diff options
Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r-- | manifests/haproxy.pp | 576 |
1 files changed, 457 insertions, 119 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 1fc0312..58b73e0 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -19,10 +19,6 @@ # # === Parameters: # -# [*keepalived*] -# Whether to configure keepalived to manage the VIPs or not. -# Defaults to true -# # [*haproxy_service_manage*] # Will be passed as value for service_manage to HAProxy module. # Defaults to true @@ -37,7 +33,7 @@ # # [*haproxy_default_timeout*] # The value to use as timeout in the HAProxy default config section. -# Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ] +# Defaults to [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ] # # [*haproxy_listen_bind_param*] # A list of params to be added to the HAProxy listener bind directive. By @@ -89,10 +85,27 @@ # When set, enables SSL on the public API endpoints using the specified file. # Defaults to undef # -# [*internal_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the internal API endpoints using the specified file. -# Defaults to undef +# [*use_internal_certificates*] +# Flag that indicates if we'll use an internal certificate for this specific +# service. When set, enables SSL on the internal API endpoints using the file +# that certmonger is tracking; this is derived from the network the service is +# listening on. +# Defaults to false +# +# [*internal_certificates_specs*] +# A hash that should contain the specs that were used to create the +# certificates. As the name indicates, only the internal certificates will be +# fetched from here. And the keys should follow the following pattern +# "haproxy-<network name>". The network name should be as it was defined in +# tripleo-heat-templates. +# Note that this is only taken into account if the $use_internal_certificates +# flag is set. +# Defaults to {} +# +# [*enable_internal_tls*] +# A flag that indicates if the servers in the internal network are using TLS. +# This enables the 'ssl' option for the server members that are proxied. +# Defaults to hiera('enable_internal_tls', false) # # [*ssl_cipher_suite*] # The default string describing the list of cipher algorithms ("cipher suite") @@ -104,6 +117,11 @@ # String that sets the default ssl options to force on all "bind" lines. # Defaults to 'no-sslv3' # +# [*ca_bundle*] +# Path to the CA bundle to be used for HAProxy to validate the certificates of +# the servers it balances +# Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' +# # [*haproxy_stats_certificate*] # Filename of an HAProxy-compatible certificate and key file # When set, enables SSL on the haproxy stats endpoint using the specified file. @@ -165,6 +183,14 @@ # (optional) Enable or not Aodh API binding # Defaults to hiera('aodh_api_enabled', false) # +# [*panko*] +# (optional) Enable or not Panko API binding +# Defaults to hiera('panko_api_enabled', false) +# +# [*barbican*] +# (optional) Enable or not Barbican API binding +# Defaults to hiera('barbican_api_enabled', false) +# # [*gnocchi*] # (optional) Enable or not Gnocchi API binding # Defaults to hiera('gnocchi_api_enabled', false) @@ -209,10 +235,22 @@ # (optional) Enable check via clustercheck for mysql # Defaults to false # +# [*mysql_member_options*] +# The options to use for the mysql HAProxy balancer members. +# If this parameter is undefined, the actual value configured will depend +# on the value of $mysql_clustercheck. If cluster checking is enabled, +# the mysql member options will be: "['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s']" +# and if mysql cluster checking is disabled, the member options will be: "union($haproxy_member_options, ['backup'])" +# Defaults to undef +# # [*rabbitmq*] # (optional) Enable or not RabbitMQ binding # Defaults to false # +# [*docker_registry*] +# (optional) Enable or not the Docker Registry API binding +# Defaults to hiera('enable_docker_registry', false) +# # [*redis*] # (optional) Enable or not Redis binding # Defaults to hiera('redis_enabled', false) @@ -242,15 +280,135 @@ # (optional) Enable or not Zaqar Websockets binding # Defaults to false # +# [*ui*] +# (optional) Enable or not TripleO UI +# Defaults to false +# +# [*aodh_network*] +# (optional) Specify the network aodh is running on. +# Defaults