diff options
| -rw-r--r-- | manifests/haproxy.pp | 48 | ||||
| -rw-r--r-- | manifests/profile/base/aodh.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/ceilometer.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/cinder.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/glance/api.pp | 4 | ||||
| -rw-r--r-- | manifests/profile/base/gnocchi/api.pp | 59 | ||||
| -rw-r--r-- | manifests/profile/base/heat.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/ironic.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/keystone.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/manila.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/mistral.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/neutron.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/nova.pp | 3 | ||||
| -rw-r--r-- | manifests/profile/base/sahara.pp | 3 | ||||
| -rw-r--r-- | manifests/ui.pp | 2 |
15 files changed, 123 insertions, 23 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 2ca7a06..3fbd64e 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -37,7 +37,7 @@ # # [*haproxy_default_timeout*] # The value to use as timeout in the HAProxy default config section. -# Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ] +# Defaults to [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ] # # [*haproxy_listen_bind_param*] # A list of params to be added to the HAProxy listener bind directive. By @@ -230,6 +230,14 @@ # (optional) Enable check via clustercheck for mysql # Defaults to false # +# [*mysql_member_options*] +# The options to use for the mysql HAProxy balancer members. +# If this parameter is undefined, the actual value configured will depend +# on the value of $mysql_clustercheck. If cluster checking is enabled, +# the mysql member options will be: "['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s']" +# and if mysql cluster checking is disabled, the member options will be: "union($haproxy_member_options, ['backup'])" +# Defaults to undef +# # [*rabbitmq*] # (optional) Enable or not RabbitMQ binding # Defaults to false @@ -445,7 +453,7 @@ class tripleo::haproxy ( $haproxy_service_manage = true, $haproxy_global_maxconn = 20480, $haproxy_default_maxconn = 4096, - $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ], + $haproxy_default_timeout = [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ], $haproxy_listen_bind_param = [ 'transparent' ], $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], $haproxy_log_address = '/dev/log', @@ -486,6 +494,7 @@ class tripleo::haproxy ( $ironic_inspector = hiera('ironic_inspector_enabled', false), $mysql = hiera('mysql_enabled', false), $mysql_clustercheck = false, + $mysql_member_options = undef, $rabbitmq = false, $docker_registry = hiera('enable_docker_registry', false), $redis = hiera('redis_enabled', false), @@ -775,6 +784,11 @@ class tripleo::haproxy ( service_port => $ports[neutron_api_port], ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[neutron_api_ssl_port], service_network => $neutron_network, } @@ -919,6 +933,11 @@ class tripleo::haproxy ( service_port => $ports[ceilometer_api_port], ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[ceilometer_api_ssl_port], service_network => $ceilometer_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -932,6 +951,11 @@ class tripleo::haproxy ( service_port => $ports[aodh_api_port], ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[aodh_api_ssl_port], service_network => $aodh_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -957,8 +981,14 @@ class tripleo::haproxy ( service_port => $ports[gnocchi_api_port], ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[gnocchi_api_ssl_port], service_network => $gnocchi_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1096,13 +1126,21 @@ class tripleo::haproxy ( 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', } - $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions']) + if $mysql_member_options { + $mysql_member_options_real = $mysql_member_options + } else { + $mysql_member_options_real = ['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s'] + } } else { $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', } - $mysql_member_options = union($haproxy_member_options, ['backup']) + if $mysql_member_options { + $mysql_member_options_real = $mysql_member_options + } else { + $mysql_member_options_real = union($haproxy_member_options, ['backup']) + } } if $mysql { @@ -1116,7 +1154,7 @@ class tripleo::haproxy ( ports => '3306', ipaddresses => hiera('mysql_node_ips', $controller_hosts_real), server_names => hiera('mysql_node_names', $controller_hosts_names_real), - options => $mysql_member_options, + options => $mysql_member_options_real, } } diff --git a/manifests/profile/base/aodh.pp b/manifests/profile/base/aodh.pp index 02c1d07..281e069 100644 --- a/manifests/profile/base/aodh.pp +++ b/manifests/profile/base/aodh.pp @@ -49,8 +49,9 @@ class tripleo::profile::base::aodh ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::aodh' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::aodh::auth include ::aodh::config diff --git a/manifests/profile/base/ceilometer.pp b/manifests/profile/base/ceilometer.pp index 959d86c..392d0c7 100644 --- a/manifests/profile/base/ceilometer.pp +++ b/manifests/profile/base/ceilometer.pp @@ -38,8 +38,9 @@ class tripleo::profile::base::ceilometer ( ) { if $step >= 3 { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::ceilometer' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::ceilometer::config } diff --git a/manifests/profile/base/cinder.pp b/manifests/profile/base/cinder.pp index 9f7c453..8023fcc 100644 --- a/manifests/profile/base/cinder.pp +++ b/manifests/profile/base/cinder.pp @@ -52,8 +52,9 @@ class tripleo::profile::base::cinder ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::cinder' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::cinder::config } diff --git a/manifests/profile/base/glance/api.pp b/manifests/profile/base/glance/api.pp index a7d4487..af3b0ac 100644 --- a/manifests/profile/base/glance/api.pp +++ b/manifests/profile/base/glance/api.pp @@ -67,9 +67,9 @@ class tripleo::profile::base::glance::api ( class { '::glance::api': stores => $glance_store, } - + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::glance::notify::rabbitmq' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include join(['::glance::backend::', $glance_backend]) } diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp index 9a08551..2fde1fc 100644 --- a/manifests/profile/base/gnocchi/api.pp +++ b/manifests/profile/base/gnocchi/api.pp @@ -22,19 +22,52 @@ # (Optional) The hostname of the node responsible for bootstrapping tasks # Defaults to hiera('bootstrap_nodeid') # +# [*certificates_specs*] +# (Optional) The specifications to give to certmonger for the certificate(s) +# it will create. +# Example with hiera: +# apache_certificates_specs: +# httpd-internal_api: +# hostname: <overcloud controller fqdn> +# service_certificate: <service certificate path> +# service_key: <service key path> +# principal: "haproxy/<overcloud controller fqdn>" +# Defaults to hiera('apache_certificate_specs', {}). +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*generate_service_certificates*] +# (Optional) Whether or not certmonger will generate certificates for +# HAProxy. This could be as many as specified by the $certificates_specs +# variable. +# Note that this doesn't configure the certificates in haproxy, it merely +# creates the certificates. +# Defaults to hiera('generate_service_certificate', false). +# # [*gnocchi_backend*] # (Optional) Gnocchi backend string file, swift or rbd # Defaults to swift # +# [*gnocchi_network*] +# (Optional) The network name where the gnocchi endpoint is listening on. +# This is set by t-h-t. +# Defaults to hiera('gnocchi_api_network', undef) +# # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates # for more details. # Defaults to hiera('step') # class tripleo::profile::base::gnocchi::api ( - $bootstrap_node = hiera('bootstrap_nodeid', undef), - $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')), - $step = hiera('step'), + $bootstrap_node = hiera('bootstrap_nodeid', undef), + $certificates_specs = hiera('apache_certificates_specs', {}), + $enable_internal_tls = hiera('enable_internal_tls', false), + $generate_service_certificates = hiera('generate_service_certificates', false), + $gnocchi_backend = downcase(hiera('gnocchi_backend', 'swift')), + $gnocchi_network = hiera('gnocchi_api_network', undef), + $step = hiera('step'), ) { if $::hostname == downcase($bootstrap_node) { $sync_db = true @@ -44,13 +77,31 @@ class tripleo::profile::base::gnocchi::api ( include ::tripleo::profile::base::gnocchi + if $enable_internal_tls { + if $generate_service_certificates { + ensure_resources('tripleo::certmonger::httpd', $certificates_specs) + } + + if !