aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/haproxy.pp
diff options
context:
space:
mode:
Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r--manifests/haproxy.pp120
1 files changed, 97 insertions, 23 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 2f3f062..cc21e37 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -117,6 +117,11 @@
# String that sets the default ssl options to force on all "bind" lines.
# Defaults to 'no-sslv3'
#
+# [*ca_bundle*]
+# Path to the CA bundle to be used for HAProxy to validate the certificates of
+# the servers it balances
+# Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
+#
# [*haproxy_stats_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the haproxy stats endpoint using the specified file.
@@ -162,6 +167,10 @@
# (optional) Enable or not Nova API binding
# Defaults to hiera('nova_api_enabled', false)
#
+# [*nova_placement*]
+# (optional) Enable or not Nova Placement API binding
+# Defaults to hiera('nova_placement_enabled', false)
+#
# [*nova_metadata*]
# (optional) Enable or not Nova metadata binding
# Defaults to hiera('nova_api_enabled', false)
@@ -271,6 +280,10 @@
# (optional) Enable or not OpenDaylight binding
# Defaults to hiera('opendaylight_api_enabled', false)
#
+# [*ovn_dbs*]
+# (optional) Enable or not OVN northd binding
+# Defaults to hiera('ovn_dbs_enabled', false)
+#
# [*zaqar_ws*]
# (optional) Enable or not Zaqar Websockets binding
# Defaults to false
@@ -375,6 +388,10 @@
# (optional) Specify the network panko is running on.
# Defaults to hiera('panko_api_network', undef)
#
+# [*ovn_dbs_network*]
+# (optional) Specify the network ovn_dbs is running on.
+# Defaults to hiera('ovn_dbs_network', undef)
+#
# [*sahara_network*]
# (optional) Specify the network sahara is running on.
# Defaults to hiera('sahara_api_network', undef)
@@ -431,11 +448,16 @@
# 'neutron_api_ssl_port' (Defaults to 13696)
# 'nova_api_port' (Defaults to 8774)
# 'nova_api_ssl_port' (Defaults to 13774)
+# 'nova_placement_port' (Defaults to 8778)
+# 'nova_placement_ssl_port' (Defaults to 13778)
# 'nova_metadata_port' (Defaults to 8775)
# 'nova_novnc_port' (Defaults to 6080)
# 'nova_novnc_ssl_port' (Defaults to 13080)
+# 'opendaylight_api_port' (Defaults to 8081)
# 'panko_api_port' (Defaults to 8779)
# 'panko_api_ssl_port' (Defaults to 13779)
+# 'ovn_nbdb_port' (Defaults to 6641)
+# 'ovn_sbdb_port' (Defaults to 6642)
# 'sahara_api_port' (Defaults to 8386)
# 'sahara_api_ssl_port' (Defaults to 13386)
# 'swift_proxy_port' (Defaults to 8080)
@@ -472,6 +494,7 @@ class tripleo::haproxy (
$enable_internal_tls = hiera('enable_internal_tls', false),
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
+ $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
$haproxy_stats_certificate = undef,
$keystone_admin = hiera('keystone_enabled', false),
$keystone_public = hiera('keystone_enabled', false),
@@ -483,6 +506,7 @@ class tripleo::haproxy (
$glance_api = hiera('glance_api_enabled', false),
$glance_registry = hiera('glance_registry_enabled', false),
$nova_osapi = hiera('nova_api_enabled', false),
+ $nova_placement = hiera('nova_placement_enabled', false),
$nova_metadata = hiera('nova_api_enabled', false),
$nova_novncproxy = hiera('nova_vnc_proxy_enabled', false),
$ceilometer = hiera('ceilometer_api_enabled', false),
@@ -509,6 +533,7 @@ class tripleo::haproxy (
$zaqar_api = hiera('zaqar_api_enabled', false),
$ceph_rgw = hiera('ceph_rgw_enabled', false),
$opendaylight = hiera('opendaylight_api_enabled', false),
+ $ovn_dbs = hiera('ovn_dbs_enabled', false),
$zaqar_ws = hiera('zaqar_api_enabled', false),
$ui = hiera('enable_ui', false),
$aodh_network = hiera('aodh_api_network', undef),
@@ -534,6 +559,7 @@ class tripleo::haproxy (
$nova_novncproxy_network = hiera('nova_vnc_proxy_network', undef),
$nova_osapi_network = hiera('nova_api_network', undef),
$panko_network = hiera('panko_api_network', undef),
+ $ovn_dbs_network = hiera('ovn_dbs_network', undef),
$sahara_network = hiera('sahara_api_network', undef),
$swift_proxy_server_network = hiera('swift_proxy_network', undef),
$trove_network = hiera('trove_api_network', undef),
@@ -574,15 +600,21 @@ class tripleo::haproxy (
keystone_public_api_ssl_port => 13000,
manila_api_port => 8786,
manila_api_ssl_port => 13786,
+ midonet_cluster_port => 8181,
neutron_api_port => 9696,
neutron_api_ssl_port => 13696,
nova_api_port => 8774,
nova_api_ssl_port => 13774,
+ nova_placement_port => 8778,
+ nova_placement_ssl_port => 13778,
nova_metadata_port => 8775,
nova_novnc_port => 6080,
nova_novnc_ssl_port => 13080,
+ opendaylight_api_port => 8081,
panko_api_port => 8779,
panko_api_ssl_port => 13779,
+ ovn_nbdb_port => 6641,
+ ovn_sbdb_port => 6642,
sahara_api_port => 8386,
sahara_api_ssl_port => 13386,
swift_proxy_port => 8080,
@@ -601,8 +633,7 @@ class tripleo::haproxy (
$ports = merge($default_service_ports, $service_ports)
if $enable_internal_tls {
- # TODO(jaosorior): change verify none to verify required.