to hiera('aodh_api_network', undef) +# +# [*barbican_network*] +# (optional) Specify the network barbican is running on. +# Defaults to hiera('barbican_api_network', undef) +# +# [*ceilometer_network*] +# (optional) Specify the network ceilometer is running on. +# Defaults to hiera('ceilometer_api_network', undef) +# +# [*ceph_rgw_network*] +# (optional) Specify the network ceph_rgw is running on. +# Defaults to hiera('ceph_rgw_network', undef) +# +# [*cinder_network*] +# (optional) Specify the network cinder is running on. +# Defaults to hiera('cinder_api_network', undef) +# +# [*docker_registry_network*] +# (optional) Specify the network docker-registry is running on. +# Defaults to hiera('docker_registry_network', undef) +# +# [*glance_api_network*] +# (optional) Specify the network glance_api is running on. +# Defaults to hiera('glance_api_network', undef) +# +# [*glance_registry_network*] +# (optional) Specify the network glance_registry is running on. +# Defaults to hiera('glance_registry_network', undef) +# +# [*gnocchi_network*] +# (optional) Specify the network gnocchi is running on. +# Defaults to hiera('gnocchi_api_network', undef) +# +# [*heat_api_network*] +# (optional) Specify the network heat_api is running on. +# Defaults to hiera('heat_api_network', undef) +# +# [*heat_cfn_network*] +# (optional) Specify the network heat_cfn is running on. +# Defaults to hiera('heat_api_cfn_network', undef) +# +# [*heat_cloudwatch_network*] +# (optional) Specify the network heat_cloudwatch is running on. +# Defaults to hiera('heat_api_cloudwatch_network', undef) +# +# [*ironic_inspector_network*] +# (optional) Specify the network ironic_inspector is running on. +# Defaults to hiera('ironic_inspector_network', undef) +# +# [*ironic_network*] +# (optional) Specify the network ironic is running on. +# Defaults to hiera('ironic_api_network', undef) +# +# [*keystone_admin_network*] +# (optional) Specify the network keystone_admin is running on. +# Defaults to hiera('keystone_network', undef) +# +# [*keystone_public_network*] +# (optional) Specify the network keystone_public is running on. +# Defaults to hiera('keystone_network', undef) +# +# [*manila_network*] +# (optional) Specify the network manila is running on. +# Defaults to hiera('manila_api_network', undef) +# +# [*mistral_network*] +# (optional) Specify the network mistral is running on. +# Defaults to hiera('mistral_api_network', undef) +# +# [*neutron_network*] +# (optional) Specify the network neutron is running on. +# Defaults to hiera('neutron_api_network', undef) +# +# [*nova_metadata_network*] +# (optional) Specify the network nova_metadata is running on. +# Defaults to hiera('nova_api_network', undef) +# +# [*nova_novncproxy_network*] +# (optional) Specify the network nova_novncproxy is running on. +# Defaults to hiera('nova_vncproxy_network', undef) +# +# [*nova_osapi_network*] +# (optional) Specify the network nova_osapi is running on. +# Defaults to hiera('nova_api_network', undef) +# +# [*opendaylight_network*] +# (optional) Specify the network opendaylight is running on. +# Defaults to hiera('opendaylight_api_network', undef) +# +# [*panko_network*] +# (optional) Specify the network panko is running on. +# Defaults to hiera('panko_api_network', undef) +# +# [*sahara_network*] +# (optional) Specify the network sahara is running on. +# Defaults to hiera('sahara_api_network', undef) +# +# [*swift_proxy_server_network*] +# (optional) Specify the network swift_proxy_server is running on. +# Defaults to hiera('swift_proxy_network', undef) +# +# [*trove_network*] +# (optional) Specify the network trove is running on. +# Defaults to hiera('trove_api_network', undef) +# +# [*zaqar_api_network*] +# (optional) Specify the network zaqar_api is running on. +# Defaults to hiera('zaqar_api_network', undef) +# # [*service_ports*] # (optional) Hash that contains the values to override from the service ports # The available keys to modify the services' ports are: # 'aodh_api_port' (Defaults to 8042) # 'aodh_api_ssl_port' (Defaults to 13042) +# 'barbican_api_port' (Defaults to 9311) +# 'barbican_api_ssl_port' (Defaults to 13311) # 'ceilometer_api_port' (Defaults to 8777) # 'ceilometer_api_ssl_port' (Defaults to 13777) # 'cinder_api_port' (Defaults to 8776) # 'cinder_api_ssl_port' (Defaults to 13776) +# 