summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/haproxy.pp865
-rw-r--r--manifests/haproxy/endpoint.pp120
-rw-r--r--manifests/keepalived.pp144
-rw-r--r--manifests/loadbalancer.pp674
-rw-r--r--manifests/loadbalancer/endpoint.pp45
5 files changed, 1201 insertions, 647 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
new file mode 100644
index 0000000..9d07fa9
--- /dev/null
+++ b/manifests/haproxy.pp
@@ -0,0 +1,865 @@
+# Copyright 2014 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::haproxy
+#
+# Configure HAProxy for TripleO.
+#
+# === Parameters:
+#
+# [*keepalived*]
+# Whether to configure keepalived to manage the VIPs or not.
+# Defaults to true
+#
+# [*haproxy_service_manage*]
+# Will be passed as value for service_manage to HAProxy module.
+# Defaults to true
+#
+# [*haproxy_global_maxconn*]
+# The value to use as maxconn in the HAProxy global config section.
+# Defaults to 20480
+#
+# [*haproxy_default_maxconn*]
+# The value to use as maxconn in the HAProxy default config section.
+# Defaults to 4096
+#
+# [*haproxy_default_timeout*]
+# The value to use as timeout in the HAProxy default config section.
+# Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ]
+#
+# [*haproxy_listen_bind_param*]
+# A list of params to be added to the HAProxy listener bind directive. By
+# default the 'transparent' param is added but it should be cleared if
+# one of the *_virtual_ip addresses is a wildcard, eg. 0.0.0.0
+# Defaults to [ 'transparent' ]
+#
+# [*haproxy_member_options*]
+# The default options to use for the HAProxy balancer members.
+# Defaults to [ 'check', 'inter 2000', 'rise 2', 'fall 5' ]
+#
+# [*haproxy_log_address*]
+# The IPv4, IPv6 or filesystem socket path of the syslog server.
+# Defaults to '/dev/log'
+#
+# [*controller_host*]
+# (Deprecated)Host or group of hosts to load-balance the services
+# Can be a string or an array.
+# Defaults to undef
+#
+# [*controller_hosts*]
+# IPs of host or group of hosts to load-balance the services
+# Can be a string or an array.
+# Defaults to undef
+#
+# [*controller_hosts_names*]
+# Names of host or group of hosts to load-balance the services
+# Can be a string or an array.
+# Defaults to undef
+#
+# [*controller_virtual_ip*]
+# Control IP or group of IPs to bind the pools
+# Can be a string or an array.
+# Defaults to undef
+#
+# [*public_virtual_ip*]
+# Public IP or group of IPs to bind the pools
+# Can be a string or an array.
+# Defaults to undef
+# [*haproxy_stats_user*]
+#
+# Username for haproxy stats authentication.
+# A string.
+# Defaults to 'admin'
+#
+# [*haproxy_stats_password*]
+# Password for haproxy stats authentication. When set, authentication is
+# enabled on the haproxy stats endpoint.
+# A string.
+# Defaults to undef
+#
+# [*service_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the public API endpoints using the specified file.
+# Defaults to undef
+#
+# [*internal_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the internal API endpoints using the specified file.
+# Defaults to undef
+#
+# [*ssl_cipher_suite*]
+# The default string describing the list of cipher algorithms ("cipher suite")
+# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
+# value comes from the Fedora system crypto policy.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
+#
+# [*ssl_options*]
+# String that sets the default ssl options to force on all "bind" lines.
+# Defaults to 'no-sslv3'
+#
+# [*haproxy_stats_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the haproxy stats endpoint using the specified file.
+# Defaults to undef
+#
+# [*keystone_admin*]
+# (optional) Enable or not Keystone Admin API binding
+# Defaults to false
+#
+# [*keystone_public*]
+# (optional) Enable or not Keystone Public API binding
+# Defaults to false
+#
+# [*neutron*]
+# (optional) Enable or not Neutron API binding
+# Defaults to false
+#
+# [*cinder*]
+# (optional) Enable or not Cinder API binding
+# Defaults to false
+#
+# [*manila*]
+# (optional) Enable or not Manila API binding
+# Defaults to false
+#
+# [*sahara*]
+# (optional) Enable or not Sahara API binding
+# defaults to false
+#
+# [*trove*]
+# (optional) Enable or not Trove API binding
+# defaults to false
+#
+# [*glance_api*]
+# (optional) Enable or not Glance API binding
+# Defaults to false
+#
+# [*glance_registry*]
+# (optional) Enable or not Glance registry binding
+# Defaults to false
+#
+# [*nova_osapi*]
+# (optional) Enable or not Nova API binding
+# Defaults to false
+#
+# [*nova_metadata*]
+# (optional) Enable or not Nova metadata binding
+# Defaults to false
+#
+# [*nova_novncproxy*]
+# (optional) Enable or not Nova novncproxy binding
+# Defaults to false
+#
+# [*ceilometer*]
+# (optional) Enable or not Ceilometer API binding
+# Defaults to false
+#
+# [*aodh*]
+# (optional) Enable or not Aodh API binding
+# Defaults to false
+#
+# [*gnocchi*]
+# (optional) Enable or not Gnocchi API binding
+# Defaults to false
+#
+# [*swift_proxy_server*]
+# (optional) Enable or not Swift API binding
+# Defaults to false
+#
+# [*heat_api*]
+# (optional) Enable or not Heat API binding
+# Defaults to false
+#
+# [*heat_cloudwatch*]
+# (optional) Enable or not Heat Cloudwatch API binding
+# Defaults to false
+#
+# [*heat_cfn*]
+# (optional) Enable or not Heat CFN API binding
+# Defaults to false
+#
+# [*horizon*]
+# (optional) Enable or not Horizon dashboard binding
+# Defaults to false
+#
+# [*ironic*]
+# (optional) Enable or not Ironic API binding
+# Defaults to false
+#
+# [*mysql*]
+# (optional) Enable or not MySQL Galera binding
+# Defaults to false
+#
+# [*mysql_clustercheck*]
+# (optional) Enable check via clustercheck for mysql
+# Defaults to false
+#
+# [*rabbitmq*]
