summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--manifests/haproxy.pp41
-rw-r--r--manifests/haproxy/stats.pp74
-rw-r--r--releasenotes/notes/TLS-for-haproxy-stats-3ce3b7780f0ef5b7.yaml8
-rw-r--r--spec/classes/tripleo_haproxy_stats_spec.rb104
4 files changed, 199 insertions, 28 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 5a59c10..497c9da 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -766,12 +766,6 @@ class tripleo::haproxy (
$controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ',')))
}
- # TODO(bnemec): When we have support for SSL on private and admin endpoints,
- # have the haproxy stats endpoint use that certificate by default.
- if $haproxy_stats_certificate {
- $haproxy_stats_bind_certificate = $haproxy_stats_certificate
- }
-
$horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
if $service_certificate {
# NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
@@ -809,16 +803,6 @@ class tripleo::haproxy (
}
}
- if $haproxy_stats_bind_certificate {
- $haproxy_stats_bind_opts = {
- "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
- }
- } else {
- $haproxy_stats_bind_opts = {
- "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
- }
- }
-
$mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
$mysql_bind_opts = {
"${mysql_vip}:3306" => $haproxy_listen_bind_param,
@@ -884,19 +868,20 @@ class tripleo::haproxy (
}
if $haproxy_stats {
- $stats_base = ['enable', 'uri /']
- if $haproxy_stats_password {
- $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ if $haproxy_stats_certificate {
+ $haproxy_stats_certificate_real = $haproxy_stats_certificate
+ } elsif $use_internal_certificates {
+ # NOTE(jaosorior): Right now it's hardcoded to use the ctlplane network
+ $haproxy_stats_certificate_real = $internal_certificates_specs["haproxy-ctlplane"]['service_pem']
} else {
- $stats_config = $stats_base
- }
- haproxy::listen { 'haproxy.stats':
- bind => $haproxy_stats_bind_opts,
- mode => 'http',
- options => {
- 'stats' => $stats_config,
- },
- collect_exported => false,
+ $haproxy_stats_certificate_real = undef
+ }
+ class { '::tripleo::haproxy::stats':
+ haproxy_listen_bind_param => $haproxy_listen_bind_param,
+ ip => $controller_virtual_ip,
+ password => $haproxy_stats_password,
+ certificate => $haproxy_stats_certificate_real,
+ user => $haproxy_stats_user,
}
}
diff --git a/manifests/haproxy/stats.pp b/manifests/haproxy/stats.pp
new file mode 100644
index 0000000..f185c29
--- /dev/null
+++ b/manifests/haproxy/stats.pp
@@ -0,0 +1,74 @@
+# Copyright 2014 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::haproxy::stats
+#
+# Configure the HAProxy stats interface
+#
+# [*haproxy_listen_bind_param*]
+# A list of params to be added to the HAProxy listener bind directive.
+#
+# [*ip*]
+# IP Address on which the stats interface is listening on. This right now
+# assumes that it's in the ctlplane network.
+#
+# [*password*]
+# Password for haproxy stats authentication. When set, authentication is
+# enabled on the haproxy stats endpoint.
+# A string.
+# Defaults to undef
+#
+# [*certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the haproxy stats endpoint using the specified file.
+# Defaults to undef
+#
+# [*user*]
+# Username for haproxy stats authentication.
+# A string.
+# Defaults to 'admin'
+#
+class tripleo::haproxy::stats (
+ $haproxy_listen_bind_param,
+ $ip,
+ $password = undef,
+ $certificate = undef,
+ $user = 'admin'
+) {
+ if $certificate {
+ $haproxy_stats_bind_opts = {
+ "${ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $certificate]),
+ }
+ } else {
+ $haproxy_stats_bind_opts = {
+ "${ip}:1993" => $haproxy_listen_bind_param,
+ }
+ }
+
+ $stats_base = ['enable', 'uri /']
+ if $password {
+ $stats_config = union($stats_base, ["auth ${user}:${password}"])
+ } else {
+ $stats_config = $stats_base
+ }
+ haproxy::listen { 'haproxy.stats':
+ bind => $haproxy_stats_bind_opts,
+ mode => 'http',
+ options => {
+ 'stats' => $stats_config,
+ },
+ collect_exported => false,
+ }
+}
diff --git a/releasenotes/notes/TLS-for-haproxy-stats-3ce3b7780f0ef5b7.yaml b/releasenotes/notes/TLS-for-haproxy-stats-3ce3b7780f0ef5b7.yaml
new file mode 100644
index 0000000..2f981a1
--- /dev/null
+++ b/releasenotes/notes/TLS-for-haproxy-stats-3ce3b7780f0ef5b7.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - When TLS everywhere is enabled, the HAProxy stats interface will also use
+ TLS. This requires the user to access the interface through the ctlplane
+ FQDN (which is configured by the CloudNameCtlplane parameter in
+ tripleo-heat-templates). Note that one can still use the
+ haproxy_stats_certificate parameter from the haproxy class, and that one
+ will take precedence if set.
diff --git a/spec/classes/tripleo_haproxy_stats_spec.rb b/spec/classes/tripleo_haproxy_stats_spec.rb
new file mode 100644
index 0000000..bad5bf1
--- /dev/null
+++ b/spec/classes/tripleo_haproxy_stats_spec.rb
@@ -0,0 +1,104 @@
+#
+# Copyright (C) 2016 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::haproxy::stats' do
+
+ shared_examples_for 'tripleo::haproxy::stats' do
+ let :pre_condition do
+ "Haproxy::Listen {
+ config_file => '/etc/haproxy.cfg'
+ }"
+ end
+
+ context 'with only required parameters' do
+ let(:params) do
+ {
+ :ip => '127.0.0.1',
+ :haproxy_listen_bind_param => ['transparent'],
+ }
+ end
+ it 'should configure basic stats frontend' do
+ is_expected.to contain_haproxy__listen('haproxy.stats').with(
+ :bind => {
+ "127.0.0.1:1993" => ['transparent']
+ },
+ :mode => 'http',
+ :options => {
+ 'stats' => ['enable', 'uri /']
+ },
+ :collect_exported => false
+ )
+ end
+ end
+
+ context 'with auth parameters' do
+ let(:params) do
+ {
+ :ip => '127.0.0.1',
+ :haproxy_listen_bind_param => ['transparent'],
+ :user => 'myuser',
+ :password => 'superdupersecret',
+ }
+ end
+ it 'should configure stats frontend with auth enabled' do
+ is_expected.to contain_haproxy__listen('haproxy.stats').with(
+ :bind => {
+ "127.0.0.1:1993" => ['transparent']
+ },
+ :mode => 'http',
+ :options => {
+ 'stats' => ['enable', 'uri /', 'auth myuser:superdupersecret']
+ },
+ :collect_exported => false
+ )
+ end
+ end
+
+ context 'with certificate parameter' do
+ let(:params) do
+ {
+ :ip => '127.0.0.1',
+ :haproxy_listen_bind_param => ['transparent'],
+ :certificate => '/path/to/cert',
+ }
+ end
+ it 'should configure stats frontend with TLS enabled' do
+ is_expected.to contain_haproxy__listen('haproxy.stats').with(
+ :bind => {
+ "127.0.0.1:1993" => ['transparent', 'ssl', 'crt', '/path/to/cert']
+ },
+ :mode => 'http',
+ :options => {
+ 'stats' => ['enable', 'uri /']
+ },
+ :collect_exported => false
+ )
+ end
+ end
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({})
+ end
+
+ it_behaves_like 'tripleo::haproxy::stats'
+ end
+ end
+end