aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/haproxy.pp
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r--manifests/haproxy.pp193
1 files changed, 77 insertions, 116 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 0b69245..a449a49 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -49,6 +49,10 @@
# The IPv4, IPv6 or filesystem socket path of the syslog server.
# Defaults to '/dev/log'
#
+# [*haproxy_daemon*]
+# Should haproxy run in daemon mode or not
+# Defaults to true
+#
# [*controller_hosts*]
# IPs of host or group of hosts to load-balance the services
# Can be a string or an array.
@@ -428,6 +432,10 @@
# (optional) Specify the network ec2_api_metadata is running on.
# Defaults to hiera('ec2_api_network', undef)
#
+# [*etcd_network*]
+# (optional) Specify the network etcd is running on.
+# Defaults to hiera('etcd_network', undef)
+#
# [*opendaylight_network*]
# (optional) Specify the network opendaylight is running on.
# Defaults to hiera('opendaylight_api_network', undef)
@@ -535,6 +543,7 @@ class tripleo::haproxy (
$haproxy_listen_bind_param = [ 'transparent' ],
$haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
$haproxy_log_address = '/dev/log',
+ $haproxy_daemon = true,
$haproxy_stats_user = 'admin',
$haproxy_stats_password = undef,
$controller_hosts = hiera('controller_node_ips'),
@@ -623,6 +632,7 @@ class tripleo::haproxy (
$ovn_dbs_network = hiera('ovn_dbs_network', undef),
$ec2_api_network = hiera('ec2_api_network', undef),
$ec2_api_metadata_network = hiera('ec2_api_network', undef),
+ $etcd_network = hiera('etcd_network', undef),
$sahara_network = hiera('sahara_api_network', undef),
$swift_proxy_server_network = hiera('swift_proxy_network', undef),
$tacker_network = hiera('tacker_api_network', undef),
@@ -651,6 +661,7 @@ class tripleo::haproxy (
contrail_webui_https_port => 8143,
docker_registry_port => 8787,
docker_registry_ssl_port => 13787,
+ etcd_port => 2379,
glance_api_port => 9292,
glance_api_ssl_port => 13292,
gnocchi_api_port => 8041,
@@ -712,6 +723,9 @@ class tripleo::haproxy (
if $enable_internal_tls {
$internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
+ Haproxy::Balancermember {
+ verifyhost => true
+ }
} else {
$internal_tls_member_options = []
}
@@ -750,7 +764,7 @@ class tripleo::haproxy (
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
- 'option' => 'forwardfor',
+ 'option' => [ 'forwardfor', 'httpchk' ],
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
@@ -762,7 +776,7 @@ class tripleo::haproxy (
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
- 'option' => 'forwardfor',
+ 'option' => [ 'forwardfor', 'httpchk' ],
}
}
@@ -791,27 +805,30 @@ class tripleo::haproxy (
"${redis_vip}:6379" => $haproxy_listen_bind_param,
}
- $etcd_vip = hiera('etcd_vip', $controller_virtual_ip)
- $etcd_bind_opts = {
- "${etcd_vip}:2379" => $haproxy_listen_bind_param,
+ $haproxy_global_options = {
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
+ 'stats' => [
+ 'socket /var/lib/haproxy/stats mode 600 level user',
+ 'timeout 2m'
+ ],
+ }
+ if $haproxy_daemon == true {
+ $haproxy_daemonize = {
+ 'daemon' => '',
+ }
+ } else {
+ $haproxy_daemonize = {}
}
class { '::haproxy':
service_manage => $haproxy_service_manage,
- global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
- 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
- 'ssl-default-bind-options' => $ssl_options,
- 'stats' => [
- 'socket /var/lib/haproxy/stats mode 600 level user',
- 'timeout 2m'
- ],
- },
+ global_options => merge($haproxy_global_options, $haproxy_daemonize),
defaults_options => {
'mode' => 'tcp',
'log' => 'global',
@@ -821,12 +838,20 @@ class tripleo::haproxy (
},
}
+
+ $default_listen_options = {
+ 'option' => [ 'httpchk', ],
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ }
Tripleo::Haproxy::Endpoint {
haproxy_listen_bind_param => $haproxy_listen_bind_param,
member_options => $haproxy_member_options,
public_certificate => $service_certificate,
use_internal_certificates => $use_internal_certificates,
internal_certificates_specs => $internal_certificates_specs,
+ listen_options => $default_listen_options,
}
$stats_base = ['enable', 'uri /']
@@ -852,11 +877,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
public_ssl_port => $ports[keystone_admin_api_ssl_port],
service_network => $keystone_admin_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -864,11 +885,6 @@ class tripleo::haproxy (
}
if $keystone_public {
- $keystone_listen_opts = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- }
if $service_certificate {
$keystone_public_tls_listen_opts = {
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
@@ -877,7 +893,9 @@ class tripleo::haproxy (
'option' => 'forwardfor',
}
} else {
- $keystone_public_tls_listen_opts = {}
+ $keystone_public_tls_listen_opts = {
+ 'option' => [ 'httpchk GET /v3', ],
+ }
}
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
@@ -886,7 +904,7 @@ class tripleo::haproxy (
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
+ listen_options => merge($default_listen_options, $keystone_public_tls_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -901,11 +919,6 @@ class tripleo::haproxy (
ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
server_names => hiera('neutron_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[neutron_api_ssl_port],
service_network => $neutron_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -920,11 +933,6 @@ class tripleo::haproxy (
ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
server_names => hiera('cinder_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[cinder_api_ssl_port],
service_network => $cinder_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -939,11 +947,6 @@ class tripleo::haproxy (
ip_addresses => hiera('congress_node_ips', $controller_hosts_real),
server_names => hiera('congress_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[congress_api_ssl_port],