'docker_registry_port' (Defaults to 8787) +# 'docker_registry_ssl_port' (Defaults to 13787) # 'glance_api_port' (Defaults to 9292) # 'glance_api_ssl_port' (Defaults to 13292) # 'glance_registry_port' (Defaults to 9191) @@ -281,6 +439,8 @@ # 'nova_metadata_port' (Defaults to 8775) # 'nova_novnc_port' (Defaults to 6080) # 'nova_novnc_ssl_port' (Defaults to 13080) +# 'panko_api_port' (Defaults to 8779) +# 'panko_api_ssl_port' (Defaults to 13779) # 'sahara_api_port' (Defaults to 8386) # 'sahara_api_ssl_port' (Defaults to 13386) # 'swift_proxy_port' (Defaults to 8080) @@ -300,65 +460,103 @@ class tripleo::haproxy ( $controller_virtual_ip, $public_virtual_ip, - $keepalived = true, - $haproxy_service_manage = true, - $haproxy_global_maxconn = 20480, - $haproxy_default_maxconn = 4096, - $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ], - $haproxy_listen_bind_param = [ 'transparent' ], - $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], - $haproxy_log_address = '/dev/log', - $haproxy_stats_user = 'admin', - $haproxy_stats_password = undef, - $controller_hosts = hiera('controller_node_ips'), - $controller_hosts_names = hiera('controller_node_names', undef), - $service_certificate = undef, - $internal_certificate = undef, - $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', - $ssl_options = 'no-sslv3', - $haproxy_stats_certificate = undef, - $keystone_admin = hiera('keystone_enabled', false), - $keystone_public = hiera('keystone_enabled', false), - $neutron = hiera('neutron_api_enabled', false), - $cinder = hiera('cinder_api_enabled', false), - $manila = hiera('manila_api_enabled', false), - $sahara = hiera('sahara_api_enabled', false), - $trove = hiera('trove_api_enabled', false), - $glance_api = hiera('glance_api_enabled', false), - $glance_registry = hiera('glance_registry_enabled', false), - $nova_osapi = hiera('nova_api_enabled', false), - $nova_metadata = hiera('nova_api_enabled', false), - $nova_novncproxy = hiera('nova_vnc_proxy_enabled', false), - $ceilometer = hiera('ceilometer_api_enabled', false), - $aodh = hiera('aodh_api_enabled', false), - $gnocchi = hiera('gnocchi_api_enabled', false), - $mistral = hiera('mistral_api_enabled', false), - $swift_proxy_server = hiera('swift_proxy_enabled', false), - $heat_api = hiera('heat_api_enabled', false), - $heat_cloudwatch = hiera('heat_api_cloudwatch_enabled', false), - $heat_cfn = hiera('heat_api_cfn_enabled', false), - $horizon = hiera('horizon_enabled', false), - $ironic = hiera('ironic_api_enabled', false), - $ironic_inspector = hiera('ironic_inspector_enabled', false), - $mysql = hiera('mysql_enabled', false), - $mysql_clustercheck = false, - $rabbitmq = false, - $redis = hiera('redis_enabled', false), - $redis_password = undef, - $midonet_api = false, - $zaqar_api = hiera('zaqar_api_enabled', false), - $ceph_rgw = hiera('ceph_rgw_enabled', false), - $opendaylight = hiera('opendaylight_api_enabled', false), - $zaqar_ws = hiera('zaqar_api_enabled', false), - $service_ports = {} + $haproxy_service_manage = true, + $haproxy_global_maxconn = 20480, + $haproxy_default_maxconn = 4096, + $haproxy_default_timeout = [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ], + $haproxy_listen_bind_param = [ 'transparent' ], + $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], + $haproxy_log_address = '/dev/log', + $haproxy_stats_user = 'admin', + $haproxy_stats_password = undef, + $controller_hosts = hiera('controller_node_ips'), + $controller_hosts_names = hiera('controller_node_names', undef), + $service_certificate = undef, + $use_internal_certificates = false, + $internal_certificates_specs = {}, + $enable_internal_tls = hiera('enable_internal_tls', false), + $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', + $ssl_options = 'no-sslv3', + $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt', + $haproxy_stats_certificate = undef, + $keystone_admin = hiera('keystone_enabled', false), + $keystone_public = hiera('keystone_enabled', false), + $neutron = hiera('neutron_api_enabled', false), + $cinder = hiera('cinder_api_enabled', false), + $manila = hiera('manila_api_enabled', false), + $sahara = hiera('sahara_api_enabled', false), + $trove = hiera('trove_api_enabled', false), + $glance_api = hiera('glance_api_enabled', false), + $glance_registry = hiera('glance_registry_enabled', false), + $nova_osapi = hiera('nova_api_enabled', false), + $nova_metadata = hiera('nova_api_enabled', false), + $nova_novncproxy = hiera('nova_vnc_proxy_enabled', false), + $ceilometer = hiera('ceilometer_api_enabled', false), + $aodh = hiera('aodh_api_enabled', false), + $panko = hiera('panko_api_enabled', false), + $barbican = hiera('barbican_api_enabled', false), + $gnocchi = hiera('gnocchi_api_enabled', false), + $mistral = hiera('mistral_api_enabled', false), + $swift_proxy_server = hiera('swift_proxy_enabled', false), + $heat_api = hiera('heat_api_enabled', false), + $heat_cloudwatch = hiera('heat_api_cloudwatch_enabled', false), + $heat_cfn = hiera('heat_api_cfn_enabled', false), + $horizon = hiera('horizon_enabled', false), + $ironic = hiera('ironic_api_enabled', false), + $ironic_inspector = hiera('ironic_inspector_enabled', false), + $mysql = hiera('mysql_enabled', false), + $mysql_clustercheck = false, + $mysql_member_options = undef, + $rabbitmq = false, + $docker_registry = hiera('enable_docker_registry', false), + $redis = hiera('redis_enabled', false), + $redis_password = undef, + $midonet_api = false, + $zaqar_api = hiera('zaqar_api_enabled', false), + $ceph_rgw = hiera('ceph_rgw_enabled', false), + $opendaylight = hiera('opendaylight_api_enabled', false), + $zaqar_ws = hiera('zaqar_api_enabled', false), + $ui = hiera('enable_ui', false), + $aodh_network = hiera('aodh_api_network', undef), + $barbican_network = hiera('barbican_api_network', false), + $ceilometer_network = hiera('ceilometer_api_network', undef), + $ceph_rgw_network = hiera('ceph_rgw_network', undef), + $cinder_network = hiera('cinder_api_network', undef), + $docker_registry_network = hiera('docker_registry_network', undef), + $glance_api_network = hiera('glance_api_network', undef), + $glance_registry_network = hiera('glance_registry_network', undef), + $gnocchi_network = hiera('gnocchi_api_network', undef), + $heat_api_network = hiera('heat_api_network', undef), + $heat_cfn_network = hiera('heat_api_cfn_network', undef), + $heat_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), + $ironic_inspector_network = hiera('ironic_inspector_network', undef), + $ironic_network = hiera('ironic_api_network', undef), + $keystone_admin_network = hiera('keystone_admin_api_network', undef), + $keystone_public_network = hiera('keystone_public_api_network', undef), + $manila_network = hiera('manila_api_network', undef), + $mistral_network = hiera('mistral_api_network', undef), + $neutron_network = hiera('neutron_api_network', undef), + $nova_metadata_network = hiera('nova_api_network', undef), + $nova_novncproxy_network = hiera('nova_vnc_proxy_network', undef), + $nova_osapi_network = hiera('nova_api_network', undef), + $panko_network = hiera('panko_api_network', undef), + $sahara_network = hiera('sahara_api_network', undef), + $swift_proxy_server_network = hiera('swift_proxy_network', undef), + $trove_network = hiera('trove_api_network', undef), + $zaqar_api_network = hiera('zaqar_api_network', undef), + $service_ports = {} ) { $default_service_ports = { aodh_api_port => 8042, aodh_api_ssl_port => 13042, + barbican_api_port => 9311, + barbican_api_ssl_port => 13311, ceilometer_api_port => 8777, ceilometer_api_ssl_port => 13777, cinder_api_port => 8776, cinder_api_ssl_port => 13776, + docker_registry_port => 8787, + docker_registry_ssl_port => 13787, glance_api_port => 9292, glance_api_ssl_port => 13292, glance_registry_port => 9191, @@ -382,6 +580,7 @@ class tripleo::haproxy ( keystone_public_api_ssl_port => 13000, manila_api_port => 8786, manila_api_ssl_port => 13786, + midonet_cluster_port => 8181, neutron_api_port => 9696, neutron_api_ssl_port => 13696, nova_api_port => 8774, @@ -389,12 +588,16 @@ class tripleo::haproxy ( nova_metadata_port => 8775, nova_novnc_port => 6080, nova_novnc_ssl_port => 13080, + panko_api_port => 8779, + panko_api_ssl_port => 13779, sahara_api_port => 8386, sahara_api_ssl_port => 13386, swift_proxy_port => 8080, swift_proxy_ssl_port => 13808, trove_api_port => 8779, trove_api_ssl_port => 13779, + ui_port => 3000, + ui_ssl_port => 443, zaqar_api_port => 8888, zaqar_api_ssl_port => 13888, ceph_rgw_port => 8080, @@ -404,6 +607,12 @@ class tripleo::haproxy ( } $ports = merge($default_service_ports, $service_ports) + if $enable_internal_tls { + $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"] + } else { + $internal_tls_member_options = [] + } + $controller_hosts_real = any2array(split($controller_hosts, ',')) if ! $controller_hosts_names { $controller_hosts_names_real = $controller_hosts_real @@ -411,11 +620,6 @@ class tripleo::haproxy ( $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } - # This code will be removed once we switch undercloud and overcloud to use both haproxy & keepalived roles. - if $keepalived { - include ::tripleo::keepalived - } - # TODO(bnemec): When we have support for SSL on private and admin endpoints, # have the haproxy stats endpoint use that certificate by default. if $haproxy_stats_certificate { @@ -439,11 +643,14 @@ class tripleo::haproxy ( "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), } $horizon_options = { - 'cookie' => 'SERVERID insert indirect nocache', - 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + 'cookie' => 'SERVERID insert indirect nocache', + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. - 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", - 'option' => 'forwardfor', + 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", + 'option' => 'forwardfor', + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], } } else { $horizon_bind_opts = { @@ -492,6 +699,10 @@ class tripleo::haproxy ( 'maxconn' => $haproxy_global_maxconn, 'ssl-default-bind-ciphers' => $ssl_cipher_suite, 'ssl-default-bind-options' => $ssl_options, + 'stats' => [ + 'socket /var/run/haproxy.sock mode 600 level user', + 'timeout 2m' + ], }, defaults_options => { 'mode' => 'tcp', @@ -503,10 +714,11 @@ class tripleo::haproxy ( } Tripleo::Haproxy::Endpoint { - haproxy_listen_bind_param => $haproxy_listen_bind_param, - member_options => $haproxy_member_options, - public_certificate => $service_certificate, - internal_certificate => $internal_certificate, + haproxy_listen_bind_param => $haproxy_listen_bind_param, + member_options => $haproxy_member_options, + public_certificate => $service_certificate, + use_internal_certificates => $use_internal_certificates, + internal_certificates_specs => $internal_certificates_specs, } $stats_base = ['enable', 'uri /'] @@ -530,7 +742,7 @@ class tripleo::haproxy ( internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), service_port => $ports[keystone_admin_api_port], ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => { 'http-request' => [ @@ -538,6 +750,8 @@ class tripleo::haproxy ( 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, public_ssl_port => $ports[keystone_admin_api_ssl_port], + service_network => $keystone_admin_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -562,10 +776,12 @@ class tripleo::haproxy ( internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip), service_port => $ports[keystone_public_api_port], ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], + service_network => $keystone_public_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -575,8 +791,15 @@ class tripleo::haproxy ( internal_ip => hiera('neutron_api_vip', $controller_virtual_ip), service_port => $ports[neutron_api_port], ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[neutron_api_ssl_port], + service_network => $neutron_network, } } @@ -586,7 +809,7 @@ class tripleo::haproxy ( internal_ip => hiera('cinder_api_vip', $controller_virtual_ip), service_port => $ports[cinder_api_port], ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('cinder_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => { 'http-request' => [ @@ -594,6 +817,8 @@ class tripleo::haproxy ( 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, public_ssl_port => $ports[cinder_api_ssl_port], + service_network => $cinder_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -603,13 +828,15 @@ class tripleo::haproxy ( internal_ip => hiera('manila_api_vip', $controller_virtual_ip), service_port => $ports[manila_api_port], ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('manila_api_node_names', $controller_hosts_names_real), + mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, public_ssl_port => $ports[manila_api_ssl_port], + service_network => $manila_network, } } @@ -619,8 +846,9 @@ class tripleo::haproxy ( internal_ip => hiera('sahara_api_vip', $controller_virtual_ip), service_port => $ports[sahara_api_port], ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('sahara_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[sahara_api_ssl_port], + service_network => $sahara_network, } } @@ -630,8 +858,9 @@ class tripleo::haproxy ( internal_ip => hiera('trove_api_vip', $controller_virtual_ip), service_port => $ports[trove_api_port], ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('trove_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[trove_api_ssl_port], + service_network => $trove_network, } } @@ -641,7 +870,7 @@ class tripleo::haproxy ( internal_ip => hiera('glance_api_vip', $controller_virtual_ip), service_port => $ports[glance_api_port], ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('glance_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[glance_api_ssl_port], mode => 'http', listen_options => { @@ -649,15 +878,17 @@ class tripleo::haproxy ( 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, + service_network => $glance_api_network, } } if $glance_registry { ::tripleo::haproxy::endpoint { 'glance_registry': - internal_ip => hiera('glance_registry_vip', $controller_virtual_ip), - service_port => $ports[glance_registry_port], - ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + internal_ip => hiera('glance_registry_vip', $controller_virtual_ip), + service_port => $ports[glance_registry_port], + ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real), + server_names => hiera('glance_registry_node_names', $controller_hosts_names_real), + service_network => $glance_registry_network, } } @@ -668,7 +899,7 @@ class tripleo::haproxy ( internal_ip => $nova_api_vip, service_port => $ports[nova_api_port], ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('nova_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => { 'http-request' => [ @@ -676,15 +907,18 @@ class tripleo::haproxy ( 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, public_ssl_port => $ports[nova_api_ssl_port], + service_network => $nova_osapi_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } if $nova_metadata { ::tripleo::haproxy::endpoint { 'nova_metadata': - internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip), - service_port => $ports[nova_metadata_port], - ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip), + service_port => $ports[nova_metadata_port], + ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), + server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real), + service_network => $nova_metadata_network, } } @@ -694,12 +928,13 @@ class tripleo::haproxy ( internal_ip => $nova_api_vip, service_port => $ports[nova_novnc_port], ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('nova_api_node_names', $controller_hosts_names_real), listen_options => { 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], }, public_ssl_port => $ports[nova_novnc_ssl_port], + service_network => $nova_novncproxy_network, } } @@ -709,8 +944,16 @@ class tripleo::haproxy ( internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip), service_port => $ports[ceilometer_api_port], ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[ceilometer_api_ssl_port], + service_network => $ceilometer_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -720,8 +963,47 @@ class tripleo::haproxy ( internal_ip => hiera('aodh_api_vip', $controller_virtual_ip), service_port => $ports[aodh_api_port], ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[aodh_api_ssl_port], + service_network => $aodh_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), + } + } + + if $panko { + ::tripleo::haproxy::endpoint { 'panko': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('panko_api_vip', $controller_virtual_ip), + service_port => $ports[panko_api_port], + ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real), + server_names => hiera('panko_api_node_names', $controller_hosts_names_real), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[panko_api_ssl_port], + service_network => $panko_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), + } + } + + if $barbican { + ::tripleo::haproxy::endpoint { 'barbican': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('barbican_api_vip', $controller_virtual_ip), + service_port => $ports[barbican_api_port], + ip_addresses => hiera('barbican_api_node_ips', $controller_hosts_real), + server_names => hiera('barbican_api_node_names', $controller_hosts_names_real), + public_ssl_port => $ports[barbican_api_ssl_port], + service_network => $barbican_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -731,8 +1013,16 @@ class tripleo::haproxy ( internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip), service_port => $ports[gnocchi_api_port], ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[gnocchi_api_ssl_port], + service_network => $gnocchi_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -742,19 +1032,26 @@ class tripleo::haproxy ( internal_ip => hiera('mistral_api_vip', $controller_virtual_ip), service_port => $ports[mistral_api_port], ip_addresses => hiera('mistral_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('mistral_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[mistral_api_ssl_port], + service_network => $mistral_network, } } if $swift_proxy_server { + $swift_proxy_server_listen_options = { + 'timeout client' => '2m', + 'timeout server' => '2m', + } ::tripleo::haproxy::endpoint { 'swift_proxy_server': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip), service_port => $ports[swift_proxy_port], ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('swift_proxy_node_names', $controller_hosts_names_real), + listen_options => $swift_proxy_server_listen_options, public_ssl_port => $ports[swift_proxy_ssl_port], + service_network => $swift_proxy_server_network, } } @@ -779,10 +1076,11 @@ class tripleo::haproxy ( internal_ip => $heat_api_vip, service_port => $ports[heat_api_port], ip_addresses => $heat_ip_addresses, - server_names => $controller_hosts_names_real, + server_names => hiera('heat_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => $heat_options, public_ssl_port => $ports[heat_api_ssl_port], + service_network => $heat_api_network, } } @@ -792,10 +1090,11 @@ class tripleo::haproxy ( internal_ip => $heat_api_vip, service_port => $ports[heat_cw_port], ip_addresses => $heat_ip_addresses, - server_names => $controller_hosts_names_real, + server_names => hiera('heat_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => $heat_options, public_ssl_port => $ports[heat_cw_ssl_port], + service_network => $heat_cloudwatch_network, } } @@ -805,10 +1104,11 @@ class tripleo::haproxy ( internal_ip => $heat_api_vip, service_port => $ports[heat_cfn_port], ip_addresses => $heat_ip_addresses, - server_names => $controller_hosts_names_real, + server_names => hiera('heat_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => $heat_options, public_ssl_port => $ports[heat_cfn_ssl_port], + service_network => $heat_cfn_network, } } @@ -823,7 +1123,7 @@ class tripleo::haproxy ( listening_service => 'horizon', ports => '80', ipaddresses => hiera('horizon_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('horizon_node_names', $controller_hosts_names_real), options => union($haproxy_member_options, ["cookie ${::hostname}"]), } } @@ -834,8 +1134,9 @@ class tripleo::haproxy ( internal_ip => hiera('ironic_api_vip', $controller_virtual_ip), service_port => $ports[ironic_api_port], ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('ironic_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ironic_api_ssl_port], + service_network => $ironic_network, } } @@ -845,8 +1146,9 @@ class tripleo::haproxy ( internal_ip => hiera('ironic_inspector_vip', $controller_virtual_ip), service_port => $ports[ironic_inspector_port], ip_addresses => hiera('ironic_inspector_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('ironic_inspector_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ironic_inspector_ssl_port], + service_network => $ironic_inspector_network, } } @@ -858,13 +1160,21 @@ class tripleo::haproxy ( 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', } - $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions']) + if $mysql_member_options { + $mysql_member_options_real = $mysql_member_options + } else { + $mysql_member_options_real = ['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s'] + } } else { $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', } - $mysql_member_options = union($haproxy_member_options, ['backup']) + if $mysql_member_options { + $mysql_member_options_real = $mysql_member_options + } else { + $mysql_member_options_real = union($haproxy_member_options, ['backup']) + } } if $mysql { @@ -877,8 +1187,8 @@ class tripleo::haproxy ( listening_service => 'mysql', ports => '3306', ipaddresses => hiera('mysql_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $mysql_member_options, + server_names => hiera('mysql_node_names', $controller_hosts_names_real), + options => $mysql_member_options_real, } } @@ -895,11 +1205,23 @@ class tripleo::haproxy ( listening_service => 'rabbitmq', ports => '5672', ipaddresses => hiera('rabbitmq_network', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('rabbitmq_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } } + if $docker_registry { + ::tripleo::haproxy::endpoint { 'docker-registry': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('docker_registry_vip', $controller_virtual_ip), + service_port => $ports[docker_registry_port], + ip_addresses => hiera('docker_registry_node_ips', $controller_hosts_real), + server_names => hiera('docker_registry_node_names', $controller_hosts_names_real), + public_ssl_port => $ports[docker_registry_ssl_port], + service_network => $docker_registry_network, + } + } + if $redis { if $redis_password { $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"] @@ -924,15 +1246,15 @@ class tripleo::haproxy ( listening_service => 'redis', ports => '6379', ipaddresses => hiera('redis_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('redis_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } } - $midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip) + $midonet_cluster_vip = hiera('midonet_cluster_vip', $controller_virtual_ip) $midonet_bind_opts = { - "${midonet_api_vip}:8081" => [], - "${public_virtual_ip}:8081" => [], + "${midonet_cluster_vip}:${ports[midonet_cluster_port]}" => [], + "${public_virtual_ip}:${ports[midonet_cluster_port]}" => [], } if $midonet_api { @@ -942,9 +1264,9 @@ class tripleo::haproxy ( } haproxy::balancermember { 'midonet_api': listening_service => 'midonet_api', - ports => '8081', + ports => $ports[midonet_cluster_port], ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('midonet_api_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } } @@ -954,9 +1276,10 @@ class tripleo::haproxy ( internal_ip => hiera('zaqar_api_vip', $controller_virtual_ip), service_port => $ports[zaqar_api_port], ip_addresses => hiera('zaqar_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('zaqar_api_node_names', $controller_hosts_names_real), mode => 'http', public_ssl_port => $ports[zaqar_api_ssl_port], + service_network => $zaqar_api_network, } } @@ -966,15 +1289,16 @@ class tripleo::haproxy ( internal_ip => hiera('ceph_rgw_vip', $controller_virtual_ip), service_port => $ports[ceph_rgw_port], ip_addresses => hiera('ceph_rgw_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ceph_rgw_ssl_port], + service_network => $ceph_rgw_network, } } $opendaylight_api_vip = hiera('opendaylight_api_vip', $controller_virtual_ip) $opendaylight_bind_opts = { - "${opendaylight_api_vip}:8081" => [], - "${public_virtual_ip}:8081" => [], + "${opendaylight_api_vip}:8081" => $haproxy_listen_bind_param, + "${public_virtual_ip}:8081" => $haproxy_listen_bind_param, } if $opendaylight { @@ -989,7 +1313,7 @@ class tripleo::haproxy ( listening_service => 'opendaylight', ports => '8081', ipaddresses => hiera('opendaylight_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('opendaylight_api_node_names', $controller_hosts_names_real), options => ['check', 'inter 2000', 'rise 2', 'fall 5'], } } @@ -1000,7 +1324,7 @@ class tripleo::haproxy ( internal_ip => hiera('zaqar_ws_vip', $controller_virtual_ip), service_port => $ports[zaqar_ws_port], ip_addresses => hiera('zaqar_ws_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, + server_names => hiera('zaqar_ws_node_names', $controller_hosts_names_real), mode => 'http', haproxy_listen_bind_param => [], # We don't use a transparent proxy here listen_options => { @@ -1013,6 +1337,20 @@ class tripleo::haproxy ( 'timeout' => ['connect 5s', 'client 25s', 'server 25s', 'tunnel 3600s'], }, public_ssl_port => $ports[zaqar_ws_ssl_port], + service_network => $zaqar_api_network, + } + } + + if $ui { + ::tripleo::haproxy::endpoint { 'ui': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ui_vip', $controller_virtual_ip), + service_port => $ports[ui_port], + ip_addresses => hiera('ui_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + public_ssl_port => $ports[ui_ssl_port], } } + } |