$gnocchi_network { + fail('gnocchi_api_network is not set in the hieradata.') + } + $tls_certfile = $certificates_specs["httpd-${gnocchi_network}"]['service_certificate'] + $tls_keyfile = $certificates_specs["httpd-${gnocchi_network}"]['service_key'] + } else { + $tls_certfile = undef + $tls_keyfile = undef + } + if $step >= 3 and $sync_db { include ::gnocchi::db::sync } if $step >= 4 { include ::gnocchi::api - include ::gnocchi::wsgi::apache + class { '::gnocchi::wsgi::apache': + ssl_cert => $tls_certfile, + ssl_key => $tls_keyfile, + } class { '::gnocchi::storage': coordination_url => join(['redis://:', hiera('gnocchi_redis_password'), '@', normalize_ip_for_uri(hiera('redis_vip')), ':6379/']), diff --git a/manifests/profile/base/heat.pp b/manifests/profile/base/heat.pp index 2babf4c..00a9809 100644 --- a/manifests/profile/base/heat.pp +++ b/manifests/profile/base/heat.pp @@ -62,9 +62,10 @@ class tripleo::profile::base::heat ( } if $step >= 4 { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::heat' : notification_driver => $notification_driver, - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::heat::config include ::heat::cors diff --git a/manifests/profile/base/ironic.pp b/manifests/profile/base/ironic.pp index e63e4c6..7b44421 100644 --- a/manifests/profile/base/ironic.pp +++ b/manifests/profile/base/ironic.pp @@ -48,9 +48,10 @@ class tripleo::profile::base::ironic ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::ironic': sync_db => $sync_db, - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::ironic::cors diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp index e30f712..9801eb2 100644 --- a/manifests/profile/base/keystone.pp +++ b/manifests/profile/base/keystone.pp @@ -143,10 +143,11 @@ class tripleo::profile::base::keystone ( } if $step >= 4 or ( $step >= 3 and $sync_db ) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::keystone': sync_db => $sync_db, enable_bootstrap => $sync_db, - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::keystone::config diff --git a/manifests/profile/base/manila.pp b/manifests/profile/base/manila.pp index 393dd52..3e16dff 100644 --- a/manifests/profile/base/manila.pp +++ b/manifests/profile/base/manila.pp @@ -47,8 +47,9 @@ class tripleo::profile::base::manila ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::manila' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::manila::config } diff --git a/manifests/profile/base/mistral.pp b/manifests/profile/base/mistral.pp index dcd9d0b..3da754c 100644 --- a/manifests/profile/base/mistral.pp +++ b/manifests/profile/base/mistral.pp @@ -48,8 +48,9 @@ class tripleo::profile::base::mistral ( } if $step >= 4 or ($step >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::mistral': - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::mistral::config include ::mistral::client diff --git a/manifests/profile/base/neutron.pp b/manifests/profile/base/neutron.pp index 53df3d9..64f5f32 100644 --- a/manifests/profile/base/neutron.pp +++ b/manifests/profile/base/neutron.pp @@ -36,8 +36,9 @@ class tripleo::profile::base::neutron ( $rabbit_port = hiera('neutron::rabbit_port', 5672), ) { if $step >= 3 { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::neutron' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::neutron::config } diff --git a/manifests/profile/base/nova.pp b/manifests/profile/base/nova.pp index b397802..4626465 100644 --- a/manifests/profile/base/nova.pp +++ b/manifests/profile/base/nova.pp @@ -68,8 +68,9 @@ class tripleo::profile::base::nova ( } if hiera('step') >= 4 or (hiera('step') >= 3 and $sync_db) { + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::nova' : - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } include ::nova::config class { '::nova::cache': diff --git a/manifests/profile/base/sahara.pp b/manifests/profile/base/sahara.pp index c034628..f509225 100644 --- a/manifests/profile/base/sahara.pp +++ b/manifests/profile/base/sahara.pp @@ -47,9 +47,10 @@ class tripleo::profile::base::sahara ( } if $step >= 4 or ($step >= 3 and $sync_db){ + $rabbit_endpoints = suffix(any2array(normalize_ip_for_uri($rabbit_hosts)), ":${rabbit_port}") class { '::sahara': sync_db => $sync_db, - rabbit_hosts => suffix($rabbit_hosts, ":${rabbit_port}") + rabbit_hosts => $rabbit_endpoints, } } } diff --git a/manifests/ui.pp b/manifests/ui.pp index 41ad8d6..27e3e50 100644 --- a/manifests/ui.pp +++ b/manifests/ui.pp @@ -25,7 +25,7 @@ # # [*bind_host*] # The host/ip address Apache will listen on. -# Optional. Defaults to undef (listen on all ip addresses). +# Optional. Defaults to hiera('controller_host') # # [*ui_port*] # The port on which the UI is listening. |