+# (optional) Enable or not RabbitMQ binding
+# Defaults to false
+#
+# [*redis*]
+# (optional) Enable or not Redis binding
+# Defaults to false
+#
+# [*redis_password*]
+# (optional) Password for Redis authentication, eventually needed by the
+# specific monitoring we do from HAProxy for Redis
+# Defaults to undef
+#
+# [*midonet_api*]
+# (optional) Enable or not MidoNet API binding
+# Defaults to false
+#
+# [*service_ports*]
+# (optional) Hash that contains the values to override from the service ports
+# The available keys to modify the services' ports are:
+# 'aodh_api_port' (Defaults to 8042)
+# 'aodh_api_ssl_port' (Defaults to 13042)
+# 'ceilometer_api_port' (Defaults to 8777)
+# 'ceilometer_api_ssl_port' (Defaults to 13777)
+# 'cinder_api_port' (Defaults to 8776)
+# 'cinder_api_ssl_port' (Defaults to 13776)
+# 'glance_api_port' (Defaults to 9292)
+# 'glance_api_ssl_port' (Defaults to 13292)
+# 'glance_registry_port' (Defaults to 9191)
+# 'gnocchi_api_port' (Defaults to 8041)
+# 'gnocchi_api_ssl_port' (Defaults to 13041)
+# 'heat_api_port' (Defaults to 8004)
+# 'heat_api_ssl_port' (Defaults to 13004)
+# 'heat_cfn_port' (Defaults to 8000)
+# 'heat_cfn_ssl_port' (Defaults to 13005)
+# 'heat_cw_port' (Defaults to 8003)
+# 'heat_cw_ssl_port' (Defaults to 13003)
+# 'ironic_api_port' (Defaults to 6385)
+# 'ironic_api_ssl_port' (Defaults to 13385)
+# 'keystone_admin_api_port' (Defaults to 35357)
+# 'keystone_admin_api_ssl_port' (Defaults to 13357)
+# 'keystone_public_api_port' (Defaults to 5000)
+# 'keystone_public_api_ssl_port' (Defaults to 13000)
+# 'manila_api_port' (Defaults to 8786)
+# 'manila_api_ssl_port' (Defaults to 13786)
+# 'neutron_api_port' (Defaults to 9696)
+# 'neutron_api_ssl_port' (Defaults to 13696)
+# 'nova_api_port' (Defaults to 8774)
+# 'nova_api_ssl_port' (Defaults to 13774)
+# 'nova_metadata_port' (Defaults to 8775)
+# 'nova_novnc_port' (Defaults to 6080)
+# 'nova_novnc_ssl_port' (Defaults to 13080)
+# 'sahara_api_port' (Defaults to 8386)
+# 'sahara_api_ssl_port' (Defaults to 13386)
+# 'swift_proxy_port' (Defaults to 8080)
+# 'swift_proxy_ssl_port' (Defaults to 13808)
+# 'trove_api_port' (Defaults to 8779)
+# 'trove_api_ssl_port' (Defaults to 13779)
+# Defaults to {}
+#
+class tripleo::haproxy (
+ $controller_virtual_ip,
+ $public_virtual_ip,
+ $keepalived = true,
+ $haproxy_service_manage = true,
+ $haproxy_global_maxconn = 20480,
+ $haproxy_default_maxconn = 4096,
+ $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ],
+ $haproxy_listen_bind_param = [ 'transparent' ],
+ $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
+ $haproxy_log_address = '/dev/log',
+ $haproxy_stats_user = 'admin',
+ $haproxy_stats_password = undef,
+ $controller_host = undef,
+ $controller_hosts = undef,
+ $controller_hosts_names = undef,
+ $service_certificate = undef,
+ $internal_certificate = undef,
+ $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $ssl_options = 'no-sslv3',
+ $haproxy_stats_certificate = undef,
+ $keystone_admin = false,
+ $keystone_public = false,
+ $neutron = false,
+ $cinder = false,
+ $sahara = false,
+ $trove = false,
+ $manila = false,
+ $glance_api = false,
+ $glance_registry = false,
+ $nova_osapi = false,
+ $nova_metadata = false,
+ $nova_novncproxy = false,
+ $ceilometer = false,
+ $aodh = false,
+ $gnocchi = false,
+ $swift_proxy_server = false,
+ $heat_api = false,
+ $heat_cloudwatch = false,
+ $heat_cfn = false,
+ $horizon = false,
+ $ironic = false,
+ $mysql = false,
+ $mysql_clustercheck = false,
+ $rabbitmq = false,
+ $redis = false,
+ $redis_password = undef,
+ $midonet_api = false,
+ $service_ports = {}
+) {
+ $default_service_ports = {
+ aodh_api_port => 8042,
+ aodh_api_ssl_port => 13042,
+ ceilometer_api_port => 8777,
+ ceilometer_api_ssl_port => 13777,
+ cinder_api_port => 8776,
+ cinder_api_ssl_port => 13776,
+ glance_api_port => 9292,
+ glance_api_ssl_port => 13292,
+ glance_registry_port => 9191,
+ gnocchi_api_port => 8041,
+ gnocchi_api_ssl_port => 13041,
+ heat_api_port => 8004,
+ heat_api_ssl_port => 13004,
+ heat_cfn_port => 8000,
+ heat_cfn_ssl_port => 13005,
+ heat_cw_port => 8003,
+ heat_cw_ssl_port => 13003,
+ ironic_api_port => 6385,
+ ironic_api_ssl_port => 13385,
+ keystone_admin_api_port => 35357,
+ keystone_admin_api_ssl_port => 13357,
+ keystone_public_api_port => 5000,
+ keystone_public_api_ssl_port => 13000,
+ manila_api_port => 8786,
+ manila_api_ssl_port => 13786,
+ neutron_api_port => 9696,
+ neutron_api_ssl_port => 13696,
+ nova_api_port => 8774,
+ nova_api_ssl_port => 13774,
+ nova_metadata_port => 8775,
+ nova_novnc_port => 6080,
+ nova_novnc_ssl_port => 13080,
+ sahara_api_port => 8386,
+ sahara_api_ssl_port => 13386,
+ swift_proxy_port => 8080,
+ swift_proxy_ssl_port => 13808,
+ trove_api_port => 8779,
+ trove_api_ssl_port => 13779,
+ }
+ $ports = merge($default_service_ports, $service_ports)
+
+ if !$controller_host and !$controller_hosts {
+ fail('$controller_hosts or $controller_host (now deprecated) is a mandatory parameter')
+ }
+ if $controller_hosts {
+ $controller_hosts_real = any2array($controller_hosts)
+ } else {
+ warning('$controller_host has been deprecated in favor of $controller_hosts')
+ $controller_hosts_real = any2array($controller_host)
+ }
+
+ if !$controller_hosts_names {
+ $controller_hosts_names_real = any2array($controller_hosts_real)
+ } else {
+ $controller_hosts_names_real = any2array($controller_hosts_names)
+ }
+
+ # This code will be removed once we switch undercloud and overcloud to use both haproxy & keepalived roles.
+ if $keepalived {
+ include ::tripleo::keepalived
+ }
+
+ # TODO(bnemec): When we have support for SSL on private and admin endpoints,
+ # have the haproxy stats endpoint use that certificate by default.
