Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r-- | manifests/haproxy.pp | 76 |
1 files changed, 74 insertions, 2 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index e17dc90..d925da0 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -106,6 +106,11 @@
 # flag is set.
 # Defaults to {}
 #
+# [*enable_internal_tls*]
+# A flag that indicates if the servers in the internal network are using TLS.
+# This enables the 'ssl' option for the server members that are proxied.
+# Defaults to hiera('enable_internal_tls', false)
+#
 # [*ssl_cipher_suite*]
 # The default string describing the list of cipher algorithms ("cipher suite")
 # that are negotiated during the SSL/TLS handshake for all "bind" lines. This
@@ -229,6 +234,10 @@
 # (optional) Enable or not RabbitMQ binding
 # Defaults to false
 #
+# [*docker_registry*]
+# (optional) Enable or not the Docker Registry API binding
+# Defaults to hiera('enable_docker_registry', false)
+#
 # [*redis*]
 # (optional) Enable or not Redis binding
 # Defaults to hiera('redis_enabled', false)
@@ -258,6 +267,10 @@
 # (optional) Enable or not Zaqar Websockets binding
 # Defaults to false
 #
+# [*ui*]
+# (optional) Enable or not TripleO UI
+# Defaults to false
+#
 # [*aodh_network*]
 # (optional) Specify the network aodh is running on.
 # Defaults to hiera('aodh_api_network', undef)
@@ -278,6 +291,10 @@
 # (optional) Specify the network cinder is running on.
 # Defaults to hiera('cinder_api_network', undef)
 #
+# [*docker_registry_network*]
+# (optional) Specify the network docker-registry is running on.
+# Defaults to hiera('docker_registry_network', undef)
+#
 # [*glance_api_network*]
 # (optional) Specify the network glance_api is running on.
 # Defaults to hiera('glance_api_network', undef)
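Review bot: The `[*ui*]` entry added in the third hunk documents the default as `false`, but the parameter this commit adds to the class signature defaults to `hiera('enable_ui', false)`, so the doc hides the hiera key operators need to turn the UI on. It should read `#   Defaults to hiera('enable_ui', false)`, matching the pattern the new `[*docker_registry*]` entry in the second hunk already follows.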
@@ -373,6 +390,8 @@
 # 'ceilometer_api_ssl_port' (Defaults to 13777)
 # 'cinder_api_port' (Defaults to 8776)
 # 'cinder_api_ssl_port' (Defaults to 13776)
+# 'docker_registry_port' (Defaults to 8787)
+# 'docker_registry_ssl_port' (Defaults to 13787)
 # 'glance_api_port' (Defaults to 9292)
 # 'glance_api_ssl_port' (Defaults to 13292)
 # 'glance_registry_port' (Defaults to 9191)
@@ -437,6 +456,7 @@ class tripleo::haproxy (
 $service_certificate = undef,
 $use_internal_certificates = false,
 $internal_certificates_specs = {},
+ $enable_internal_tls = hiera('enable_internal_tls', false),
 $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
 $ssl_options = 'no-sslv3',
 $haproxy_stats_certificate = undef,
@@ -467,6 +487,7 @@ class tripleo::haproxy (
 $mysql = hiera('mysql_enabled', false),
 $mysql_clustercheck = false,
 $rabbitmq = false,
+ $docker_registry = hiera('enable_docker_registry', false),
 $redis = hiera('redis_enabled', false),
 $redis_password = undef,
 $midonet_api = false,
@@ -474,11 +495,13 @@ class tripleo::haproxy (
 $ceph_rgw = hiera('ceph_rgw_enabled', false),
 $opendaylight = hiera('opendaylight_api_enabled', false),
 $zaqar_ws = hiera('zaqar_api_enabled', false),
+ $ui = hiera('enable_ui', false),
 $aodh_network = hiera('aodh_api_network', undef),
 $barbican_network = hiera('barbican_api_network', false),
 $ceilometer_network = hiera('ceilometer_api_network', undef),
 $ceph_rgw_network = hiera('ceph_rgw_network', undef),
 $cinder_network = hiera('cinder_api_network', undef),
+ $docker_registry_network = hiera('docker_registry_network', undef),
 $glance_api_network = hiera('glance_api_network', undef),
 $glance_registry_network = hiera('glance_registry_network', undef),
 $gnocchi_network = hiera('gnocchi_api_network', undef),
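Review bot: The `service_ports` doc list in the first hunk gains the two docker-registry ports but not the two UI ports that the commit adds to `$default_service_ports` further down (`ui_port => 3000`, `ui_ssl_port => 443`), so the documented list of overridable keys is incomplete for the new service. Add `#   'ui_port' (Defaults to 3000)` and `#   'ui_ssl_port' (Defaults to 443)` in alphabetical position, next to the trove entries.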
@@ -510,6 +533,8 @@ class tripleo::haproxy (
 ceilometer_api_ssl_port => 13777,
 cinder_api_port => 8776,
 cinder_api_ssl_port => 13776,
+ docker_registry_port => 8787,
+ docker_registry_ssl_port => 13787,
 glance_api_port => 9292,
 glance_api_ssl_port => 13292,
 glance_registry_port => 9191,
@@ -546,6 +571,8 @@ class tripleo::haproxy (
 swift_proxy_ssl_port => 13808,
 trove_api_port => 8779,
 trove_api_ssl_port => 13779,
+ ui_port => 3000,
+ ui_ssl_port => 443,
 zaqar_api_port => 8888,
 zaqar_api_ssl_port => 13888,
 ceph_rgw_port => 8080,
@@ -555,6 +582,13 @@ class tripleo::haproxy (
 }
 $ports = merge($default_service_ports, $service_ports)
+ if $enable_internal_tls {
+ # TODO(jaosorior): change verify none to verify required.
+ $internal_tls_member_options = ['ssl', 'verify none']
+ } else {
+ $internal_tls_member_options = []
+ }
+
 $controller_hosts_real = any2array(split($controller_hosts, ','))
 if ! $controller_hosts_names {
 $controller_hosts_names_real = $controller_hosts_real
@@ -646,6 +680,10 @@ class tripleo::haproxy (
 'maxconn' => $haproxy_global_maxconn,
 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
 'ssl-default-bind-options' => $ssl_options,
+ 'stats' => [
+ 'socket /var/run/haproxy.sock mode 600 level user',
+ 'timeout 2m'
+ ],
 },
 defaults_options => {
 'mode' => 'tcp',
@@ -694,6 +732,7 @@ class tripleo::haproxy (
 },
 public_ssl_port => $ports[keystone_admin_api_ssl_port],
 service_network => $keystone_admin_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
 }
 }
@@ -723,6 +762,7 @@ class tripleo::haproxy (
 listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
 public_ssl_port => $ports[keystone_public_api_ssl_port],
 service_network => $keystone_public_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
 }
 }
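Review bot: `$internal_tls_member_options = ['ssl', 'verify none']` in the third hunk makes HAProxy speak TLS to the backend members without checking their certificates, so with `enable_internal_tls` set the internal hop is encrypted but the peer is never authenticated; the TODO on the line above records this, but nothing in the commit surfaces it to the person setting the flag. The `[*enable_internal_tls*]` parameter doc added in the first hunk of this file says only that it enables the `ssl` option; it should also state that certificate verification is currently disabled (`verify none`) so the flag is not read as full backend authentication. When the TODO is resolved, `verify required` will need a `ca-file` pointing at the internal CA on the same option list. The enclosing class body continues outside the hunk.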
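Review bot: The `'stats'` entry in the fourth hunk opens a local control socket at `/var/run/haproxy.sock` that the class did not have before, and nothing in the commit documents who it is for. HAProxy binds the socket before it drops privileges, so with no `user`/`group` keyword the socket is presumably root-owned and, at `mode 600`, usable only by root — fine for a root-run health check, but any unprivileged tool expected to query it will get a permission error. `level user` restricts it to read-only commands, which is the right default for a socket that is not meant for runtime administration; a one-line comment above the entry, e.g. `# Read-only (level user) local stats socket; root-only by default (mode 600).`, would record both facts for the next reader.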
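Review bot: `member_options => union($haproxy_member_options, $internal_tls_member_options)` in the fifth hunk is repeated verbatim in the sixth hunk and in the two ceilometer/aodh hunks that follow; computing it once next to the `if $enable_internal_tls` block, e.g. `$internal_tls_member_options_real = union($haproxy_member_options, $internal_tls_member_options)`, and passing that to the four endpoints keeps the call sites in sync when the option list changes and follows the file's existing `*_real` naming. `$haproxy_member_options` is defined outside the hunk, so I am assuming it is always an array, which `union` requires. The endpoints this commit does not touch (and the new docker-registry and ui ones) keep plain-text backends even when the flag is set; if that is intentional, a sentence in the `[*enable_internal_tls*]` doc naming which services honour it would help.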
@@ -879,6 +919,7 @@ class tripleo::haproxy (
 server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real),
 public_ssl_port => $ports[ceilometer_api_ssl_port],
 service_network => $ceilometer_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
 }
 }
@@ -891,6 +932,7 @@ class tripleo::haproxy (
 server_names => hiera('aodh_api_node_names', $controller_hosts_names_real),
 public_ssl_port => $ports[aodh_api_ssl_port],
 service_network => $aodh_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
 }
 }
@@ -931,12 +973,17 @@ class tripleo::haproxy (
 }
 if $swift_proxy_server {
+ $swift_proxy_server_listen_options = {
+ 'timeout client' => '2m',
+ 'timeout server' => '2m',
+ }
 ::tripleo::haproxy::endpoint { 'swift_proxy_server':
 public_virtual_ip => $public_virtual_ip,
 internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip),
 service_port => $ports[swift_proxy_port],
 ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
 server_names => hiera('swift_proxy_node_names', $controller_hosts_names_real),
+ listen_options => $swift_proxy_server_listen_options,
 public_ssl_port => $ports[swift_proxy_ssl_port],
 service_network => $swift_proxy_server_network,
 }
@@ -1089,6 +1136,18 @@ class tripleo::haproxy (
 }
 }
+ if $docker_registry {
+ ::tripleo::haproxy::endpoint { 'docker-registry':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('docker_registry_vip', $controller_virtual_ip),
+ service_port => $ports[docker_registry_port],
+ ip_addresses => hiera('docker_registry_node_ips', $controller_hosts_real),
+ server_names => hiera('docker_registry_node_names', $controller_hosts_names_real),
+ public_ssl_port => $ports[docker_registry_ssl_port],
+ service_network => $docker_registry_network,
+ }
+ }
+
 if $redis {
 if $redis_password {
 $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
@@ -1164,8 +1223,8 @@ class tripleo::haproxy (
 $opendaylight_api_vip = hiera('opendaylight_api_vip', $controller_virtual_ip)
 $opendaylight_bind_opts = {
- "${opendaylight_api_vip}:8081" => [],
- "${public_virtual_ip}:8081" => [],
+ "${opendaylight_api_vip}:8081" => $haproxy_listen_bind_param,
+ "${public_virtual_ip}:8081" => $haproxy_listen_bind_param,
 }
 if $opendaylight {
@@ -1207,4 +1266,17 @@ class tripleo::haproxy (
 service_network => $zaqar_api_network,
 }
 }
+
+ if $ui {
+ ::tripleo::haproxy::endpoint { 'ui':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('ui_vip', $controller_virtual_ip),
+ service_port => $ports[ui_port],
+ ip_addresses => hiera('ui_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ public_ssl_port => $ports[ui_ssl_port],
+ }
+ }
+
 }
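Review bot: The new `ui` endpoint in the second hunk is the only endpoint in this commit without `service_network`; the docker-registry endpoint added earlier passes `$docker_registry_network` and documents it, but no `ui_network` parameter or `[*ui_network*]` doc entry is added, so the UI cannot be placed on a per-service network like the rest. Its hiera keys also break the file's convention: `hiera('ui_ips', ...)` where every other endpoint uses `<service>_node_ips`, and `server_names => $controller_hosts_names_real` with no `hiera('ui_node_names', ...)` lookup, so the server list cannot be overridden the way the others can. `ui_ssl_port => 443` takes the public VIP's default HTTPS port while every other service uses a 13xxx port; if anything else on that VIP already listens on 443, HAProxy will fail to bind, so the choice deserves either a comment explaining it or a port in the same range as the others.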