diff options
| author |   Jenkins <jenkins@review.openstack.org> | 2017-08-17 16:08:27 +0000 |
|---|---|---|
| committer |   Gerrit Code Review <review@openstack.org> | 2017-08-17 16:08:27 +0000 |
| commit | 7485822e86ecea2834dd5669a88abcc981664a0b (patch) | |
| tree | 86bf20c0ed7033225f7e3538fecd82bbf270d1fe | |
| parent | 37da5edb7b7034c8871872701029c95b55a130de (diff) | |
| parent | 5222b8d920d5b5b2e87004c10808b6bea597720a (diff) | |
Merge "Remove extra keystone admin haproxy listen and allow TLS"
| -rw-r--r-- | manifests/haproxy.pp | 20 | ||||
| -rw-r--r-- | manifests/haproxy/endpoint.pp | 25 |
2 files changed, 27 insertions, 18 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index a3d088a..0933831 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -520,7 +520,6 @@ # 'ironic_inspector_port' (Defaults to 5050) # 'ironic_inspector_ssl_port' (Defaults to 13050) # 'keystone_admin_api_port' (Defaults to 35357) -# 'keystone_admin_api_ssl_port' (Defaults to 13357) # 'keystone_public_api_port' (Defaults to 5000) # 'keystone_public_api_ssl_port' (Defaults to 13000) # 'manila_api_port' (Defaults to 8786) @@ -708,7 +707,6 @@ class tripleo::haproxy ( ironic_inspector_port => 5050, ironic_inspector_ssl_port => 13050, keystone_admin_api_port => 35357, - keystone_admin_api_ssl_port => 13357, keystone_public_api_port => 5000, keystone_public_api_ssl_port => 13000, manila_api_port => 8786, @@ -894,16 +892,14 @@ class tripleo::haproxy ( if $keystone_admin { ::tripleo::haproxy::endpoint { 'keystone_admin': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), - service_port => $ports[keystone_admin_api_port], - ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), - server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), - mode => 'http', - listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), - public_ssl_port => $ports[keystone_admin_api_ssl_port], - service_network => $keystone_admin_network, - member_options => union($haproxy_member_options, $internal_tls_member_options), + internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_admin_api_port], + ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), + server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), + service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp index bc00f2d..4436e19 100644 --- a/manifests/haproxy/endpoint.pp +++ b/manifests/haproxy/endpoint.pp @@ -140,15 +140,28 @@ define tripleo::haproxy::endpoint ( if !$service_network { fail("The service_network for this service is undefined. Can't configure TLS for the internal network.") } - # NOTE(jaosorior): The key of the internal_certificates_specs hash must - # must match the convention haproxy-<network name> or else this - # will fail. Futherly, it must contain the path that we'll use under - # 'service_pem'. - $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + + if $service_network == 'external' and $public_certificate { + # NOTE(jaosorior): This service has been configured to use the external + # network. We should use the public certificate in this case. + $internal_cert_path = $public_certificate + } else { + # NOTE(jaosorior): This service is configured for the internal network. + # We use the certificate spec hash. The key of the + # internal_certificates_specs hash must must match the convention + # haproxy-<network name> or else this will fail. Futherly, it must + # contain the path that we'll use under 'service_pem'. + $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] + } $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path])) } else { - $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + if $service_network == 'external' and $public_certificate { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), + union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) + } else { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + } } $bind_opts = merge($internal_bind_opts, $public_bind_opts) |