+ if $haproxy_stats_certificate {
+ $haproxy_stats_bind_certificate = $haproxy_stats_certificate
+ }
+
+ $horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
+ if $service_certificate {
+ # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
+ # same, the first option takes precedence. Which is the case when network
+ # isolation is not enabled. This is not a problem as both options are
+ # identical. If network isolation is enabled, this works correctly and
+ # will add a TLS binding to both the horizon_vip and the
+ # public_virtual_ip.
+ # Even though for the public_virtual_ip the port 80 is listening, we
+ # redirect to https in the horizon_options below.
+ $horizon_bind_opts = {
+ "${horizon_vip}:80" => $haproxy_listen_bind_param,
+ "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
+ "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
+ "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
+ }
+ $horizon_options = {
+ 'cookie' => 'SERVERID insert indirect nocache',
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+ 'option' => 'forwardfor',
+ }
+ } else {
+ $horizon_bind_opts = {
+ "${horizon_vip}:80" => $haproxy_listen_bind_param,
+ "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
+ }
+ $horizon_options = {
+ 'cookie' => 'SERVERID insert indirect nocache',
+ 'option' => 'forwardfor',
+ }
+ }
+
+ if $haproxy_stats_bind_certificate {
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
+ }
+ } else {
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
+ }
+ }
+
+ $mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
+ $mysql_bind_opts = {
+ "${mysql_vip}:3306" => $haproxy_listen_bind_param,
+ }
+
+ $rabbitmq_vip = hiera('rabbitmq_vip', $controller_virtual_ip)
+ $rabbitmq_bind_opts = {
+ "${rabbitmq_vip}:5672" => $haproxy_listen_bind_param,
+ }
+
+ $redis_vip = hiera('redis_vip', $controller_virtual_ip)
+ $redis_bind_opts = {
+ "${redis_vip}:6379" => $haproxy_listen_bind_param,
+ }
+
+ class { '::haproxy':
+ service_manage => $haproxy_service_manage,
+ global_options => {
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => '',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
+ },
+ defaults_options => {
+ 'mode' => 'tcp',
+ 'log' => 'global',
+ 'retries' => '3',
+ 'timeout' => $haproxy_default_timeout,
+ 'maxconn' => $haproxy_default_maxconn,
+ },
+ }
+
+ Tripleo::Haproxy::Endpoint {
+ haproxy_listen_bind_param => $haproxy_listen_bind_param,
+ member_options => $haproxy_member_options,
+ public_certificate => $service_certificate,
+ internal_certificate => $internal_certificate,
+ }
+
+ $stats_base = ['enable', 'uri /']
+ if $haproxy_stats_password {
+ $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ } else {
+ $stats_config = $stats_base
+ }
+ haproxy::listen { 'haproxy.stats':
+ bind => $haproxy_stats_bind_opts,
+ mode => 'http',
+ options => {
+ 'stats' => $stats_config,
+ },
+ collect_exported => false,
+ }
+
+ if $keystone_admin {
+ ::tripleo::haproxy::endpoint { 'keystone_admin':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_admin_api_port],
+ ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
+ public_ssl_port => $ports[keystone_admin_api_ssl_port],
+ }
+ }
+
+ if $keystone_public {
+ ::tripleo::haproxy::endpoint { 'keystone_public':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_public_api_port],
+ ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
+ public_ssl_port => $ports[keystone_public_api_ssl_port],
+ }
+ }
+
+ if $neutron {
+ ::tripleo::haproxy::endpoint { 'neutron':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('neutron_api_vip', $controller_virtual_ip),
+ service_port => $ports[neutron_api_port],
+ ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[neutron_api_ssl_port],
+ }
+ }
+
+ if $cinder {
+ ::tripleo::haproxy::endpoint { 'cinder':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('cinder_api_vip', $controller_virtual_ip),
+ service_port => $ports[cinder_api_port],
+ ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
+ public_ssl_port => $ports[cinder_api_ssl_port],
+ }
+ }
+
+ if $manila {
+ ::tripleo::haproxy::endpoint { 'manila':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('manila_api_vip', $controller_virtual_ip),
+ service_port => $ports[manila_api_port],
+ ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[manila_api_ssl_port],
+ }
+ }
+
+ if $sahara {
+ ::tripleo::haproxy::endpoint { 'sahara':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('sahara_api_vip', $controller_virtual_ip),
+ service_port => $ports[sahara_api_port],
+ ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[sahara_api_ssl_port],
+ }
+ }
+
+ if $trove {
+ ::tripleo::haproxy::endpoint { 'trove':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('trove_api_vip', $controller_virtual_ip),
+ service_port => $ports[trove_api_port],
+ ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[trove_api_ssl_port],
+ }
+ }
+
+ if $glance_api {
+ ::tripleo::haproxy::endpoint { 'glance_api':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('glance_api_vip', $controller_virtual_ip),
+ service_port => $ports[glance_api_port],
+ ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[glance_api_ssl_port],
+ }
+ }
+
+ if $glance_registry {
+ ::tripleo::haproxy::endpoint { 'glance_registry':
+ internal_ip => hiera('glance_registry_vip', $controller_virtual_ip),
+ service_port => $ports[glance_registry_port],
+ ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ }
+ }
+
+ $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
+ if $nova_osapi {
+ ::tripleo::haproxy::endpoint { 'nova_osapi':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $nova_api_vip,
+ service_port => $ports[nova_api_port],
+ ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
+ public_ssl_port => $ports[nova_api_ssl_port],
+ }
+ }
+
+ if $nova_metadata {
+ ::tripleo::haproxy::endpoint { 'nova_metadata':
+ internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip),
+ service_port => $ports[nova_metadata_port],
+ ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ }
+ }
+
+ if $nova_novncproxy {
+ ::tripleo::haproxy::endpoint { 'nova_novncproxy':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $nova_api_vip,
+ service_port => $ports[nova_novnc_port],
+ ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ listen_options => {
+ 'balance' => 'source',
+ 'timeout' => [ 'tunnel 1h' ],
+ },
+ public_ssl_port => $ports[nova_novnc_ssl_port],
+ }
+ }
+
+ if $ceilometer {
+ ::tripleo::haproxy::endpoint { 'ceilometer':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip),
+ service_port => $ports[ceilometer_api_port],
+ ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[ceilometer_api_ssl_port],
+ }
+ }
+
+ if $aodh {
+ ::tripleo::haproxy::endpoint { 'aodh':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('aodh_api_vip', $controller_virtual_ip),
+ service_port => $ports[aodh_api_port],
+ ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[aodh_api_ssl_port],
+ }
+ }
+
