensions: "{{ prometheus_alertmanager_dimensions }}"
+    haproxy:
+      prometheus_alertmanager:
+        enabled: "{{ enable_prometheus_alertmanager }}"
+        mode: "http"
+        external: false
+        port: "{{ prometheus_alertmanager_port }}"
+        auth_user: "{{ prometheus_alertmanager_user }}"
+        auth_pass: "{{ prometheus_alertmanager_password }}"
+      prometheus_alertmanager_external:
+        enabled: "{{ enable_prometheus_alertmanager }}"
+        mode: "http"
+        external: true
+        port: "{{ prometheus_alertmanager_port }}"
+        auth_user: "{{ prometheus_alertmanager_user }}"
+        auth_pass: "{{ prometheus_alertmanager_password }}"
 
 ####################
 # Database

ansible/roles/prometheus/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ prometheus_services }}"
+  tags: always

ansible/roles/rabbitmq/defaults/main.yml

@@ -22,6 +22,34 @@ rabbitmq_services:
       - "{{ project_name }}:/var/lib/rabbitmq/"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ rabbitmq_dimensions }}"
+    haproxy:
+      rabbitmq_management:
+        enabled: "{{ enable_rabbitmq }}"
+        mode: "http"
+        port: "{{ rabbitmq_management_port }}"
+        host_group: "rabbitmq"
+      rabbitmq_outward_management:
+        enabled: "{{ enable_outward_rabbitmq }}"
+        mode: "http"
+        port: "{{ outward_rabbitmq_management_port }}"
+        host_group: "outward-rabbitmq"
+      rabbitmq_outward_external:
+        enabled: "{{ enable_outward_rabbitmq }}"
+        mode: "tcp"
+        external: true
+        port: "{{ outward_rabbitmq_port }}"
+        host_group: "outward-rabbitmq"
+        frontend_tcp_extra:
+          - "timeout client {{ haproxy_outward_rabbitmq_client_timeout }}"
+        backend_tcp_extra:
+          - "timeout server {{ haproxy_outward_rabbitmq_server_timeout }}"
+
+
+####################
+# HAProxy
+####################
+haproxy_outward_rabbitmq_client_timeout: "1h"
+haproxy_outward_rabbitmq_server_timeout: "1h"
 
 
 ####################

ansible/roles/rabbitmq/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ rabbitmq_services }}"
+  tags: always

ansible/roles/sahara/defaults/main.yml

@@ -14,6 +14,17 @@ sahara_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/sahara/sahara:/var/lib/kolla/venv/lib/python2.7/site-packages/sahara' if sahara_dev_mode | bool else '' }}"
     dimensions: "{{ sahara_api_dimensions }}"
+    haproxy:
+      sahara_api:
+        enabled: "{{ enable_sahara }}"
+        mode: "http"
+        external: false
+        port: "{{ sahara_api_port }}"
+      sahara_api_external:
+        enabled: "{{ enable_sahara }}"
+        mode: "http"
+        external: true
+        port: "{{ sahara_api_port }}"
   sahara-engine:
     container_name: sahara_engine
     group: sahara-engine

ansible/roles/sahara/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ sahara_services }}"
+  tags: always

ansible/roles/searchlight/defaults/main.yml

@@ -12,6 +12,17 @@ searchlight_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ searchlight_api_dimensions }}"
+    haproxy:
+      searchlight_api:
+        enabled: "{{ enable_searchlight }}"
+        mode: "http"
+        external: false
+        port: "{{ searchlight_api_port }}"
+      searchlight_api_external:
+        enabled: "{{ enable_searchlight }}"
+        mode: "http"
+        external: true
+        port: "{{ searchlight_api_port }}"
   searchlight-listener:
     container_name: searchlight_listener
     group: searchlight-listener

ansible/roles/searchlight/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ searchlight_services }}"
+  tags: always

ansible/roles/senlin/defaults/main.yml

@@ -13,6 +13,17 @@ senlin_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/senlin/senlin:/var/lib/kolla/venv/lib/python2.7/site-packages/senlin' if senlin_dev_mode | bool else '' }}"
     dimensions: "{{ senlin_api_dimensions }}"
+    haproxy:
+      senlin_api:
+        enabled: "{{ enable_senlin }}"
+        mode: "http"
+        external: false
+        port: "{{ senlin_api_port }}"
+      senlin_api_external:
+        enabled: "{{ enable_senlin }}"
+        mode: "http"
+        external: true
+        port: "{{ senlin_api_port }}"
   senlin-engine:
     container_name: senlin_engine
     group: senlin-engine