- $internal_tls_member_options = ['ssl', 'verify none']
+ $internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
} else {
$internal_tls_member_options = []
}
@@ -906,6 +937,26 @@ class tripleo::haproxy (
}
}
+ $nova_placement_vip = hiera('nova_placement_vip', $controller_virtual_ip)
+ if $nova_placement {
+ ::tripleo::haproxy::endpoint { 'nova_placement':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $nova_placement_vip,
+ service_port => $ports[nova_placement_port],
+ ip_addresses => hiera('nova_placement_node_ips', $controller_hosts_real),
+ server_names => hiera('nova_placement_node_names', $controller_hosts_names_real),
+ mode => 'http',
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
+ public_ssl_port => $ports[nova_placement_ssl_port],
+ service_network => $nova_osapi_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
+ }
+ }
+
if $nova_metadata {
::tripleo::haproxy::endpoint { 'nova_metadata':
internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip),
@@ -1245,10 +1296,10 @@ class tripleo::haproxy (
}
}
- $midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip)
+ $midonet_cluster_vip = hiera('midonet_cluster_vip', $controller_virtual_ip)
$midonet_bind_opts = {
- "${midonet_api_vip}:8081" => [],
- "${public_virtual_ip}:8081" => [],
+ "${midonet_cluster_vip}:${ports[midonet_cluster_port]}" => [],
+ "${public_virtual_ip}:${ports[midonet_cluster_port]}" => [],
}
if $midonet_api {
@@ -1258,7 +1309,7 @@ class tripleo::haproxy (
}
haproxy::balancermember { 'midonet_api':
listening_service => 'midonet_api',
- ports => '8081',
+ ports => $ports[midonet_cluster_port],
ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real),
server_names => hiera('midonet_api_node_names', $controller_hosts_names_real),
options => $haproxy_member_options,
@@ -1289,26 +1340,49 @@ class tripleo::haproxy (
}
}
- $opendaylight_api_vip = hiera('opendaylight_api_vip', $controller_virtual_ip)
- $opendaylight_bind_opts = {
- "${opendaylight_api_vip}:8081" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8081" => $haproxy_listen_bind_param,
- }
-
if $opendaylight {
- haproxy::listen { 'opendaylight':
- bind => $opendaylight_bind_opts,
- options => {
+ ::tripleo::haproxy::endpoint { 'opendaylight':
+ internal_ip => unique([hiera('opendaylight_api_vip', $controller_virtual_ip), $controller_virtual_ip]),
+ service_port => $ports[opendaylight_api_port],
+ ip_addresses => hiera('opendaylight_api_node_ips', $controller_hosts_real),
+ server_names => hiera('opendaylight_api_node_names', $controller_hosts_names_real),
+ mode => 'http',
+ listen_options => {
'balance' => 'source',
},
- collect_exported => false,
}
- haproxy::balancermember { 'opendaylight':
- listening_service => 'opendaylight',
- ports => '8081',
- ipaddresses => hiera('opendaylight_api_node_ips', $controller_hosts_real),
- server_names => hiera('opendaylight_api_node_names', $controller_hosts_names_real),
- options => ['check', 'inter 2000', 'rise 2', 'fall 5'],
+ }
+
+
+ if $ovn_dbs {
+ # FIXME: is this config enough to ensure we only hit the first node in
+ # ovn_northd_node_ips ?
+ $ovn_db_listen_options = {
+ 'option' => [ 'tcpka' ],
+ 'timeout client' => '90m',
+ 'timeout server' => '90m',
+ 'stick-table' => 'type ip size 1000',
+ 'stick' => 'on dst',
+ }
+ ::tripleo::haproxy::endpoint { 'ovn_nbdb':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('ovn_dbs_vip', $controller_virtual_ip),
+ service_port => $ports[ovn_nbdb_port],
+ ip_addresses => hiera('ovn_dbs_node_ips', $controller_hosts_real),
+ server_names => hiera('ovn_dbs_node_names', $controller_hosts_names_real),
+ service_network => $ovn_dbs_network,
+ listen_options => $ovn_db_listen_options,
+ mode => 'tcp'
+ }
+ ::tripleo::haproxy::endpoint { 'ovn_sbdb':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('ovn_dbs_vip', $controller_virtual_ip),
+ service_port => $ports[ovn_sbdb_port],
+ ip_addresses => hiera('ovn_dbs_node_ips', $controller_hosts_real),
+ server_names => hiera('ovn_dbs_node_names', $controller_hosts_names_real),
+ service_network => $ovn_dbs_network,
+ listen_options => $ovn_db_listen_options,
+ mode => 'tcp'
}
}
@@ -1325,7 +1399,7 @@ class tripleo::haproxy (
# NOTE(jaosorior): Websockets have more overhead in establishing
# connections than regular HTTP connections. Also, since it begins
# as an HTTP connection and then "upgrades" to a TCP connection, some
- # timeouts get overriden by others at certain times of the connection.
+ # timeouts get overridden by others at certain times of the connection.
# The following values were taken from the following site:
# http://blog.haproxy.com/2012/11/07/websockets-load-balancing-with-haproxy/
'timeout' => ['connect 5s', 'client 25s', 'server 25s', 'tunnel 3600s'],