diff options
Diffstat (limited to 'manifests/haproxy.pp')
| -rw-r--r-- | manifests/haproxy.pp | 171 |
1 files changed, 146 insertions, 25 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp index d925da0..c57666d 100644 --- a/manifests/haproxy.pp +++ b/manifests/haproxy.pp @@ -19,10 +19,6 @@ # # === Parameters: # -# [*keepalived*] -# Whether to configure keepalived to manage the VIPs or not. -# Defaults to true -# # [*haproxy_service_manage*] # Will be passed as value for service_manage to HAProxy module. # Defaults to true @@ -37,7 +33,7 @@ # # [*haproxy_default_timeout*] # The value to use as timeout in the HAProxy default config section. -# Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ] +# Defaults to [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ] # # [*haproxy_listen_bind_param*] # A list of params to be added to the HAProxy listener bind directive. By @@ -121,6 +117,11 @@ # String that sets the default ssl options to force on all "bind" lines. # Defaults to 'no-sslv3' # +# [*ca_bundle*] +# Path to the CA bundle to be used for HAProxy to validate the certificates of +# the servers it balances +# Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt' +# # [*haproxy_stats_certificate*] # Filename of an HAProxy-compatible certificate and key file # When set, enables SSL on the haproxy stats endpoint using the specified file. @@ -182,9 +183,13 @@ # (optional) Enable or not Aodh API binding # Defaults to hiera('aodh_api_enabled', false) # +# [*panko*] +# (optional) Enable or not Panko API binding +# Defaults to hiera('panko_api_enabled', false) +# # [*barbican*] # (optional) Enable or not Barbican API binding -# Defaults to false +# Defaults to hiera('barbican_api_enabled', false) # # [*gnocchi*] # (optional) Enable or not Gnocchi API binding @@ -230,6 +235,14 @@ # (optional) Enable check via clustercheck for mysql # Defaults to false # +# [*mysql_member_options*] +# The options to use for the mysql HAProxy balancer members. +# If this parameter is undefined, the actual value configured will depend +# on the value of $mysql_clustercheck. If cluster checking is enabled, +# the mysql member options will be: "['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s']" +# and if mysql cluster checking is disabled, the member options will be: "union($haproxy_member_options, ['backup'])" +# Defaults to undef +# # [*rabbitmq*] # (optional) Enable or not RabbitMQ binding # Defaults to false @@ -263,6 +276,10 @@ # (optional) Enable or not OpenDaylight binding # Defaults to hiera('opendaylight_api_enabled', false) # +# [*ovn_dbs*] +# (optional) Enable or not OVN northd binding +# Defaults to hiera('ovn_dbs_enabled', false) +# # [*zaqar_ws*] # (optional) Enable or not Zaqar Websockets binding # Defaults to false @@ -363,6 +380,14 @@ # (optional) Specify the network opendaylight is running on. # Defaults to hiera('opendaylight_api_network', undef) # +# [*panko_network*] +# (optional) Specify the network panko is running on. +# Defaults to hiera('panko_api_network', undef) +# +# [*ovn_dbs_network*] +# (optional) Specify the network ovn_dbs is running on. +# Defaults to hiera('ovn_dbs_network', undef) +# # [*sahara_network*] # (optional) Specify the network sahara is running on. # Defaults to hiera('sahara_api_network', undef) @@ -422,6 +447,10 @@ # 'nova_metadata_port' (Defaults to 8775) # 'nova_novnc_port' (Defaults to 6080) # 'nova_novnc_ssl_port' (Defaults to 13080) +# 'panko_api_port' (Defaults to 8779) +# 'panko_api_ssl_port' (Defaults to 13779) +# 'ovn_nbdb_port' (Defaults to 6641) +# 'ovn_sbdb_port' (Defaults to 6642) # 'sahara_api_port' (Defaults to 8386) # 'sahara_api_ssl_port' (Defaults to 13386) # 'swift_proxy_port' (Defaults to 8080) @@ -441,11 +470,10 @@ class tripleo::haproxy ( $controller_virtual_ip, $public_virtual_ip, - $keepalived = true, $haproxy_service_manage = true, $haproxy_global_maxconn = 20480, $haproxy_default_maxconn = 4096, - $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ], + $haproxy_default_timeout = [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ], $haproxy_listen_bind_param = [ 'transparent' ], $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], $haproxy_log_address = '/dev/log', @@ -459,6 +487,7 @@ class tripleo::haproxy ( $enable_internal_tls = hiera('enable_internal_tls', false), $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', + $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt', $haproxy_stats_certificate = undef, $keystone_admin = hiera('keystone_enabled', false), $keystone_public = hiera('keystone_enabled', false), @@ -474,6 +503,7 @@ class tripleo::haproxy ( $nova_novncproxy = hiera('nova_vnc_proxy_enabled', false), $ceilometer = hiera('ceilometer_api_enabled', false), $aodh = hiera('aodh_api_enabled', false), + $panko = hiera('panko_api_enabled', false), $barbican = hiera('barbican_api_enabled', false), $gnocchi = hiera('gnocchi_api_enabled', false), $mistral = hiera('mistral_api_enabled', false), @@ -486,6 +516,7 @@ class tripleo::haproxy ( $ironic_inspector = hiera('ironic_inspector_enabled', false), $mysql = hiera('mysql_enabled', false), $mysql_clustercheck = false, + $mysql_member_options = undef, $rabbitmq = false, $docker_registry = hiera('enable_docker_registry', false), $redis = hiera('redis_enabled', false), @@ -494,6 +525,7 @@ class tripleo::haproxy ( $zaqar_api = hiera('zaqar_api_enabled', false), $ceph_rgw = hiera('ceph_rgw_enabled', false), $opendaylight = hiera('opendaylight_api_enabled', false), + $ovn_dbs = hiera('ovn_dbs_enabled', false), $zaqar_ws = hiera('zaqar_api_enabled', false), $ui = hiera('enable_ui', false), $aodh_network = hiera('aodh_api_network', undef), @@ -518,6 +550,8 @@ class tripleo::haproxy ( $nova_metadata_network = hiera('nova_api_network', undef), $nova_novncproxy_network = hiera('nova_vnc_proxy_network', undef), $nova_osapi_network = hiera('nova_api_network', undef), + $panko_network = hiera('panko_api_network', undef), + $ovn_dbs_network = hiera('ovn_dbs_network', undef), $sahara_network = hiera('sahara_api_network', undef), $swift_proxy_server_network = hiera('swift_proxy_network', undef), $trove_network = hiera('trove_api_network', undef), @@ -558,6 +592,7 @@ class tripleo::haproxy ( keystone_public_api_ssl_port => 13000, manila_api_port => 8786, manila_api_ssl_port => 13786, + midonet_cluster_port => 8181, neutron_api_port => 9696, neutron_api_ssl_port => 13696, nova_api_port => 8774, @@ -565,6 +600,10 @@ class tripleo::haproxy ( nova_metadata_port => 8775, nova_novnc_port => 6080, nova_novnc_ssl_port => 13080, + panko_api_port => 8779, + panko_api_ssl_port => 13779, + ovn_nbdb_port => 6641, + ovn_sbdb_port => 6642, sahara_api_port => 8386, sahara_api_ssl_port => 13386, swift_proxy_port => 8080, @@ -583,8 +622,7 @@ class tripleo::haproxy ( $ports = merge($default_service_ports, $service_ports) if $enable_internal_tls { - # TODO(jaosorior): change verify none to verify required. - $internal_tls_member_options = ['ssl', 'verify none'] + $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"] } else { $internal_tls_member_options = [] } @@ -596,11 +634,6 @@ class tripleo::haproxy ( $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } - # This code will be removed once we switch undercloud and overcloud to use both haproxy & keepalived roles. - if $keepalived { - include ::tripleo::keepalived - } - # TODO(bnemec): When we have support for SSL on private and admin endpoints, # have the haproxy stats endpoint use that certificate by default. if $haproxy_stats_certificate { @@ -773,6 +806,12 @@ class tripleo::haproxy ( service_port => $ports[neutron_api_port], ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[neutron_api_ssl_port], service_network => $neutron_network, } @@ -793,6 +832,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -803,6 +843,7 @@ class tripleo::haproxy ( service_port => $ports[manila_api_port], ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => hiera('manila_api_node_names', $controller_hosts_names_real), + mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', @@ -881,6 +922,7 @@ class tripleo::haproxy ( }, public_ssl_port => $ports[nova_api_ssl_port], service_network => $nova_osapi_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -917,6 +959,12 @@ class tripleo::haproxy ( service_port => $ports[ceilometer_api_port], ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[ceilometer_api_ssl_port], service_network => $ceilometer_network, member_options => union($haproxy_member_options, $internal_tls_member_options), @@ -930,21 +978,46 @@ class tripleo::haproxy ( service_port => $ports[aodh_api_port], ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[aodh_api_ssl_port], service_network => $aodh_network, member_options => union($haproxy_member_options, $internal_tls_member_options), } } + if $panko { + ::tripleo::haproxy::endpoint { 'panko': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('panko_api_vip', $controller_virtual_ip), + service_port => $ports[panko_api_port], + ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real), + server_names => hiera('panko_api_node_names', $controller_hosts_names_real), + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[panko_api_ssl_port], + service_network => $panko_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), + } + } + if $barbican { ::tripleo::haproxy::endpoint { 'barbican': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('barbican_api_vip', $controller_virtual_ip), service_port => $ports[barbican_api_port], ip_addresses => hiera('barbican_api_node_ips', $controller_hosts_real), - server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), + server_names => hiera('barbican_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[barbican_api_ssl_port], - service_network => $barbican_network + service_network => $barbican_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -955,8 +1028,15 @@ class tripleo::haproxy ( service_port => $ports[gnocchi_api_port], ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, public_ssl_port => $ports[gnocchi_api_ssl_port], service_network => $gnocchi_network, + member_options => union($haproxy_member_options, $internal_tls_member_options), } } @@ -1094,13 +1174,21 @@ class tripleo::haproxy ( 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', } - $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions']) + if $mysql_member_options { + $mysql_member_options_real = $mysql_member_options + } else { + $mysql_member_options_real = ['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s'] + } } else { $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', } - $mysql_member_options = union($haproxy_member_options, ['backup']) + if $mysql_member_options { + $mysql_member_options_real = $mysql_member_options + } else { + $mysql_member_options_real = union($haproxy_member_options, ['backup']) + } } if $mysql { @@ -1114,7 +1202,7 @@ class tripleo::haproxy ( ports => '3306', ipaddresses => hiera('mysql_node_ips', $controller_hosts_real), server_names => hiera('mysql_node_names', $controller_hosts_names_real), - options => $mysql_member_options, + options => $mysql_member_options_real, } } @@ -1177,10 +1265,10 @@ class tripleo::haproxy ( } } - $midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip) + $midonet_cluster_vip = hiera('midonet_cluster_vip', $controller_virtual_ip) $midonet_bind_opts = { - "${midonet_api_vip}:8081" => [], - "${public_virtual_ip}:8081" => [], + "${midonet_cluster_vip}:${ports[midonet_cluster_port]}" => [], + "${public_virtual_ip}:${ports[midonet_cluster_port]}" => [], } if $midonet_api { @@ -1190,7 +1278,7 @@ class tripleo::haproxy ( } haproxy::balancermember { 'midonet_api': listening_service => 'midonet_api', - ports => '8081', + ports => $ports[midonet_cluster_port], ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real), server_names => hiera('midonet_api_node_names', $controller_hosts_names_real), options => $haproxy_member_options, @@ -1244,6 +1332,39 @@ class tripleo::haproxy ( } } + + if $ovn_dbs { + # FIXME: is this config enough to ensure we only hit the first node in + # ovn_northd_node_ips ? + $ovn_db_listen_options = { + 'option' => [ 'tcpka' ], + 'timeout client' => '90m', + 'timeout server' => '90m', + 'stick-table' => 'type ip size 1000', + 'stick' => 'on dst', + } + ::tripleo::haproxy::endpoint { 'ovn_nbdb': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ovn_dbs_vip', $controller_virtual_ip), + service_port => $ports[ovn_nbdb_port], + ip_addresses => hiera('ovn_dbs_node_ips', $controller_hosts_real), + server_names => hiera('ovn_dbs_node_names', $controller_hosts_names_real), + service_network => $ovn_dbs_network, + listen_options => $ovn_db_listen_options, + mode => 'tcp' + } + ::tripleo::haproxy::endpoint { 'ovn_sbdb': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ovn_dbs_vip', $controller_virtual_ip), + service_port => $ports[ovn_sbdb_port], + ip_addresses => hiera('ovn_dbs_node_ips', $controller_hosts_real), + server_names => hiera('ovn_dbs_node_names', $controller_hosts_names_real), + service_network => $ovn_dbs_network, + listen_options => $ovn_db_listen_options, + mode => 'tcp' + } + } + if $zaqar_ws { ::tripleo::haproxy::endpoint { 'zaqar_ws': public_virtual_ip => $public_virtual_ip, @@ -1257,7 +1378,7 @@ class tripleo::haproxy ( # NOTE(jaosorior): Websockets have more overhead in establishing # connections than regular HTTP connections. Also, since it begins # as an HTTP connection and then "upgrades" to a TCP connection, some - # timeouts get overriden by others at certain times of the connection. + # timeouts get overridden by others at certain times of the connection. # The following values were taken from the following site: # http://blog.haproxy.com/2012/11/07/websockets-load-balancing-with-haproxy/ 'timeout' => ['connect 5s', 'client 25s', 'server 25s', 'tunnel 3600s'], |