Speaker,
Red Hatter,
open sourcerer

Building a load balanced Ansible Tower cluster

Load balancing Ansible Tower cluster

As you might know, I do a bit of YouTubing. One video request I got a couple of times, was to do a video about clustering Ansible Tower behind a load balancer.

As I had never done that before myself, it sounded interesting, so I did it.

Video is here:

In the video, I use a playbook that I promised to put up somewhere, so here it is:

---
- name: configure Tower cluster
  hosts: tower
  become: yes
  vars:
    custom_config: |
      BROADCAST_WEBSOCKET_PROTOCOL = 'http'
      BROADCAST_WEBSOCKET_PORT = 80
      USE_X_FORWARDED_PORT = True
      USE_X_FORWARDED_HOST = True
    tower_base_url: http://main.nontoonyt.lan
    proxy_ip_allowed_list:
      - 192.168.122.8
    remote_host_headers:
      - HTTP_X_FORWARDED_FOR
      - REMOTE_ADDR
      - REMOTE_HOST
    tower_username: admin
    tower_password: redhat123

  tasks:
    # https://access.redhat.com/solutions/5228651 and
    # https://docs.ansible.com/ansible-tower/3.8.3/html/installandreference/proxy-support.html
    - name: drop in configuration file for web sockets over port 80
      ansible.builtin.copy:
        content: ""
        dest: /etc/tower/conf.d/custom.py
        mode: 0640
        owner: root
        group: awx
      notify: restart ansible-tower

    - name: configure tower remote host headers
      ansible.tower.tower_settings:
        name: REMOTE_HOST_HEADERS
        value: ""
        tower_host: http://127.0.0.1
        tower_username: ""
        tower_password: ""
      run_once: yes

    - name: configure proxy ip allowed list
      ansible.tower.tower_settings:
        name: PROXY_IP_ALLOWED_LIST
        value: ""
        tower_host: http://127.0.0.1
        tower_username: ""
        tower_password: ""
      run_once: yes

    - name: configure tower base url
      ansible.tower.tower_settings:
        name: TOWER_URL_BASE
        value: ""
        tower_host: http://127.0.0.1
        tower_username: ""
        tower_password: ""
      run_once: yes

  handlers:
    - name: restart ansible-tower
      ansible.builtin.service:
        name: ansible-tower
        state: restarted

Same goes for the haproxy configuration file I use to set this up:

global
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    user        haproxy
    group       haproxy
    daemon
    tune.ssl.default-dh-param 2048

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    option                  redispatch
    option                  contstats
    retries                 3
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    option                  forwardfor

#---------------------------------------------------------------------

listen stats
    bind :9000
    mode http
    option forwardfor       except 127.0.0.0/8
    stats enable
    stats uri /
    stats refresh 3s

frontend tower_fe
    bind *:443 ssl crt /etc/haproxy/haproxy.pem
    default_backend tower_be

backend tower_be
    balance roundrobin
    server tower1_http 192.168.122.161:80 maxconn 100 check weight 6
    server tower2_http 192.168.122.201:80 maxconn 100 check weight 1
    server tower3_http 192.168.122.144:80 maxconn 100 check weight 1
    server tower4_http 192.168.122.80:80  maxconn 100 check weight 1
    server tower5_http 192.168.122.89:80  maxconn 100 check weight 1

If you do this installation, make sure you initiate the Tower installation with:

./setup.sh -e nginx_disable_https=true -- -b

Check out the video if you want to learn more!

Cheers!