diff options
| -rw-r--r-- | manifests/certmonger/mysql.pp | 9 | ||||
| -rw-r--r-- | manifests/haproxy.pp | 40 | ||||
| -rw-r--r-- | manifests/profile/pacemaker/database/mysql.pp | 49 | ||||
| -rw-r--r-- | releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml | 5 | ||||
| -rw-r--r-- | spec/classes/tripleo_haproxy_spec.rb | 115 | ||||
| -rw-r--r-- | spec/fixtures/hieradata/default.yaml | 3 |
6 files changed, 201 insertions, 20 deletions
diff --git a/manifests/certmonger/mysql.pp b/manifests/certmonger/mysql.pp index dd9b184..0988c55 100644 --- a/manifests/certmonger/mysql.pp +++ b/manifests/certmonger/mysql.pp @@ -31,6 +31,12 @@ # (Optional) The CA that certmonger will use to generate the certificates. # Defaults to hiera('certmonger_ca', 'local'). # +# [*dnsnames*] +# (Optional) The DNS names that will be added for the SubjectAltNames entry +# in the certificate. If left unset, the value will be set to the $hostname. +# This parameter can take both a string or an array of strings. +# Defaults to $hostname +# # [*principal*] # (Optional) The haproxy service principal that is set for MySQL in kerberos. # Defaults to undef @@ -40,6 +46,7 @@ class tripleo::certmonger::mysql ( $service_certificate, $service_key, $certmonger_ca = hiera('certmonger_ca', 'local'), + $dnsnames = $hostname, $principal = undef, ) { include ::certmonger @@ -51,7 +58,7 @@ class tripleo::certmonger::mysql ( certfile => $service_certificate, keyfile => $service_key, hostname => $hostname, - dnsname => $hostname, + dnsname => $dnsnames, principal => $principal, postsave_cmd => $postsave_cmd, ca => $certmonger_ca, diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 6da6dcf..2f29674 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -155,6 +155,10 @@ # When set, enables SSL on the haproxy stats endpoint using the specified file. # Defaults to undef # +# [*haproxy_stats*] +# (optional) Enable or not the haproxy stats interface +# Defaults to true +# # [*keystone_admin*] # (optional) Enable or not Keystone Admin API binding # Defaults to hiera('keystone_enabled', false) @@ -279,6 +283,10 @@ # (optional) Enable check via clustercheck for mysql # Defaults to false # +# [*mysql_max_conn*] +# (optional) Set the maxconn parameter for mysql +# Defaults to undef +# # [*mysql_member_options*] # The options to use for the mysql HAProxy balancer members. # If this parameter is undefined, the actual value configured will depend @@ -571,6 +579,7 @@ class tripleo::haproxy ( $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt', $crl_file = undef, $haproxy_stats_certificate = undef, + $haproxy_stats = true, $keystone_admin = hiera('keystone_enabled', false), $keystone_public = hiera('keystone_enabled', false), $neutron = hiera('neutron_api_enabled', false), @@ -602,6 +611,7 @@ class tripleo::haproxy ( $ironic_inspector = hiera('ironic_inspector_enabled', false), $mysql = hiera('mysql_enabled', false), $mysql_clustercheck = false, + $mysql_max_conn = undef, $mysql_member_options = undef, $rabbitmq = false, $etcd = hiera('etcd_enabled', false), @@ -871,19 +881,21 @@ class tripleo::haproxy ( listen_options => $default_listen_options, } - $stats_base = ['enable', 'uri /'] - if $haproxy_stats_password { - $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) - } else { - $stats_config = $stats_base - } - haproxy::listen { 'haproxy.stats': - bind => $haproxy_stats_bind_opts, - mode => 'http', - options => { - 'stats' => $stats_config, - }, - collect_exported => false, + if $haproxy_stats { + $stats_base = ['enable', 'uri /'] + if $haproxy_stats_password { + $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) + } else { + $stats_config = $stats_base + } + haproxy::listen { 'haproxy.stats': + bind => $haproxy_stats_bind_opts, + mode => 'http', + options => { + 'stats' => $stats_config, + }, + collect_exported => false, + } } if $keystone_admin { @@ -1314,6 +1326,7 @@ class tripleo::haproxy ( 'timeout server' => '90m', 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', + 'maxconn' => $mysql_max_conn } if $mysql_member_options { $mysql_member_options_real = $mysql_member_options @@ -1324,6 +1337,7 @@ class tripleo::haproxy ( $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', + 'maxconn' => $mysql_max_conn } if $mysql_member_options { $mysql_member_options_real = $mysql_member_options diff --git a/manifests/profile/pacemaker/database/mysql.pp b/manifests/profile/pacemaker/database/mysql.pp index 3aff62f..22adbe9 100644 --- a/manifests/profile/pacemaker/database/mysql.pp +++ b/manifests/profile/pacemaker/database/mysql.pp @@ -26,6 +26,27 @@ # (Optional) The address that the local mysql instance should bind to. # Defaults to $::hostname # +# [*ca_file*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to undef +# +# [*certificate_specs*] +# (Optional) The specifications to give to certmonger for the certificate +# it will create. Note that the certificate nickname must be 'mysql' in +# the case of this service. +# Example with hiera: +# tripleo::profile::base::database::mysql::certificate_specs: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "mysql/<overcloud controller fqdn>" +# Defaults to