diff options
Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r-- | manifests/haproxy.pp | 85 |
1 files changed, 55 insertions, 30 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index a449a49..2f29674 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -146,11 +146,19 @@ # the servers it balances # Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' # +# [*crl_file*] +# Path to the CRL file to be used for checking revoked certificates. +# Defaults to undef +# # [*haproxy_stats_certificate*] # Filename of an HAProxy-compatible certificate and key file # When set, enables SSL on the haproxy stats endpoint using the specified file. # Defaults to undef # +# [*haproxy_stats*] +# (optional) Enable or not the haproxy stats interface +# Defaults to true +# # [*keystone_admin*] # (optional) Enable or not Keystone Admin API binding # Defaults to hiera('keystone_enabled', false) @@ -275,6 +283,10 @@ # (optional) Enable check via clustercheck for mysql # Defaults to false # +# [*mysql_max_conn*] +# (optional) Set the maxconn parameter for mysql +# Defaults to undef +# # [*mysql_member_options*] # The options to use for the mysql HAProxy balancer members. # If this parameter is undefined, the actual value configured will depend @@ -324,6 +336,11 @@ # (optional) Enable or not OVN northd binding # Defaults to hiera('ovn_dbs_enabled', false) # +# [*ovn_dbs_manage_lb*] +# (optional) Whether or not haproxy should configure OVN dbs for load balancing +# if ovn_dbs is enabled. +# Defaults to false +# # [*zaqar_ws*] # (optional) Enable or not Zaqar Websockets binding # Defaults to false @@ -513,7 +530,7 @@ # 'nova_novnc_port' (Defaults to 6080) # 'nova_novnc_ssl_port' (Defaults to 13080) # 'opendaylight_api_port' (Defaults to 8081) -# 'panko_api_port' (Defaults to 8779) +# 'panko_api_port' (Defaults to 8977) # 'panko_api_ssl_port' (Defaults to 13779) # 'ovn_nbdb_port' (Defaults to 6641) # 'ovn_sbdb_port' (Defaults to 6642) @@ -560,7 +577,9 @@ class tripleo::haproxy ( $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt', + $crl_file = undef, $haproxy_stats_certificate = undef, + $haproxy_stats = true, $keystone_admin = hiera('keystone_enabled', false), $keystone_public = hiera('keystone_enabled', false), $neutron = hiera('neutron_api_enabled', false), @@ -592,6 +611,7 @@ class tripleo::haproxy ( $ironic_inspector = hiera('ironic_inspector_enabled', false), $mysql = hiera('mysql_enabled', false), $mysql_clustercheck = false, + $mysql_max_conn = undef, $mysql_member_options = undef, $rabbitmq = false, $etcd = hiera('etcd_enabled', false), @@ -603,6 +623,7 @@ class tripleo::haproxy ( $ceph_rgw = hiera('ceph_rgw_enabled', false), $opendaylight = hiera('opendaylight_api_enabled', false), $ovn_dbs = hiera('ovn_dbs_enabled', false), + $ovn_dbs_manage_lb = false, $zaqar_ws = hiera('zaqar_api_enabled', false), $ui = hiera('enable_ui', false), $aodh_network = hiera('aodh_api_network', undef), @@ -695,7 +716,7 @@ class tripleo::haproxy ( nova_novnc_port => 6080, nova_novnc_ssl_port => 13080, opendaylight_api_port => 8081, - panko_api_port => 8779, + panko_api_port => 8977, panko_api_ssl_port => 13779, ovn_nbdb_port => 6641, ovn_sbdb_port => 6642, @@ -722,7 +743,13 @@ class tripleo::haproxy ( $ports = merge($default_service_ports, $service_ports) if $enable_internal_tls { - $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"] + $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"] + + if $crl_file { + $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}") + } else { + $internal_tls_member_options = $base_internal_tls_member_options + } Haproxy::Balancermember { verifyhost => true } @@ -763,7 +790,7 @@ class tripleo::haproxy ( 'cookie' => 'SERVERID insert indirect nocache', 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", + 'redirect' => 'scheme https code 301 if !{ ssl_fc }', 'option' => [ 'forwardfor', 'httpchk' ], 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', @@ -854,19 +881,21 @@ class tripleo::haproxy ( listen_options => $default_listen_options, } - $stats_base = ['enable', 'uri /'] - if $haproxy_stats_password { - $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) - } else { - $stats_config = $stats_base - } - haproxy::listen { 'haproxy.stats': - bind => $haproxy_stats_bind_opts, - mode => 'http', - options => { - 'stats' => $stats_config, - }, - collect_exported => false, + if $haproxy_stats { + $stats_base = ['enable', 'uri /'] + if $haproxy_stats_password { + $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) + } else { + $stats_config = $stats_base + } + haproxy::listen { 'haproxy.stats': + bind => $haproxy_stats_bind_opts, + mode => 'http', + options => { + 'stats' => $stats_config, + }, + collect_exported => false, + } } if $keystone_admin { @@ -885,17 +914,8 @@ class tripleo::haproxy ( } if $keystone_public { - if $service_certificate { - $keystone_public_tls_listen_opts = { - 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', - # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', - } - } else { - $keystone_public_tls_listen_opts = { - 'option' => [ 'httpchk GET /v3', ], - } + $keystone_listen_opts = { + 'option' => [ 'httpchk GET /v3', ], } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip, @@ -904,7 +924,7 @@ class tripleo::haproxy ( ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', - listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts), + listen_options => merge($default_listen_options, $keystone_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -1306,6 +1326,7 @@ class tripleo::haproxy ( 'timeout server' => '90m', 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', + 'maxconn' => $mysql_max_conn } if $mysql_member_options { $mysql_member_options_real = $mysql_member_options @@ -1316,6 +1337,7 @@ class tripleo::haproxy ( $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', + 'maxconn' => $mysql_max_conn } if $mysql_member_options { $mysql_member_options_real = $mysql_member_options @@ -1489,9 +1511,12 @@ class tripleo::haproxy ( } - if $ovn_dbs { + if $ovn_dbs and $ovn_dbs_manage_lb { # FIXME: is this config enough to ensure we only hit the first node in # ovn_northd_node_ips ? + # We only configure ovn_dbs_vip in haproxy if HA for OVN DB servers is + # disabled. + # If HA is enabled, pacemaker configures the OVN DB servers accordingly. $ovn_db_listen_options = { 'option' => [ 'tcpka' ], 'timeout client' => '90m', |