+ if $gnocchi {
+ ::tripleo::haproxy::endpoint { 'gnocchi':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip),
+ service_port => $ports[gnocchi_api_port],
+ ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[gnocchi_api_ssl_port],
+ }
+ }
+
+ if $swift_proxy_server {
+ ::tripleo::haproxy::endpoint { 'swift_proxy_server':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip),
+ service_port => $ports[swift_proxy_port],
+ ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[swift_proxy_ssl_port],
+ }
+ }
+
+ $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
+ $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
+ $heat_base_options = {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
+ if $service_certificate {
+ $heat_ssl_options = {
+ 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
+ }
+ $heat_options = merge($heat_base_options, $heat_ssl_options)
+ } else {
+ $heat_options = $heat_base_options
+ }
+
+ if $heat_api {
+ ::tripleo::haproxy::endpoint { 'heat_api':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $heat_api_vip,
+ service_port => $ports[heat_api_port],
+ ip_addresses => $heat_ip_addresses,
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => $heat_options,
+ public_ssl_port => $ports[heat_api_ssl_port],
+ }
+ }
+
+ if $heat_cloudwatch {
+ ::tripleo::haproxy::endpoint { 'heat_cloudwatch':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $heat_api_vip,
+ service_port => $ports[heat_cw_port],
+ ip_addresses => $heat_ip_addresses,
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => $heat_options,
+ public_ssl_port => $ports[heat_cw_ssl_port],
+ }
+ }
+
+ if $heat_cfn {
+ ::tripleo::haproxy::endpoint { 'heat_cfn':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $heat_api_vip,
+ service_port => $ports[heat_cfn_port],
+ ip_addresses => $heat_ip_addresses,
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => $heat_options,
+ public_ssl_port => $ports[heat_cfn_ssl_port],
+ }
+ }
+
+ if $horizon {
+ haproxy::listen { 'horizon':
+ bind => $horizon_bind_opts,
+ options => $horizon_options,
+ mode => 'http',
+ collect_exported => false,
+ }
+ haproxy::balancermember { 'horizon':
+ listening_service => 'horizon',
+ ports => '80',
+ ipaddresses => hiera('horizon_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ options => union($haproxy_member_options, ["cookie ${::hostname}"]),
+ }
+ }
+
+ if $ironic {
+ ::tripleo::haproxy::endpoint { 'ironic':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('ironic_api_vip', $controller_virtual_ip),
+ service_port => $ports[ironic_api_port],
+ ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[ironic_api_ssl_port],
+ }
+ }
+
+ if $mysql_clustercheck {
+ $mysql_listen_options = {
+ 'option' => [ 'tcpka', 'httpchk' ],
+ 'timeout client' => '90m',
+ 'timeout server' => '90m',
+ 'stick-table' => 'type ip size 1000',
+ 'stick' => 'on dst',
+ }
+ $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions'])
+ } else {
+ $mysql_listen_options = {
+ 'timeout client' => '90m',
+ 'timeout server' => '90m',
+ }
+ $mysql_member_options = union($haproxy_member_options, ['backup'])
+ }
+
+ if $mysql {
+ haproxy::listen { 'mysql':
+ bind => $mysql_bind_opts,
+ options => $mysql_listen_options,
+ collect_exported => false,
+ }
+ haproxy::balancermember { 'mysql-backup':
+ listening_service => 'mysql',
+ ports => '3306',
+ ipaddresses => hiera('mysql_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ options => $mysql_member_options,
+ }
+ }
+
+ if $rabbitmq {
+ haproxy::listen { 'rabbitmq':
+ bind => $rabbitmq_bind_opts,
+ options => {
+ 'option' => [ 'tcpka' ],
+ 'timeout' => [ 'client 0', 'server 0' ],
+ },
+ collect_exported => false,
+ }
+ haproxy::balancermember { 'rabbitmq':
+ listening_service => 'rabbitmq',
+ ports => '5672',
+ ipaddresses => hiera('rabbitmq_network', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ options => $haproxy_member_options,
+ }
+ }
+
+ if $redis {
+ if $redis_password {
+ $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
+ } else {
+ $redis_tcp_check_options = []
+ }
+ haproxy::listen { 'redis':
+ bind => $redis_bind_opts,
+ options => {
+ 'balance' => 'first',
+ 'option' => ['tcp-check',],
+ 'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']),
+ },
+ collect_exported => false,
+ }
+ haproxy::balancermember { 'redis':
+ listening_service => 'redis',
+ ports => '6379',
+ ipaddresses => hiera('redis_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ options => $haproxy_member_options,
+ }
+ }
+
+ $midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip)
+ $midonet_bind_opts = {
+ "${midonet_api_vip}:8081" => [],
+ "${public_virtual_ip}:8081" => [],
+ }
+
+ if $midonet_api {
+ haproxy::listen { 'midonet_api':
+ bind => $midonet_bind_opts,
+ collect_exported => false,
+ }
+ haproxy::balancermember { 'midonet_api':
+ listening_service => 'midonet_api',
+ ports => '8081',
+ ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ options => $haproxy_member_options,
+ }
+ }
+}
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
new file mode 100644
index 0000000..94bfcff
--- /dev/null
+++ b/manifests/haproxy/endpoint.pp
@@ -0,0 +1,120 @@
+# Copyright 2014 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::haproxy::endpoint
+#
+# Configure a HAProxy listen endpoint
+#
+# [*internal_ip*]
+# The IP in which the proxy endpoint will be listening in the internal
+# network.
+#
+# [*service_port*]
+# The default port on which the endpoint will be listening.
+#
+# [*ip_addresses*]
+# The ordered list of IPs to be used to contact the balancer member.
+#
+# [*server_names*]
+# The names of the balancer members, which usually should be the hostname.
+#
+# [*member_options*]
+# Options for the balancer member, specified after the server declaration.
+# These should go in the member's configuration block.
+#
+# [*public_virtual_ip*]
+# Address in which the proxy endpoint will be listening in the public network.
+# If this service is internal only this should be ommited.
+# Defaults to undef.
+#
+# [*mode*]
+# HAProxy mode in which the endpoint will be listening. This can be undef,
+# tcp, http or health.
+# Defaults to undef.
+#
+# [*haproxy_listen_bind_param*]
+# A list of params to be added to the HAProxy listener bind directive.
+# Defaults to undef.
+#
+# [*listen_options*]
+# Options specified for the listening service's configuration block (in
+# HAproxy terms, the frontend).
+# defaults to {'option' => []}
+#
+# [*public_ssl_port*]
+# The port used for the public proxy endpoint if it differs from the default
+# one. This is used only if SSL is enabled, and it's used in order to avoid
+# overriding with the internal proxy endpoint (which could happen if they were
+# in the same network).
+# Defaults to undef.
+#
+# [*public_certificate*]
+# Certificate path used to enable TLS for the public proxy endpoint.
+# Defaults to undef.
+#
+# [*internal_certificate*]
+# Certificate path used to enable TLS for the internal proxy endpoint.