ansible/roles/senlin/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ senlin_services }}"
+  tags: always

ansible/roles/skydive/defaults/main.yml

@@ -12,6 +12,17 @@ skydive_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ skydive_analyzer_dimensions }}"
+    haproxy:
+      skydive_server:
+        enabled: "{{ enable_skydive }}"
+        mode: "http"
+        external: false
+        port: "{{ skydive_analyzer_port }}"
+      skydive_server_external:
+        enabled: "{{ enable_skydive }}"
+        mode: "http"
+        external: true
+        port: "{{ skydive_analyzer_port }}"
   skydive-agent:
     container_name: skydive_agent
     group: skydive-agent

ansible/roles/skydive/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ skydive_services }}"
+  tags: always

ansible/roles/solum/defaults/main.yml

@@ -35,6 +35,31 @@ solum_services:
       - "kolla_logs:/var/log/kolla/"
       - "{{ kolla_dev_repos_directory ~ '/solum/solum:/var/lib/kolla/venv/lib/python2.7/site-packages/solum' if solum_dev_mode | bool else '' }}"
     dimensions: "{{ solum_deployer_dimensions }}"
+    haproxy:
+      solum_application_deployment:
+        enabled: "{{ enable_solum }}"
+        mode: "http"
+        external: false
+        port: "{{ solum_application_deployment_port }}"
+        host_group: "solum-application-deployment"
+      solum_application_deployment_external:
+        enabled: "{{ enable_solum }}"
+        mode: "http"
+        external: true
+        port: "{{ solum_application_deployment_port }}"
+        host_group: "solum-application-deployment"
+      solum_image_builder:
+        enabled: "{{ enable_solum }}"
+        mode: "http"
+        external: false
+        port: "{{ solum_image_builder_port }}"
+        host_group: "solum-image-builder"
+      solum_image_builder_external:
+        enabled: "{{ enable_solum }}"
+        mode: "http"
+        external: true
+        port: "{{ solum_image_builder_port }}"
+        host_group: "solum-image-builder"
   solum-conductor:
     container_name: solum_conductor
     group: solum-conductor
@@ -47,7 +72,6 @@ solum_services:
       - "{{ kolla_dev_repos_directory ~ '/solum/solum:/var/lib/kolla/venv/lib/python2.7/site-packages/solum' if solum_dev_mode | bool else '' }}"
     dimensions: "{{ solum_conductor_dimensions }}"
 
-
 ####################
 # Database
 ####################

ansible/roles/solum/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ solum_services }}"
+  tags: always

ansible/roles/swift/defaults/main.yml

@@ -1,6 +1,22 @@
 ---
 project_name: "swift"
 
+swift_services:
+  swift-api:
+    group: swift-proxy-server
+    enabled: true
+    haproxy:
+      swift_api:
+        enabled: "{{ enable_swift }}"
+        mode: "http"
+        external: false
+        port: "{{ swift_proxy_server_port }}"
+      swift_api_external:
+        enabled: "{{ enable_swift }}"
+        mode: "http"
+        external: true
+        port: "{{ swift_proxy_server_port }}"
+
 ####################
 # Docker
 ####################

ansible/roles/swift/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ swift_services }}"
+  tags: always

ansible/roles/tacker/defaults/main.yml

@@ -13,6 +13,17 @@ tacker_services:
       - "/etc/localtime:/etc/localtime:ro"
       - "kolla_logs:/var/log/kolla/"
     dimensions: "{{ tacker_server_dimensions }}"
+    haproxy:
+      tacker_server:
+        enabled: "{{ enable_tacker }}"
+        mode: "http"
+        external: false
+        port: "{{ tacker_server_port }}"
+      tacker_server_external:
+        enabled: "{{ enable_tacker }}"
+        mode: "http"
+        external: true
+        port: "{{ tacker_server_port }}"
   tacker-conductor:
     container_name: "tacker_conductor"
     group: "tacker-conductor"

ansible/roles/tacker/tasks/loadbalancer.yml

@@ -0,0 +1,7 @@
+---
+- name: "Configure haproxy for {{ project_name }}"
+  import_role:
+    role: haproxy-config
+  vars:
+    project_services: "{{ tacker_services }}"
+  tags: always