Victoria Series Release Notes
18.0.0.0b1-116
New Features
Multiple HAProxy nodes can now be deployed in an HA configuration with keepalived and LetsEncrypt certificates. Certbot can be treated as a backend service for HAProxy, and acme-challenge requests from LetsEncrypt can be directed to whichever HAProxy server is running a certificate renewal. New variables are defined for frontend ACLs and for options to be passed to Certbot, which enable this new feature, but the majority of the required configuration is done via the existing HAProxy service setup. An example is provided in the documentation.
It is now possible to define a service that has only a frontend by using haproxy_frontend_only inside your service.
Added the possibility to have a haproxy_frontend_raw entry to control the HAProxy config for the frontend; the entry will be copied literally into the service. You can set a list under the key haproxy_frontend_raw.
Added new variable haproxy_hatop_install, which allows hatop installation to be conditionally enabled or disabled.
Added variable haproxy_ssl_letsencrypt_certbot_challenge, which defaults to http-01. For now only http-01 has really been tested, but the door is kept open for adding support for more challenges, like dns-01. For http-01 all required arguments are passed, but for other challenges you might want to use haproxy_ssl_letsencrypt_setup_extra_params to pass missing arguments.
If the Horizon dashboard of an OSA installation has a public FQDN, it is now possible to use the LetsEncrypt certification service. The certificate will be generated within the HAProxy installation, and a cron entry to renew the certificate daily will be set up. Note that there is no certificate distribution implementation at this time, so this will only work for a single haproxy-server environment.
Upgrade Notes
The variable haproxy_hatop_downloader has been removed. Deployers are supposed to use the haproxy_hatop_download_url override if needed to install in deployments with a limited internet connection.
There’s no need to provide either the http-01-address or the http-01-port option with haproxy_ssl_letsencrypt_setup_extra_params, as they are now configured with the corresponding variables haproxy_ssl_letsencrypt_certbot_bind_address and haproxy_ssl_letsencrypt_certbot_backend_port.
Security Issues
The default TLS version has been set to force-tlsv12. This only allows version 1.2 of the protocol to be used when terminating or creating TLS connections. You can change the value with the haproxy_ssl_bind_options variable.
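One way to check a rendered haproxy.cfg against this default, as an added example that is not part of the role or these release notes: it flags ssl bind lines whose options, combined with the global ssl-default-bind-options, do not hold the listener to TLS 1.2 or newer. The function name, sample configuration and addresses are constructed for illustration, and treating a bind's own options as purely additive to the global defaults is a simplifying assumption.

```python
import re

SECTIONS = {"global", "defaults", "frontend", "backend", "listen"}
# Bind options that limit a listener to TLS 1.2 or newer.
PIN_OK = re.compile(r"\b(?:force-tlsv1[23]|ssl-min-ver\s+TLSv1\.[23])\b")
# Bind options that pin a listener to a legacy protocol version.
PIN_WEAK = re.compile(
    r"\b(?:force-(?:sslv3|tlsv10|tlsv11)|ssl-min-ver\s+(?:SSLv3|TLSv1\.[01]))\b")

# Constructed sample; addresses and paths are placeholders.
SAMPLE_CFG = """\
global
    ssl-default-bind-options force-tlsv12

frontend horizon-front
    bind 203.0.113.10:443 ssl crt /etc/ssl/private/haproxy.pem
    bind 203.0.113.10:80

frontend legacy-front
    bind 203.0.113.10:8443 ssl crt /etc/ssl/private/haproxy.pem force-tlsv10
"""


def audit_tls_binds(cfg_text):
    """Return (line_no, section, reason) for each ssl bind not held to TLS 1.2+."""
    defaults, section, binds = "", None, []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:
            section = " ".join(words[:2])
        elif section == "global" and words[0] == "ssl-default-bind-options":
            defaults += " " + " ".join(words[1:])
        elif words[0] == "bind" and "ssl" in words[2:]:
            binds.append((no, section, " ".join(words[2:])))
    findings = []
    for no, section, opts in binds:
        effective = f"{defaults} {opts}"   # assumption: defaults apply to every bind
        if PIN_WEAK.search(effective):
            findings.append((no, section, "legacy protocol pinned"))
        elif not PIN_OK.search(effective):
            findings.append((no, section, "no TLS 1.2 minimum"))
    return findings


if __name__ == "__main__":
    for finding in audit_tls_binds(SAMPLE_CFG):
        print(finding)
```

Plain-text binds (no ssl keyword) are skipped, so the port 80 listener in the sample is not reported.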
Bug Fixes
Fixed an inconsistency in haproxy_frontend_raw key naming between the documentation and the service template. Previously, template generation was expecting haproxy_raw instead of haproxy_frontend_raw.
17.0.0.0b3
New Features
HAProxy services that use backend nodes that are not in the Ansible inventory can now be specified manually by setting haproxy_backend_nodes to a list of name and ip_addr settings.
Deployers can set a refresh interval for haproxy’s stats page by setting the haproxy_stats_refresh_interval variable. The default value is 60, which causes haproxy to refresh the stats page every 60 seconds.
17.0.0.0b1
Upgrade Notes
The following variables have been removed from the haproxy_server role as they are no longer necessary or used.
- haproxy_repo
- haproxy_gpg_keys
- haproxy_required_distro_packages
16.0.0.0b2
New Features
The new option haproxy_backend_arguments can be utilized to add arbitrary options to a HAProxy backend like tcp-check or http-check.
16.0.0.0b1
New Features
The haproxy-server role now allows tunable parameters to be set. To do that, set up a dictionary of options in the config files, listing those which have to be changed (defaults for the remaining ones are programmed in the template). The “maxconn” global option has also been made tunable.
Upgrade Notes
The haproxy_bufsize variable has been removed and made a part of the haproxy_tuning_params dictionary.
15.0.0.0b1
Bug Fixes
SSLv3 is now disabled in the haproxy daemon configuration by default.
Setting the haproxy_bind list on a service is now used as an override to the other VIPs defined in the environment. Previously it was being treated as an append to the other VIPs so there was no path to override the VIP binds for a service. For example, haproxy_bind could be used to bind a service to the internal VIP only.
The haproxy daemon is now able to bind to any port on CentOS 7. The haproxy_connect_any SELinux boolean is now set to on.
14.0.0.0b3
Upgrade Notes
The variable haproxy_pre_packages has been renamed to haproxy_required_distro_packages.
The variable haproxy_packages has been renamed to haproxy_distro_packages.