-rw-r--r--manifests/loadbalancer.pp249
1 files changed, 42 insertions, 207 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 272781b..0025025 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -117,7 +117,6 @@
# [*service_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the public API endpoints using the specified file.
-# Any service-specific certificates take precedence over this one.
# Defaults to undef
#
# [*ssl_cipher_suite*]
@@ -130,80 +129,6 @@
# String that sets the default ssl options to force on all "bind" lines.
# Defaults to 'no-sslv3'
#
-# [*keystone_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Keystone public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*neutron_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Neutron public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*cinder_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Cinder public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*manila_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Manila public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*glance_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Glance public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*nova_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Nova public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*ceilometer_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Ceilometer public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*aodh_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Aodh public API endpoint using the specified file.
-#
-# [*sahara_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Sahara public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*trove_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Trove public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*gnocchi_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Gnocchi public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*swift_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Swift public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*heat_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Heat public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*horizon_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Horizon public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*ironic_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Ironic public API endpoint using the specified file.
-# Defaults to undef
-#
# [*haproxy_stats_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the haproxy stats endpoint using the specified file.
@@ -391,21 +316,6 @@ class tripleo::loadbalancer (
$service_certificate = undef,
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
- $keystone_certificate = undef,
- $neutron_certificate = undef,
- $cinder_certificate = undef,
- $sahara_certificate = undef,
- $trove_certificate = undef,
- $manila_certificate = undef,
- $glance_certificate = undef,
- $nova_certificate = undef,
- $ceilometer_certificate = undef,
- $aodh_certificate = undef,
- $gnocchi_certificate = undef,
- $swift_certificate = undef,
- $heat_certificate = undef,
- $horizon_certificate = undef,
- $ironic_certificate = undef,
$haproxy_stats_certificate = undef,
$keystone_admin = false,
$keystone_public = false,
@@ -539,7 +449,7 @@ class tripleo::loadbalancer (
}
- if $internal_api_virtual_ip and $internal_api_virtual_ip != $control_virtual_interface {
+ if $internal_api_virtual_ip and $internal_api_virtual_ip != $controller_virtual_ip {
$internal_api_virtual_interface = interface_for_ip($internal_api_virtual_ip)
# KEEPALIVE INTERNAL API NETWORK
keepalived::instance { '53':
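Review bot: The corrected guard on the `if` line now compares the internal API VIP with `$controller_virtual_ip`, but nothing says why an equal VIP has to be skipped, and the same guard recurs in the next two hunks for the storage and storage-management VIPs. A one-line comment above the condition would make the intent durable, e.g. `# Skip the extra keepalived instance when this network shares the controller VIP` — presumably the controller VIP already has its own instance, which cannot be confirmed from this hunk. The keepalived::instance body and the enclosing class continue outside the hunk.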
@@ -551,7 +461,7 @@ class tripleo::loadbalancer (
}
}
- if $storage_virtual_ip and $storage_virtual_ip != $control_virtual_interface {
+ if $storage_virtual_ip and $storage_virtual_ip != $controller_virtual_ip {
$storage_virtual_interface = interface_for_ip($storage_virtual_ip)
# KEEPALIVE STORAGE NETWORK
keepalived::instance { '54':
@@ -563,7 +473,7 @@ class tripleo::loadbalancer (
}
}
- if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $control_virtual_interface {
+ if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $controller_virtual_ip {
$storage_mgmt_virtual_interface = interface_for_ip($storage_mgmt_virtual_ip)
# KEEPALIVE STORAGE MANAGEMENT NETWORK
keepalived::instance { '55':
@@ -577,81 +487,6 @@ class tripleo::loadbalancer (
}
- if $keystone_certificate {
- $keystone_bind_certificate = $keystone_certificate
- } else {
- $keystone_bind_certificate = $service_certificate
- }
- if $neutron_certificate {
- $neutron_bind_certificate = $neutron_certificate
- } else {
- $neutron_bind_certificate = $service_certificate
- }
- if $cinder_certificate {
- $cinder_bind_certificate = $cinder_certificate
- } else {
- $cinder_bind_certificate = $service_certificate
- }
- if $sahara_certificate {
- $sahara_bind_certificate = $sahara_certificate
- } else {
- $sahara_bind_certificate = $service_certificate
- }
- if $trove_certificate {
- $trove_bind_certificate = $trove_certificate
- } else {
- $trove_bind_certificate = $trove_certificate
- }
- if $manila_certificate {
- $manila_bind_certificate = $manila_certificate
- } else {
- $manila_bind_certificate = $service_certificate
- }
- if $glance_certificate {
- $glance_bind_certificate = $glance_certificate
- } else {
- $glance_bind_certificate = $service_certificate
- }
- if $nova_certificate {
- $nova_bind_certificate = $nova_certificate
- } else {
- $nova_bind_certificate = $service_certificate
- }
- if $ceilometer_certificate {
- $ceilometer_bind_certificate = $ceilometer_certificate
- } else {
- $ceilometer_bind_certificate = $service_certificate
- }
- if $aodh_certificate {
- $aodh_bind_certificate = $aodh_certificate
- } else {
- $aodh_bind_certificate = $service_certificate
- }
- if $gnocchi_certificate {
- $gnocchi_bind_certificate = $gnocchi_certificate
- } else {
- $gnocchi_bind_certificate = $service_certificate
- }
- if $swift_certificate {
- $swift_bind_certificate = $swift_certificate
- } else {
- $swift_bind_certificate = $service_certificate
- }
- if $heat_certificate {
- $heat_bind_certificate = $heat_certificate
- } else {
- $heat_bind_certificate = $service_certificate
- }
- if $horizon_certificate {
- $horizon_bind_certificate = $horizon_certificate
- } else {
- $horizon_bind_certificate = $service_certificate
- }
- if $ironic_certificate {
- $ironic_bind_certificate = $ironic_certificate
- } else {
- $ironic_bind_certificate = $service_certificate
- }
# TODO(bnemec): When we have support for SSL on private and admin endpoints,
# have the haproxy stats endpoint use that certificate by default.
if $haproxy_stats_certificate {
@@ -660,14 +495,14 @@ class tripleo::loadbalancer (
$keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip)
$keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip)
- if $keystone_bind_certificate {
+ if $service_certificate {
$keystone_public_bind_opts = {
"${keystone_public_api_vip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[keystone_public_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]),
+ "${public_virtual_ip}:${ports[keystone_public_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$keystone_admin_bind_opts = {
"${keystone_admin_api_vip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[keystone_admin_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]),
+ "${public_virtual_ip}:${ports[keystone_admin_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$keystone_public_bind_opts = {
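Review bot: `if $service_certificate` on the replaced line only checks that the parameter is set; nothing verifies it is an absolute path before it is interpolated into the `crt` bind argument, so a mistyped value surfaces only when haproxy reads its configuration (presumably failing to start, which this hunk does not show). Since the class already relies on stdlib functions (`union`, `merge`), an `if $service_certificate { validate_absolute_path($service_certificate) }` near the top of the class would fail the catalog early instead. The same conditional and `union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate])` expression is repeated verbatim in every later hunk of this file (neutron through ironic); computing `$ssl_bind_param = union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate])` once and reusing it would leave a single place to change the TLS bind options. The else branch of the keystone conditional continues past the hunk.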
@@ -681,10 +516,10 @@ class tripleo::loadbalancer (
}
$neutron_api_vip = hiera('neutron_api_vip', $controller_virtual_ip)
- if $neutron_bind_certificate {
+ if $service_certificate {
$neutron_bind_opts = {
"${neutron_api_vip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[neutron_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $neutron_bind_certificate]),
+ "${public_virtual_ip}:${ports[neutron_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$neutron_bind_opts = {
@@ -694,10 +529,10 @@ class tripleo::loadbalancer (
}
$cinder_api_vip = hiera('cinder_api_vip', $controller_virtual_ip)
- if $cinder_bind_certificate {
+ if $service_certificate {
$cinder_bind_opts = {
"${cinder_api_vip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[cinder_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $cinder_bind_certificate]),
+ "${public_virtual_ip}:${ports[cinder_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$cinder_bind_opts = {
@@ -707,10 +542,10 @@ class tripleo::loadbalancer (
}
$manila_api_vip = hiera('manila_api_vip', $controller_virtual_ip)
- if $manila_bind_certificate {
+ if $service_certificate {
$manila_bind_opts = {
"${manila_api_vip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[manila_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $manila_bind_certificate]),
+ "${public_virtual_ip}:${ports[manila_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$manila_bind_opts = {
@@ -720,10 +555,10 @@ class tripleo::loadbalancer (
}
$glance_api_vip = hiera('glance_api_vip', $controller_virtual_ip)
- if $glance_bind_certificate {
+ if $service_certificate {
$glance_bind_opts = {
"${glance_api_vip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[glance_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $glance_bind_certificate]),
+ "${public_virtual_ip}:${ports[glance_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$glance_bind_opts = {
@@ -738,10 +573,10 @@ class tripleo::loadbalancer (
}
$sahara_api_vip = hiera('sahara_api_vip', $controller_virtual_ip)
- if $sahara_bind_certificate {
+ if $service_certificate {
$sahara_bind_opts = {
"${sahara_api_vip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[sahara_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $sahara_bind_certificate]),
+ "${public_virtual_ip}:${ports[sahara_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$sahara_bind_opts = {
@@ -751,10 +586,10 @@ class tripleo::loadbalancer (
}
$trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip)
- if $trove_bind_certificate {
+ if $service_certificate {
$trove_bind_opts = {
"${trove_api_vip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[trove_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $trove_bind_certificate]),
+ "${public_virtual_ip}:${ports[trove_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$trove_bind_opts = {
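Review bot: The context line `$trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip)` quotes the hiera key with a leading `$`, so the lookup is for a key literally named `$trove_api_vip` and always falls back to the controller VIP; every other service in this file looks up its key without the sigil. The commit does not touch this line, but it sits in the hunk and is worth correcting alongside: `$trove_api_vip = hiera('trove_api_vip', $controller_virtual_ip)`. The else branch of the trove conditional continues past the hunk.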
@@ -764,18 +599,18 @@ class tripleo::loadbalancer (
}
$nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
- if $nova_bind_certificate {
+ if $service_certificate {
$nova_osapi_bind_opts = {
"${nova_api_vip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]),
+ "${public_virtual_ip}:${ports[nova_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$nova_ec2_bind_opts = {
"${nova_api_vip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_ec2_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]),
+ "${public_virtual_ip}:${ports[nova_ec2_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$nova_novnc_bind_opts = {
"${nova_api_vip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_novnc_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]),
+ "${public_virtual_ip}:${ports[nova_novnc_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$nova_osapi_bind_opts = {
@@ -798,10 +633,10 @@ class tripleo::loadbalancer (
}
$ceilometer_api_vip = hiera('ceilometer_api_vip', $controller_virtual_ip)
- if $ceilometer_bind_certificate {
+ if $service_certificate {
$ceilometer_bind_opts = {
"${ceilometer_api_vip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[ceilometer_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ceilometer_bind_certificate]),
+ "${public_virtual_ip}:${ports[ceilometer_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$ceilometer_bind_opts = {
@@ -811,10 +646,10 @@ class tripleo::loadbalancer (
}
$aodh_api_vip = hiera('aodh_api_vip', $controller_virtual_ip)
- if $aodh_bind_certificate {
+ if $service_certificate {
$aodh_bind_opts = {
"${aodh_api_vip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[aodh_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $aodh_bind_certificate]),
+ "${public_virtual_ip}:${ports[aodh_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$aodh_bind_opts = {
@@ -824,23 +659,23 @@ class tripleo::loadbalancer (
}
$gnocchi_api_vip = hiera('gnocchi_api_vip', $controller_virtual_ip)
- if $gnocchi_bind_certificate {
+ if $service_certificate {
$gnocchi_bind_opts = {
- "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => [],
- "${public_virtual_ip}:${ports[gnocchi_api_ssl_port]}" => ['ssl', 'crt', $gnocchi_bind_certificate],
+ "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param,
+ "${public_virtual_ip}:${ports[gnocchi_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$gnocchi_bind_opts = {
- "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => [],
- "${public_virtual_ip}:${ports[gnocchi_api_port]}" => [],
+ "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param,
+ "${public_virtual_ip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param,
}
}
$swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip)
- if $swift_bind_certificate {
+ if $service_certificate {
$swift_bind_opts = {
"${swift_proxy_vip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[swift_proxy_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $swift_bind_certificate]),
+ "${public_virtual_ip}:${ports[swift_proxy_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$swift_bind_opts = {
@@ -854,10 +689,10 @@ class tripleo::loadbalancer (
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
- if $heat_bind_certificate {
+ if $service_certificate {
$heat_bind_opts = {
"${heat_api_vip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
+ "${public_virtual_ip}:${ports[heat_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$heat_ssl_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
@@ -865,11 +700,11 @@ class tripleo::loadbalancer (
$heat_options = merge($heat_base_options, $heat_ssl_options)
$heat_cw_bind_opts = {
"${heat_api_vip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_cw_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
+ "${public_virtual_ip}:${ports[heat_cw_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$heat_cfn_bind_opts = {
"${heat_api_vip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_cfn_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
+ "${public_virtual_ip}:${ports[heat_cfn_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$heat_bind_opts = {
@@ -888,7 +723,7 @@ class tripleo::loadbalancer (
}
$horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
- if $horizon_bind_certificate {
+ if $service_certificate {
# NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
# same, the first option takes precedence. Which is the case when network
# isolation is not enabled. This is not a problem as both options are
@@ -899,9 +734,9 @@ class tripleo::loadbalancer (
# redirect to https in the horizon_options below.
$horizon_bind_opts = {
"${horizon_vip}:80" => $haproxy_listen_bind_param,
- "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
+ "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
"${public_virtual_ip}:80" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
+ "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
@@ -920,10 +755,10 @@ class tripleo::loadbalancer (
}
$ironic_api_vip = hiera('ironic_api_vip', $controller_virtual_ip)
- if $ironic_bind_certificate {
+ if $service_certificate {
$ironic_bind_opts = {
"${ironic_api_vip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[ironic_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ironic_bind_certificate]),
+ "${public_virtual_ip}:${ports[ironic_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
} else {
$ironic_bind_opts = {