Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r--manifests/haproxy.pp85
1 files changed, 55 insertions, 30 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index a449a49..2f29674 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -146,11 +146,19 @@
# the servers it balances
# Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
#
+# [*crl_file*]
+# Path to the CRL file to be used for checking revoked certificates.
+# Defaults to undef
+#
# [*haproxy_stats_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the haproxy stats endpoint using the specified file.
# Defaults to undef
#
+# [*haproxy_stats*]
+# (optional) Enable or not the haproxy stats interface
+# Defaults to true
+#
# [*keystone_admin*]
# (optional) Enable or not Keystone Admin API binding
# Defaults to hiera('keystone_enabled', false)
@@ -275,6 +283,10 @@
# (optional) Enable check via clustercheck for mysql
# Defaults to false
#
+# [*mysql_max_conn*]
+# (optional) Set the maxconn parameter for mysql
+# Defaults to undef
+#
# [*mysql_member_options*]
# The options to use for the mysql HAProxy balancer members.
# If this parameter is undefined, the actual value configured will depend
@@ -324,6 +336,11 @@
# (optional) Enable or not OVN northd binding
# Defaults to hiera('ovn_dbs_enabled', false)
#
+# [*ovn_dbs_manage_lb*]
+# (optional) Whether or not haproxy should configure OVN dbs for load balancing
+# if ovn_dbs is enabled.
+# Defaults to false
+#
# [*zaqar_ws*]
# (optional) Enable or not Zaqar Websockets binding
# Defaults to false
@@ -513,7 +530,7 @@
# 'nova_novnc_port' (Defaults to 6080)
# 'nova_novnc_ssl_port' (Defaults to 13080)
# 'opendaylight_api_port' (Defaults to 8081)
-# 'panko_api_port' (Defaults to 8779)
+# 'panko_api_port' (Defaults to 8977)
# 'panko_api_ssl_port' (Defaults to 13779)
# 'ovn_nbdb_port' (Defaults to 6641)
# 'ovn_sbdb_port' (Defaults to 6642)
@@ -560,7 +577,9 @@ class tripleo::haproxy (
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
$ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
+ $crl_file = undef,
$haproxy_stats_certificate = undef,
+ $haproxy_stats = true,
$keystone_admin = hiera('keystone_enabled', false),
$keystone_public = hiera('keystone_enabled', false),
$neutron = hiera('neutron_api_enabled', false),
@@ -592,6 +611,7 @@ class tripleo::haproxy (
$ironic_inspector = hiera('ironic_inspector_enabled', false),
$mysql = hiera('mysql_enabled', false),
$mysql_clustercheck = false,
+ $mysql_max_conn = undef,
$mysql_member_options = undef,
$rabbitmq = false,
$etcd = hiera('etcd_enabled', false),
@@ -603,6 +623,7 @@ class tripleo::haproxy (
$ceph_rgw = hiera('ceph_rgw_enabled', false),
$opendaylight = hiera('opendaylight_api_enabled', false),
$ovn_dbs = hiera('ovn_dbs_enabled', false),
+ $ovn_dbs_manage_lb = false,
$zaqar_ws = hiera('zaqar_api_enabled', false),
$ui = hiera('enable_ui', false),
$aodh_network = hiera('aodh_api_network', undef),
@@ -695,7 +716,7 @@ class tripleo::haproxy (
nova_novnc_port => 6080,
nova_novnc_ssl_port => 13080,
opendaylight_api_port => 8081,
- panko_api_port => 8779,
+ panko_api_port => 8977,
panko_api_ssl_port => 13779,
ovn_nbdb_port => 6641,
ovn_sbdb_port => 6642,
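Review bot: `panko_api_ssl_port => 13779,` directly under the corrected `panko_api_port => 8977,` is left untouched, and the documentation hunk earlier in this diff likewise keeps `'panko_api_ssl_port' (Defaults to 13779)`. The neighbouring pairs follow a 13000-plus-port pattern (`nova_novnc_port => 6080` / `nova_novnc_ssl_port => 13080`), so 13779 looks like it was derived from the old wrong 8779 and would become `panko_api_ssl_port => 13977,` — this is inferred from the pattern, not shown by the hunk, so confirm against the service's actual TLS port before changing both the default and its doc line.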
@@ -722,7 +743,13 @@ class tripleo::haproxy (
$ports = merge($default_service_ports, $service_ports)
if $enable_internal_tls {
- $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+ $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+
+ if $crl_file {
+ $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}")
+ } else {
+ $internal_tls_member_options = $base_internal_tls_member_options
+ }
Haproxy::Balancermember {
verifyhost => true
}
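Review bot: The new `crl_file` handling lives entirely inside `if $enable_internal_tls { ... }` (the block opens before this hunk and continues past it), so a deployer who sets `crl_file` without internal TLS gets no revocation checking and no warning, and the `[*crl_file*]` documentation added in the first hunk does not mention the dependency. Suggest extending that doc entry with `# Only applied to balancer members when enable_internal_tls is true.`. It is also worth a one-line reminder there that HAProxy loads the CRL at start/reload time, so a refreshed CRL is not honoured until haproxy is reloaded.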
@@ -763,7 +790,7 @@ class tripleo::haproxy (
'cookie' => 'SERVERID insert indirect nocache',
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
- 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
+ 'redirect' => 'scheme https code 301 if !{ ssl_fc }',
'option' => [ 'forwardfor', 'httpchk' ],
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
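Review bot: The comment `# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.` is now stale: the new `'redirect' => 'scheme https code 301 if !{ ssl_fc }'` drops the `hdr(host) -i ${public_virtual_ip}` condition, so every plain-HTTP request on this listener is redirected regardless of the Host header, not only those addressed to the public VIP. Suggest replacing the note with `# NOTE: plain-HTTP requests are always redirected to https, regardless of Host header.` so the next reader does not look for a VIP check that no longer exists. The enclosing `$default_listen_options` hash starts and ends outside this hunk.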
@@ -854,19 +881,21 @@ class tripleo::haproxy (
listen_options => $default_listen_options,
}
- $stats_base = ['enable', 'uri /']
- if $haproxy_stats_password {
- $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
- } else {
- $stats_config = $stats_base
- }
- haproxy::listen { 'haproxy.stats':
- bind => $haproxy_stats_bind_opts,
- mode => 'http',
- options => {
- 'stats' => $stats_config,
- },
- collect_exported => false,
+ if $haproxy_stats {
+ $stats_base = ['enable', 'uri /']
+ if $haproxy_stats_password {
+ $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ } else {
+ $stats_config = $stats_base
+ }
+ haproxy::listen { 'haproxy.stats':
+ bind => $haproxy_stats_bind_opts,
+ mode => 'http',
+ options => {
+ 'stats' => $stats_config,
+ },
+ collect_exported => false,
+ }
}
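Review bot: Inside the new `if $haproxy_stats` block the `haproxy::listen { 'haproxy.stats': ... }` resource is still created without any `auth` entry whenever `$haproxy_stats_password` is unset (the `else` branch keeps the bare `$stats_base`), and with `$haproxy_stats` defaulting to true this remains the default outcome, i.e. an unauthenticated stats page on `$haproxy_stats_bind_opts`. The commit adds the on/off switch but its `[*haproxy_stats*]` doc entry does not say what the enabled state exposes; suggest `# (optional) Enable or not the haproxy stats interface. When enabled without haproxy_stats_password the stats page is served without authentication.` so operators can make an informed choice. Whether the bind options restrict the listener to a non-public address cannot be seen from this hunk.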
if $keystone_admin {
@@ -885,17 +914,8 @@ class tripleo::haproxy (
}
if $keystone_public {
- if $service_certificate {
- $keystone_public_tls_listen_opts = {
- 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
- # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
- 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
- }
- } else {
- $keystone_public_tls_listen_opts = {
- 'option' => [ 'httpchk GET /v3', ],
- }
+ $keystone_listen_opts = {
+ 'option' => [ 'httpchk GET /v3', ],
}
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
@@ -904,7 +924,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts),
+ listen_options => merge($default_listen_options, $keystone_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1306,6 +1326,7 @@ class tripleo::haproxy (
'timeout server' => '90m',
'stick-table' => 'type ip size 1000',
'stick' => 'on dst',
+ 'maxconn' => $mysql_max_conn
}
if $mysql_member_options {
$mysql_member_options_real = $mysql_member_options
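Review bot: `'maxconn' => $mysql_max_conn` is added unconditionally to the listen options hash here and again in the next hunk (`@@ -1316`), even though the parameter defaults to `undef`; if the haproxy module's template renders the key with an empty value, HAProxy will refuse the generated config (`maxconn` requires an integer), so the default deployment could break — the template behaviour is not visible in this diff and should be checked. A safer shape is to merge the key in only when the value is set, which avoids depending on how undef is rendered; the same guard applies to both hunks. The hash this line belongs to opens before the hunk and is assumed to be assigned to `$mysql_listen_options` as the second occurrence is.
```puppet
$mysql_listen_options_base = {
  # … unchanged: timeout/stick-table/stick entries …
}
if $mysql_max_conn {
  $mysql_listen_options = merge($mysql_listen_options_base, { 'maxconn' => $mysql_max_conn })
} else {
  $mysql_listen_options = $mysql_listen_options_base
}
```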
@@ -1316,6 +1337,7 @@ class tripleo::haproxy (
$mysql_listen_options = {
'timeout client' => '90m',
'timeout server' => '90m',
+ 'maxconn' => $mysql_max_conn
}
if $mysql_member_options {
$mysql_member_options_real = $mysql_member_options
@@ -1489,9 +1511,12 @@ class tripleo::haproxy (
}
- if $ovn_dbs {
+ if $ovn_dbs and $ovn_dbs_manage_lb {
# FIXME: is this config enough to ensure we only hit the first node in
# ovn_northd_node_ips ?
+ # We only configure ovn_dbs_vip in haproxy if HA for OVN DB servers is
+ # disabled.
+ # If HA is enabled, pacemaker configures the OVN DB servers accordingly.
$ovn_db_listen_options = {
'option' => [ 'tcpka' ],
'timeout client' => '90m',
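Review bot: The added comment explains the new guard in terms of "HA for OVN DB servers" and pacemaker, but the condition tests `$ovn_dbs_manage_lb`, whose doc entry only says "Whether or not haproxy should configure OVN dbs for load balancing" — neither text names the other, so a reader cannot tell from either place that `ovn_dbs_manage_lb => false` is the HA-managed case. Suggest tying them together, e.g. `# ovn_dbs_manage_lb is expected to be false when pacemaker manages the OVN DB servers (HA); haproxy then must not configure ovn_dbs_vip.`, and mirroring that sentence in the parameter doc. The pre-existing `# FIXME:` about hitting only the first node is left as is. The `if` block continues past the end of this hunk.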