hiera('tripleo::profile::base::database::mysql::certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# # [*gmcast_listen_addr*] # (Optional) This variable defines the address on which the node listens to # connections from other nodes in the cluster. @@ -41,11 +62,14 @@ # Defaults to hiera('pcs_tries', 20) # class tripleo::profile::pacemaker::database::mysql ( - $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), - $bind_address = $::hostname, - $gmcast_listen_addr = hiera('mysql_bind_host'), - $step = Integer(hiera('step')), - $pcs_tries = hiera('pcs_tries', 20), + $bootstrap_node = hiera('mysql_short_bootstrap_node_name'), + $bind_address = $::hostname, + $ca_file = undef, + $certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $gmcast_listen_addr = hiera('mysql_bind_host'), + $step = Integer(hiera('step')), + $pcs_tries = hiera('pcs_tries', 20), ) { if $::hostname == downcase($bootstrap_node) { $pacemaker_master = true @@ -70,6 +94,19 @@ class tripleo::profile::pacemaker::database::mysql ( $processed_galera_name_pairs = $galera_name_pairs.map |$pair| { join($pair, ':') } $cluster_host_map = join($processed_galera_name_pairs, ';') + if $enable_internal_tls { + $tls_certfile = $certificate_specs['service_certificate'] + $tls_keyfile = $certificate_specs['service_key'] + if $ca_file { + $tls_ca_options = "socket.ssl_ca=${ca_file}" + } else { + $tls_ca_options = '' + } + $tls_options = "socket.ssl_key=${tls_keyfile};socket.ssl_cert=${tls_certfile};${tls_ca_options};" + } else { + $tls_options = '' + } + $mysqld_options = { 'mysqld' => { 'skip-name-resolve' => '1', @@ -98,7 +135,7 @@ class tripleo::profile::pacemaker::database::mysql ( 'wsrep_drupal_282555_workaround'=> '0', 'wsrep_causal_reads' => '0', 'wsrep_sst_method' => 'rsync', - 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;", + 'wsrep_provider_options' => "gmcast.listen_addr=tcp://${gmcast_listen_addr}:4567;${tls_options}", } } diff --git a/releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml b/releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml new file mode 100644 index 0000000..8359456 --- /dev/null +++ b/releasenotes/notes/add-mysql_maxconn-to-haproxy-84a5ad07d8d14ddd.yaml @@ -0,0 +1,5 @@ +--- +features: + - | + Added new parameter mysql_maxconn to the tripleo::haproxy class, + allowing haproxy maxconn to be configured for the MySQL server. diff --git a/spec/classes/tripleo_haproxy_spec.rb b/spec/classes/tripleo_haproxy_spec.rb new file mode 100644 index 0000000..966729a --- /dev/null +++ b/spec/classes/tripleo_haproxy_spec.rb @@ -0,0 +1,115 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# + +require 'spec_helper' + +describe 'tripleo::haproxy' do + + shared_examples_for 'tripleo::haproxy' do + let :params do { + :controller_virtual_ip => '10.1.0.1', + :public_virtual_ip => '192.168.0.1' + } + end + + describe "default settings" do + it 'should configure haproxy' do + is_expected.to contain_haproxy__listen('mysql').with( + :options => { + 'timeout client' => "90m", + 'timeout server' => "90m", + 'maxconn' => :undef + } + ) + end + end + + describe "set clustercheck" do + before :each do + params.merge!({ + :mysql_clustercheck => true, + }) + end + + it 'should configure haproxy with clustercheck' do + is_expected.to contain_haproxy__listen('mysql').with( + :options => { + 'timeout client' => "90m", + 'timeout server' => "90m", + 'option' => ["tcpka", "httpchk"], + 'timeout client' => "90m", + 'timeout server' => "90m", + 'stick-table' => "type ip size 1000", + 'stick' => "on dst", + 'maxconn' => :undef + } + ) + end + end + + describe "override maxconn with clustercheck" do + before :each do + params.merge!({ + :mysql_clustercheck => true, + :mysql_max_conn => 6500, + }) + end + + it 'should configure haproxy' do + is_expected.to contain_haproxy__listen('mysql').with( + :options => { + 'option' => ["tcpka", "httpchk"], + 'timeout client' => "90m", + 'timeout server' => "90m", + 'stick-table' => "type ip size 1000", + 'stick' => "on dst", + 'maxconn' => 6500 + } + ) + end + end + + describe "override maxconn without clustercheck" do + before :each do + params.merge!({ + :mysql_max_conn => 6500, + }) + end + + it 'should configure haproxy' do + is_expected.to contain_haproxy__listen('mysql').with( + :options => { + 'timeout client' => "90m", + 'timeout server' => "90m", + 'maxconn' => 6500 + } + ) + end + end + + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let(:facts) do + facts.merge({ }) + end + + it_behaves_like 'tripleo::haproxy' + end + end + +end
\ No newline at end of file diff --git a/spec/fixtures/hieradata/default.yaml b/spec/fixtures/hieradata/default.yaml index 5d978cc..a0f4efc 100644 --- a/spec/fixtures/hieradata/default.yaml +++ b/spec/fixtures/hieradata/default.yaml @@ -33,6 +33,9 @@ cinder::keystone::authtoken::password: 'password' gnocchi::keystone::authtoken::password: 'password' gnocchi::storage::ceph::ceph_username: 'gnocchi' gnocchi::storage::ceph::ceph_secret: 'password' +# haproxy related items +mysql_enabled: true +controller_node_ips: '10.1.0.1,10.1.0.2' # nova related items nova::rabbit_password: 'password' nova::keystone::authtoken::password: 'password' |