+# Defaults to undef.
+#
+define tripleo::haproxy::endpoint (
+ $internal_ip,
+ $service_port,
+ $ip_addresses,
+ $server_names,
+ $member_options,
+ $public_virtual_ip = undef,
+ $mode = undef,
+ $haproxy_listen_bind_param = undef,
+ $listen_options = {
+ 'option' => [],
+ },
+ $public_ssl_port = undef,
+ $public_certificate = undef,
+ $internal_certificate = undef,
+) {
+ if $public_virtual_ip {
+ # service exposed to the public network
+
+ if $public_certificate {
+ $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+ } else {
+ $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ }
+ } else {
+ # internal service only
+ $public_bind_opts = {}
+ }
+
+ if $internal_certificate {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+ } else {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ }
+ $bind_opts = merge($internal_bind_opts, $public_bind_opts)
+
+ haproxy::listen { "${name}":
+ bind => $bind_opts,
+ collect_exported => false,
+ mode => $mode,
+ options => $listen_options,
+ }
+ haproxy::balancermember { "${name}":
+ listening_service => $name,
+ ports => $service_port,
+ ipaddresses => $ip_addresses,
+ server_names => $server_names,
+ options => $member_options,
+ }
+}
diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp
new file mode 100644
index 0000000..45d772e
--- /dev/null
+++ b/manifests/keepalived.pp
@@ -0,0 +1,144 @@
+# Copyright 2014 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::keepalived
+#
+# Configure keepalived for TripleO.
+#
+# === Parameters:
+#
+# [*controller_virtual_ip*]
+# Control IP or group of IPs to bind the pools
+# Can be a string or an array.
+# Defaults to undef
+#
+# [*control_virtual_interface*]
+# Interface to bind the control VIP
+# Can be a string or an array.
+# Defaults to undef
+#
+# [*public_virtual_interface*]
+# Interface to bind the public VIP
+# Can be a string or an array.
+# Defaults to undef
+#
+# [*public_virtual_ip*]
+# Public IP or group of IPs to bind the pools
+# Can be a string or an array.
+# Defaults to undef
+#
+# [*internal_api_virtual_ip*]
+# Virtual IP on the internal API network.
+# A string.
+# Defaults to false
+#
+# [*storage_virtual_ip*]
+# Virtual IP on the storage network.
+# A string.
+# Defaults to false
+#
+# [*storage_mgmt_virtual_ip*]
+# Virtual IP on the storage mgmt network.
+# A string.
+# Defaults to false
+#
+class tripleo::keepalived (
+ $controller_virtual_ip,
+ $control_virtual_interface,
+ $public_virtual_interface,
+ $public_virtual_ip,
+ $internal_api_virtual_ip = false,
+ $storage_virtual_ip = false,
+ $storage_mgmt_virtual_ip = false,
+) {
+
+ case $::osfamily {
+ 'RedHat': {
+ $keepalived_name_is_process = false
+ $keepalived_vrrp_script = 'systemctl status haproxy.service'
+ } # RedHat
+ 'Debian': {
+ $keepalived_name_is_process = true
+ $keepalived_vrrp_script = undef
+ }
+ default: {
+ warning('Please configure keepalived defaults in tripleo::keepalived.')
+ $keepalived_name_is_process = undef
+ $keepalived_vrrp_script = undef
+ }
+ }
+
+ class { '::keepalived': }
+ keepalived::vrrp_script { 'haproxy':
+ name_is_process => $keepalived_name_is_process,
+ script => $keepalived_vrrp_script,
+ }
+
+ # KEEPALIVE INSTANCE CONTROL
+ keepalived::instance { '51':
+ interface => $control_virtual_interface,
+ virtual_ips => [join([$controller_virtual_ip, ' dev ', $control_virtual_interface])],
+ state => 'MASTER',
+ track_script => ['haproxy'],
+ priority => 101,
+ }
+
+ # KEEPALIVE INSTANCE PUBLIC
+ keepalived::instance { '52':
+ interface => $public_virtual_interface,
+ virtual_ips => [join([$public_virtual_ip, ' dev ', $public_virtual_interface])],
+ state => 'MASTER',
+ track_script => ['haproxy'],
+ priority => 101,
+ }
+
+
+ if $internal_api_virtual_ip and $internal_api_virtual_ip != $controller_virtual_ip {
+ $internal_api_virtual_interface = interface_for_ip($internal_api_virtual_ip)
+ # KEEPALIVE INTERNAL API NETWORK
+ keepalived::instance { '53':
+ interface => $internal_api_virtual_interface,
+ virtual_ips => [join([$internal_api_virtual_ip, ' dev ', $internal_api_virtual_interface])],
+ state => 'MASTER',
+ track_script => ['haproxy'],
+ priority => 101,
+ }
+ }
+
+ if $storage_virtual_ip and $storage_virtual_ip != $controller_virtual_ip {
+ $storage_virtual_interface = interface_for_ip($storage_virtual_ip)
+ # KEEPALIVE STORAGE NETWORK
+ keepalived::instance { '54':
+ interface => $storage_virtual_interface,
+ virtual_ips => [join([$storage_virtual_ip, ' dev ', $storage_virtual_interface])],
+ state => 'MASTER',
+ track_script => ['haproxy'],
+ priority => 101,
+ }
+ }
+
+ if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $controller_virtual_ip {
+ $storage_mgmt_virtual_interface = interface_for_ip($storage_mgmt_virtual_ip)
+ # KEEPALIVE STORAGE MANAGEMENT NETWORK
+ keepalived::instance { '55':
+ interface => $storage_mgmt_virtual_interface,
+ virtual_ips => [join([$storage_mgmt_virtual_ip, ' dev ', $storage_mgmt_virtual_interface])],
+ state => 'MASTER',
+ track_script => ['haproxy'],
+ priority => 101,
+ }
+ }
+
+}
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index ebac621..c75e36a 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -346,625 +346,69 @@ class tripleo::loadbalancer (
$midonet_api = false,
$service_ports = {}
) {
- $default_service_ports = {
- aodh_api_port => 8042,
- aodh_api_ssl_port => 13042,
- ceilometer_api_port => 8777,
- ceilometer_api_ssl_port => 13777,
- cinder_api_port => 8776,
- cinder_api_ssl_port => 13776,
- glance_api_port => 9292,
- glance_api_ssl_port => 13292,
- glance_registry_port => 9191,
- gnocchi_api_port => 8041,
- gnocchi_api_ssl_port => 13041,
- heat_api_port => 8004,
- heat_api_ssl_port => 13004,
- heat_cfn_port => 8000,
- heat_cfn_ssl_port => 13005,
- heat_cw_port => 8003,
- heat_cw_ssl_port => 13003,
- ironic_api_port => 6385,
- ironic_api_ssl_port => 13385,
- keystone_admin_api_port => 35357,
- keystone_admin_api_ssl_port => 13357,
- keystone_public_api_port => 5000,
- keystone_public_api_ssl_port => 13000,
- manila_api_port => 8786,
- manila_api_ssl_port => 13786,
- neutron_api_port => 9696,
- neutron_api_ssl_port => 13696,
- nova_api_port => 8774,
- nova_api_ssl_port => 13774,
- nova_metadata_port => 8775,
- nova_novnc_port => 6080,
- nova_novnc_ssl_port => 13080,
- sahara_api_port => 8386,
- sahara_api_ssl_port => 13386,
- swift_proxy_port => 8080,
- swift_proxy_ssl_port => 13808,
- trove_api_port => 8779,
- trove_api_ssl_port => 13779,
- }
- $ports = merge($default_service_ports, $service_ports)
-
- if !$controller_host and !$controller_hosts {
- fail('$controller_hosts or $controller_host (now deprecated) is a mandatory parameter')
- }
- if $controller_hosts {
- $controller_hosts_real = any2array($controller_hosts)
- } else {
- warning('$controller_host has been deprecated in favor of $controller_hosts')
- $controller_hosts_real = any2array($controller_host)
- }
-
- if !$controller_hosts_names {
- $controller_hosts_names_real = any2array($controller_hosts_real)
- } else {
- $controller_hosts_names_real = any2array($controller_hosts_names)
- }
-
- if $manage_vip {
- case $::osfamily {
- 'RedHat': {
- $keepalived_name_is_process = false
- $keepalived_vrrp_script = 'systemctl status haproxy.service'
- } # RedHat
- 'Debian': {
- $keepalived_name_is_process = true
- $keepalived_vrrp_script = undef
- }
- default: {
- warning('Please configure keepalived defaults in tripleo::loadbalancer.')
