Diffstat (limited to 'manifests/haproxy.pp')
-rw-r--r--manifests/haproxy.pp50
1 files changed, 50 insertions, 0 deletions
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index e345013..02dddf1 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -106,6 +106,11 @@
# flag is set.
# Defaults to {}
#
+# [*enable_internal_tls*]
+# A flag that indicates if the servers in the internal network are using TLS.
+# This enables the 'ssl' option for the server members that are proxied.
+# Defaults to hiera('enable_internal_tls', false)
+#
# [*ssl_cipher_suite*]
# The default string describing the list of cipher algorithms ("cipher suite")
# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
@@ -225,6 +230,10 @@
# (optional) Enable or not RabbitMQ binding
# Defaults to false
#
+# [*docker_registry*]
+# (optional) Enable or not the Docker Registry API binding
+# Defaults to hiera('enable_docker_registry', false)
+#
# [*redis*]
# (optional) Enable or not Redis binding
# Defaults to hiera('redis_enabled', false)
@@ -274,6 +283,10 @@
# (optional) Specify the network cinder is running on.
# Defaults to hiera('cinder_api_network', undef)
#
+# [*docker_registry_network*]
+# (optional) Specify the network docker-registry is running on.
+# Defaults to hiera('docker_registry_network', undef)
+#
# [*glance_api_network*]
# (optional) Specify the network glance_api is running on.
# Defaults to hiera('glance_api_network', undef)
@@ -367,6 +380,8 @@
# 'ceilometer_api_ssl_port' (Defaults to 13777)
# 'cinder_api_port' (Defaults to 8776)
# 'cinder_api_ssl_port' (Defaults to 13776)
+# 'docker_registry_port' (Defaults to 8787)
+# 'docker_registry_ssl_port' (Defaults to 13787)
# 'glance_api_port' (Defaults to 9292)
# 'glance_api_ssl_port' (Defaults to 13292)
# 'glance_registry_port' (Defaults to 9191)
@@ -431,6 +446,7 @@ class tripleo::haproxy (
$service_certificate = undef,
$use_internal_certificates = false,
$internal_certificates_specs = {},
+ $enable_internal_tls = hiera('enable_internal_tls', false),
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
$haproxy_stats_certificate = undef,
@@ -460,6 +476,7 @@ class tripleo::haproxy (
$mysql = hiera('mysql_enabled', false),
$mysql_clustercheck = false,
$rabbitmq = false,
+ $docker_registry = hiera('enable_docker_registry', false),
$redis = hiera('redis_enabled', false),
$redis_password = undef,
$midonet_api = false,
@@ -472,6 +489,7 @@ class tripleo::haproxy (
$ceilometer_network = hiera('ceilometer_api_network', undef),
$ceph_rgw_network = hiera('ceph_rgw_network', undef),
$cinder_network = hiera('cinder_api_network', undef),
+ $docker_registry_network = hiera('docker_registry_network', undef),
$glance_api_network = hiera('glance_api_network', undef),
$glance_registry_network = hiera('glance_registry_network', undef),
$gnocchi_network = hiera('gnocchi_api_network', undef),
@@ -501,6 +519,8 @@ class tripleo::haproxy (
ceilometer_api_ssl_port => 13777,
cinder_api_port => 8776,
cinder_api_ssl_port => 13776,
+ docker_registry_port => 8787,
+ docker_registry_ssl_port => 13787,
glance_api_port => 9292,
glance_api_ssl_port => 13292,
glance_registry_port => 9191,
@@ -548,6 +568,13 @@ class tripleo::haproxy (
}
$ports = merge($default_service_ports, $service_ports)
+ if $enable_internal_tls {
+ # TODO(jaosorior): change verify none to verify required.
+ $internal_tls_member_options = ['ssl', 'verify none']
+ } else {
+ $internal_tls_member_options = []
+ }
+
$controller_hosts_real = any2array(split($controller_hosts, ','))
if ! $controller_hosts_names {
$controller_hosts_names_real = $controller_hosts_real
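Review bot: `verify none` in the new `$internal_tls_member_options = ['ssl', 'verify none']` line means haproxy encrypts the hop to each backend but never checks the backend's certificate, so with `enable_internal_tls` the proxied server is not authenticated; the TODO records the intended change but not this consequence. The parameter documentation in the first hunk only says the servers "are using TLS", which a reader may take to include verification. Suggest widening the comment to `# TODO(jaosorior): change 'verify none' to 'verify required' once a ca-file for the internal CA is wired in; until then backend certificates are not checked.` so the gap is visible where the option is set. An `$internal_tls_verify`-style parameter defaulting to the current value would also let deployments that already ship the CA opt in without waiting for the TODO.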
@@ -639,6 +666,10 @@ class tripleo::haproxy (
'maxconn' => $haproxy_global_maxconn,
'ssl-default-bind-ciphers' => $ssl_cipher_suite,
'ssl-default-bind-options' => $ssl_options,
+ 'stats' => [
+ 'socket /var/run/haproxy.sock mode 600 level user',
+ 'timeout 2m'
+ ],
},
defaults_options => {
'mode' => 'tcp',
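Review bot: The new `'stats' => [` entry is the only hard-coded path among the global options, and nothing in the hunk says why the runtime socket is being enabled or what `level user` grants. A comment above it such as `# Runtime API socket, readable only by the haproxy user (mode 600); 'level user' limits it to read-only stats, no admin commands.` would make the restricted access level read as deliberate rather than incidental. If another component is expected to consume the socket, naming it there (or exposing the path as a class parameter like the other global tunables) would help the next reader. The enclosing `global_options` hash starts before this hunk.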
@@ -687,6 +718,7 @@ class tripleo::haproxy (
},
public_ssl_port => $ports[keystone_admin_api_ssl_port],
service_network => $keystone_admin_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
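Review bot: `member_options => union($haproxy_member_options, $internal_tls_member_options)` is added only to the keystone_admin endpoint here and to keystone_public in the next hunk; every other endpoint, including the docker-registry one introduced later in this change, keeps plain members, so `enable_internal_tls` currently affects keystone alone. If that staging is intentional it should be stated where the flag is documented, since the first hunk describes it as applying to "the servers in the internal network", e.g. `# Currently applied only to the keystone endpoints; other services are wired in as they gain internal TLS support.` The enclosing endpoint resource starts before this hunk.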
@@ -716,6 +748,7 @@ class tripleo::haproxy (
listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts),
public_ssl_port => $ports[keystone_public_api_ssl_port],
service_network => $keystone_public_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
@@ -912,12 +945,17 @@ class tripleo::haproxy (
}
if $swift_proxy_server {
+ $swift_proxy_server_listen_options = {
+ 'timeout client' => '2m',
+ 'timeout server' => '2m',
+ }
::tripleo::haproxy::endpoint { 'swift_proxy_server':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip),
service_port => $ports[swift_proxy_port],
ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
server_names => hiera('swift_proxy_node_names', $controller_hosts_names_real),
+ listen_options => $swift_proxy_server_listen_options,
public_ssl_port => $ports[swift_proxy_ssl_port],
service_network => $swift_proxy_server_network,
}
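Review bot: The 2m client/server timeouts in the new `$swift_proxy_server_listen_options` hash override whatever `defaults_options` sets, but the hunk gives no reason for the value, and it is a literal rather than a class parameter like the other tunables here. A one-line comment above the hash stating the motivation (presumably long-running large-object transfers, which should be confirmed) would stop the next person from "normalising" it back to the default. The enclosing `if $swift_proxy_server` block ends inside the hunk but the class continues beyond it.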
@@ -1070,6 +1108,18 @@ class tripleo::haproxy (
}
}
+ if $docker_registry {
+ ::tripleo::haproxy::endpoint { 'docker-registry':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('docker_registry_vip', $controller_virtual_ip),
+ service_port => $ports[docker_registry_port],
+ ip_addresses => hiera('docker_registry_node_ips', $controller_hosts_real),
+ server_names => hiera('docker_registry_node_names', $controller_hosts_names_real),
+ public_ssl_port => $ports[docker_registry_ssl_port],
+ service_network => $docker_registry_network,
+ }
+ }
+
if $redis {
if $redis_password {
$redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
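Review bot: The new resource title `'docker-registry'` uses a hyphen while the neighbouring endpoint title `'swift_proxy_server'`, the parameters `$docker_registry` / `$docker_registry_network` and the hiera keys `docker_registry_vip` / `docker_registry_node_ips` all use underscores. Since the title becomes the haproxy listen name, it is worth settling on one form before it is referenced by monitoring or further hiera keys, e.g. `::tripleo::haproxy::endpoint { 'docker_registry':`. The `if $redis` block at the end of the hunk continues outside it.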