-rw-r--r-- | manifests/haproxy.pp | 865 | ||||
-rw-r--r-- | manifests/haproxy/endpoint.pp | 120 | ||||
-rw-r--r-- | manifests/keepalived.pp | 144 | ||||
-rw-r--r-- | manifests/loadbalancer.pp | 674 | ||||
-rw-r--r-- | manifests/loadbalancer/endpoint.pp | 45 |
5 files changed, 1201 insertions, 647 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
new file mode 100644
index 0000000..9d07fa9
--- /dev/null
+++ b/manifests/haproxy.pp
@@ -0,0 +1,865 @@ +# Copyright 2014 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::haproxy +# +# Configure HAProxy for TripleO. +# +# === Parameters: +# +# [*keepalived*] +# Whether to configure keepalived to manage the VIPs or not. +# Defaults to true +# +# [*haproxy_service_manage*] +# Will be passed as value for service_manage to HAProxy module. +# Defaults to true +# +# [*haproxy_global_maxconn*] +# The value to use as maxconn in the HAProxy global config section. +# Defaults to 20480 +# +# [*haproxy_default_maxconn*] +# The value to use as maxconn in the HAProxy default config section. +# Defaults to 4096 +# +# [*haproxy_default_timeout*] +# The value to use as timeout in the HAProxy default config section. +# Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ] +# +# [*haproxy_listen_bind_param*] +# A list of params to be added to the HAProxy listener bind directive. By +# default the 'transparent' param is added but it should be cleared if +# one of the *_virtual_ip addresses is a wildcard, eg. 0.0.0.0 +# Defaults to [ 'transparent' ] +# +# [*haproxy_member_options*] +# The default options to use for the HAProxy balancer members. +# Defaults to [ 'check', 'inter 2000', 'rise 2', 'fall 5' ] +# +# [*haproxy_log_address*] +# The IPv4, IPv6 or filesystem socket path of the syslog server. 
+# Defaults to '/dev/log' +# +# [*controller_host*] +# (Deprecated)Host or group of hosts to load-balance the services +# Can be a string or an array. +# Defaults to undef +# +# [*controller_hosts*] +# IPs of host or group of hosts to load-balance the services +# Can be a string or an array. +# Defaults to undef +# +# [*controller_hosts_names*] +# Names of host or group of hosts to load-balance the services +# Can be a string or an array. +# Defaults to undef +# +# [*controller_virtual_ip*] +# Control IP or group of IPs to bind the pools +# Can be a string or an array. +# Defaults to undef +# +# [*public_virtual_ip*] +# Public IP or group of IPs to bind the pools +# Can be a string or an array. +# Defaults to undef +# [*haproxy_stats_user*] +# +# Username for haproxy stats authentication. +# A string. +# Defaults to 'admin' +# +# [*haproxy_stats_password*] +# Password for haproxy stats authentication. When set, authentication is +# enabled on the haproxy stats endpoint. +# A string. +# Defaults to undef +# +# [*service_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the public API endpoints using the specified file. +# Defaults to undef +# +# [*internal_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the internal API endpoints using the specified file. +# Defaults to undef +# +# [*ssl_cipher_suite*] +# The default string describing the list of cipher algorithms ("cipher suite") +# that are negotiated during the SSL/TLS handshake for all "bind" lines. This +# value comes from the Fedora system crypto policy. +# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES' +# +# [*ssl_options*] +# String that sets the default ssl options to force on all "bind" lines. 
+# Defaults to 'no-sslv3' +# +# [*haproxy_stats_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the haproxy stats endpoint using the specified file. +# Defaults to undef +# +# [*keystone_admin*] +# (optional) Enable or not Keystone Admin API binding +# Defaults to false +# +# [*keystone_public*] +# (optional) Enable or not Keystone Public API binding +# Defaults to false +# +# [*neutron*] +# (optional) Enable or not Neutron API binding +# Defaults to false +# +# [*cinder*] +# (optional) Enable or not Cinder API binding +# Defaults to false +# +# [*manila*] +# (optional) Enable or not Manila API binding +# Defaults to false +# +# [*sahara*] +# (optional) Enable or not Sahara API binding +# defaults to false +# +# [*trove*] +# (optional) Enable or not Trove API binding +# defaults to false +# +# [*glance_api*] +# (optional) Enable or not Glance API binding +# Defaults to false +# +# [*glance_registry*] +# (optional) Enable or not Glance registry binding +# Defaults to false +# +# [*nova_osapi*] +# (optional) Enable or not Nova API binding +# Defaults to false +# +# [*nova_metadata*] +# (optional) Enable or not Nova metadata binding +# Defaults to false +# +# [*nova_novncproxy*] +# (optional) Enable or not Nova novncproxy binding +# Defaults to false +# +# [*ceilometer*] +# (optional) Enable or not Ceilometer API binding +# Defaults to false +# +# [*aodh*] +# (optional) Enable or not Aodh API binding +# Defaults to false +# +# [*gnocchi*] +# (optional) Enable or not Gnocchi API binding +# Defaults to false +# +# [*swift_proxy_server*] +# (optional) Enable or not Swift API binding +# Defaults to false +# +# [*heat_api*] +# (optional) Enable or not Heat API binding +# Defaults to false +# +# [*heat_cloudwatch*] +# (optional) Enable or not Heat Cloudwatch API binding +# Defaults to false +# +# [*heat_cfn*] +# (optional) Enable or not Heat CFN API binding +# Defaults to false +# +# [*horizon*] +# (optional) Enable or 
not Horizon dashboard binding +# Defaults to false +# +# [*ironic*] +# (optional) Enable or not Ironic API binding +# Defaults to false +# +# [*mysql*] +# (optional) Enable or not MySQL Galera binding +# Defaults to false +# +# [*mysql_clustercheck*] +# (optional) Enable check via clustercheck for mysql +# Defaults to false +# +# [*rabbitmq*] +# (optional) Enable or not RabbitMQ binding +# Defaults to false +# +# [*redis*] +# (optional) Enable or not Redis binding +# Defaults to false +# +# [*redis_password*] +# (optional) Password for Redis authentication, eventually needed by the +# specific monitoring we do from HAProxy for Redis +# Defaults to undef +# +# [*midonet_api*] +# (optional) Enable or not MidoNet API binding +# Defaults to false +# +# [*service_ports*] +# (optional) Hash that contains the values to override from the service ports +# The available keys to modify the services' ports are: +# 'aodh_api_port' (Defaults to 8042) +# 'aodh_api_ssl_port' (Defaults to 13042) +# 'ceilometer_api_port' (Defaults to 8777) +# 'ceilometer_api_ssl_port' (Defaults to 13777) +# 'cinder_api_port' (Defaults to 8776) +# 'cinder_api_ssl_port' (Defaults to 13776) +# 'glance_api_port' (Defaults to 9292) +# 'glance_api_ssl_port' (Defaults to 13292) +# 'glance_registry_port' (Defaults to 9191) +# 'gnocchi_api_port' (Defaults to 8041) +# 'gnocchi_api_ssl_port' (Defaults to 13041) +# 'heat_api_port' (Defaults to 8004) +# 'heat_api_ssl_port' (Defaults to 13004) +# 'heat_cfn_port' (Defaults to 8000) +# 'heat_cfn_ssl_port' (Defaults to 13005) +# 'heat_cw_port' (Defaults to 8003) +# 'heat_cw_ssl_port' (Defaults to 13003) +# 'ironic_api_port' (Defaults to 6385) +# 'ironic_api_ssl_port' (Defaults to 13385) +# 'keystone_admin_api_port' (Defaults to 35357) +# 'keystone_admin_api_ssl_port' (Defaults to 13357) +# 'keystone_public_api_port' (Defaults to 5000) +# 'keystone_public_api_ssl_port' (Defaults to 13000) +# 'manila_api_port' (Defaults to 8786) +# 'manila_api_ssl_port' (Defaults to 
13786) +# 'neutron_api_port' (Defaults to 9696) +# 'neutron_api_ssl_port' (Defaults to 13696) +# 'nova_api_port' (Defaults to 8774) +# 'nova_api_ssl_port' (Defaults to 13774) +# 'nova_metadata_port' (Defaults to 8775) +# 'nova_novnc_port' (Defaults to 6080) +# 'nova_novnc_ssl_port' (Defaults to 13080) +# 'sahara_api_port' (Defaults to 8386) +# 'sahara_api_ssl_port' (Defaults to 13386) +# 'swift_proxy_port' (Defaults to 8080) +# 'swift_proxy_ssl_port' (Defaults to 13808) +# 'trove_api_port' (Defaults to 8779) +# 'trove_api_ssl_port' (Defaults to 13779) +# Defaults to {} +# +class tripleo::haproxy ( + $controller_virtual_ip, + $public_virtual_ip, + $keepalived = true, + $haproxy_service_manage = true, + $haproxy_global_maxconn = 20480, + $haproxy_default_maxconn = 4096, + $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ], + $haproxy_listen_bind_param = [ 'transparent' ], + $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], + $haproxy_log_address = '/dev/log', + $haproxy_stats_user = 'admin', + $haproxy_stats_password = undef, + $controller_host = undef, + $controller_hosts = undef, + $controller_hosts_names = undef, + $service_certificate = undef, + $internal_certificate = undef, + $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', + $ssl_options = 'no-sslv3', + $haproxy_stats_certificate = undef, + $keystone_admin = false, + $keystone_public = false, + $neutron = false, + $cinder = false, + $sahara = false, + $trove = false, + $manila = false, + $glance_api = false, + $glance_registry = false, + $nova_osapi = false, + $nova_metadata = false, + $nova_novncproxy = false, + $ceilometer = false, + $aodh = false, + $gnocchi = false, + $swift_proxy_server = false, + $heat_api = false, + $heat_cloudwatch = false, + $heat_cfn = false, + $horizon = false, + $ironic = false, + $mysql = false, + $mysql_clustercheck = false, + $rabbitmq = 
false, + $redis = false, + $redis_password = undef, + $midonet_api = false, + $service_ports = {} +) { + $default_service_ports = { + aodh_api_port => 8042, + aodh_api_ssl_port => 13042, + ceilometer_api_port => 8777, + ceilometer_api_ssl_port => 13777, + cinder_api_port => 8776, + cinder_api_ssl_port => 13776, + glance_api_port => 9292, + glance_api_ssl_port => 13292, + glance_registry_port => 9191, + gnocchi_api_port => 8041, + gnocchi_api_ssl_port => 13041, + heat_api_port => 8004, + heat_api_ssl_port => 13004, + heat_cfn_port => 8000, + heat_cfn_ssl_port => 13005, + heat_cw_port => 8003, + heat_cw_ssl_port => 13003, + ironic_api_port => 6385, + ironic_api_ssl_port => 13385, + keystone_admin_api_port => 35357, + keystone_admin_api_ssl_port => 13357, + keystone_public_api_port => 5000, + keystone_public_api_ssl_port => 13000, + manila_api_port => 8786, + manila_api_ssl_port => 13786, + neutron_api_port => 9696, + neutron_api_ssl_port => 13696, + nova_api_port => 8774, + nova_api_ssl_port => 13774, + nova_metadata_port => 8775, + nova_novnc_port => 6080, + nova_novnc_ssl_port => 13080, + sahara_api_port => 8386, + sahara_api_ssl_port => 13386, + swift_proxy_port => 8080, + swift_proxy_ssl_port => 13808, + trove_api_port => 8779, + trove_api_ssl_port => 13779, + } + $ports = merge($default_service_ports, $service_ports) + + if !$controller_host and !$controller_hosts { + fail('$controller_hosts or $controller_host (now deprecated) is a mandatory parameter') + } + if $controller_hosts { + $controller_hosts_real = any2array($controller_hosts) + } else { + warning('$controller_host has been deprecated in favor of $controller_hosts') + $controller_hosts_real = any2array($controller_host) + } + + if !$controller_hosts_names { + $controller_hosts_names_real = any2array($controller_hosts_real) + } else { + $controller_hosts_names_real = any2array($controller_hosts_names) + } + + # This code will be removed once we switch undercloud and overcloud to use both haproxy & 
keepalived roles. + if $keepalived { + include ::tripleo::keepalived + } + + # TODO(bnemec): When we have support for SSL on private and admin endpoints, + # have the haproxy stats endpoint use that certificate by default. + if $haproxy_stats_certificate { + $haproxy_stats_bind_certificate = $haproxy_stats_certificate + } + + $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) + if $service_certificate { + # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the + # same, the first option takes precedence. Which is the case when network + # isolation is not enabled. This is not a problem as both options are + # identical. If network isolation is enabled, this works correctly and + # will add a TLS binding to both the horizon_vip and the + # public_virtual_ip. + # Even though for the public_virtual_ip the port 80 is listening, we + # redirect to https in the horizon_options below. + $horizon_bind_opts = { + "${horizon_vip}:80" => $haproxy_listen_bind_param, + "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", + 'option' => 'forwardfor', + } + } else { + $horizon_bind_opts = { + "${horizon_vip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'option' => 'forwardfor', + } + } + + if $haproxy_stats_bind_certificate { + $haproxy_stats_bind_opts = { + "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]), + } + } else { + $haproxy_stats_bind_opts = { + "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param, + } + } + + $mysql_vip = hiera('mysql_vip', $controller_virtual_ip) + $mysql_bind_opts = { + "${mysql_vip}:3306" => $haproxy_listen_bind_param, + } + + $rabbitmq_vip = hiera('rabbitmq_vip', $controller_virtual_ip) + $rabbitmq_bind_opts = { + "${rabbitmq_vip}:5672" => $haproxy_listen_bind_param, + } + + $redis_vip = hiera('redis_vip', $controller_virtual_ip) + $redis_bind_opts = { + "${redis_vip}:6379" => $haproxy_listen_bind_param, + } + + class { '::haproxy': + service_manage => $haproxy_service_manage, + global_options => { + 'log' => "${haproxy_log_address} local0", + 'pidfile' => '/var/run/haproxy.pid', + 'user' => 'haproxy', + 'group' => 'haproxy', + 'daemon' => '', + 'maxconn' => $haproxy_global_maxconn, + 'ssl-default-bind-ciphers' => $ssl_cipher_suite, + 'ssl-default-bind-options' => $ssl_options, + }, + defaults_options => { + 'mode' => 'tcp', + 'log' => 'global', + 'retries' => '3', + 'timeout' => $haproxy_default_timeout, + 'maxconn' => $haproxy_default_maxconn, + }, + } + + Tripleo::Haproxy::Endpoint { + haproxy_listen_bind_param => $haproxy_listen_bind_param, + member_options => $haproxy_member_options, + public_certificate => $service_certificate, + internal_certificate => $internal_certificate, + } + + $stats_base = ['enable', 'uri /'] + if $haproxy_stats_password { + 
$stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) + } else { + $stats_config = $stats_base + } + haproxy::listen { 'haproxy.stats': + bind => $haproxy_stats_bind_opts, + mode => 'http', + options => { + 'stats' => $stats_config, + }, + collect_exported => false, + } + + if $keystone_admin { + ::tripleo::haproxy::endpoint { 'keystone_admin': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_admin_api_port], + ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[keystone_admin_api_ssl_port], + } + } + + if $keystone_public { + ::tripleo::haproxy::endpoint { 'keystone_public': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_public_api_port], + ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[keystone_public_api_ssl_port], + } + } + + if $neutron { + ::tripleo::haproxy::endpoint { 'neutron': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('neutron_api_vip', $controller_virtual_ip), + service_port => $ports[neutron_api_port], + ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[neutron_api_ssl_port], + } + } + + if $cinder { + ::tripleo::haproxy::endpoint { 'cinder': 
+ public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('cinder_api_vip', $controller_virtual_ip), + service_port => $ports[cinder_api_port], + ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[cinder_api_ssl_port], + } + } + + if $manila { + ::tripleo::haproxy::endpoint { 'manila': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('manila_api_vip', $controller_virtual_ip), + service_port => $ports[manila_api_port], + ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[manila_api_ssl_port], + } + } + + if $sahara { + ::tripleo::haproxy::endpoint { 'sahara': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('sahara_api_vip', $controller_virtual_ip), + service_port => $ports[sahara_api_port], + ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[sahara_api_ssl_port], + } + } + + if $trove { + ::tripleo::haproxy::endpoint { 'trove': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('trove_api_vip', $controller_virtual_ip), + service_port => $ports[trove_api_port], + ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[trove_api_ssl_port], + } + } + + if $glance_api { + ::tripleo::haproxy::endpoint { 'glance_api': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('glance_api_vip', $controller_virtual_ip), + service_port => $ports[glance_api_port], + ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real), + server_names => 
$controller_hosts_names_real, + public_ssl_port => $ports[glance_api_ssl_port], + } + } + + if $glance_registry { + ::tripleo::haproxy::endpoint { 'glance_registry': + internal_ip => hiera('glance_registry_vip', $controller_virtual_ip), + service_port => $ports[glance_registry_port], + ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + } + } + + $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) + if $nova_osapi { + ::tripleo::haproxy::endpoint { 'nova_osapi': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_api_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[nova_api_ssl_port], + } + } + + if $nova_metadata { + ::tripleo::haproxy::endpoint { 'nova_metadata': + internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip), + service_port => $ports[nova_metadata_port], + ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + } + } + + if $nova_novncproxy { + ::tripleo::haproxy::endpoint { 'nova_novncproxy': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_novnc_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + listen_options => { + 'balance' => 'source', + 'timeout' => [ 'tunnel 1h' ], + }, + public_ssl_port => $ports[nova_novnc_ssl_port], + } + } + + if $ceilometer { + ::tripleo::haproxy::endpoint { 'ceilometer': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip), + service_port => 
$ports[ceilometer_api_port], + ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[ceilometer_api_ssl_port], + } + } + + if $aodh { + ::tripleo::haproxy::endpoint { 'aodh': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('aodh_api_vip', $controller_virtual_ip), + service_port => $ports[aodh_api_port], + ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[aodh_api_ssl_port], + } + } + + if $gnocchi { + ::tripleo::haproxy::endpoint { 'gnocchi': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip), + service_port => $ports[gnocchi_api_port], + ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[gnocchi_api_ssl_port], + } + } + + if $swift_proxy_server { + ::tripleo::haproxy::endpoint { 'swift_proxy_server': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip), + service_port => $ports[swift_proxy_port], + ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[swift_proxy_ssl_port], + } + } + + $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) + $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) + $heat_base_options = { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} + if $service_certificate { + $heat_ssl_options = { + 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", + } + $heat_options = merge($heat_base_options, $heat_ssl_options) + } else { + $heat_options = $heat_base_options + } + + if $heat_api { 
+ ::tripleo::haproxy::endpoint { 'heat_api': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_api_port], + ip_addresses => $heat_ip_addresses, + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_api_ssl_port], + } + } + + if $heat_cloudwatch { + ::tripleo::haproxy::endpoint { 'heat_cloudwatch': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_cw_port], + ip_addresses => $heat_ip_addresses, + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_cw_ssl_port], + } + } + + if $heat_cfn { + ::tripleo::haproxy::endpoint { 'heat_cfn': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_cfn_port], + ip_addresses => $heat_ip_addresses, + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_cfn_ssl_port], + } + } + + if $horizon { + haproxy::listen { 'horizon': + bind => $horizon_bind_opts, + options => $horizon_options, + mode => 'http', + collect_exported => false, + } + haproxy::balancermember { 'horizon': + listening_service => 'horizon', + ports => '80', + ipaddresses => hiera('horizon_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + options => union($haproxy_member_options, ["cookie ${::hostname}"]), + } + } + + if $ironic { + ::tripleo::haproxy::endpoint { 'ironic': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ironic_api_vip', $controller_virtual_ip), + service_port => $ports[ironic_api_port], + ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[ironic_api_ssl_port], + } + } + + if $mysql_clustercheck { + 
$mysql_listen_options = { + 'option' => [ 'tcpka', 'httpchk' ], + 'timeout client' => '90m', + 'timeout server' => '90m', + 'stick-table' => 'type ip size 1000', + 'stick' => 'on dst', + } + $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions']) + } else { + $mysql_listen_options = { + 'timeout client' => '90m', + 'timeout server' => '90m', + } + $mysql_member_options = union($haproxy_member_options, ['backup']) + } + + if $mysql { + haproxy::listen { 'mysql': + bind => $mysql_bind_opts, + options => $mysql_listen_options, + collect_exported => false, + } + haproxy::balancermember { 'mysql-backup': + listening_service => 'mysql', + ports => '3306', + ipaddresses => hiera('mysql_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + options => $mysql_member_options, + } + } + + if $rabbitmq { + haproxy::listen { 'rabbitmq': + bind => $rabbitmq_bind_opts, + options => { + 'option' => [ 'tcpka' ], + 'timeout' => [ 'client 0', 'server 0' ], + }, + collect_exported => false, + } + haproxy::balancermember { 'rabbitmq': + listening_service => 'rabbitmq', + ports => '5672', + ipaddresses => hiera('rabbitmq_network', $controller_hosts_real), + server_names => $controller_hosts_names_real, + options => $haproxy_member_options, + } + } + + if $redis { + if $redis_password { + $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"] + } else { + $redis_tcp_check_options = [] + } + haproxy::listen { 'redis': + bind => $redis_bind_opts, + options => { + 'balance' => 'first', + 'option' => ['tcp-check',], + 'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']), + }, + collect_exported => false, + } + haproxy::balancermember { 'redis': + listening_service => 'redis', + ports => '6379', + ipaddresses => hiera('redis_node_ips', $controller_hosts_real), + 
server_names => $controller_hosts_names_real,
+ options => $haproxy_member_options,
+ }
+ }
+
+ $midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip)
+ $midonet_bind_opts = {
+ "${midonet_api_vip}:8081" => [],
+ "${public_virtual_ip}:8081" => [],
+ }
+
+ if $midonet_api {
+ haproxy::listen { 'midonet_api':
+ bind => $midonet_bind_opts,
+ collect_exported => false,
+ }
+ haproxy::balancermember { 'midonet_api':
+ listening_service => 'midonet_api',
+ ports => '8081',
+ ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ options => $haproxy_member_options,
+ }
+ }
+}
diff --git a/manifests/haproxy/endpoint.pp b/manifests/haproxy/endpoint.pp
new file mode 100644
index 0000000..94bfcff
--- /dev/null
+++ b/manifests/haproxy/endpoint.pp
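Review bot: The `haproxy.stats` listen in the middle of this hunk is bound on `${controller_virtual_ip}:1993` with `stats enable` and `uri /` even when `$haproxy_stats_password` is undef, so the default deployment serves the stats page (backend addresses and health state) with no authentication and, unless `$haproxy_stats_certificate` is also set, over plain HTTP. The `else` branch that assigns `$stats_config = $stats_base` should at least emit `warning('haproxy stats endpoint is enabled without authentication; set $haproxy_stats_password')`, and the `[*haproxy_stats_password*]` parameter docs should state that leaving it undef exposes the stats page unauthenticated. In the same spirit, the `'cookie' => 'SERVERID insert indirect nocache'` entry in the `$service_certificate` branch of `$horizon_options` could carry `httponly secure`, since that branch already redirects the public VIP to HTTPS and the session-affinity cookie would otherwise be sent on the port 80 bind as well.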
@@ -0,0 +1,120 @@
+# Copyright 2014 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::haproxy::endpoint
+#
+# Configure a HAProxy listen endpoint
+#
+# [*internal_ip*]
+# The IP in which the proxy endpoint will be listening in the internal
+# network.
+#
+# [*service_port*]
+# The default port on which the endpoint will be listening.
+#
+# [*ip_addresses*]
+# The ordered list of IPs to be used to contact the balancer member.
+#
+# [*server_names*]
+# The names of the balancer members, which usually should be the hostname.
+#
+# [*member_options*]
+# Options for the balancer member, specified after the server declaration.
+# These should go in the member's configuration block.
+#
+# [*public_virtual_ip*]
+# Address in which the proxy endpoint will be listening in the public network.
+# If this service is internal only this should be ommited.
+# Defaults to undef.
+#
+# [*mode*]
+# HAProxy mode in which the endpoint will be listening. This can be undef,
+# tcp, http or health.
+# Defaults to undef.
+#
+# [*haproxy_listen_bind_param*]
+# A list of params to be added to the HAProxy listener bind directive.
+# Defaults to undef.
+#
+# [*listen_options*]
+# Options specified for the listening service's configuration block (in
+# HAproxy terms, the frontend).
+# defaults to {'option' => []}
+#
+# [*public_ssl_port*]
+# The port used for the public proxy endpoint if it differs from the default
+# one.
This is used only if SSL is enabled, and it's used in order to avoid
+# overriding with the internal proxy endpoint (which could happen if they were
+# in the same network).
+# Defaults to undef.
+#
+# [*public_certificate*]
+# Certificate path used to enable TLS for the public proxy endpoint.
+# Defaults to undef.
+#
+# [*internal_certificate*]
+# Certificate path used to enable TLS for the internal proxy endpoint.
+# Defaults to undef.
+#
+define tripleo::haproxy::endpoint (
+ $internal_ip,
+ $service_port,
+ $ip_addresses,
+ $server_names,
+ $member_options,
+ $public_virtual_ip = undef,
+ $mode = undef,
+ $haproxy_listen_bind_param = undef,
+ $listen_options = {
+ 'option' => [],
+ },
+ $public_ssl_port = undef,
+ $public_certificate = undef,
+ $internal_certificate = undef,
+) {
+ if $public_virtual_ip {
+ # service exposed to the public network
+
+ if $public_certificate {
+ $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+ } else {
+ $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ }
+ } else {
+ # internal service only
+ $public_bind_opts = {}
+ }
+
+ if $internal_certificate {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+ } else {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ }
+ $bind_opts = merge($internal_bind_opts, $public_bind_opts)
+
+ haproxy::listen { "${name}":
+ bind => $bind_opts,
+ collect_exported => false,
+ mode => $mode,
+ options => $listen_options,
+ }
+ haproxy::balancermember { "${name}":
+ listening_service => $name,
+ ports => $service_port,
+ ipaddresses => $ip_addresses,
+ server_names => $server_names,
+ options => $member_options,
+ }
+}
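Review bot: The internal bind line uses the wrong certificate: inside `if $internal_certificate` the `ssl crt` argument is `$public_certificate`, so an endpoint given only an internal certificate ends up with `crt` followed by undef, and one given both serves the public certificate on the internal VIP. The assignment should read `$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_certificate]))`. A related gap is `$public_ssl_port`, which defaults to undef yet is interpolated into the public bind address whenever `$public_certificate` is set, yielding `"${public_virtual_ip}:"`; the body should fall back to `$service_port` when it is unset, or `fail()` when a certificate is given without a port. The `[*public_ssl_port*]` docs could then say `# Required when public_certificate is set; the public bind address is built from it.`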
diff --git a/manifests/keepalived.pp b/manifests/keepalived.pp
new file mode 100644
index 0000000..45d772e
--- /dev/null
+++ b/manifests/keepalived.pp
@@ -0,0 +1,144 @@ +# Copyright 2014 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::keepalived +# +# Configure keepalived for TripleO. +# +# === Parameters: +# +# [*controller_virtual_ip*] +# Control IP or group of IPs to bind the pools +# Can be a string or an array. +# Defaults to undef +# +# [*control_virtual_interface*] +# Interface to bind the control VIP +# Can be a string or an array. +# Defaults to undef +# +# [*public_virtual_interface*] +# Interface to bind the public VIP +# Can be a string or an array. +# Defaults to undef +# +# [*public_virtual_ip*] +# Public IP or group of IPs to bind the pools +# Can be a string or an array. +# Defaults to undef +# +# [*internal_api_virtual_ip*] +# Virtual IP on the internal API network. +# A string. +# Defaults to false +# +# [*storage_virtual_ip*] +# Virtual IP on the storage network. +# A string. +# Defaults to false +# +# [*storage_mgmt_virtual_ip*] +# Virtual IP on the storage mgmt network. +# A string. 
+# Defaults to false +# +class tripleo::keepalived ( + $controller_virtual_ip, + $control_virtual_interface, + $public_virtual_interface, + $public_virtual_ip, + $internal_api_virtual_ip = false, + $storage_virtual_ip = false, + $storage_mgmt_virtual_ip = false, +) { + + case $::osfamily { + 'RedHat': { + $keepalived_name_is_process = false + $keepalived_vrrp_script = 'systemctl status haproxy.service' + } # RedHat + 'Debian': { + $keepalived_name_is_process = true + $keepalived_vrrp_script = undef + } + default: { + warning('Please configure keepalived defaults in tripleo::keepalived.') + $keepalived_name_is_process = undef + $keepalived_vrrp_script = undef + } + } + + class { '::keepalived': } + keepalived::vrrp_script { 'haproxy': + name_is_process => $keepalived_name_is_process, + script => $keepalived_vrrp_script, + } + + # KEEPALIVE INSTANCE CONTROL + keepalived::instance { '51': + interface => $control_virtual_interface, + virtual_ips => [join([$controller_virtual_ip, ' dev ', $control_virtual_interface])], + state => 'MASTER', + track_script => ['haproxy'], + priority => 101, + } + + # KEEPALIVE INSTANCE PUBLIC + keepalived::instance { '52': + interface => $public_virtual_interface, + virtual_ips => [join([$public_virtual_ip, ' dev ', $public_virtual_interface])], + state => 'MASTER', + track_script => ['haproxy'], + priority => 101, + } + + + if $internal_api_virtual_ip and $internal_api_virtual_ip != $controller_virtual_ip { + $internal_api_virtual_interface = interface_for_ip($internal_api_virtual_ip) + # KEEPALIVE INTERNAL API NETWORK + keepalived::instance { '53': + interface => $internal_api_virtual_interface, + virtual_ips => [join([$internal_api_virtual_ip, ' dev ', $internal_api_virtual_interface])], + state => 'MASTER', + track_script => ['haproxy'], + priority => 101, + } + } + + if $storage_virtual_ip and $storage_virtual_ip != $controller_virtual_ip { + $storage_virtual_interface = interface_for_ip($storage_virtual_ip) + # KEEPALIVE STORAGE 
NETWORK + keepalived::instance { '54': + interface => $storage_virtual_interface, + virtual_ips => [join([$storage_virtual_ip, ' dev ', $storage_virtual_interface])], + state => 'MASTER', + track_script => ['haproxy'], + priority => 101, + } + } + + if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $controller_virtual_ip { + $storage_mgmt_virtual_interface = interface_for_ip($storage_mgmt_virtual_ip) + # KEEPALIVE STORAGE MANAGEMENT NETWORK + keepalived::instance { '55': + interface => $storage_mgmt_virtual_interface, + virtual_ips => [join([$storage_mgmt_virtual_ip, ' dev ', $storage_mgmt_virtual_interface])], + state => 'MASTER', + track_script => ['haproxy'], + priority => 101, + } + } + +} diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index ebac621..c75e36a 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp 
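Review bot: The parameter documentation at the top of the new manifests/keepalived.pp says "Defaults to undef" for controller_virtual_ip, control_virtual_interface, public_virtual_interface and public_virtual_ip, but the class signature declares all four without a default, so they are mandatory and catalog compilation fails when one is missing; the four doc lines should read `#   Required; no default.` instead. The same docs say each "Can be a string or an array", yet the values are only ever passed through `join([$controller_virtual_ip, ' dev ', $control_virtual_interface])`, which presumably produces a single malformed virtual_ips entry for an array input rather than one VIP per element — either the docs should say string, or the array case needs handling. In the `default:` branch of the osfamily case, vrrp_script is declared with `script => undef` after only a warning; it would help the next reader to comment there that on unsupported platforms no health check tracks haproxy, so the VIPs are never released on haproxy failure.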
@@ -346,625 +346,69 @@ class tripleo::loadbalancer ( $midonet_api = false, $service_ports = {} ) { - $default_service_ports = { - aodh_api_port => 8042, - aodh_api_ssl_port => 13042, - ceilometer_api_port => 8777, - ceilometer_api_ssl_port => 13777, - cinder_api_port => 8776, - cinder_api_ssl_port => 13776, - glance_api_port => 9292, - glance_api_ssl_port => 13292, - glance_registry_port => 9191, - gnocchi_api_port => 8041, - gnocchi_api_ssl_port => 13041, - heat_api_port => 8004, - heat_api_ssl_port => 13004, - heat_cfn_port => 8000, - heat_cfn_ssl_port => 13005, - heat_cw_port => 8003, - heat_cw_ssl_port => 13003, - ironic_api_port => 6385, - ironic_api_ssl_port => 13385, - keystone_admin_api_port => 35357, - keystone_admin_api_ssl_port => 13357, - keystone_public_api_port => 5000, - keystone_public_api_ssl_port => 13000, - manila_api_port => 8786, - manila_api_ssl_port => 13786, - neutron_api_port => 9696, - neutron_api_ssl_port => 13696, - nova_api_port => 8774, - nova_api_ssl_port => 13774, - nova_metadata_port => 8775, - nova_novnc_port => 6080, - nova_novnc_ssl_port => 13080, - sahara_api_port => 8386, - sahara_api_ssl_port => 13386, - swift_proxy_port => 8080, - swift_proxy_ssl_port => 13808, - trove_api_port => 8779, - trove_api_ssl_port => 13779, - } - $ports = merge($default_service_ports, $service_ports) - - if !$controller_host and !$controller_hosts { - fail('$controller_hosts or $controller_host (now deprecated) is a mandatory parameter') - } - if $controller_hosts { - $controller_hosts_real = any2array($controller_hosts) - } else { - warning('$controller_host has been deprecated in favor of $controller_hosts') - $controller_hosts_real = any2array($controller_host) - } - - if !$controller_hosts_names { - $controller_hosts_names_real = any2array($controller_hosts_real) - } else { - $controller_hosts_names_real = any2array($controller_hosts_names) - } - - if $manage_vip { - case $::osfamily { - 'RedHat': { - $keepalived_name_is_process = false - 
$keepalived_vrrp_script = 'systemctl status haproxy.service' - } # RedHat - 'Debian': { - $keepalived_name_is_process = true - $keepalived_vrrp_script = undef - } - default: { - warning('Please configure keepalived defaults in tripleo::loadbalancer.') - $keepalived_name_is_process = undef - $keepalived_vrrp_script = undef - } - } - - class { '::keepalived': } - keepalived::vrrp_script { 'haproxy': - name_is_process => $keepalived_name_is_process, - script => $keepalived_vrrp_script, - } - - # KEEPALIVE INSTANCE CONTROL - keepalived::instance { '51': - interface => $control_virtual_interface, - virtual_ips => [join([$controller_virtual_ip, ' dev ', $control_virtual_interface])], - state => 'MASTER', - track_script => ['haproxy'], - priority => 101, - } - - # KEEPALIVE INSTANCE PUBLIC - keepalived::instance { '52': - interface => $public_virtual_interface, - virtual_ips => [join([$public_virtual_ip, ' dev ', $public_virtual_interface])], - state => 'MASTER', - track_script => ['haproxy'], - priority => 101, - } - - - if $internal_api_virtual_ip and $internal_api_virtual_ip != $controller_virtual_ip { - $internal_api_virtual_interface = interface_for_ip($internal_api_virtual_ip) - # KEEPALIVE INTERNAL API NETWORK - keepalived::instance { '53': - interface => $internal_api_virtual_interface, - virtual_ips => [join([$internal_api_virtual_ip, ' dev ', $internal_api_virtual_interface])], - state => 'MASTER', - track_script => ['haproxy'], - priority => 101, - } - } - - if $storage_virtual_ip and $storage_virtual_ip != $controller_virtual_ip { - $storage_virtual_interface = interface_for_ip($storage_virtual_ip) - # KEEPALIVE STORAGE NETWORK - keepalived::instance { '54': - interface => $storage_virtual_interface, - virtual_ips => [join([$storage_virtual_ip, ' dev ', $storage_virtual_interface])], - state => 'MASTER', - track_script => ['haproxy'], - priority => 101, - } - } - - if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $controller_virtual_ip { - 
$storage_mgmt_virtual_interface = interface_for_ip($storage_mgmt_virtual_ip) - # KEEPALIVE STORAGE MANAGEMENT NETWORK - keepalived::instance { '55': - interface => $storage_mgmt_virtual_interface, - virtual_ips => [join([$storage_mgmt_virtual_ip, ' dev ', $storage_mgmt_virtual_interface])], - state => 'MASTER', - track_script => ['haproxy'], - priority => 101, - } - } - - } - - # TODO(bnemec): When we have support for SSL on private and admin endpoints, - # have the haproxy stats endpoint use that certificate by default. - if $haproxy_stats_certificate { - $haproxy_stats_bind_certificate = $haproxy_stats_certificate - } - - $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) - if $service_certificate { - # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the - # same, the first option takes precedence. Which is the case when network - # isolation is not enabled. This is not a problem as both options are - # identical. If network isolation is enabled, this works correctly and - # will add a TLS binding to both the horizon_vip and the - # public_virtual_ip. - # Even though for the public_virtual_ip the port 80 is listening, we - # redirect to https in the horizon_options below. - $horizon_bind_opts = { - "${horizon_vip}:80" => $haproxy_listen_bind_param, - "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - "${public_virtual_ip}:80" => $haproxy_listen_bind_param, - "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', - # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 
- 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', - } - } else { - $horizon_bind_opts = { - "${horizon_vip}:80" => $haproxy_listen_bind_param, - "${public_virtual_ip}:80" => $haproxy_listen_bind_param, - } - $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'option' => 'forwardfor', - } - } - - if $haproxy_stats_bind_certificate { - $haproxy_stats_bind_opts = { - "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]), - } - } else { - $haproxy_stats_bind_opts = { - "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param, - } - } - - $mysql_vip = hiera('mysql_vip', $controller_virtual_ip) - $mysql_bind_opts = { - "${mysql_vip}:3306" => $haproxy_listen_bind_param, - } - - $rabbitmq_vip = hiera('rabbitmq_vip', $controller_virtual_ip) - $rabbitmq_bind_opts = { - "${rabbitmq_vip}:5672" => $haproxy_listen_bind_param, - } - - $redis_vip = hiera('redis_vip', $controller_virtual_ip) - $redis_bind_opts = { - "${redis_vip}:6379" => $haproxy_listen_bind_param, - } - - class { '::haproxy': - service_manage => $haproxy_service_manage, - global_options => { - 'log' => "${haproxy_log_address} local0", - 'pidfile' => '/var/run/haproxy.pid', - 'user' => 'haproxy', - 'group' => 'haproxy', - 'daemon' => '', - 'maxconn' => $haproxy_global_maxconn, - 'ssl-default-bind-ciphers' => $ssl_cipher_suite, - 'ssl-default-bind-options' => $ssl_options, - }, - defaults_options => { - 'mode' => 'tcp', - 'log' => 'global', - 'retries' => '3', - 'timeout' => $haproxy_default_timeout, - 'maxconn' => $haproxy_default_maxconn, - }, - } - - Tripleo::Loadbalancer::Endpoint { + warning('This class is going to be dropped during Newton cycle, replaced by tripleo::haproxy and tripleo::keepalived.') + class { '::tripleo::haproxy': + controller_virtual_ip => $controller_virtual_ip, + public_virtual_ip => $public_virtual_ip, + # Force to false 
because we already declare ::tripleo::keepalived later in this manifest to kep + # old hieradata binding. + keepalived => false, + haproxy_service_manage => $haproxy_service_manage, + haproxy_global_maxconn => $haproxy_global_maxconn, + haproxy_default_maxconn => $haproxy_default_maxconn, + haproxy_default_timeout => $haproxy_default_timeout, haproxy_listen_bind_param => $haproxy_listen_bind_param, - member_options => $haproxy_member_options, - public_certificate => $service_certificate, + haproxy_member_options => $haproxy_member_options, + haproxy_log_address => $haproxy_log_address, + haproxy_stats_user => $haproxy_stats_user, + haproxy_stats_password => $haproxy_stats_password, + controller_host => $controller_host, + controller_hosts => $controller_hosts, + controller_hosts_names => $controller_hosts_names, + service_certificate => $service_certificate, internal_certificate => $internal_certificate, + ssl_cipher_suite => $ssl_cipher_suite, + ssl_options => $ssl_options, + haproxy_stats_certificate => $haproxy_stats_certificate, + keystone_admin => $keystone_admin, + keystone_public => $keystone_public, + neutron => $neutron, + cinder => $cinder, + sahara => $sahara, + trove => $trove, + manila => $manila, + glance_api => $glance_api, + glance_registry => $glance_registry, + nova_osapi => $nova_osapi, + nova_metadata => $nova_metadata, + nova_novncproxy => $nova_novncproxy, + ceilometer => $ceilometer, + aodh => $aodh, + gnocchi => $gnocchi, + swift_proxy_server => $swift_proxy_server, + heat_api => $heat_api, + heat_cloudwatch => $heat_cloudwatch, + heat_cfn => $heat_cfn, + horizon => $horizon, + ironic => $ironic, + mysql => $mysql, + mysql_clustercheck => $mysql_clustercheck, + rabbitmq => $rabbitmq, + redis => $redis, + redis_password => $redis_password, + midonet_api => $midonet_api, + service_ports => $service_ports, } - $stats_base = ['enable', 'uri /'] - if $haproxy_stats_password { - $stats_config = union($stats_base, ["auth 
${haproxy_stats_user}:${haproxy_stats_password}"]) - } else { - $stats_config = $stats_base - } - haproxy::listen { 'haproxy.stats': - bind => $haproxy_stats_bind_opts, - mode => 'http', - options => { - 'stats' => $stats_config, - }, - collect_exported => false, - } - - if $keystone_admin { - ::tripleo::loadbalancer::endpoint { 'keystone_admin': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), - service_port => $ports[keystone_admin_api_port], - ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, - public_ssl_port => $ports[keystone_admin_api_ssl_port], - } - } - - if $keystone_public { - ::tripleo::loadbalancer::endpoint { 'keystone_public': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip), - service_port => $ports[keystone_public_api_port], - ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, - public_ssl_port => $ports[keystone_public_api_ssl_port], - } - } - - if $neutron { - ::tripleo::loadbalancer::endpoint { 'neutron': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('neutron_api_vip', $controller_virtual_ip), - service_port => $ports[neutron_api_port], - ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - public_ssl_port => $ports[neutron_api_ssl_port], - } - } - - if $cinder { - ::tripleo::loadbalancer::endpoint { 'cinder': - public_virtual_ip 
=> $public_virtual_ip, - internal_ip => hiera('cinder_api_vip', $controller_virtual_ip), - service_port => $ports[cinder_api_port], - ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, - public_ssl_port => $ports[cinder_api_ssl_port], - } - } - - if $manila { - ::tripleo::loadbalancer::endpoint { 'manila': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('manila_api_vip', $controller_virtual_ip), - service_port => $ports[manila_api_port], - ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - public_ssl_port => $ports[manila_api_ssl_port], - } - } - - if $sahara { - ::tripleo::loadbalancer::endpoint { 'sahara': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('sahara_api_vip', $controller_virtual_ip), - service_port => $ports[sahara_api_port], - ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - public_ssl_port => $ports[sahara_api_ssl_port], - } - } - - if $trove { - ::tripleo::loadbalancer::endpoint { 'trove': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('trove_api_vip', $controller_virtual_ip), - service_port => $ports[trove_api_port], - ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - public_ssl_port => $ports[trove_api_ssl_port], - } - } - - if $glance_api { - ::tripleo::loadbalancer::endpoint { 'glance_api': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('glance_api_vip', $controller_virtual_ip), - service_port => $ports[glance_api_port], - ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real), - server_names => 
$controller_hosts_names_real, - public_ssl_port => $ports[glance_api_ssl_port], - } - } - - if $glance_registry { - ::tripleo::loadbalancer::endpoint { 'glance_registry': - internal_ip => hiera('glance_registry_vip', $controller_virtual_ip), - service_port => $ports[glance_registry_port], - ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - } - } - - $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) - if $nova_osapi { - ::tripleo::loadbalancer::endpoint { 'nova_osapi': - public_virtual_ip => $public_virtual_ip, - internal_ip => $nova_api_vip, - service_port => $ports[nova_api_port], - ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - mode => 'http', - listen_options => { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], - }, - public_ssl_port => $ports[nova_api_ssl_port], - } - } - - if $nova_metadata { - ::tripleo::loadbalancer::endpoint { 'nova_metadata': - internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip), - service_port => $ports[nova_metadata_port], - ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - } - } - - if $nova_novncproxy { - ::tripleo::loadbalancer::endpoint { 'nova_novncproxy': - public_virtual_ip => $public_virtual_ip, - internal_ip => $nova_api_vip, - service_port => $ports[nova_novnc_port], - ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - listen_options => { - 'balance' => 'source', - 'timeout' => [ 'tunnel 1h' ], - }, - public_ssl_port => $ports[nova_novnc_ssl_port], - } - } - - if $ceilometer { - ::tripleo::loadbalancer::endpoint { 'ceilometer': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip), - 
service_port => $ports[ceilometer_api_port], - ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - public_ssl_port => $ports[ceilometer_api_ssl_port], - } - } - - if $aodh { - ::tripleo::loadbalancer::endpoint { 'aodh': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('aodh_api_vip', $controller_virtual_ip), - service_port => $ports[aodh_api_port], - ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - public_ssl_port => $ports[aodh_api_ssl_port], - } - } - - if $gnocchi { - ::tripleo::loadbalancer::endpoint { 'gnocchi': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip), - service_port => $ports[gnocchi_api_port], - ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - public_ssl_port => $ports[gnocchi_api_ssl_port], - } - } - - if $swift_proxy_server { - ::tripleo::loadbalancer::endpoint { 'swift_proxy_server': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip), - service_port => $ports[swift_proxy_port], - ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - public_ssl_port => $ports[swift_proxy_ssl_port], - } - } - - $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) - $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) - $heat_base_options = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} - if $service_certificate { - $heat_ssl_options = { - 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", - } - $heat_options = merge($heat_base_options, $heat_ssl_options) - } else { - $heat_options = 
$heat_base_options - } - - if $heat_api { - ::tripleo::loadbalancer::endpoint { 'heat_api': - public_virtual_ip => $public_virtual_ip, - internal_ip => $heat_api_vip, - service_port => $ports[heat_api_port], - ip_addresses => $heat_ip_addresses, - server_names => $controller_hosts_names_real, - mode => 'http', - listen_options => $heat_options, - public_ssl_port => $ports[heat_api_ssl_port], - } - } - - if $heat_cloudwatch { - ::tripleo::loadbalancer::endpoint { 'heat_cloudwatch': - public_virtual_ip => $public_virtual_ip, - internal_ip => $heat_api_vip, - service_port => $ports[heat_cw_port], - ip_addresses => $heat_ip_addresses, - server_names => $controller_hosts_names_real, - mode => 'http', - listen_options => $heat_options, - public_ssl_port => $ports[heat_cw_ssl_port], - } - } - - if $heat_cfn { - ::tripleo::loadbalancer::endpoint { 'heat_cfn': - public_virtual_ip => $public_virtual_ip, - internal_ip => $heat_api_vip, - service_port => $ports[heat_cfn_port], - ip_addresses => $heat_ip_addresses, - server_names => $controller_hosts_names_real, - mode => 'http', - listen_options => $heat_options, - public_ssl_port => $ports[heat_cfn_ssl_port], - } - } - - if $horizon { - haproxy::listen { 'horizon': - bind => $horizon_bind_opts, - options => $horizon_options, - mode => 'http', - collect_exported => false, - } - haproxy::balancermember { 'horizon': - listening_service => 'horizon', - ports => '80', - ipaddresses => hiera('horizon_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => union($haproxy_member_options, ["cookie ${::hostname}"]), - } - } - - if $ironic { - ::tripleo::loadbalancer::endpoint { 'ironic': - public_virtual_ip => $public_virtual_ip, - internal_ip => hiera('ironic_api_vip', $controller_virtual_ip), - service_port => $ports[ironic_api_port], - ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - public_ssl_port => 
$ports[ironic_api_ssl_port], - } - } - - if $mysql_clustercheck { - $mysql_listen_options = { - 'option' => [ 'tcpka', 'httpchk' ], - 'timeout client' => '90m', - 'timeout server' => '90m', - 'stick-table' => 'type ip size 1000', - 'stick' => 'on dst', - } - $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions']) - } else { - $mysql_listen_options = { - 'timeout client' => '90m', - 'timeout server' => '90m', - } - $mysql_member_options = union($haproxy_member_options, ['backup']) - } - - if $mysql { - haproxy::listen { 'mysql': - bind => $mysql_bind_opts, - options => $mysql_listen_options, - collect_exported => false, - } - haproxy::balancermember { 'mysql-backup': - listening_service => 'mysql', - ports => '3306', - ipaddresses => hiera('mysql_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $mysql_member_options, - } - } - - if $rabbitmq { - haproxy::listen { 'rabbitmq': - bind => $rabbitmq_bind_opts, - options => { - 'option' => [ 'tcpka' ], - 'timeout' => [ 'client 0', 'server 0' ], - }, - collect_exported => false, - } - haproxy::balancermember { 'rabbitmq': - listening_service => 'rabbitmq', - ports => '5672', - ipaddresses => hiera('rabbitmq_network', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, - } - } - - if $redis { - if $redis_password { - $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"] - } else { - $redis_tcp_check_options = [] - } - haproxy::listen { 'redis': - bind => $redis_bind_opts, - options => { - 'balance' => 'first', - 'option' => ['tcp-check',], - 'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']), - }, - collect_exported => false, - } - haproxy::balancermember { 'redis': - listening_service => 'redis', - ports => '6379', - 
ipaddresses => hiera('redis_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, - } - } - - $midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip) - $midonet_bind_opts = { - "${midonet_api_vip}:8081" => [], - "${public_virtual_ip}:8081" => [], - } - - if $midonet_api { - haproxy::listen { 'midonet_api': - bind => $midonet_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'midonet_api': - listening_service => 'midonet_api', - ports => '8081', - ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + if $manage_vip { + class { '::tripleo::keepalived': + controller_virtual_ip => $controller_virtual_ip, + control_virtual_interface => $public_virtual_interface, + public_virtual_interface => $public_virtual_interface, + public_virtual_ip => $public_virtual_ip, + internal_api_virtual_ip => $internal_api_virtual_ip, + storage_virtual_ip => $storage_virtual_ip, + storage_mgmt_virtual_ip => $storage_mgmt_virtual_ip, } } } diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp index f75f79a..add6689 100644 --- a/manifests/loadbalancer/endpoint.pp +++ b/manifests/loadbalancer/endpoint.pp 
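Review bot: The new `::tripleo::keepalived` declaration near the end of the hunk passes `control_virtual_interface => $public_virtual_interface`, whereas the removed instance '51' block bound the control VIP to `$control_virtual_interface`; as written, the control VIP would be advertised on the public interface, which is both a functional regression and an unintended exposure of the control-plane address on the public network. The line should be `control_virtual_interface => $control_virtual_interface,`. The comment on the keepalived parameter also has a typo (`kep` for `keep`). The parameter list of class tripleo::loadbalancer begins outside this hunk.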
@@ -84,37 +84,18 @@ define tripleo::loadbalancer::endpoint ( $public_certificate = undef, $internal_certificate = undef, ) { - if $public_virtual_ip { - # service exposed to the public network - - if $public_certificate { - $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) - } else { - $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param) - } - } else { - # internal service only - $public_bind_opts = {} - } - - if $internal_certificate { - $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) - } else { - $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) - } - $bind_opts = merge($internal_bind_opts, $public_bind_opts) - - haproxy::listen { "${name}": - bind => $bind_opts, - collect_exported => false, - mode => $mode, - options => $listen_options, - } - haproxy::balancermember { "${name}": - listening_service => $name, - ports => $service_port, - ipaddresses => $ip_addresses, - server_names => $server_names, - options => $member_options, + ::tripleo::haproxy::endpoint { $name: + internal_ip => $internal_ip, + service_port => $service_port, + ip_addresses => $ip_addresses, + server_names => $server_names, + member_options => $member_options, + public_virtual_ip => $public_virtual_ip, + mode => $mode, + haproxy_listen_bind_param => $haproxy_listen_bind_param, + listen_options => $listen_options, + public_ssl_port => $public_ssl_port, + public_certificate => $public_certificate, + internal_certificate => $internal_certificate } } |
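Review bot: The wrapper forwards `internal_certificate` on its last added line, but tripleo::haproxy::endpoint as added in this commit builds the internal bind from `$public_certificate` inside its `if $internal_certificate` branch, so a distinct internal certificate is accepted and then silently ignored, and the public certificate is what ends up served on the internal VIP. The correction belongs in manifests/haproxy/endpoint.pp: `union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_certificate])`. As a point of style, the final forwarded parameter lacks the trailing comma the other lines have (`internal_certificate => $internal_certificate,`). The define's parameter list begins outside this hunk.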