- $keepalived_name_is_process = undef
- $keepalived_vrrp_script = undef
- }
- }
-
- class { '::keepalived': }
- keepalived::vrrp_script { 'haproxy':
- name_is_process => $keepalived_name_is_process,
- script => $keepalived_vrrp_script,
- }
-
- # KEEPALIVE INSTANCE CONTROL
- keepalived::instance { '51':
- interface => $control_virtual_interface,
- virtual_ips => [join([$controller_virtual_ip, ' dev ', $control_virtual_interface])],
- state => 'MASTER',
- track_script => ['haproxy'],
- priority => 101,
- }
-
- # KEEPALIVE INSTANCE PUBLIC
- keepalived::instance { '52':
- interface => $public_virtual_interface,
- virtual_ips => [join([$public_virtual_ip, ' dev ', $public_virtual_interface])],
- state => 'MASTER',
- track_script => ['haproxy'],
- priority => 101,
- }
-
-
- if $internal_api_virtual_ip and $internal_api_virtual_ip != $controller_virtual_ip {
- $internal_api_virtual_interface = interface_for_ip($internal_api_virtual_ip)
- # KEEPALIVE INTERNAL API NETWORK
- keepalived::instance { '53':
- interface => $internal_api_virtual_interface,
- virtual_ips => [join([$internal_api_virtual_ip, ' dev ', $internal_api_virtual_interface])],
- state => 'MASTER',
- track_script => ['haproxy'],
- priority => 101,
- }
- }
-
- if $storage_virtual_ip and $storage_virtual_ip != $controller_virtual_ip {
- $storage_virtual_interface = interface_for_ip($storage_virtual_ip)
- # KEEPALIVE STORAGE NETWORK
- keepalived::instance { '54':
- interface => $storage_virtual_interface,
- virtual_ips => [join([$storage_virtual_ip, ' dev ', $storage_virtual_interface])],
- state => 'MASTER',
- track_script => ['haproxy'],
- priority => 101,
- }
- }
-
- if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $controller_virtual_ip {
- $storage_mgmt_virtual_interface = interface_for_ip($storage_mgmt_virtual_ip)
- # KEEPALIVE STORAGE MANAGEMENT NETWORK
- keepalived::instance { '55':
- interface => $storage_mgmt_virtual_interface,
- virtual_ips => [join([$storage_mgmt_virtual_ip, ' dev ', $storage_mgmt_virtual_interface])],
- state => 'MASTER',
- track_script => ['haproxy'],
- priority => 101,
- }
- }
-
- }
-
- # TODO(bnemec): When we have support for SSL on private and admin endpoints,
- # have the haproxy stats endpoint use that certificate by default.
- if $haproxy_stats_certificate {
- $haproxy_stats_bind_certificate = $haproxy_stats_certificate
- }
-
- $horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
- if $service_certificate {
- # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
- # same, the first option takes precedence. Which is the case when network
- # isolation is not enabled. This is not a problem as both options are
- # identical. If network isolation is enabled, this works correctly and
- # will add a TLS binding to both the horizon_vip and the
- # public_virtual_ip.
- # Even though for the public_virtual_ip the port 80 is listening, we
- # redirect to https in the horizon_options below.
- $horizon_bind_opts = {
- "${horizon_vip}:80" => $haproxy_listen_bind_param,
- "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- $horizon_options = {
- 'cookie' => 'SERVERID insert indirect nocache',
- 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
- # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
- 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
- }
- } else {
- $horizon_bind_opts = {
- "${horizon_vip}:80" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
- }
- $horizon_options = {
- 'cookie' => 'SERVERID insert indirect nocache',
- 'option' => 'forwardfor',
- }
- }
-
- if $haproxy_stats_bind_certificate {
- $haproxy_stats_bind_opts = {
- "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
- }
- } else {
- $haproxy_stats_bind_opts = {
- "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
- }
- }
-
- $mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
- $mysql_bind_opts = {
- "${mysql_vip}:3306" => $haproxy_listen_bind_param,
- }
-
- $rabbitmq_vip = hiera('rabbitmq_vip', $controller_virtual_ip)
- $rabbitmq_bind_opts = {
- "${rabbitmq_vip}:5672" => $haproxy_listen_bind_param,
- }
-
- $redis_vip = hiera('redis_vip', $controller_virtual_ip)
- $redis_bind_opts = {
- "${redis_vip}:6379" => $haproxy_listen_bind_param,
- }
-
- class { '::haproxy':
- service_manage => $haproxy_service_manage,
- global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
- 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
- 'ssl-default-bind-options' => $ssl_options,
- },
- defaults_options => {
- 'mode' => 'tcp',
- 'log' => 'global',
- 'retries' => '3',
- 'timeout' => $haproxy_default_timeout,
- 'maxconn' => $haproxy_default_maxconn,
- },
- }
-
- Tripleo::Loadbalancer::Endpoint {
+ warning('This class is going to be dropped during Newton cycle, replaced by tripleo::haproxy and tripleo::keepalived.')
