2 files changed, 112 insertions, 0 deletions
diff --git a/roles/openshift_loadbalancer/tasks/firewall.yml b/roles/openshift_loadbalancer/tasks/firewall.yml
new file mode 100644
index 000000000..7d6e8ff36
--- /dev/null
+++ b/roles/openshift_loadbalancer/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_loadbalancer_firewall_enabled | bool and not r_openshift_loadbalancer_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
+
+- when: r_openshift_loadbalancer_firewall_enabled | bool and r_openshift_loadbalancer_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_loadbalancer_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_openshift_loadbalancer_os_firewall_deny }}"
diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml
new file mode 100644
index 000000000..69b061fc5
--- /dev/null
+++ b/roles/openshift_loadbalancer/tasks/main.yml
@@ -0,0 +1,72 @@
+---
+- name: setup firewall
+  include: firewall.yml
+  static: yes
+
+- name: Install haproxy
+  package: name=haproxy state=present
+  when: not openshift.common.is_containerized | bool
+
+- name: Pull haproxy image
+  command: >
+    docker pull {{ openshift.common.router_image }}:{{ openshift_image_tag }}
+  when: openshift.common.is_containerized | bool
+
+- name: Create config directory for haproxy
+  file:
+    path: /etc/haproxy
+    state: directory
+  when: openshift.common.is_containerized | bool
+
+- name: Create the systemd unit files
+  template:
+    src: "haproxy.docker.service.j2"
+    dest: "/etc/systemd/system/haproxy.service"
+  when: openshift.common.is_containerized | bool
+  notify: restart haproxy
+
+- name: Configure systemd service directory for haproxy
+  file:
+    path: /etc/systemd/system/haproxy.service.d
+    state: directory
+  when: not openshift.common.is_containerized | bool
+
+# Work around ini_file create option in 2.2 which defaults to no
+- name: Create limits.conf file
+  file:
+    dest: /etc/systemd/system/haproxy.service.d/limits.conf
+    state: touch
+    mode: 0660
+    owner: root
+    group: root
+  changed_when: false
+  when: not openshift.common.is_containerized | bool
+
+- name: Configure the nofile limits for haproxy
+  ini_file:
+    dest: /etc/systemd/system/haproxy.service.d/limits.conf
+    section: Service
+    option: LimitNOFILE
+    value: "{{ openshift_loadbalancer_limit_nofile | default(100000) }}"
+  notify: restart haproxy
+  when: not openshift.common.is_containerized | bool
+
+- name: Configure haproxy
+  template:
+    src: haproxy.cfg.j2
+    dest: /etc/haproxy/haproxy.cfg
+    owner: root
+    group: root
+    mode: 0644
+  notify: restart haproxy
+
+- name: Enable and start haproxy
+  systemd:
+    name: haproxy
+    state: started
+    enabled: yes
+    daemon_reload: yes
+  register: start_result
+
+- set_fact:
+    haproxy_start_result_changed: "{{ start_result | changed }}"