-rw-r--r--manifests/certmonger/mysql.pp9
-rw-r--r--manifests/haproxy.pp40
-rw-r--r--manifests/profile/pacemaker/database/mysql.pp49
-rw-r--r--releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml5
-rw-r--r--spec/classes/tripleo_haproxy_spec.rb115
-rw-r--r--spec/fixtures/hieradata/default.yaml3
6 files changed, 201 insertions, 20 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp
index dd9b184..0988c55 100644
--- a/manifests/certmonger/mysql.pp
+++ b/manifests/certmonger/mysql.pp
@@ -31,6 +31,12 @@
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
+# [*dnsnames*]
+# (Optional) The DNS names that will be added for the SubjectAltNames entry
+# in the certificate. If left unset, the value will be set to the $hostname.
+# This parameter can take both a string or an array of strings.
+# Defaults to $hostname
+#
# [*principal*]
# (Optional) The haproxy service principal that is set for MySQL in kerberos.
# Defaults to undef
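Review bot: The new `[*dnsnames*]` text does not say that the value replaces the existing SAN entry rather than extending it; in the third hunk `dnsname => $dnsnames` drops `$hostname` from the SubjectAltName whenever a caller supplies, say, only a VIP name, and whether clients that connect by host name then fail verification depends on the consumer, so the doc should carry the caveat `# Note: this list replaces the default entry; include the host's own name if clients connect by it.` The parameter itself is untyped although the doc promises a string or array; if the module accepts Puppet 4 data types (the pacemaker profile in this commit already uses `Integer(...)`), `Variant[String, Array[String]] $dnsnames = $hostname,` would enforce that contract at compile time. The `certmonger_certificate` resource the third hunk edits starts and ends outside that hunk.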
@@ -40,6 +46,7 @@ class tripleo::certmonger::mysql (
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
+ $dnsnames = $hostname,
$principal = undef,
) {
include ::certmonger
@@ -51,7 +58,7 @@ class tripleo::certmonger::mysql (
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
- dnsname => $hostname,
+ dnsname => $dnsnames,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 6da6dcf..2f29674 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -155,6 +155,10 @@
# When set, enables SSL on the haproxy stats endpoint using the specified file.
# Defaults to undef
#
+# [*haproxy_stats*]
+# (optional) Enable or not the haproxy stats interface
+# Defaults to true
+#
# [*keystone_admin*]
# (optional) Enable or not Keystone Admin API binding
# Defaults to hiera('keystone_enabled', false)
@@ -279,6 +283,10 @@
# (optional) Enable check via clustercheck for mysql
# Defaults to false
#
+# [*mysql_max_conn*]
+# (optional) Set the maxconn parameter for mysql
+# Defaults to undef
+#
# [*mysql_member_options*]
# The options to use for the mysql HAProxy balancer members.
# If this parameter is undefined, the actual value configured will depend
@@ -571,6 +579,7 @@ class tripleo::haproxy (
$ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
$crl_file = undef,
$haproxy_stats_certificate = undef,
+ $haproxy_stats = true,
$keystone_admin = hiera('keystone_enabled', false),
$keystone_public = hiera('keystone_enabled', false),
$neutron = hiera('neutron_api_enabled', false),
@@ -602,6 +611,7 @@ class tripleo::haproxy (
$ironic_inspector = hiera('ironic_inspector_enabled', false),
$mysql = hiera('mysql_enabled', false),
$mysql_clustercheck = false,
+ $mysql_max_conn = undef,
$mysql_member_options = undef,
$rabbitmq = false,
$etcd = hiera('etcd_enabled', false),
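Review bot: The release note added by this commit announces the parameter as `mysql_maxconn`, while the parameter declared here (and set by the new spec) is `mysql_max_conn`; one of the two should be corrected so operators set a key the class actually reads. The parameter is also untyped, so any string would be written verbatim into the listen block; if the module accepts Puppet 4 data types, `Optional[Integer] $mysql_max_conn = undef,` would reject non-numeric values before they reach the HAProxy config. The class parameter list continues outside the hunk.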
@@ -871,19 +881,21 @@ class tripleo::haproxy (
listen_options => $default_listen_options,
}
- $stats_base = ['enable', 'uri /']
- if $haproxy_stats_password {
- $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
- } else {
- $stats_config = $stats_base
- }
- haproxy::listen { 'haproxy.stats':
- bind => $haproxy_stats_bind_opts,
- mode => 'http',
- options => {
- 'stats' => $stats_config,
- },
- collect_exported => false,
+ if $haproxy_stats {
+ $stats_base = ['enable', 'uri /']
+ if $haproxy_stats_password {
+ $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ } else {
+ $stats_config = $stats_base
+ }
+ haproxy::listen { 'haproxy.stats':
+ bind => $haproxy_stats_bind_opts,
+ mode => 'http',
+ options => {
+ 'stats' => $stats_config,
+ },
+ collect_exported => false,
+ }
}
if $keystone_admin {
@@ -1314,6 +1326,7 @@ class tripleo::haproxy (
'timeout server' => '90m',
'stick-table' => 'type ip size 1000',
'stick' => 'on dst',
+ 'maxconn' => $mysql_max_conn
}
if $mysql_member_options {
$mysql_member_options_real = $mysql_member_options
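Review bot: `'maxconn' => $mysql_max_conn` is added unconditionally, so with the default `undef` the options hash carries a `maxconn` key with no value (the new spec pins exactly `'maxconn' => :undef`); whether the haproxy module's template then skips the key or emits a bare `maxconn` line that HAProxy rejects depends on the module version and is not visible here. A shape that cannot produce the bare line is to add the key only when a value is given, e.g. `$maxconn_opts = $mysql_max_conn ? { undef => {}, default => { 'maxconn' => $mysql_max_conn } }` and merge it into the options. The same applies to the hunk at -1324/+1337. The hash literal being edited starts before this hunk.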
@@ -1324,6 +1337,7 @@ class tripleo::haproxy (
$mysql_listen_options = {
'timeout client' => '90m',
'timeout server' => '90m',
+ 'maxconn' => $mysql_max_conn
}
if $mysql_member_options {
$mysql_member_options_real = $mysql_member_options
diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp
index 3aff62f..22adbe9 100644
--- a/manifests/profile/pacemaker/database/mysql.pp
+++ b/manifests/profile/pacemaker/database/mysql.pp
@@ -26,6 +26,27 @@
# (Optional) The address that the local mysql instance should bind to.
# Defaults to $::hostname
#
+# [*ca_file*]
+# (Optional) The path to the CA file that will be used for the TLS
+# configuration. It's only used if internal TLS is enabled.
+# Defaults to undef
+#
+# [*certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate
+# it will create. Note that the certificate nickname must be 'mysql' in
+# the case of this service.
+# Example with hiera:
+# tripleo::profile::base::database::mysql::certificate_specs:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "mysql/<overcloud controller fqdn>"
+# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*gmcast_listen_addr*]
# (Optional) This variable defines the address on which the node listens to
# connections from other nodes in the cluster.
@@ -41,11 +62,14 @@
# Defaults to hiera('pcs_tries', 20)
#
class tripleo::profile::pacemaker::database::mysql (
- $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
- $bind_address = $::hostname,
- $gmcast_listen_addr = hiera('mysql_bind_host'),
- $step = Integer(hiera('step')),
- $pcs_tries = hiera('pcs_tries', 20),
+ $bootstrap_node = hiera('mysql_short_bootstrap_node_name'),
+ $bind_address = $::hostname,
+ $ca_file = undef,
+ $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $gmcast_listen_addr = hiera('mysql_bind_host'),
+ $step = Integer(hiera('step')),
+ $pcs_tries = hiera('pcs_tries', 20),
) {
if $::hostname == downcase($bootstrap_node) {
$pacemaker_master = true
@@ -70,6 +94,19 @@ class tripleo::profile::pacemaker::database::mysql (
$processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') }
$cluster_host_map = join($processed_galera_name_pairs, ';')
+ if $enable_internal_tls {
+ $tls_certfile = $certificate_specs['service_certificate']
+ $tls_keyfile = $certificate_specs['service_key']
+ if $ca_file {
+ $tls_ca_options = "socket.ssl_ca=${ca_file}"
+ } else {
+ $tls_ca_options = ''
+ }
+ $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};"
+ } else {
+ $tls_options = ''
+ }
+
$mysqld_options = {
'mysqld' => {
'skip-name-resolve' => '1',
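Review bot: When `$enable_internal_tls` is true but `$certificate_specs` is left at its default `{}`, the two lookups after the `if` yield undef and `$tls_options` silently becomes `socket.ssl_key=;socket.ssl_cert=;;`, so the node is configured with an unusable replication socket (or, depending on how the provider treats empty paths, an unencrypted one) instead of failing at deploy time. Suggest guarding the lookups with `if !($certificate_specs['service_certificate'] and $certificate_specs['service_key']) { fail('enable_internal_tls requires certificate_specs with service_certificate and service_key') }` before they are used. The `$tls_ca_options = ''` branch also leaves a stray `;;` in the string; collecting the options in an array and `join`-ing them with `;` avoids that.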
@@ -98,7 +135,7 @@ class tripleo::profile::pacemaker::database::mysql (
'wsrep_drupal_282555_workaround'=> '0',
'wsrep_causal_reads' => '0',
'wsrep_sst_method' => 'rsync',
- 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;",
+ 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}",
}
}
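Review bot: The `${tls_options}` suffix hands key, cert and optionally CA to the Galera provider, but nothing in the hunk sets `socket.ssl` explicitly; if the provider version in use does not infer TLS from the presence of the key and cert, the options are accepted without encrypting replication, so either an explicit `socket.ssl=yes` in `$tls_options` or a comment recording that inference is relied on should be added. Likewise, when `$ca_file` is unset no `socket.ssl_ca` is passed and the resulting peer-verification behaviour is the provider's default rather than something this manifest asserts — worth a sentence in the `[*ca_file*]` doc. The `$mysqld_options` hash starts before this hunk.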
diff --git a/releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml b/releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml
new file mode 100644
index 0000000..8359456
--- /dev/null
+++ b/releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added new parameter mysql_maxconn to the tripleo::haproxy class,
+ allowing haproxy maxconn to be configured for the MySQL server.
diff --git a/spec/classes/tripleo_haproxy_spec.rb b/spec/classes/tripleo_haproxy_spec.rb
new file mode 100644
index 0000000..966729a
--- /dev/null
+++ b/spec/classes/tripleo_haproxy_spec.rb
@@ -0,0 +1,115 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::haproxy' do
+
+ shared_examples_for 'tripleo::haproxy' do
+ let :params do {
+ :controller_virtual_ip => '10.1.0.1',
+ :public_virtual_ip => '192.168.0.1'
+ }
+ end
+
+ describe "default settings" do
+ it 'should configure haproxy' do
+ is_expected.to contain_haproxy__listen('mysql').with(
+ :options => {
+ 'timeout client' => "90m",
+ 'timeout server' => "90m",
+ 'maxconn' => :undef
+ }
+ )
+ end
+ end
+
+ describe "set clustercheck" do
+ before :each do
+ params.merge!({
+ :mysql_clustercheck => true,
+ })
+ end
+
+ it 'should configure haproxy with clustercheck' do
+ is_expected.to contain_haproxy__listen('mysql').with(
+ :options => {
+ 'timeout client' => "90m",
+ 'timeout server' => "90m",
+ 'option' => ["tcpka", "httpchk"],
+ 'timeout client' => "90m",
+ 'timeout server' => "90m",
+ 'stick-table' => "type ip size 1000",
+ 'stick' => "on dst",
+ 'maxconn' => :undef
+ }
+ )
+ end
+ end
+
+ describe "override maxconn with clustercheck" do
+ before :each do
+ params.merge!({
+ :mysql_clustercheck => true,
+ :mysql_max_conn => 6500,
+ })
+ end
+
+ it 'should configure haproxy' do
+ is_expected.to contain_haproxy__listen('mysql').with(
+ :options => {
+ 'option' => ["tcpka", "httpchk"],
+ 'timeout client' => "90m",
+ 'timeout server' => "90m",
+ 'stick-table' => "type ip size 1000",
+ 'stick' => "on dst",
+ 'maxconn' => 6500
+ }
+ )
+ end
+ end
+
+ describe "override maxconn without clustercheck" do
+ before :each do
+ params.merge!({
+ :mysql_max_conn => 6500,
+ })
+ end
+
+ it 'should configure haproxy' do
+ is_expected.to contain_haproxy__listen('mysql').with(
+ :options => {
+ 'timeout client' => "90m",
+ 'timeout server' => "90m",
+ 'maxconn' => 6500
+ }
+ )
+ end
+ end
+
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ })
+ end
+
+ it_behaves_like 'tripleo::haproxy'
+ end
+ end
+
+end \ No newline at end of file
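Review bot: The expected hash in the "set clustercheck" example repeats the keys `'timeout client'` and `'timeout server'` (once before `'option'` and again after it); Ruby keeps only the last occurrence and warns about the duplicate, so the first pair should be dropped. The file also ends without a trailing newline, and `facts.merge({ })` in the `on_supported_os` block is a no-op that can be written as `facts`. Since every example pins `'maxconn' => :undef` for the default case, the spec will also need updating if the manifest is changed to omit the key when no value is set.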
diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml
index 5d978cc..a0f4efc 100644
--- a/spec/fixtures/hieradata/default.yaml
+++ b/spec/fixtures/hieradata/default.yaml
@@ -33,6 +33,9 @@ cinder::keystone::authtoken::password: 'password'
gnocchi::keystone::authtoken::password: 'password'
gnocchi::storage::ceph::ceph_username: 'gnocchi'
gnocchi::storage::ceph::ceph_secret: 'password'
+# haproxy related items
+mysql_enabled: true
+controller_node_ips: '10.1.0.1,10.1.0.2'
# nova related items
nova::rabbit_password: 'password'
nova::keystone::authtoken::password: 'password'