Diffstat (limited to 'manifests/loadbalancer.pp')
-rw-r--r--manifests/loadbalancer.pp957
1 files changed, 371 insertions, 586 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 2690a6e..e91e611 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -103,79 +103,40 @@
# A string.
# Defaults to false
#
-# [*service_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the public API endpoints using the specified file.
-# Any service-specific certificates take precedence over this one.
-# Defaults to undef
-#
-# [*keystone_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Keystone public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*neutron_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Neutron public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*cinder_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Cinder public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*manila_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Manila public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*glance_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Glance public API endpoint using the specified file.
-# Defaults to undef
+# [*haproxy_stats_user*]
+# Username for haproxy stats authentication.
+# A string.
+# Defaults to 'admin'
#
-# [*nova_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Nova public API endpoint using the specified file.
+# [*haproxy_stats_password*]
+# Password for haproxy stats authentication. When set, authentication is
+# enabled on the haproxy stats endpoint.
+# A string.
# Defaults to undef
#
-# [*ceilometer_certificate*]
+# [*service_certificate*]
# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Ceilometer public API endpoint using the specified file.
+# When set, enables SSL on the public API endpoints using the specified file.
# Defaults to undef
#
-# [*aodh_certificate*]
+# [*internal_certificate*]
# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Aodh public API endpoint using the specified file.
-#
-# [*sahara_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Sahara public API endpoint using the specified file.
+# When set, enables SSL on the internal API endpoints using the specified file.
# Defaults to undef
#
-# [*trove_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Trove public API endpoint using the specified file.
-# Defaults to undef
+# [*ssl_cipher_suite*]
+# The default string describing the list of cipher algorithms ("cipher suite")
+# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
+# value comes from the Fedora system crypto policy.
+# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
#
-# [*swift_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Swift public API endpoint using the specified file.
-# Defaults to undef
+# [*ssl_options*]
+# String that sets the default ssl options to force on all "bind" lines.
+# Defaults to 'no-sslv3'
#
-# [*heat_certificate*]
+# [*haproxy_stats_certificate*]
# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Heat public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*horizon_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Horizon public API endpoint using the specified file.
-# Defaults to undef
-#
-# [*ironic_certificate*]
-# Filename of an HAProxy-compatible certificate and key file
-# When set, enables SSL on the Ironic public API endpoint using the specified file.
+# When set, enables SSL on the haproxy stats endpoint using the specified file.
# Defaults to undef
#
# [*keystone_admin*]
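Review bot: The new `haproxy_stats_password` entry does not say that the credentials are only protected when `haproxy_stats_certificate` is also set. A later hunk binds the stats listener on port 1993 without `ssl` when no certificate is given, so the `auth user:password` pair would travel as HTTP basic auth in clear text. I would add a line to the entry such as `# Without haproxy_stats_certificate the stats endpoint is plain HTTP and these credentials are sent unencrypted.`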
@@ -238,6 +199,10 @@
# (optional) Enable or not Aodh API binding
# Defaults to false
#
+# [*gnocchi*]
+# (optional) Enable or not Gnocchi API binding
+# Defaults to false
+#
# [*swift_proxy_server*]
# (optional) Enable or not Swift API binding
# Defaults to false
@@ -278,10 +243,60 @@
# (optional) Enable or not Redis binding
# Defaults to false
#
+# [*redis_password*]
+# (optional) Password for Redis authentication, eventually needed by the
+# specific monitoring we do from HAProxy for Redis
+# Defaults to undef
+#
# [*midonet_api*]
# (optional) Enable or not MidoNet API binding
# Defaults to false
#
+# [*service_ports*]
+# (optional) Hash that contains the values to override from the service ports
+# The available keys to modify the services' ports are:
+# 'aodh_api_port' (Defaults to 8042)
+# 'aodh_api_ssl_port' (Defaults to 13042)
+# 'ceilometer_api_port' (Defaults to 8777)
+# 'ceilometer_api_ssl_port' (Defaults to 13777)
+# 'cinder_api_port' (Defaults to 8776)
+# 'cinder_api_ssl_port' (Defaults to 13776)
+# 'glance_api_port' (Defaults to 9292)
+# 'glance_api_ssl_port' (Defaults to 13292)
+# 'glance_registry_port' (Defaults to 9191)
+# 'gnocchi_api_port' (Defaults to 8041)
+# 'gnocchi_api_ssl_port' (Defaults to 13041)
+# 'heat_api_port' (Defaults to 8004)
+# 'heat_api_ssl_port' (Defaults to 13004)
+# 'heat_cfn_port' (Defaults to 8000)
+# 'heat_cfn_ssl_port' (Defaults to 13800)
+# 'heat_cw_port' (Defaults to 8003)
+# 'heat_cw_ssl_port' (Defaults to 13003)
+# 'ironic_api_port' (Defaults to 6385)
+# 'ironic_api_ssl_port' (Defaults to 13385)
+# 'keystone_admin_api_port' (Defaults to 35357)
+# 'keystone_admin_api_ssl_port' (Defaults to 13357)
+# 'keystone_public_api_port' (Defaults to 5000)
+# 'keystone_public_api_ssl_port' (Defaults to 13000)
+# 'manila_api_port' (Defaults to 8786)
+# 'manila_api_ssl_port' (Defaults to 13786)
+# 'neutron_api_port' (Defaults to 9696)
+# 'neutron_api_ssl_port' (Defaults to 13696)
+# 'nova_api_port' (Defaults to 8774)
+# 'nova_api_ssl_port' (Defaults to 13774)
+# 'nova_ec2_port' (Defaults to 8773)
+# 'nova_ec2_ssl_port' (Defaults to 13773)
+# 'nova_metadata_port' (Defaults to 8775)
+# 'nova_novnc_port' (Defaults to 6080)
+# 'nova_novnc_ssl_port' (Defaults to 13080)
+# 'sahara_api_port' (Defaults to 8386)
+# 'sahara_api_ssl_port' (Defaults to 13386)
+# 'swift_proxy_port' (Defaults to 8080)
+# 'swift_proxy_ssl_port' (Defaults to 13808)
+# 'trove_api_port' (Defaults to 8779)
+# 'trove_api_ssl_port' (Defaults to 13779)
+# Defaults to {}
+#
class tripleo::loadbalancer (
$controller_virtual_ip,
$control_virtual_interface,
@@ -298,24 +313,16 @@ class tripleo::loadbalancer (
$haproxy_listen_bind_param = [ 'transparent' ],
$haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
$haproxy_log_address = '/dev/log',
+ $haproxy_stats_user = 'admin',
+ $haproxy_stats_password = undef,
$controller_host = undef,
$controller_hosts = undef,
$controller_hosts_names = undef,
$service_certificate = undef,
- $keystone_certificate = undef,
- $neutron_certificate = undef,
- $cinder_certificate = undef,
- $sahara_certificate = undef,
- $trove_certificate = undef,
- $manila_certificate = undef,
- $glance_certificate = undef,
- $nova_certificate = undef,
- $ceilometer_certificate = undef,
- $aodh_certificate = undef,
- $swift_certificate = undef,
- $heat_certificate = undef,
- $horizon_certificate = undef,
- $ironic_certificate = undef,
+ $internal_certificate = undef,
+ $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
+ $ssl_options = 'no-sslv3',
+ $haproxy_stats_certificate = undef,
$keystone_admin = false,
$keystone_public = false,
$neutron = false,
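Review bot: The default `$ssl_cipher_suite` still admits RSA key exchange (`kRSA`, no forward secrecy) and keeps 3DES as a fallback (`+3DES` only moves it to the end of the list), while `$ssl_options = 'no-sslv3'` leaves TLS 1.0 enabled. These values become the global `ssl-default-bind-ciphers` and `ssl-default-bind-options` in the `class { '::haproxy':` hunk further down, so every TLS bind inherits them. If the deployed HAProxy and the expected clients allow it, a tighter default such as `$ssl_options = 'no-sslv3 no-tlsv10'` with `+3DES` removed would be preferable; otherwise the parameter docs should say the defaults favour compatibility. Dropping the fourteen per-service `*_certificate` parameters will presumably also break callers that still pass them, which deserves a release note.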
@@ -331,6 +338,7 @@ class tripleo::loadbalancer (
$nova_novncproxy = false,
$ceilometer = false,
$aodh = false,
+ $gnocchi = false,
$swift_proxy_server = false,
$heat_api = false,
$heat_cloudwatch = false,
@@ -341,8 +349,53 @@ class tripleo::loadbalancer (
$mysql_clustercheck = false,
$rabbitmq = false,
$redis = false,
+ $redis_password = undef,
$midonet_api = false,
+ $service_ports = {}
) {
+ $default_service_ports = {
+ aodh_api_port => 8042,
+ aodh_api_ssl_port => 13042,
+ ceilometer_api_port => 8777,
+ ceilometer_api_ssl_port => 13777,
+ cinder_api_port => 8776,
+ cinder_api_ssl_port => 13776,
+ glance_api_port => 9292,
+ glance_api_ssl_port => 13292,
+ glance_registry_port => 9191,
+ gnocchi_api_port => 8041,
+ gnocchi_api_ssl_port => 13041,
+ heat_api_port => 8004,
+ heat_api_ssl_port => 13004,
+ heat_cfn_port => 8000,
+ heat_cfn_ssl_port => 13800,
+ heat_cw_port => 8003,
+ heat_cw_ssl_port => 13003,
+ ironic_api_port => 6385,
+ ironic_api_ssl_port => 13385,
+ keystone_admin_api_port => 35357,
+ keystone_admin_api_ssl_port => 13357,
+ keystone_public_api_port => 5000,
+ keystone_public_api_ssl_port => 13000,
+ manila_api_port => 8786,
+ manila_api_ssl_port => 13786,
+ neutron_api_port => 9696,
+ neutron_api_ssl_port => 13696,
+ nova_api_port => 8774,
+ nova_api_ssl_port => 13774,
+ nova_ec2_port => 8773,
+ nova_ec2_ssl_port => 13773,
+ nova_metadata_port => 8775,
+ nova_novnc_port => 6080,
+ nova_novnc_ssl_port => 13080,
+ sahara_api_port => 8386,
+ sahara_api_ssl_port => 13386,
+ swift_proxy_port => 8080,
+ swift_proxy_ssl_port => 13808,
+ trove_api_port => 8779,
+ trove_api_ssl_port => 13779,
+ }
+ $ports = merge($default_service_ports, $service_ports)
if !$controller_host and !$controller_hosts {
fail('$controller_hosts or $controller_host (now deprecated) is a mandatory parameter')
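Review bot: `$service_ports` goes straight into `merge($default_service_ports, $service_ports)` and nothing checks its keys or values. A misspelled key (constructed example: `keystone_public_port`) is accepted silently and the service keeps its default port, and a non-numeric value would end up in a bind address. Adding `validate_hash($service_ports)` before the merge, and ideally a `fail()` on keys that are not present in `$default_service_ports`, would surface such mistakes at catalog compilation instead of as a listener on an unexpected port. The class body continues outside this hunk.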
@@ -402,7 +455,7 @@ class tripleo::loadbalancer (
}
- if $internal_api_virtual_ip and $internal_api_virtual_ip != $control_virtual_interface {
+ if $internal_api_virtual_ip and $internal_api_virtual_ip != $controller_virtual_ip {
$internal_api_virtual_interface = interface_for_ip($internal_api_virtual_ip)
# KEEPALIVE INTERNAL API NETWORK
keepalived::instance { '53':
@@ -414,7 +467,7 @@ class tripleo::loadbalancer (
}
}
- if $storage_virtual_ip and $storage_virtual_ip != $control_virtual_interface {
+ if $storage_virtual_ip and $storage_virtual_ip != $controller_virtual_ip {
$storage_virtual_interface = interface_for_ip($storage_virtual_ip)
# KEEPALIVE STORAGE NETWORK
keepalived::instance { '54':
@@ -426,7 +479,7 @@ class tripleo::loadbalancer (
}
}
- if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $control_virtual_interface {
+ if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $controller_virtual_ip {
$storage_mgmt_virtual_interface = interface_for_ip($storage_mgmt_virtual_ip)
# KEEPALIVE STORAGE MANAGEMENT NETWORK
keepalived::instance { '55':
@@ -440,312 +493,51 @@ class tripleo::loadbalancer (
}
- if $keystone_certificate {
- $keystone_bind_certificate = $keystone_certificate
- } else {
- $keystone_bind_certificate = $service_certificate
- }
- if $neutron_certificate {
- $neutron_bind_certificate = $neutron_certificate
- } else {
- $neutron_bind_certificate = $service_certificate
- }
- if $cinder_certificate {
- $cinder_bind_certificate = $cinder_certificate
- } else {
- $cinder_bind_certificate = $service_certificate
- }
- if $sahara_certificate {
- $sahara_bind_certificate = $sahara_certificate
- } else {
- $sahara_bind_certificate = $service_certificate
- }
- if $trove_certificate {
- $trove_bind_certificate = $trove_certificate
- } else {
- $trove_bind_certificate = $trove_certificate
- }
- if $manila_certificate {
- $manila_bind_certificate = $manila_certificate
- } else {
- $manila_bind_certificate = $service_certificate
- }
- if $glance_certificate {
- $glance_bind_certificate = $glance_certificate
- } else {
- $glance_bind_certificate = $service_certificate
- }
- if $nova_certificate {
- $nova_bind_certificate = $nova_certificate
- } else {
- $nova_bind_certificate = $service_certificate
- }
- if $ceilometer_certificate {
- $ceilometer_bind_certificate = $ceilometer_certificate
- } else {
- $ceilometer_bind_certificate = $service_certificate
- }
- if $aodh_certificate {
- $aodh_bind_certificate = $aodh_certificate
- } else {
- $aodh_bind_certificate = $service_certificate
- }
- if $swift_certificate {
- $swift_bind_certificate = $swift_certificate
- } else {
- $swift_bind_certificate = $service_certificate
- }
- if $heat_certificate {
- $heat_bind_certificate = $heat_certificate
- } else {
- $heat_bind_certificate = $service_certificate
- }
- if $horizon_certificate {
- $horizon_bind_certificate = $horizon_certificate
- } else {
- $horizon_bind_certificate = $service_certificate
- }
- if $ironic_certificate {
- $ironic_bind_certificate = $ironic_certificate
- } else {
- $ironic_bind_certificate = $service_certificate
- }
-
- $keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip)
- $keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip)
- if $keystone_bind_certificate {
- $keystone_public_bind_opts = {
- "${keystone_public_api_vip}:5000" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13000" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]),
- }
- $keystone_admin_bind_opts = {
- "${keystone_admin_api_vip}:35357" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13357" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]),
- }
- } else {
- $keystone_public_bind_opts = {
- "${keystone_public_api_vip}:5000" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:5000" => $haproxy_listen_bind_param,
- }
- $keystone_admin_bind_opts = {
- "${keystone_admin_api_vip}:35357" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:35357" => $haproxy_listen_bind_param,
- }
- }
-
- $neutron_api_vip = hiera('neutron_api_vip', $controller_virtual_ip)
- if $neutron_bind_certificate {
- $neutron_bind_opts = {
- "${neutron_api_vip}:9696" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13696" => union($haproxy_listen_bind_param, ['ssl', 'crt', $neutron_bind_certificate]),
- }
- } else {
- $neutron_bind_opts = {
- "${neutron_api_vip}:9696" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:9696" => $haproxy_listen_bind_param,
- }
- }
-
- $cinder_api_vip = hiera('cinder_api_vip', $controller_virtual_ip)
- if $cinder_bind_certificate {
- $cinder_bind_opts = {
- "${cinder_api_vip}:8776" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13776" => union($haproxy_listen_bind_param, ['ssl', 'crt', $cinder_bind_certificate]),
- }
- } else {
- $cinder_bind_opts = {
- "${cinder_api_vip}:8776" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8776" => $haproxy_listen_bind_param,
- }
- }
-
- $manila_api_vip = hiera('manila_api_vip', $controller_virtual_ip)
- if $manila_bind_certificate {
- $manila_bind_opts = {
- "${manila_api_vip}:8786" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13786" => union($haproxy_listen_bind_param, ['ssl', 'crt', $manila_bind_certificate]),
- }
- } else {
- $manila_bind_opts = {
- "${manila_api_vip}:8786" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8786" => $haproxy_listen_bind_param,
- }
- }
-
- $glance_api_vip = hiera('glance_api_vip', $controller_virtual_ip)
- if $glance_bind_certificate {
- $glance_bind_opts = {
- "${glance_api_vip}:9292" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13292" => union($haproxy_listen_bind_param, ['ssl', 'crt', $glance_bind_certificate]),
- }
- } else {
- $glance_bind_opts = {
- "${glance_api_vip}:9292" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:9292" => $haproxy_listen_bind_param,
- }
- }
-
- $glance_registry_vip = hiera('glance_registry_vip', $controller_virtual_ip)
- $glance_registry_bind_opts = {
- "${glance_registry_vip}:9191" => $haproxy_listen_bind_param,
- }
-
- $sahara_api_vip = hiera('sahara_api_vip', $controller_virtual_ip)
- if $sahara_bind_certificate {
- $sahara_bind_opts = {
- "${sahara_api_vip}:8386" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13786" => union($haproxy_listen_bind_param, ['ssl', 'crt', $sahara_bind_certificate]),
- }
- } else {
- $sahara_bind_opts = {
- "${sahara_api_vip}:8386" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8386" => $haproxy_listen_bind_param,
- }
- }
-
- $trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip)
- if $trove_bind_certificate {
- $trove_bind_opts = {
- "${trove_api_vip}:8779" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13779" => union($haproxy_listen_bind_param, ['ssl', 'crt', $trove_bind_certificate]),
- }
- } else {
- $trove_bind_opts = {
- "${trove_api_vip}:8779" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8779" => $haproxy_listen_bind_param,
- }
- }
-
- $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
- if $nova_bind_certificate {
- $nova_osapi_bind_opts = {
- "${nova_api_vip}:8774" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13774" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]),
- }
- $nova_ec2_bind_opts = {
- "${nova_api_vip}:8773" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13773" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]),
- }
- $nova_novnc_bind_opts = {
- "${nova_api_vip}:6080" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13080" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]),
- }
- } else {
- $nova_osapi_bind_opts = {
- "${nova_api_vip}:8774" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8774" => $haproxy_listen_bind_param,
- }
- $nova_ec2_bind_opts = {
- "${nova_api_vip}:8773" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8773" => $haproxy_listen_bind_param,
- }
- $nova_novnc_bind_opts = {
- "${nova_api_vip}:6080" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:6080" => $haproxy_listen_bind_param,
- }
- }
-
- $nova_metadata_vip = hiera('nova_metadata_vip', $controller_virtual_ip)
- $nova_metadata_bind_opts = {
- "${nova_metadata_vip}:8775" => $haproxy_listen_bind_param,
- }
-
- $ceilometer_api_vip = hiera('ceilometer_api_vip', $controller_virtual_ip)
- if $ceilometer_bind_certificate {
- $ceilometer_bind_opts = {
- "${ceilometer_api_vip}:8777" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13777" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ceilometer_bind_certificate]),
- }
- } else {
- $ceilometer_bind_opts = {
- "${ceilometer_api_vip}:8777" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8777" => $haproxy_listen_bind_param,
- }
- }
-
- $aodh_api_vip = hiera('aodh_api_vip', $controller_virtual_ip)
- if $aodh_bind_certificate {
- $aodh_bind_opts = {
- "${aodh_api_vip}:8042" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13042" => union($haproxy_listen_bind_param, ['ssl', 'crt', $aodh_bind_certificate]),
- }
- } else {
- $aodh_bind_opts = {
- "${aodh_api_vip}:8042" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8042" => $haproxy_listen_bind_param,
- }
- }
-
- $swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip)
- if $swift_bind_certificate {
- $swift_bind_opts = {
- "${swift_proxy_vip}:8080" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13808" => union($haproxy_listen_bind_param, ['ssl', 'crt', $swift_bind_certificate]),
- }
- } else {
- $swift_bind_opts = {
- "${swift_proxy_vip}:8080" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8080" => $haproxy_listen_bind_param,
- }
- }
-
- $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
- if $heat_bind_certificate {
- $heat_bind_opts = {
- "${heat_api_vip}:8004" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13004" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
- }
- $heat_options = {
- 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
- }
- $heat_cw_bind_opts = {
- "${heat_api_vip}:8003" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13003" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
- }
- $heat_cfn_bind_opts = {
- "${heat_api_vip}:8000" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13800" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]),
- }
- } else {
- $heat_bind_opts = {
- "${heat_api_vip}:8004" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8004" => $haproxy_listen_bind_param,
- }
- $heat_options = {}
- $heat_cw_bind_opts = {
- "${heat_api_vip}:8003" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8003" => $haproxy_listen_bind_param,
- }
- $heat_cfn_bind_opts = {
- "${heat_api_vip}:8000" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:8000" => $haproxy_listen_bind_param,
- }
+ # TODO(bnemec): When we have support for SSL on private and admin endpoints,
+ # have the haproxy stats endpoint use that certificate by default.
+ if $haproxy_stats_certificate {
+ $haproxy_stats_bind_certificate = $haproxy_stats_certificate
}
$horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
- if $horizon_bind_certificate {
+ if $service_certificate {
+ # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
+ # same, the first option takes precedence. Which is the case when network
+ # isolation is not enabled. This is not a problem as both options are
+ # identical. If network isolation is enabled, this works correctly and
+ # will add a TLS binding to both the horizon_vip and the
+ # public_virtual_ip.
+ # Even though for the public_virtual_ip the port 80 is listening, we
+ # redirect to https in the horizon_options below.
$horizon_bind_opts = {
- "${horizon_vip}:80" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]),
+ "${horizon_vip}:80" => $haproxy_listen_bind_param,
+ "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
+ "${public_virtual_ip}:80" => $haproxy_listen_bind_param,
+ "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
+ }
+ $horizon_options = {
+ 'cookie' => 'SERVERID insert indirect nocache',
+ 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
+ # NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
}
} else {
$horizon_bind_opts = {
"${horizon_vip}:80" => $haproxy_listen_bind_param,
"${public_virtual_ip}:80" => $haproxy_listen_bind_param,
}
+ $horizon_options = {
+ 'cookie' => 'SERVERID insert indirect nocache',
+ }
}
- $ironic_api_vip = hiera('ironic_api_vip', $controller_virtual_ip)
- if $ironic_bind_certificate {
- $ironic_bind_opts = {
- "${ironic_api_vip}:6385" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:13385" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ironic_bind_certificate]),
+ if $haproxy_stats_bind_certificate {
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
}
} else {
- $ironic_bind_opts = {
- "${ironic_api_vip}:6385" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:6385" => $haproxy_listen_bind_param,
+ $haproxy_stats_bind_opts = {
+ "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
}
}
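Review bot: The Horizon redirect `scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }` only fires when the client's Host header is literally the public VIP. A client that reaches the dashboard by DNS name (likely when the certificate is issued for a name) is not redirected and can log in over plain HTTP on `${public_virtual_ip}:80`. When the two VIPs differ, matching on the address the connection arrived on, e.g. `if { dst ${public_virtual_ip} } !{ ssl_fc }`, would not depend on what the client sends. Separately, `$haproxy_stats_bind_certificate` is assigned only inside `if $haproxy_stats_certificate` with no `else`, so the later `if $haproxy_stats_bind_certificate` reads a variable that was never set when no certificate is given; testing `$haproxy_stats_certificate` directly would avoid that.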
@@ -767,12 +559,14 @@ class tripleo::loadbalancer (
class { '::haproxy':
service_manage => $haproxy_service_manage,
global_options => {
- 'log' => "${haproxy_log_address} local0",
- 'pidfile' => '/var/run/haproxy.pid',
- 'user' => 'haproxy',
- 'group' => 'haproxy',
- 'daemon' => '',
- 'maxconn' => $haproxy_global_maxconn,
+ 'log' => "${haproxy_log_address} local0",
+ 'pidfile' => '/var/run/haproxy.pid',
+ 'user' => 'haproxy',
+ 'group' => 'haproxy',
+ 'daemon' => '',
+ 'maxconn' => $haproxy_global_maxconn,
+ 'ssl-default-bind-ciphers' => $ssl_cipher_suite,
+ 'ssl-default-bind-options' => $ssl_options,
},
defaults_options => {
'mode' => 'tcp',
@@ -783,308 +577,298 @@ class tripleo::loadbalancer (
},
}
- Haproxy::Listen {
- options => {
- 'option' => [],
- }
+ Tripleo::Loadbalancer::Endpoint {
+ haproxy_listen_bind_param => $haproxy_listen_bind_param,
+ member_options => $haproxy_member_options,
+ public_certificate => $service_certificate,
+ internal_certificate => $internal_certificate,
}
+ $stats_base = ['enable', 'uri /']
+ if $haproxy_stats_password {
+ $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
+ } else {
+ $stats_config = $stats_base
+ }
haproxy::listen { 'haproxy.stats':
- ipaddress => $controller_virtual_ip,
- ports => '1993',
+ bind => $haproxy_stats_bind_opts,
mode => 'http',
options => {
- 'stats' => ['enable', 'uri /'],
+ 'stats' => $stats_config,
},
collect_exported => false,
}
if $keystone_admin {
- haproxy::listen { 'keystone_admin':
- bind => $keystone_admin_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'keystone_admin':
- listening_service => 'keystone_admin',
- ports => '35357',
- ipaddresses => hiera('keystone_admin_api_node_ips',$controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'keystone_admin':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_admin_api_port],
+ ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
+ public_ssl_port => $ports[keystone_admin_api_ssl_port],
}
}
if $keystone_public {
- haproxy::listen { 'keystone_public':
- bind => $keystone_public_bind_opts,
- collect_exported => false,
- mode => 'http', # Needed for http-request option
- options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
- },
- }
- haproxy::balancermember { 'keystone_public':
- listening_service => 'keystone_public',
- ports => '5000',
- ipaddresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'keystone_public':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_public_api_port],
+ ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
+ public_ssl_port => $ports[keystone_public_api_ssl_port],
}
}
if $neutron {
- haproxy::listen { 'neutron':
- bind => $neutron_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'neutron':
- listening_service => 'neutron',
- ports => '9696',
- ipaddresses => hiera('neutron_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'neutron':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('neutron_api_vip', $controller_virtual_ip),
+ service_port => $ports[neutron_api_port],
+ ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[neutron_api_ssl_port],
}
}
if $cinder {
- haproxy::listen { 'cinder':
- bind => $cinder_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'cinder':
- listening_service => 'cinder',
- ports => '8776',
- ipaddresses => hiera('cinder_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'cinder':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('cinder_api_vip', $controller_virtual_ip),
+ service_port => $ports[cinder_api_port],
+ ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
+ public_ssl_port => $ports[cinder_api_ssl_port],
}
}
if $manila {
- haproxy::listen { 'manila':
- bind => $manila_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'manila':
- listening_service => 'manila',
- ports => '8786',
- ipaddresses => hiera('manila_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'manila':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('manila_api_vip', $controller_virtual_ip),
+ service_port => $ports[manila_api_port],
+ ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[manila_api_ssl_port],
}
}
if $sahara {
- haproxy::listen { 'sahara':
- bind => $sahara_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'sahara':
- listening_service => 'sahara',
- ports => '8386',
- ipaddresses => hiera('sahara_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'sahara':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('sahara_api_vip', $controller_virtual_ip),
+ service_port => $ports[sahara_api_port],
+ ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[sahara_api_ssl_port],
}
}
if $trove {
- haproxy::listen { 'trove':
- bind => $trove_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'trove':
- listening_service => 'trove',
- ports => '8779',
- ipaddresses => hiera('trove_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'trove':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('trove_api_vip', $controller_virtual_ip),
+ service_port => $ports[trove_api_port],
+ ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[trove_api_ssl_port],
}
}
if $glance_api {
- haproxy::listen { 'glance_api':
- bind => $glance_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'glance_api':
- listening_service => 'glance_api',
- ports => '9292',
- ipaddresses => hiera('glance_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'glance_api':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('glance_api_vip', $controller_virtual_ip),
+ service_port => $ports[glance_api_port],
+ ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[glance_api_ssl_port],
}
}
if $glance_registry {
- haproxy::listen { 'glance_registry':
- bind => $glance_registry_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'glance_registry':
- listening_service => 'glance_registry',
- ports => '9191',
- ipaddresses => hiera('glance_registry_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ ::tripleo::loadbalancer::endpoint { 'glance_registry':
+ internal_ip => hiera('glance_registry_vip', $controller_virtual_ip),
+ service_port => $ports[glance_registry_port],
+ ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
}
}
+ $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
if $nova_ec2 {
- haproxy::listen { 'nova_ec2':
- bind => $nova_ec2_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'nova_ec2':
- listening_service => 'nova_ec2',
- ports => '8773',
- ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'nova_ec2':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $nova_api_vip,
+ service_port => $ports[nova_ec2_port],
+ ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[nova_ec2_ssl_port],
}
}
if $nova_osapi {
- haproxy::listen { 'nova_osapi':
- bind => $nova_osapi_bind_opts,
- collect_exported => false,
- mode => 'http',
- options => {
- 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
- },
- }
- haproxy::balancermember { 'nova_osapi':
- listening_service => 'nova_osapi',
- ports => '8774',
- ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'nova_osapi':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $nova_api_vip,
+ service_port => $ports[nova_api_port],
+ ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
+ },
+ public_ssl_port => $ports[nova_api_ssl_port],
}
}
if $nova_metadata {
- haproxy::listen { 'nova_metadata':
- bind => $nova_metadata_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'nova_metadata':
- listening_service => 'nova_metadata',
- ports => '8775',
- ipaddresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ ::tripleo::loadbalancer::endpoint { 'nova_metadata':
+ internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip),
+ service_port => $ports[nova_metadata_port],
+ ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
}
}
if $nova_novncproxy {
- haproxy::listen { 'nova_novncproxy':
- bind => $nova_novnc_bind_opts,
- options => {
+ ::tripleo::loadbalancer::endpoint { 'nova_novncproxy':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $nova_api_vip,
+ service_port => $ports[nova_novnc_port],
+ ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ listen_options => {
'balance' => 'source',
'timeout' => [ 'tunnel 1h' ],
},
- collect_exported => false,
- }
- haproxy::balancermember { 'nova_novncproxy':
- listening_service => 'nova_novncproxy',
- ports => '6080',
- ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[nova_novnc_ssl_port],
}
}
if $ceilometer {
- haproxy::listen { 'ceilometer':
- bind => $ceilometer_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'ceilometer':
- listening_service => 'ceilometer',
- ports => '8777',
- ipaddresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'ceilometer':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip),
+ service_port => $ports[ceilometer_api_port],
+ ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[ceilometer_api_ssl_port],
}
}
if $aodh {
- haproxy::listen { 'aodh':
- bind => $aodh_bind_opts,
- collect_exported => false,
+ ::tripleo::loadbalancer::endpoint { 'aodh':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('aodh_api_vip', $controller_virtual_ip),
+ service_port => $ports[aodh_api_port],
+ ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[aodh_api_ssl_port],
}
- haproxy::balancermember { 'aodh':
- listening_service => 'aodh',
- ports => '8042',
- ipaddresses => hiera('aodh_api_node_ips', $controller_hosts_real),
+ }
+
+ if $gnocchi {
+ ::tripleo::loadbalancer::endpoint { 'gnocchi':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip),
+ service_port => $ports[gnocchi_api_port],
+ ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[gnocchi_api_ssl_port],
}
}
if $swift_proxy_server {
- haproxy::listen { 'swift_proxy_server':
- bind => $swift_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'swift_proxy_server':
- listening_service => 'swift_proxy_server',
- ports => '8080',
- ipaddresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'swift_proxy_server':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip),
+ service_port => $ports[swift_proxy_port],
+ ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[swift_proxy_ssl_port],
}
}
- if $heat_api {
- haproxy::listen { 'heat_api':
- bind => $heat_bind_opts,
- options => $heat_options,
- collect_exported => false,
- mode => 'http',
+ $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
+ $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
+ $heat_base_options = {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
+ if $service_certificate {
+ $heat_ssl_options = {
+ 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
}
- haproxy::balancermember { 'heat_api':
- listening_service => 'heat_api',
- ports => '8004',
- ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real),
+ $heat_options = merge($heat_base_options, $heat_ssl_options)
+ } else {
+ $heat_options = $heat_base_options
+ }
+
+ if $heat_api {
+ ::tripleo::loadbalancer::endpoint { 'heat_api':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $heat_api_vip,
+ service_port => $ports[heat_api_port],
+ ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => $heat_options,
+ public_ssl_port => $ports[heat_api_ssl_port],
}
}
if $heat_cloudwatch {
- haproxy::listen { 'heat_cloudwatch':
- bind => $heat_cw_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'heat_cloudwatch':
- listening_service => 'heat_cloudwatch',
- ports => '8003',
- ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'heat_cloudwatch':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $heat_api_vip,
+ service_port => $ports[heat_cw_port],
+ ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => $heat_options,
+ public_ssl_port => $ports[heat_cw_ssl_port],
}
}
if $heat_cfn {
- haproxy::listen { 'heat_cfn':
- bind => $heat_cfn_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'heat_cfn':
- listening_service => 'heat_cfn',
- ports => '8000',
- ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'heat_cfn':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $heat_api_vip,
+ service_port => $ports[heat_cfn_port],
+ ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => $heat_options,
+ public_ssl_port => $ports[heat_cfn_ssl_port],
}
}
if $horizon {
haproxy::listen { 'horizon':
bind => $horizon_bind_opts,
- options => {
- 'cookie' => 'SERVERID insert indirect nocache',
- },
+ options => $horizon_options,
mode => 'http',
collect_exported => false,
}
@@ -1097,6 +881,17 @@ class tripleo::loadbalancer (
}
}
+ if $ironic {
+ ::tripleo::loadbalancer::endpoint { 'ironic':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('ironic_api_vip', $controller_virtual_ip),
+ service_port => $ports[ironic_api_port],
+ ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[ironic_api_ssl_port],
+ }
+ }
+
if $mysql_clustercheck {
$mysql_listen_options = {
'option' => [ 'tcpka', 'httpchk' ],
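Review bot: The new `ironic` endpoint passes `public_virtual_ip` and a `public_ssl_port`, so the bare-metal provisioning API is published on the public VIP, whereas `glance_registry` and `nova_metadata` earlier in this diff are declared with `internal_ip` only. The block it replaces bound to `$ironic_bind_opts`, whose contents are not visible here, so it is worth confirming that this does not widen exposure compared with before. If public exposure is intended, a one-line comment above the resource, such as `# ironic API is deliberately reachable on the public VIP`, would record that decision. What is served on the public address when no certificate is configured depends on the `::tripleo::loadbalancer::endpoint` define, which is outside this hunk.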
@@ -1114,20 +909,6 @@ class tripleo::loadbalancer (
$mysql_member_options = union($haproxy_member_options, ['backup'])
}
- if $ironic {
- haproxy::listen { 'ironic':
- bind => $ironic_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'ironic':
- listening_service => 'ironic',
- ports => '6385',
- ipaddresses => hiera('ironic_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
- }
- }
-
if $mysql {
haproxy::listen { 'mysql':
bind => $mysql_bind_opts,
@@ -1162,13 +943,17 @@ class tripleo::loadbalancer (
}
if $redis {
+ if $redis_password {
+ $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
+ } else {
+ $redis_tcp_check_options = []
+ }
haproxy::listen { 'redis':
bind => $redis_bind_opts,
options => {
- 'timeout' => [ 'client 0', 'server 0' ],
'balance' => 'first',
'option' => ['tcp-check',],
- 'tcp-check' => ['send info\ replication\r\n','expect string role:master'],
+ 'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']),
},
collect_exported => false,
}
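Review bot: `$redis_password` is interpolated unescaped into the `tcp-check` directive in `"send AUTH\\ ${redis_password}\\r\\n"`, so a password containing a space, backslash, `#` or quote would be split or reinterpreted when HAProxy parses the line, breaking the health check or the config. Inside the `if $redis_password` branch I would reject such values up front, e.g. `validate_re($redis_password, '^[[:alnum:]_.-]+$', 'redis_password contains characters that must be escaped for haproxy.cfg')`, or escape them before interpolating. The password also ends up in clear text in the rendered HAProxy configuration and in the compiled catalog, so that file's mode and ownership should be restrictive; where they are set is not visible in this hunk. An `'expect string +OK'` straight after the AUTH send would make a wrong password fail at the AUTH step rather than at the later PING. The `if $redis` block continues past the end of the hunk.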