+ class { '::tripleo::haproxy':
+ controller_virtual_ip => $controller_virtual_ip,
+ public_virtual_ip => $public_virtual_ip,
+ # Force to false because we already declare ::tripleo::keepalived later in this manifest to kep
+ # old hieradata binding.
+ keepalived => false,
+ haproxy_service_manage => $haproxy_service_manage,
+ haproxy_global_maxconn => $haproxy_global_maxconn,
+ haproxy_default_maxconn => $haproxy_default_maxconn,
+ haproxy_default_timeout => $haproxy_default_timeout,
haproxy_listen_bind_param => $haproxy_listen_bind_param,
- member_options => $haproxy_member_options,
- public_certificate => $service_certificate,
+ haproxy_member_options => $haproxy_member_options,
+ haproxy_log_address => $haproxy_log_address,
+ haproxy_stats_user => $haproxy_stats_user,
+ haproxy_stats_password => $haproxy_stats_password,
+ controller_host => $controller_host,
+ controller_hosts => $controller_hosts,
+ controller_hosts_names => $controller_hosts_names,
+ service_certificate => $service_certificate,
internal_certificate => $internal_certificate,
+ ssl_cipher_suite => $ssl_cipher_suite,
+ ssl_options => $ssl_options,
+ haproxy_stats_certificate => $haproxy_stats_certificate,
+ keystone_admin => $keystone_admin,
+ keystone_public => $keystone_public,
+ neutron => $neutron,
+ cinder => $cinder,
+ sahara => $sahara,
+ trove => $trove,
+ manila => $manila,
+ glance_api => $glance_api,
+ glance_registry => $glance_registry,
+ nova_osapi => $nova_osapi,
+ nova_metadata => $nova_metadata,
+ nova_novncproxy => $nova_novncproxy,
+ ceilometer => $ceilometer,
+ aodh => $aodh,
+ gnocchi => $gnocchi,
+ swift_proxy_server => $swift_proxy_server,
+ heat_api => $heat_api,
+ heat_cloudwatch => $heat_cloudwatch,
+ heat_cfn => $heat_cfn,
+ horizon => $horizon,
+ ironic => $ironic,
+ mysql => $mysql,
+ mysql_clustercheck => $mysql_clustercheck,
+ rabbitmq => $rabbitmq,
+ redis => $redis,
+ redis_password => $redis_password,
+ midonet_api => $midonet_api,
+ service_ports => $service_ports,
}
- $stats_base = ['enable', 'uri /']
- if $haproxy_stats_password {
- $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
- } else {
- $stats_config = $stats_base
- }
- haproxy::listen { 'haproxy.stats':
- bind => $haproxy_stats_bind_opts,
- mode => 'http',
- options => {
- 'stats' => $stats_config,
- },
- collect_exported => false,
- }
-
- if $keystone_admin {
- ::tripleo::loadbalancer::endpoint { 'keystone_admin':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
- service_port => $ports[keystone_admin_api_port],
- ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
- public_ssl_port => $ports[keystone_admin_api_ssl_port],
- }
- }
-
- if $keystone_public {
- ::tripleo::loadbalancer::endpoint { 'keystone_public':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip),
- service_port => $ports[keystone_public_api_port],
- ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
- public_ssl_port => $ports[keystone_public_api_ssl_port],
- }
- }
-
- if $neutron {
- ::tripleo::loadbalancer::endpoint { 'neutron':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('neutron_api_vip', $controller_virtual_ip),
- service_port => $ports[neutron_api_port],
- ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[neutron_api_ssl_port],
- }
- }
-
- if $cinder {
- ::tripleo::loadbalancer::endpoint { 'cinder':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('cinder_api_vip', $controller_virtual_ip),
- service_port => $ports[cinder_api_port],
- ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
- public_ssl_port => $ports[cinder_api_ssl_port],
- }
- }
-
- if $manila {
- ::tripleo::loadbalancer::endpoint { 'manila':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('manila_api_vip', $controller_virtual_ip),
- service_port => $ports[manila_api_port],
- ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[manila_api_ssl_port],
- }
- }
-
- if $sahara {
- ::tripleo::loadbalancer::endpoint { 'sahara':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('sahara_api_vip', $controller_virtual_ip),
- service_port => $ports[sahara_api_port],
- ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[sahara_api_ssl_port],
- }
- }
-
- if $trove {
- ::tripleo::loadbalancer::endpoint { 'trove':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('trove_api_vip', $controller_virtual_ip),
- service_port => $ports[trove_api_port],
- ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[trove_api_ssl_port],
- }
- }
-
- if $glance_api {
- ::tripleo::loadbalancer::endpoint { 'glance_api':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('glance_api_vip', $controller_virtual_ip),
- service_port => $ports[glance_api_port],
- ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[glance_api_ssl_port],
- }
- }
-
- if $glance_registry {
- ::tripleo::loadbalancer::endpoint { 'glance_registry':
- internal_ip => hiera('glance_registry_vip', $controller_virtual_ip),
- service_port => $ports[glance_registry_port],
- ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- }
- }
-
- $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
- if $nova_osapi {
- ::tripleo::loadbalancer::endpoint { 'nova_osapi':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => $nova_api_vip,
- service_port => $ports[nova_api_port],
- ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
- public_ssl_port => $ports[nova_api_ssl_port],
- }
- }
-
- if $nova_metadata {
- ::tripleo::loadbalancer::endpoint { 'nova_metadata':
- internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip),
- service_port => $ports[nova_metadata_port],
- ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- }
- }
-
- if $nova_novncproxy {
- ::tripleo::loadbalancer::endpoint { 'nova_novncproxy':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => $nova_api_vip,
- service_port => $ports[nova_novnc_port],
- ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- listen_options => {
- 'balance' => 'source',
- 'timeout' => [ 'tunnel 1h' ],
- },
- public_ssl_port => $ports[nova_novnc_ssl_port],
- }
- }
-
- if $ceilometer {
- ::tripleo::loadbalancer::endpoint { 'ceilometer':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip),
- service_port => $ports[ceilometer_api_port],
- ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[ceilometer_api_ssl_port],
- }
- }
-
- if $aodh {
- ::tripleo::loadbalancer::endpoint { 'aodh':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('aodh_api_vip', $controller_virtual_ip),
- service_port => $ports[aodh_api_port],
- ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[aodh_api_ssl_port],
- }
- }
-
- if $gnocchi {
- ::tripleo::loadbalancer::endpoint { 'gnocchi':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip),
- service_port => $ports[gnocchi_api_port],
- ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[gnocchi_api_ssl_port],
- }
