diff options
Diffstat (limited to 'manifests/haproxy.pp')
| -rw-r--r-- | manifests/haproxy.pp | 50 |
1 files changed, 21 insertions, 29 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index 5a59c10..a3d088a 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -53,6 +53,11 @@ # Should haproxy run in daemon mode or not # Defaults to true # +# [*manage_firewall*] +# (optional) Enable or disable firewall settings for ports exposed by HAProxy +# (false means disabled, and true means enabled) +# Defaults to hiera('tripleo::firewall::manage_firewall', true) +# # [*controller_hosts*] # IPs of host or group of hosts to load-balance the services # Can be a string or an array. @@ -563,6 +568,7 @@ class tripleo::haproxy ( $haproxy_daemon = true, $haproxy_stats_user = 'admin', $haproxy_stats_password = undef, + $manage_firewall = hiera('tripleo::firewall::manage_firewall', true), $controller_hosts = hiera('controller_node_ips'), $controller_hosts_names = hiera('controller_node_names', undef), $contrail_config_hosts = hiera('contrail_config_node_ips', undef), @@ -766,12 +772,6 @@ class tripleo::haproxy ( $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } - # TODO(bnemec): When we have support for SSL on private and admin endpoints, - # have the haproxy stats endpoint use that certificate by default. - if $haproxy_stats_certificate { - $haproxy_stats_bind_certificate = $haproxy_stats_certificate - } - $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) if $service_certificate { # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the @@ -809,16 +809,6 @@ class tripleo::haproxy ( } } - if $haproxy_stats_bind_certificate { - $haproxy_stats_bind_opts = { - "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]), - } - } else { - $haproxy_stats_bind_opts = { - "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param, - } - } - $mysql_vip = hiera('mysql_vip', $controller_virtual_ip) $mysql_bind_opts = { "${mysql_vip}:3306" => $haproxy_listen_bind_param, @@ -881,22 +871,24 @@ class tripleo::haproxy ( use_internal_certificates => $use_internal_certificates, internal_certificates_specs => $internal_certificates_specs, listen_options => $default_listen_options, + manage_firewall => $manage_firewall, } if $haproxy_stats { - $stats_base = ['enable', 'uri /'] - if $haproxy_stats_password { - $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) + if $haproxy_stats_certificate { + $haproxy_stats_certificate_real = $haproxy_stats_certificate + } elsif $use_internal_certificates { + # NOTE(jaosorior): Right now it's hardcoded to use the ctlplane network + $haproxy_stats_certificate_real = $internal_certificates_specs["haproxy-ctlplane"]['service_pem'] } else { - $stats_config = $stats_base + $haproxy_stats_certificate_real = undef } - haproxy::listen { 'haproxy.stats': - bind => $haproxy_stats_bind_opts, - mode => 'http', - options => { - 'stats' => $stats_config, - }, - collect_exported => false, + class { '::tripleo::haproxy::stats': + haproxy_listen_bind_param => $haproxy_listen_bind_param, + ip => $controller_virtual_ip, + password => $haproxy_stats_password, + certificate => $haproxy_stats_certificate_real, + user => $haproxy_stats_user, } } @@ -1361,7 +1353,7 @@ class tripleo::haproxy ( server_names => hiera('mysql_node_names', $controller_hosts_names_real), options => $mysql_member_options_real, } - if hiera('tripleo::firewall::manage_firewall', true) { + if $manage_firewall { include ::tripleo::firewall $mysql_firewall_rules = { '100 mysql_haproxy' => { @@ -1443,7 +1435,7 @@ class tripleo::haproxy ( server_names => hiera('redis_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } - if hiera('tripleo::firewall::manage_firewall', true) { + if $manage_firewall { include ::tripleo::firewall $redis_firewall_rules = { '100 redis_haproxy' => { |