service_network => $congress_network,
}
@@ -957,11 +960,6 @@ class tripleo::haproxy (
ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
server_names => hiera('manila_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[manila_api_ssl_port],
service_network => $manila_network,
}
@@ -987,11 +985,6 @@ class tripleo::haproxy (
ip_addresses => hiera('tacker_node_ips', $controller_hosts_real),
server_names => hiera('tacker_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[tacker_api_ssl_port],
service_network => $tacker_network,
}
@@ -1018,11 +1011,7 @@ class tripleo::haproxy (
server_names => hiera('glance_api_node_names', $controller_hosts_names_real),
public_ssl_port => $ports[glance_api_ssl_port],
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}),
service_network => $glance_api_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
}
@@ -1037,11 +1026,6 @@ class tripleo::haproxy (
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => hiera('nova_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[nova_api_ssl_port],
service_network => $nova_osapi_network,
#member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1057,11 +1041,6 @@ class tripleo::haproxy (
ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real),
server_names => hiera('nova_placement_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[nova_placement_ssl_port],
service_network => $nova_placement_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1074,6 +1053,9 @@ class tripleo::haproxy (
service_port => $ports[nova_metadata_port],
ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real),
+ listen_options => {
+ 'option' => [ 'httpchk', ],
+ },
service_network => $nova_metadata_network,
}
}
@@ -1085,10 +1067,11 @@ class tripleo::haproxy (
service_port => $ports[nova_novnc_port],
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => hiera('nova_api_node_names', $controller_hosts_names_real),
- listen_options => {
+ listen_options => merge($default_listen_options, {
+ 'option' => [ 'tcpka' ],
'balance' => 'source',
'timeout' => [ 'tunnel 1h' ],
- },
+ }),
public_ssl_port => $ports[nova_novnc_ssl_port],
service_network => $nova_novncproxy_network,
}
@@ -1102,11 +1085,6 @@ class tripleo::haproxy (
ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real),
server_names => hiera('ec2_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[ec2_api_ssl_port],
service_network => $ec2_api_network,
}
@@ -1130,11 +1108,6 @@ class tripleo::haproxy (
ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[ceilometer_api_ssl_port],
service_network => $ceilometer_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1149,11 +1122,6 @@ class tripleo::haproxy (
ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
server_names => hiera('aodh_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[aodh_api_ssl_port],
service_network => $aodh_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1167,11 +1135,6 @@ class tripleo::haproxy (
service_port => $ports[panko_api_port],
ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real),
server_names => hiera('panko_api_node_names', $controller_hosts_names_real),
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[panko_api_ssl_port],
service_network => $panko_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1199,11 +1162,6 @@ class tripleo::haproxy (
ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real),
mode => 'http',
- listen_options => {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
- },
public_ssl_port => $ports[gnocchi_api_ssl_port],
service_network => $gnocchi_network,
member_options => union($haproxy_member_options, $internal_tls_member_options),
@@ -1224,6 +1182,7 @@ class tripleo::haproxy (
if $swift_proxy_server {
$swift_proxy_server_listen_options = {
+ 'option' => [ 'httpchk GET /healthcheck', ],
'timeout client' => '2m',
'timeout server' => '2m',
}
@@ -1242,17 +1201,17 @@ class tripleo::haproxy (
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
- $heat_base_options = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
+ $heat_timeout_options = {
+ 'timeout client' => '10m',
+ 'timeout server' => '10m',
+ }
if $service_certificate {
$heat_ssl_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
}
- $heat_options = merge($heat_base_options, $heat_ssl_options)
+ $heat_options = merge($default_listen_options, $heat_ssl_options, $heat_timeout_options)
} else {
- $heat_options = $heat_base_options
+ $heat_options = merge($default_listen_options, $heat_timeout_options)
}
if $heat_api {
@@ -1408,19 +1367,16 @@ class tripleo::haproxy (
}
if $etcd {
- haproxy::listen { 'etcd':
- bind => $etcd_bind_opts,
- options => {
+ ::tripleo::haproxy::endpoint { 'etcd':
+ internal_ip => hiera('etcd_vip', $controller_virtual_ip),
+ service_port => $ports[etcd_port],
+ ip_addresses => hiera('etcd_node_ips', $controller_hosts_real),
+ server_names => hiera('etcd_node_names', $controller_hosts_names_real),
+ service_network => $etcd_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
+ listen_options => {
'balance' => 'source',
- },
- collect_exported => false,
- }
- haproxy::balancermember { 'etcd':
- listening_service => 'etcd',
- ports => '2379',
- ipaddresses => hiera('etcd_node_ips', $controller_hosts_real),
- server_names => hiera('etcd_node_names', $controller_hosts_names_real),
- options => $haproxy_member_options,
+ }
}
}
@@ -1515,6 +1471,7 @@ class tripleo::haproxy (
server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real),
public_ssl_port => $ports[ceph_rgw_ssl_port],
service_network => $ceph_rgw_network,
+ listen_options => merge($default_listen_options, { 'option' => [ 'httpchk HEAD /' ] }),
}
}
@@ -1648,6 +1605,10 @@ class tripleo::haproxy (
ip_addresses => hiera('contrail_config_node_ips'),
server_names => hiera('contrail_config_node_ips'),
public_ssl_port => $ports[contrail_webui_https_port],
+ listen_options => {
+ 'balance' => 'source',
+ 'hash-type' => 'consistent',
+ }
}
}
}