- }
-
- if $swift_proxy_server {
- ::tripleo::loadbalancer::endpoint { 'swift_proxy_server':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip),
- service_port => $ports[swift_proxy_port],
- ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[swift_proxy_ssl_port],
- }
- }
-
- $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
- $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
- $heat_base_options = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
- if $service_certificate {
- $heat_ssl_options = {
- 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
- }
- $heat_options = merge($heat_base_options, $heat_ssl_options)
- } else {
- $heat_options = $heat_base_options
- }
-
- if $heat_api {
- ::tripleo::loadbalancer::endpoint { 'heat_api':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => $heat_api_vip,
- service_port => $ports[heat_api_port],
- ip_addresses => $heat_ip_addresses,
- server_names => $controller_hosts_names_real,
- mode => 'http',
- listen_options => $heat_options,
- public_ssl_port => $ports[heat_api_ssl_port],
- }
- }
-
- if $heat_cloudwatch {
- ::tripleo::loadbalancer::endpoint { 'heat_cloudwatch':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => $heat_api_vip,
- service_port => $ports[heat_cw_port],
- ip_addresses => $heat_ip_addresses,
- server_names => $controller_hosts_names_real,
- mode => 'http',
- listen_options => $heat_options,
- public_ssl_port => $ports[heat_cw_ssl_port],
- }
- }
-
- if $heat_cfn {
- ::tripleo::loadbalancer::endpoint { 'heat_cfn':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => $heat_api_vip,
- service_port => $ports[heat_cfn_port],
- ip_addresses => $heat_ip_addresses,
- server_names => $controller_hosts_names_real,
- mode => 'http',
- listen_options => $heat_options,
- public_ssl_port => $ports[heat_cfn_ssl_port],
- }
- }
-
- if $horizon {
- haproxy::listen { 'horizon':
- bind => $horizon_bind_opts,
- options => $horizon_options,
- mode => 'http',
- collect_exported => false,
- }
- haproxy::balancermember { 'horizon':
- listening_service => 'horizon',
- ports => '80',
- ipaddresses => hiera('horizon_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => union($haproxy_member_options, ["cookie ${::hostname}"]),
- }
- }
-
- if $ironic {
- ::tripleo::loadbalancer::endpoint { 'ironic':
- public_virtual_ip => $public_virtual_ip,
- internal_ip => hiera('ironic_api_vip', $controller_virtual_ip),
- service_port => $ports[ironic_api_port],
- ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- public_ssl_port => $ports[ironic_api_ssl_port],
- }
- }
-
- if $mysql_clustercheck {
- $mysql_listen_options = {
- 'option' => [ 'tcpka', 'httpchk' ],
- 'timeout client' => '90m',
- 'timeout server' => '90m',
- 'stick-table' => 'type ip size 1000',
- 'stick' => 'on dst',
- }
- $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions'])
- } else {
- $mysql_listen_options = {
- 'timeout client' => '90m',
- 'timeout server' => '90m',
- }
- $mysql_member_options = union($haproxy_member_options, ['backup'])
- }
-
- if $mysql {
- haproxy::listen { 'mysql':
- bind => $mysql_bind_opts,
- options => $mysql_listen_options,
- collect_exported => false,
- }
- haproxy::balancermember { 'mysql-backup':
- listening_service => 'mysql',
- ports => '3306',
- ipaddresses => hiera('mysql_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $mysql_member_options,
- }
- }
-
- if $rabbitmq {
- haproxy::listen { 'rabbitmq':
- bind => $rabbitmq_bind_opts,
- options => {
- 'option' => [ 'tcpka' ],
- 'timeout' => [ 'client 0', 'server 0' ],
- },
- collect_exported => false,
- }
- haproxy::balancermember { 'rabbitmq':
- listening_service => 'rabbitmq',
- ports => '5672',
- ipaddresses => hiera('rabbitmq_network', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
- }
- }
-
- if $redis {
- if $redis_password {
- $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
- } else {
- $redis_tcp_check_options = []
- }
- haproxy::listen { 'redis':
- bind => $redis_bind_opts,
- options => {
- 'balance' => 'first',
- 'option' => ['tcp-check',],
- 'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']),
- },
- collect_exported => false,
- }
- haproxy::balancermember { 'redis':
- listening_service => 'redis',
- ports => '6379',
- ipaddresses => hiera('redis_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
- }
- }
-
- $midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip)
- $midonet_bind_opts = {
- "${midonet_api_vip}:8081" => [],
- "${public_virtual_ip}:8081" => [],
- }
-
- if $midonet_api {
- haproxy::listen { 'midonet_api':
- bind => $midonet_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'midonet_api':
- listening_service => 'midonet_api',
- ports => '8081',
- ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ if $manage_vip {
+ class { '::tripleo::keepalived':
+ controller_virtual_ip => $controller_virtual_ip,
+ control_virtual_interface => $public_virtual_interface,
+ public_virtual_interface => $public_virtual_interface,
+ public_virtual_ip => $public_virtual_ip,
+ internal_api_virtual_ip => $internal_api_virtual_ip,
+ storage_virtual_ip => $storage_virtual_ip,
+ storage_mgmt_virtual_ip => $storage_mgmt_virtual_ip,
}
}
}
diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp
index f75f79a..add6689 100644
--- a/manifests/loadbalancer/endpoint.pp
+++ b/manifests/loadbalancer/endpoint.pp
@@ -84,37 +84,18 @@ define tripleo::loadbalancer::endpoint (
$public_certificate = undef,
$internal_certificate = undef,
) {
- if $public_virtual_ip {
- # service exposed to the public network
-
- if $public_certificate {
- $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
- } else {
- $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
- }
- } else {
- # internal service only
- $public_bind_opts = {}
- }
-
- if $internal_certificate {
- $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
- } else {
- $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
- }
- $bind_opts = merge($internal_bind_opts, $public_bind_opts)
-
- haproxy::listen { "${name}":
- bind => $bind_opts,
- collect_exported => false,
- mode => $mode,
- options => $listen_options,
- }
- haproxy::balancermember { "${name}":
- listening_service => $name,
- ports => $service_port,
- ipaddresses => $ip_addresses,
- server_names => $server_names,
- options => $member_options,
+ ::tripleo::haproxy::endpoint { $name:
+ internal_ip => $internal_ip,
+ service_port => $service_port,
+ ip_addresses => $ip_addresses,
+ server_names => $server_names,
+ member_options => $member_options,
+ public_virtual_ip => $public_virtual_ip,
+ mode => $mode,
+ haproxy_listen_bind_param => $haproxy_listen_bind_param,
+ listen_options => $listen_options,
+ public_ssl_port => $public_ssl_port,
+ public_certificate => $public_certificate,
+ internal_certificate => $internal_certificate
}
}