-rw-r--r-- | Gemfile | 1 | ||||
-rw-r--r-- | manifests/loadbalancer.pp | 324 | ||||
-rw-r--r-- | manifests/ssl/cinder_config.pp | 28 | ||||
-rw-r--r-- | spec/spec_helper.rb | 1 |
4 files changed, 234 insertions, 120 deletions
@@ -13,7 +13,6 @@ group :development, :test do gem 'puppet-lint-variable_contains_upcase', :require => 'false' gem 'puppet-lint-numericvariable', :require => 'false' gem 'json', :require => 'false' - gem 'webmock', :require => 'false' # adding 'psych' explicitly # https://github.com/bundler/bundler/issues/2068 # TODO: drop it in a future release of 'bundle'. diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index de995de..9e8c3b6 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -24,21 +24,31 @@ # Defaults to true # # [*haproxy_service_manage*] -# Will be passed as value for service_manage to haproxy module. +# Will be passed as value for service_manage to HAProxy module. # Defaults to true # # [*haproxy_global_maxconn*] -# The value to use as maxconn in the haproxy global config section. +# The value to use as maxconn in the HAProxy global config section. # Defaults to 20480 # # [*haproxy_default_maxconn*] -# The value to use as maxconn in the haproxy default config section. +# The value to use as maxconn in the HAProxy default config section. # Defaults to 4096 # # [*haproxy_default_timeout*] -# The value to use as timeout in the haproxy default config section. +# The value to use as timeout in the HAProxy default config section. # Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ] # +# [*haproxy_listen_bind_param*] +# A list of params to be added to the HAProxy listener bind directive. By +# default the 'transparent' param is added but it should be cleared if +# one of the *_virtual_ip addresses is a wildcard, eg. 0.0.0.0 +# Defaults to [ 'transparent' ] +# +# [*haproxy_member_options*] +# The default options to use for the HAProxy balancer members. +# Defaults to [ 'check', 'inter 2000', 'rise 2', 'fall 5' ] +# # [*haproxy_log_address*] # The IPv4, IPv6 or filesystem socket path of the syslog server. # Defaults to '/dev/log' 
@@ -148,6 +158,11 @@ # When set, enables SSL on the Trove public API endpoint using the specified file. # Defaults to undef # +# [*gnocchi_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the Gnocchi public API endpoint using the specified file. +# Defaults to undef +# # [*swift_certificate*] # Filename of an HAProxy-compatible certificate and key file # When set, enables SSL on the Swift public API endpoint using the specified file. @@ -228,6 +243,10 @@ # (optional) Enable or not Aodh API binding # Defaults to false # +# [*gnocchi*] +# (optional) Enable or not Gnocchi API binding +# Defaults to false +# # [*swift_proxy_server*] # (optional) Enable or not Swift API binding # Defaults to false @@ -285,6 +304,8 @@ class tripleo::loadbalancer ( $haproxy_global_maxconn = 20480, $haproxy_default_maxconn = 4096, $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ], + $haproxy_listen_bind_param = [ 'transparent' ], + $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], $haproxy_log_address = '/dev/log', $controller_host = undef, $controller_hosts = undef, @@ -300,6 +321,7 @@ class tripleo::loadbalancer ( $nova_certificate = undef, $ceilometer_certificate = undef, $aodh_certificate = undef, + $gnocchi_certificate = undef, $swift_certificate = undef, $heat_certificate = undef, $horizon_certificate = undef, @@ -319,6 +341,7 @@ class tripleo::loadbalancer ( $nova_novncproxy = false, $ceilometer = false, $aodh = false, + $gnocchi = false, $swift_proxy_server = false, $heat_api = false, $heat_cloudwatch = false, @@ -478,6 +501,11 @@ class tripleo::loadbalancer ( } else { $aodh_bind_certificate = $service_certificate } + if $gnocchi_certificate { + $gnocchi_bind_certificate = $gnocchi_certificate + } else { + $gnocchi_bind_certificate = $service_certificate + } if $swift_certificate { $swift_bind_certificate = $swift_certificate } else { 
@@ -503,230 +531,275 @@ class tripleo::loadbalancer ( $keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip) if $keystone_bind_certificate { $keystone_public_bind_opts = { - "${keystone_public_api_vip}:5000" => [], - "${public_virtual_ip}:13000" => ['ssl', 'crt', $keystone_bind_certificate], + "${keystone_public_api_vip}:5000" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13000" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]), } $keystone_admin_bind_opts = { - "${keystone_admin_api_vip}:35357" => [], - "${public_virtual_ip}:13357" => ['ssl', 'crt', $keystone_bind_certificate], + "${keystone_admin_api_vip}:35357" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13357" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]), } } else { $keystone_public_bind_opts = { - "${keystone_public_api_vip}:5000" => [], - "${public_virtual_ip}:5000" => [], + "${keystone_public_api_vip}:5000" => $haproxy_listen_bind_param, + "${public_virtual_ip}:5000" => $haproxy_listen_bind_param, } $keystone_admin_bind_opts = { - "${keystone_admin_api_vip}:35357" => [], - "${public_virtual_ip}:35357" => [], + "${keystone_admin_api_vip}:35357" => $haproxy_listen_bind_param, + "${public_virtual_ip}:35357" => $haproxy_listen_bind_param, } } $neutron_api_vip = hiera('neutron_api_vip', $controller_virtual_ip) if $neutron_bind_certificate { $neutron_bind_opts = { - "${neutron_api_vip}:9696" => [], - "${public_virtual_ip}:13696" => ['ssl', 'crt', $neutron_bind_certificate], + "${neutron_api_vip}:9696" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13696" => union($haproxy_listen_bind_param, ['ssl', 'crt', $neutron_bind_certificate]), } } else { $neutron_bind_opts = { - "${neutron_api_vip}:9696" => [], - "${public_virtual_ip}:9696" => [], + "${neutron_api_vip}:9696" => $haproxy_listen_bind_param, + "${public_virtual_ip}:9696" => $haproxy_listen_bind_param, } } $cinder_api_vip = 
hiera('cinder_api_vip', $controller_virtual_ip) if $cinder_bind_certificate { $cinder_bind_opts = { - "${cinder_api_vip}:8776" => [], - "${public_virtual_ip}:13776" => ['ssl', 'crt', $cinder_bind_certificate], + "${cinder_api_vip}:8776" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13776" => union($haproxy_listen_bind_param, ['ssl', 'crt', $cinder_bind_certificate]), } } else { $cinder_bind_opts = { - "${cinder_api_vip}:8776" => [], - "${public_virtual_ip}:8776" => [], + "${cinder_api_vip}:8776" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8776" => $haproxy_listen_bind_param, } } $manila_api_vip = hiera('manila_api_vip', $controller_virtual_ip) if $manila_bind_certificate { $manila_bind_opts = { - "${manila_api_vip}:8786" => [], - "${public_virtual_ip}:13786" => ['ssl', 'crt', $manila_bind_certificate], + "${manila_api_vip}:8786" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13786" => union($haproxy_listen_bind_param, ['ssl', 'crt', $manila_bind_certificate]), } } else { $manila_bind_opts = { - "${manila_api_vip}:8786" => [], - "${public_virtual_ip}:8786" => [], + "${manila_api_vip}:8786" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8786" => $haproxy_listen_bind_param, } } $glance_api_vip = hiera('glance_api_vip', $controller_virtual_ip) if $glance_bind_certificate { $glance_bind_opts = { - "${glance_api_vip}:9292" => [], - "${public_virtual_ip}:13292" => ['ssl', 'crt', $glance_bind_certificate], + "${glance_api_vip}:9292" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13292" => union($haproxy_listen_bind_param, ['ssl', 'crt', $glance_bind_certificate]), } } else { $glance_bind_opts = { - "${glance_api_vip}:9292" => [], - "${public_virtual_ip}:9292" => [], + "${glance_api_vip}:9292" => $haproxy_listen_bind_param, + "${public_virtual_ip}:9292" => $haproxy_listen_bind_param, } } + $glance_registry_vip = hiera('glance_registry_vip', $controller_virtual_ip) + $glance_registry_bind_opts = { + "${glance_registry_vip}:9191" => 
$haproxy_listen_bind_param, + } + $sahara_api_vip = hiera('sahara_api_vip', $controller_virtual_ip) if $sahara_bind_certificate { $sahara_bind_opts = { - "${sahara_api_vip}:8386" => [], - "${public_virtual_ip}:13786" => ['ssl', 'crt', $sahara_bind_certificate], + "${sahara_api_vip}:8386" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13786" => union($haproxy_listen_bind_param, ['ssl', 'crt', $sahara_bind_certificate]), } } else { $sahara_bind_opts = { - "${sahara_api_vip}:8386" => [], - "${public_virtual_ip}:8386" => [], + "${sahara_api_vip}:8386" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8386" => $haproxy_listen_bind_param, } } $trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip) if $trove_bind_certificate { $trove_bind_opts = { - "${trove_api_vip}:8779" => [], - "${public_virtual_ip}:13779" => ['ssl', 'crt', $trove_bind_certificate], + "${trove_api_vip}:8779" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13779" => union($haproxy_listen_bind_param, ['ssl', 'crt', $trove_bind_certificate]), } } else { $trove_bind_opts = { - "${trove_api_vip}:8779" => [], - "${public_virtual_ip}:8779" => [], + "${trove_api_vip}:8779" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8779" => $haproxy_listen_bind_param, } } $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) if $nova_bind_certificate { $nova_osapi_bind_opts = { - "${nova_api_vip}:8774" => [], - "${public_virtual_ip}:13774" => ['ssl', 'crt', $nova_bind_certificate], + "${nova_api_vip}:8774" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13774" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]), } $nova_ec2_bind_opts = { - "${nova_api_vip}:8773" => [], - "${public_virtual_ip}:13773" => ['ssl', 'crt', $nova_bind_certificate], + "${nova_api_vip}:8773" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13773" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]), } $nova_novnc_bind_opts = { - 
"${nova_api_vip}:6080" => [], - "${public_virtual_ip}:13080" => ['ssl', 'crt', $nova_bind_certificate], + "${nova_api_vip}:6080" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13080" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]), } } else { $nova_osapi_bind_opts = { - "${nova_api_vip}:8774" => [], - "${public_virtual_ip}:8774" => [], + "${nova_api_vip}:8774" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8774" => $haproxy_listen_bind_param, } $nova_ec2_bind_opts = { - "${nova_api_vip}:8773" => [], - "${public_virtual_ip}:8773" => [], + "${nova_api_vip}:8773" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8773" => $haproxy_listen_bind_param, } $nova_novnc_bind_opts = { - "${nova_api_vip}:6080" => [], - "${public_virtual_ip}:6080" => [], + "${nova_api_vip}:6080" => $haproxy_listen_bind_param, + "${public_virtual_ip}:6080" => $haproxy_listen_bind_param, } } + $nova_metadata_vip = hiera('nova_metadata_vip', $controller_virtual_ip) + $nova_metadata_bind_opts = { + "${nova_metadata_vip}:8775" => $haproxy_listen_bind_param, + } + $ceilometer_api_vip = hiera('ceilometer_api_vip', $controller_virtual_ip) if $ceilometer_bind_certificate { $ceilometer_bind_opts = { - "${ceilometer_api_vip}:8777" => [], - "${public_virtual_ip}:13777" => ['ssl', 'crt', $ceilometer_bind_certificate], + "${ceilometer_api_vip}:8777" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13777" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ceilometer_bind_certificate]), } } else { $ceilometer_bind_opts = { - "${ceilometer_api_vip}:8777" => [], - "${public_virtual_ip}:8777" => [], + "${ceilometer_api_vip}:8777" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8777" => $haproxy_listen_bind_param, } } $aodh_api_vip = hiera('aodh_api_vip', $controller_virtual_ip) if $aodh_bind_certificate { $aodh_bind_opts = { - "${aodh_api_vip}:8042" => [], - "${public_virtual_ip}:13042" => ['ssl', 'crt', $aodh_bind_certificate], + 
"${aodh_api_vip}:8042" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13042" => union($haproxy_listen_bind_param, ['ssl', 'crt', $aodh_bind_certificate]), } } else { $aodh_bind_opts = { - "${aodh_api_vip}:8042" => [], - "${public_virtual_ip}:8042" => [], + "${aodh_api_vip}:8042" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8042" => $haproxy_listen_bind_param, + } + } + + $gnocchi_api_vip = hiera('gnocchi_api_vip', $controller_virtual_ip) + if $gnocchi_bind_certificate { + $gnocchi_bind_opts = { + "${gnocchi_api_vip}:8041" => [], + "${public_virtual_ip}:13041" => ['ssl', 'crt', $gnocchi_bind_certificate], + } + } else { + $gnocchi_bind_opts = { + "${gnocchi_api_vip}:8041" => [], + "${public_virtual_ip}:8041" => [], } } $swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip) if $swift_bind_certificate { $swift_bind_opts = { - "${swift_proxy_vip}:8080" => [], - "${public_virtual_ip}:13808" => ['ssl', 'crt', $swift_bind_certificate], + "${swift_proxy_vip}:8080" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13808" => union($haproxy_listen_bind_param, ['ssl', 'crt', $swift_bind_certificate]), } } else { $swift_bind_opts = { - "${swift_proxy_vip}:8080" => [], - "${public_virtual_ip}:8080" => [], + "${swift_proxy_vip}:8080" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8080" => $haproxy_listen_bind_param, } } $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) if $heat_bind_certificate { $heat_bind_opts = { - "${heat_api_vip}:8004" => [], - "${public_virtual_ip}:13004" => ['ssl', 'crt', $heat_bind_certificate], + "${heat_api_vip}:8004" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13004" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]), } $heat_options = { 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], } $heat_cw_bind_opts = { - "${heat_api_vip}:8003" 
=> [], - "${public_virtual_ip}:13003" => ['ssl', 'crt', $heat_bind_certificate], + "${heat_api_vip}:8003" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13003" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]), } $heat_cfn_bind_opts = { - "${heat_api_vip}:8000" => [], - "${public_virtual_ip}:13800" => ['ssl', 'crt', $heat_bind_certificate], + "${heat_api_vip}:8000" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13800" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]), } } else { $heat_bind_opts = { - "${heat_api_vip}:8004" => [], - "${public_virtual_ip}:8004" => [], + "${heat_api_vip}:8004" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8004" => $haproxy_listen_bind_param, } $heat_options = {} $heat_cw_bind_opts = { - "${heat_api_vip}:8003" => [], - "${public_virtual_ip}:8003" => [], + "${heat_api_vip}:8003" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8003" => $haproxy_listen_bind_param, } $heat_cfn_bind_opts = { - "${heat_api_vip}:8000" => [], - "${public_virtual_ip}:8000" => [], + "${heat_api_vip}:8000" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8000" => $haproxy_listen_bind_param, } } $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) if $horizon_bind_certificate { $horizon_bind_opts = { - "${horizon_vip}:80" => [], - "${public_virtual_ip}:443" => ['ssl', 'crt', $horizon_bind_certificate], + "${horizon_vip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]), + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', } } else { $horizon_bind_opts = { - "${horizon_vip}:80" => [], - "${public_virtual_ip}:80" => [], + "${horizon_vip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + } + $horizon_options = { + 'cookie' => 'SERVERID insert 
indirect nocache', } } $ironic_api_vip = hiera('ironic_api_vip', $controller_virtual_ip) if $ironic_bind_certificate { $ironic_bind_opts = { - "${ironic_api_vip}:6385" => [], - "${public_virtual_ip}:13385" => ['ssl', 'crt', $ironic_bind_certificate], + "${ironic_api_vip}:6385" => $haproxy_listen_bind_param, + "${public_virtual_ip}:13385" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ironic_bind_certificate]), } } else { $ironic_bind_opts = { - "${ironic_api_vip}:6385" => [], - "${public_virtual_ip}:6385" => [], + "${ironic_api_vip}:6385" => $haproxy_listen_bind_param, + "${public_virtual_ip}:6385" => $haproxy_listen_bind_param, } } + $mysql_vip = hiera('mysql_vip', $controller_virtual_ip) + $mysql_bind_opts = { + "${mysql_vip}:3306" => $haproxy_listen_bind_param, + } + + $rabbitmq_vip = hiera('rabbitmq_vip', $controller_virtual_ip) + $rabbitmq_bind_opts = { + "${rabbitmq_vip}:5672" => $haproxy_listen_bind_param, + } + + $redis_vip = hiera('redis_vip', $controller_virtual_ip) + $redis_bind_opts = { + "${redis_vip}:6379" => $haproxy_listen_bind_param, + } + sysctl::value { 'net.ipv4.ip_nonlocal_bind': value => '1' } class { '::haproxy': @@ -768,13 +841,17 @@ class tripleo::loadbalancer ( haproxy::listen { 'keystone_admin': bind => $keystone_admin_bind_opts, collect_exported => false, + mode => 'http', # Needed for http-request option + options => { + 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], + }, } haproxy::balancermember { 'keystone_admin': listening_service => 'keystone_admin', ports => '35357', ipaddresses => hiera('keystone_admin_api_node_ips',$controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } 
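Review bot: The new Gnocchi listener ignores the parameters this commit introduces: both branches of `$gnocchi_bind_opts` still map the binds to `[]` and `['ssl', 'crt', $gnocchi_bind_certificate]`, so `haproxy_listen_bind_param` never reaches it, and the `gnocchi` balancermember in the later `@@ -984,6 +1063,20 @@` hunk likewise hard-codes `['check', 'inter 2000', 'rise 2', 'fall 5']` instead of `$haproxy_member_options`. Following the other services, the binds would read `"${gnocchi_api_vip}:8041" => $haproxy_listen_bind_param,` and `"${public_virtual_ip}:13041" => union($haproxy_listen_bind_param, ['ssl', 'crt', $gnocchi_bind_certificate]),`, with the plain branch using `$haproxy_listen_bind_param` for both keys. Separately, the rewritten Sahara SSL bind keeps `"${public_virtual_ip}:13786"`, the same address and port as the Manila SSL bind, so enabling both certificates would give two listeners the same socket; `13386` would match the numbering used by the other services, though the intended port should be confirmed. The context line `hiera('$trove_api_vip', $controller_virtual_ip)` also looks up a key containing a literal `$`, which presumably never matches and silently falls back to the controller VIP.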
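Review bot: The added `http-request` rule sets `X-Forwarded-Proto` only when `ssl_fc` is true and leaves any client-supplied value untouched on the plain-HTTP binds of `keystone_admin`, so a backend that trusts the header cannot tell a TLS-terminated request from one that merely claims to be. Adding a second rule pins the value on both paths, e.g. `'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],`. The same applies to the `cinder` listener in the `@@ -814,13 +891,17 @@` hunk, where it matters more because this commit also adds the `HTTPProxyToWSGI` filter to Cinder's paste pipeline.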
@@ -792,7 +869,7 @@ class tripleo::loadbalancer ( ports => '5000', ipaddresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -806,7 +883,7 @@ class tripleo::loadbalancer ( ports => '9696', ipaddresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -814,13 +891,17 @@ class tripleo::loadbalancer ( haproxy::listen { 'cinder': bind => $cinder_bind_opts, collect_exported => false, + mode => 'http', # Needed for http-request option + options => { + 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], + }, } haproxy::balancermember { 'cinder': listening_service => 'cinder', ports => '8776', ipaddresses => hiera('cinder_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -834,7 +915,7 @@ class tripleo::loadbalancer ( ports => '8786', ipaddresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -848,7 +929,7 @@ class tripleo::loadbalancer ( ports => '8386', ipaddresses => hiera('sahara_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -862,7 +943,7 @@ class tripleo::loadbalancer ( ports => '8779', ipaddresses => hiera('trove_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } 
@@ -876,14 +957,13 @@ class tripleo::loadbalancer ( ports => '9292', ipaddresses => hiera('glance_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } if $glance_registry { haproxy::listen { 'glance_registry': - ipaddress => hiera('glance_registry_vip', $controller_virtual_ip), - ports => 9191, + bind => $glance_registry_bind_opts, collect_exported => false, } haproxy::balancermember { 'glance_registry': @@ -891,7 +971,7 @@ class tripleo::loadbalancer ( ports => '9191', ipaddresses => hiera('glance_registry_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -905,7 +985,7 @@ class tripleo::loadbalancer ( ports => '8773', ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -923,14 +1003,13 @@ class tripleo::loadbalancer ( ports => '8774', ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } if $nova_metadata { haproxy::listen { 'nova_metadata': - ipaddress => hiera('nova_metadata_vip', $controller_virtual_ip), - ports => 8775, + bind => $nova_metadata_bind_opts, collect_exported => false, } haproxy::balancermember { 'nova_metadata': @@ -938,7 +1017,7 @@ class tripleo::loadbalancer ( ports => '8775', ipaddresses => hiera('nova_metadata_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } 
@@ -956,7 +1035,7 @@ class tripleo::loadbalancer ( ports => '6080', ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -970,7 +1049,7 @@ class tripleo::loadbalancer ( ports => '8777', ipaddresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -984,6 +1063,20 @@ class tripleo::loadbalancer ( ports => '8042', ipaddresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, + options => $haproxy_member_options, + } + } + + if $gnocchi { + haproxy::listen { 'gnocchi': + bind => $gnocchi_bind_opts, + collect_exported => false, + } + haproxy::balancermember { 'gnocchi': + listening_service => 'gnocchi', + ports => '8041', + ipaddresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, options => ['check', 'inter 2000', 'rise 2', 'fall 5'], } } @@ -998,7 +1091,7 @@ class tripleo::loadbalancer ( ports => '8080', ipaddresses => hiera('swift_proxy_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -1014,7 +1107,7 @@ class tripleo::loadbalancer ( ports => '8004', ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } 
@@ -1028,7 +1121,7 @@ class tripleo::loadbalancer ( ports => '8003', ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -1042,16 +1135,14 @@ class tripleo::loadbalancer ( ports => '8000', ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } if $horizon { haproxy::listen { 'horizon': bind => $horizon_bind_opts, - options => { - 'cookie' => 'SERVERID insert indirect nocache', - }, + options => $horizon_options, mode => 'http', collect_exported => false, } @@ -1060,7 +1151,7 @@ class tripleo::loadbalancer ( ports => '80', ipaddresses => hiera('horizon_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ["cookie ${::hostname}", 'check', 'inter 2000', 'rise 2', 'fall 5'], + options => union($haproxy_member_options, ["cookie ${::hostname}"]), } } @@ -1072,13 +1163,13 @@ class tripleo::loadbalancer ( 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', } - $mysql_member_options = ['check', 'inter 2000', 'rise 2', 'fall 5', 'backup', 'port 9200', 'on-marked-down shutdown-sessions'] + $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions']) } else { $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', } - $mysql_member_options = ['check', 'inter 2000', 'rise 2', 'fall 5', 'backup'] + $mysql_member_options = union($haproxy_member_options, ['backup']) } if $ironic { 
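Review bot: `$horizon_options`, which the `horizon` listener now takes in the `@@ -1042,16 +1135,14 @@` hunk, carries in its SSL branch an `rsprep` that is not scoped to a host (`'^Location:\ http://(.*) Location:\ https://\1'`, defined in the earlier bind-options hunk), unlike the Heat rule, which matches only `http://${public_virtual_ip}`. Because this listener serves both `${horizon_vip}:80` and `${public_virtual_ip}:443`, redirects returned to clients on the plain-HTTP bind, and redirects to any other host, are rewritten to https as well. Scoping it the way Heat does would avoid that: `'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",`.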
@@ -1091,14 +1182,13 @@ class tripleo::loadbalancer ( ports => '6385', ipaddresses => hiera('ironic_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } if $mysql { haproxy::listen { 'mysql': - ipaddress => [hiera('mysql_vip', $controller_virtual_ip)], - ports => 3306, + bind => $mysql_bind_opts, options => $mysql_listen_options, collect_exported => false, } @@ -1113,8 +1203,7 @@ class tripleo::loadbalancer ( if $rabbitmq { haproxy::listen { 'rabbitmq': - ipaddress => [hiera('rabbitmq_vip', $controller_virtual_ip)], - ports => 5672, + bind => $rabbitmq_bind_opts, options => { 'option' => [ 'tcpka' ], 'timeout' => [ 'client 0', 'server 0' ], @@ -1126,14 +1215,13 @@ class tripleo::loadbalancer ( ports => '5672', ipaddresses => hiera('rabbitmq_network', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } if $redis { haproxy::listen { 'redis': - ipaddress => [hiera('redis_vip', $controller_virtual_ip)], - ports => 6379, + bind => $redis_bind_opts, options => { 'timeout' => [ 'client 0', 'server 0' ], 'balance' => 'first', @@ -1147,7 +1235,7 @@ class tripleo::loadbalancer ( ports => '6379', ipaddresses => hiera('redis_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } @@ -1167,7 +1255,7 @@ class tripleo::loadbalancer ( ports => '8081', ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + options => $haproxy_member_options, } } } diff --git a/manifests/ssl/cinder_config.pp b/manifests/ssl/cinder_config.pp new file mode 100644 index 0000000..e1ed113 --- /dev/null 
+++ b/manifests/ssl/cinder_config.pp @@ -0,0 +1,28 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::ssl::cinder_config +# +# Enable SSL middleware for the cinder service's pipeline. +# + +class tripleo::ssl::cinder_config { + cinder_api_paste_ini { + 'filter:ssl_header_handler/paste.filter_factory': + value => 'oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory'; + 'pipeline:apiversions/pipeline': + value => 'ssl_header_handler faultwrap osvolumeversionapp'; + } +} diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 5cf9642..15d5eab 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -1,6 +1,5 @@ require 'puppetlabs_spec_helper/module_spec_helper' require 'shared_examples' -require 'webmock/rspec' fixture_path = File.expand_path(File.join(__FILE__, '..', 'fixtures')) |
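Review bot: The new class `tripleo::ssl::cinder_config` overwrites `pipeline:apiversions/pipeline` with the fixed value `ssl_header_handler faultwrap osvolumeversionapp`, so any other filter a deployment has in that pipeline is dropped without notice, and as far as this file shows only the version-listing pipeline gets the proxy-header filter. The class comment should say so, and should note that `HTTPProxyToWSGI` derives the request scheme from forwarded headers, so the Cinder API is expected to be reachable only through the HAProxy frontends that set `X-Forwarded-Proto`. The diffstat shows no spec added for this class; a small one asserting the two `cinder_api_paste_ini` entries would catch an accidental pipeline change.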