Diffstat (limited to 'manifests/loadbalancer.pp')
-rw-r--r-- | manifests/loadbalancer.pp | 957 |
1 files changed, 371 insertions, 586 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index 2690a6e..e91e611 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -103,79 +103,40 @@ # A string. # Defaults to false # -# [*service_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the public API endpoints using the specified file. -# Any service-specific certificates take precedence over this one. -# Defaults to undef -# -# [*keystone_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Keystone public API endpoint using the specified file. -# Defaults to undef -# -# [*neutron_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Neutron public API endpoint using the specified file. -# Defaults to undef -# -# [*cinder_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Cinder public API endpoint using the specified file. -# Defaults to undef -# -# [*manila_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Manila public API endpoint using the specified file. -# Defaults to undef -# -# [*glance_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Glance public API endpoint using the specified file. -# Defaults to undef +# [*haproxy_stats_user*] +# Username for haproxy stats authentication. +# A string. +# Defaults to 'admin' # -# [*nova_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Nova public API endpoint using the specified file. +# [*haproxy_stats_password*] +# Password for haproxy stats authentication. When set, authentication is +# enabled on the haproxy stats endpoint. +# A string. # Defaults to undef # -# [*ceilometer_certificate*] +# [*service_certificate*] # Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Ceilometer public API endpoint using the specified file. 
+# When set, enables SSL on the public API endpoints using the specified file. # Defaults to undef # -# [*aodh_certificate*] +# [*internal_certificate*] # Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Aodh public API endpoint using the specified file. -# -# [*sahara_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Sahara public API endpoint using the specified file. +# When set, enables SSL on the internal API endpoints using the specified file. # Defaults to undef # -# [*trove_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Trove public API endpoint using the specified file. -# Defaults to undef +# [*ssl_cipher_suite*] +# The default string describing the list of cipher algorithms ("cipher suite") +# that are negotiated during the SSL/TLS handshake for all "bind" lines. This +# value comes from the Fedora system crypto policy. +# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES' # -# [*swift_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Swift public API endpoint using the specified file. -# Defaults to undef +# [*ssl_options*] +# String that sets the default ssl options to force on all "bind" lines. +# Defaults to 'no-sslv3' # -# [*heat_certificate*] +# [*haproxy_stats_certificate*] # Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Heat public API endpoint using the specified file. -# Defaults to undef -# -# [*horizon_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Horizon public API endpoint using the specified file. 
-# Defaults to undef -# -# [*ironic_certificate*] -# Filename of an HAProxy-compatible certificate and key file -# When set, enables SSL on the Ironic public API endpoint using the specified file. +# When set, enables SSL on the haproxy stats endpoint using the specified file. # Defaults to undef # # [*keystone_admin*] @@ -238,6 +199,10 @@ # (optional) Enable or not Aodh API binding # Defaults to false # +# [*gnocchi*] +# (optional) Enable or not Gnocchi API binding +# Defaults to false +# # [*swift_proxy_server*] # (optional) Enable or not Swift API binding # Defaults to false 
@@ -278,10 +243,60 @@ # (optional) Enable or not Redis binding # Defaults to false # +# [*redis_password*] +# (optional) Password for Redis authentication, eventually needed by the +# specific monitoring we do from HAProxy for Redis +# Defaults to undef +# # [*midonet_api*] # (optional) Enable or not MidoNet API binding # Defaults to false # +# [*service_ports*] +# (optional) Hash that contains the values to override from the service ports +# The available keys to modify the services' ports are: +# 'aodh_api_port' (Defaults to 8042) +# 'aodh_api_ssl_port' (Defaults to 13042) +# 'ceilometer_api_port' (Defaults to 8777) +# 'ceilometer_api_ssl_port' (Defaults to 13777) +# 'cinder_api_port' (Defaults to 8776) +# 'cinder_api_ssl_port' (Defaults to 13776) +# 'glance_api_port' (Defaults to 9292) +# 'glance_api_ssl_port' (Defaults to 13292) +# 'glance_registry_port' (Defaults to 9191) +# 'gnocchi_api_port' (Defaults to 8041) +# 'gnocchi_api_ssl_port' (Defaults to 13041) +# 'heat_api_port' (Defaults to 8004) +# 'heat_api_ssl_port' (Defaults to 13004) +# 'heat_cfn_port' (Defaults to 8000) +# 'heat_cfn_ssl_port' (Defaults to 13800) +# 'heat_cw_port' (Defaults to 8003) +# 'heat_cw_ssl_port' (Defaults to 13003) +# 'ironic_api_port' (Defaults to 6385) +# 'ironic_api_ssl_port' (Defaults to 13385) +# 'keystone_admin_api_port' (Defaults to 35357) +# 'keystone_admin_api_ssl_port' (Defaults to 13357) +# 'keystone_public_api_port' (Defaults to 5000) +# 'keystone_public_api_ssl_port' (Defaults to 13000) +# 'manila_api_port' (Defaults to 8786) +# 'manila_api_ssl_port' (Defaults to 13786) +# 'neutron_api_port' (Defaults to 9696) +# 'neutron_api_ssl_port' (Defaults to 13696) +# 'nova_api_port' (Defaults to 8774) +# 'nova_api_ssl_port' (Defaults to 13774) +# 'nova_ec2_port' (Defaults to 8773) +# 'nova_ec2_ssl_port' (Defaults to 13773) +# 'nova_metadata_port' (Defaults to 8775) +# 'nova_novnc_port' (Defaults to 6080) +# 'nova_novnc_ssl_port' (Defaults to 13080) +# 'sahara_api_port' 
(Defaults to 8386) +# 'sahara_api_ssl_port' (Defaults to 13386) +# 'swift_proxy_port' (Defaults to 8080) +# 'swift_proxy_ssl_port' (Defaults to 13808) +# 'trove_api_port' (Defaults to 8779) +# 'trove_api_ssl_port' (Defaults to 13779) +# Defaults to {} +# class tripleo::loadbalancer ( $controller_virtual_ip, $control_virtual_interface, @@ -298,24 +313,16 @@ class tripleo::loadbalancer ( $haproxy_listen_bind_param = [ 'transparent' ], $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], $haproxy_log_address = '/dev/log', + $haproxy_stats_user = 'admin', + $haproxy_stats_password = undef, $controller_host = undef, $controller_hosts = undef, $controller_hosts_names = undef, $service_certificate = undef, - $keystone_certificate = undef, - $neutron_certificate = undef, - $cinder_certificate = undef, - $sahara_certificate = undef, - $trove_certificate = undef, - $manila_certificate = undef, - $glance_certificate = undef, - $nova_certificate = undef, - $ceilometer_certificate = undef, - $aodh_certificate = undef, - $swift_certificate = undef, - $heat_certificate = undef, - $horizon_certificate = undef, - $ironic_certificate = undef, + $internal_certificate = undef, + $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', + $ssl_options = 'no-sslv3', + $haproxy_stats_certificate = undef, $keystone_admin = false, $keystone_public = false, $neutron = false, @@ -331,6 +338,7 @@ class tripleo::loadbalancer ( $nova_novncproxy = false, $ceilometer = false, $aodh = false, + $gnocchi = false, $swift_proxy_server = false, $heat_api = false, $heat_cloudwatch = false, 
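Review bot: The new `$ssl_options` default of `'no-sslv3'` disables only SSLv3, so TLS 1.0 and 1.1 remain negotiable on every bind line that inherits `ssl-default-bind-options`, and the `[*ssl_options*]` documentation in the earlier hunk does not say so. Either tighten the default, `$ssl_options = 'no-sslv3 no-tlsv10',`, or add a sentence to the parameter doc stating that the default leaves TLS 1.0 enabled so deployers know to override it. The cipher string is documented as coming from the Fedora crypto policy, so that value is better left as the commit has it. The class parameter list continues past this hunk.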
@@ -341,8 +349,53 @@ class tripleo::loadbalancer ( $mysql_clustercheck = false, $rabbitmq = false, $redis = false, + $redis_password = undef, $midonet_api = false, + $service_ports = {} ) { + $default_service_ports = { + aodh_api_port => 8042, + aodh_api_ssl_port => 13042, + ceilometer_api_port => 8777, + ceilometer_api_ssl_port => 13777, + cinder_api_port => 8776, + cinder_api_ssl_port => 13776, + glance_api_port => 9292, + glance_api_ssl_port => 13292, + glance_registry_port => 9191, + gnocchi_api_port => 8041, + gnocchi_api_ssl_port => 13041, + heat_api_port => 8004, + heat_api_ssl_port => 13004, + heat_cfn_port => 8000, + heat_cfn_ssl_port => 13800, + heat_cw_port => 8003, + heat_cw_ssl_port => 13003, + ironic_api_port => 6385, + ironic_api_ssl_port => 13385, + keystone_admin_api_port => 35357, + keystone_admin_api_ssl_port => 13357, + keystone_public_api_port => 5000, + keystone_public_api_ssl_port => 13000, + manila_api_port => 8786, + manila_api_ssl_port => 13786, + neutron_api_port => 9696, + neutron_api_ssl_port => 13696, + nova_api_port => 8774, + nova_api_ssl_port => 13774, + nova_ec2_port => 8773, + nova_ec2_ssl_port => 13773, + nova_metadata_port => 8775, + nova_novnc_port => 6080, + nova_novnc_ssl_port => 13080, + sahara_api_port => 8386, + sahara_api_ssl_port => 13386, + swift_proxy_port => 8080, + swift_proxy_ssl_port => 13808, + trove_api_port => 8779, + trove_api_ssl_port => 13779, + } + $ports = merge($default_service_ports, $service_ports) if !$controller_host and !$controller_hosts { fail('$controller_hosts or $controller_host (now deprecated) is a mandatory parameter') @@ -402,7 +455,7 @@ class tripleo::loadbalancer ( } - if $internal_api_virtual_ip and $internal_api_virtual_ip != $control_virtual_interface { + if $internal_api_virtual_ip and $internal_api_virtual_ip != $controller_virtual_ip { $internal_api_virtual_interface = interface_for_ip($internal_api_virtual_ip) # KEEPALIVE INTERNAL API NETWORK keepalived::instance { '53': 
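Review bot: `$service_ports` is passed straight into `merge($default_service_ports, $service_ports)` with no check that it is a hash, so a caller supplying a string or array fails inside `merge` with a message that does not name the parameter, and a misspelled key such as a typo of `nova_api_port` is silently kept next to the default instead of overriding it. Adding `validate_hash($service_ports)` before the `merge` line gives a clear failure; stdlib is already relied on here through `merge` and `union`. Optionally, comparing the supplied keys against `keys($default_service_ports)` would also catch the typo case. The class body continues beyond this hunk.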
@@ -414,7 +467,7 @@ class tripleo::loadbalancer ( } } - if $storage_virtual_ip and $storage_virtual_ip != $control_virtual_interface { + if $storage_virtual_ip and $storage_virtual_ip != $controller_virtual_ip { $storage_virtual_interface = interface_for_ip($storage_virtual_ip) # KEEPALIVE STORAGE NETWORK keepalived::instance { '54': @@ -426,7 +479,7 @@ class tripleo::loadbalancer ( } } - if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $control_virtual_interface { + if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $controller_virtual_ip { $storage_mgmt_virtual_interface = interface_for_ip($storage_mgmt_virtual_ip) # KEEPALIVE STORAGE MANAGEMENT NETWORK keepalived::instance { '55': 
@@ -440,312 +493,51 @@ class tripleo::loadbalancer ( } - if $keystone_certificate { - $keystone_bind_certificate = $keystone_certificate - } else { - $keystone_bind_certificate = $service_certificate - } - if $neutron_certificate { - $neutron_bind_certificate = $neutron_certificate - } else { - $neutron_bind_certificate = $service_certificate - } - if $cinder_certificate { - $cinder_bind_certificate = $cinder_certificate - } else { - $cinder_bind_certificate = $service_certificate - } - if $sahara_certificate { - $sahara_bind_certificate = $sahara_certificate - } else { - $sahara_bind_certificate = $service_certificate - } - if $trove_certificate { - $trove_bind_certificate = $trove_certificate - } else { - $trove_bind_certificate = $trove_certificate - } - if $manila_certificate { - $manila_bind_certificate = $manila_certificate - } else { - $manila_bind_certificate = $service_certificate - } - if $glance_certificate { - $glance_bind_certificate = $glance_certificate - } else { - $glance_bind_certificate = $service_certificate - } - if $nova_certificate { - $nova_bind_certificate = $nova_certificate - } else { - $nova_bind_certificate = $service_certificate - } - if $ceilometer_certificate { - $ceilometer_bind_certificate = $ceilometer_certificate - } else { - $ceilometer_bind_certificate = $service_certificate - } - if $aodh_certificate { - $aodh_bind_certificate = $aodh_certificate - } else { - $aodh_bind_certificate = $service_certificate - } - if $swift_certificate { - $swift_bind_certificate = $swift_certificate - } else { - $swift_bind_certificate = $service_certificate - } - if $heat_certificate { - $heat_bind_certificate = $heat_certificate - } else { - $heat_bind_certificate = $service_certificate - } - if $horizon_certificate { - $horizon_bind_certificate = $horizon_certificate - } else { - $horizon_bind_certificate = $service_certificate - } - if $ironic_certificate { - $ironic_bind_certificate = $ironic_certificate - } else { - $ironic_bind_certificate 
= $service_certificate - } - - $keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip) - $keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip) - if $keystone_bind_certificate { - $keystone_public_bind_opts = { - "${keystone_public_api_vip}:5000" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13000" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]), - } - $keystone_admin_bind_opts = { - "${keystone_admin_api_vip}:35357" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13357" => union($haproxy_listen_bind_param, ['ssl', 'crt', $keystone_bind_certificate]), - } - } else { - $keystone_public_bind_opts = { - "${keystone_public_api_vip}:5000" => $haproxy_listen_bind_param, - "${public_virtual_ip}:5000" => $haproxy_listen_bind_param, - } - $keystone_admin_bind_opts = { - "${keystone_admin_api_vip}:35357" => $haproxy_listen_bind_param, - "${public_virtual_ip}:35357" => $haproxy_listen_bind_param, - } - } - - $neutron_api_vip = hiera('neutron_api_vip', $controller_virtual_ip) - if $neutron_bind_certificate { - $neutron_bind_opts = { - "${neutron_api_vip}:9696" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13696" => union($haproxy_listen_bind_param, ['ssl', 'crt', $neutron_bind_certificate]), - } - } else { - $neutron_bind_opts = { - "${neutron_api_vip}:9696" => $haproxy_listen_bind_param, - "${public_virtual_ip}:9696" => $haproxy_listen_bind_param, - } - } - - $cinder_api_vip = hiera('cinder_api_vip', $controller_virtual_ip) - if $cinder_bind_certificate { - $cinder_bind_opts = { - "${cinder_api_vip}:8776" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13776" => union($haproxy_listen_bind_param, ['ssl', 'crt', $cinder_bind_certificate]), - } - } else { - $cinder_bind_opts = { - "${cinder_api_vip}:8776" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8776" => $haproxy_listen_bind_param, - } - } - - $manila_api_vip = hiera('manila_api_vip', 
$controller_virtual_ip) - if $manila_bind_certificate { - $manila_bind_opts = { - "${manila_api_vip}:8786" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13786" => union($haproxy_listen_bind_param, ['ssl', 'crt', $manila_bind_certificate]), - } - } else { - $manila_bind_opts = { - "${manila_api_vip}:8786" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8786" => $haproxy_listen_bind_param, - } - } - - $glance_api_vip = hiera('glance_api_vip', $controller_virtual_ip) - if $glance_bind_certificate { - $glance_bind_opts = { - "${glance_api_vip}:9292" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13292" => union($haproxy_listen_bind_param, ['ssl', 'crt', $glance_bind_certificate]), - } - } else { - $glance_bind_opts = { - "${glance_api_vip}:9292" => $haproxy_listen_bind_param, - "${public_virtual_ip}:9292" => $haproxy_listen_bind_param, - } - } - - $glance_registry_vip = hiera('glance_registry_vip', $controller_virtual_ip) - $glance_registry_bind_opts = { - "${glance_registry_vip}:9191" => $haproxy_listen_bind_param, - } - - $sahara_api_vip = hiera('sahara_api_vip', $controller_virtual_ip) - if $sahara_bind_certificate { - $sahara_bind_opts = { - "${sahara_api_vip}:8386" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13786" => union($haproxy_listen_bind_param, ['ssl', 'crt', $sahara_bind_certificate]), - } - } else { - $sahara_bind_opts = { - "${sahara_api_vip}:8386" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8386" => $haproxy_listen_bind_param, - } - } - - $trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip) - if $trove_bind_certificate { - $trove_bind_opts = { - "${trove_api_vip}:8779" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13779" => union($haproxy_listen_bind_param, ['ssl', 'crt', $trove_bind_certificate]), - } - } else { - $trove_bind_opts = { - "${trove_api_vip}:8779" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8779" => $haproxy_listen_bind_param, - } - } - - $nova_api_vip = 
hiera('nova_api_vip', $controller_virtual_ip) - if $nova_bind_certificate { - $nova_osapi_bind_opts = { - "${nova_api_vip}:8774" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13774" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]), - } - $nova_ec2_bind_opts = { - "${nova_api_vip}:8773" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13773" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]), - } - $nova_novnc_bind_opts = { - "${nova_api_vip}:6080" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13080" => union($haproxy_listen_bind_param, ['ssl', 'crt', $nova_bind_certificate]), - } - } else { - $nova_osapi_bind_opts = { - "${nova_api_vip}:8774" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8774" => $haproxy_listen_bind_param, - } - $nova_ec2_bind_opts = { - "${nova_api_vip}:8773" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8773" => $haproxy_listen_bind_param, - } - $nova_novnc_bind_opts = { - "${nova_api_vip}:6080" => $haproxy_listen_bind_param, - "${public_virtual_ip}:6080" => $haproxy_listen_bind_param, - } - } - - $nova_metadata_vip = hiera('nova_metadata_vip', $controller_virtual_ip) - $nova_metadata_bind_opts = { - "${nova_metadata_vip}:8775" => $haproxy_listen_bind_param, - } - - $ceilometer_api_vip = hiera('ceilometer_api_vip', $controller_virtual_ip) - if $ceilometer_bind_certificate { - $ceilometer_bind_opts = { - "${ceilometer_api_vip}:8777" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13777" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ceilometer_bind_certificate]), - } - } else { - $ceilometer_bind_opts = { - "${ceilometer_api_vip}:8777" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8777" => $haproxy_listen_bind_param, - } - } - - $aodh_api_vip = hiera('aodh_api_vip', $controller_virtual_ip) - if $aodh_bind_certificate { - $aodh_bind_opts = { - "${aodh_api_vip}:8042" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13042" => 
union($haproxy_listen_bind_param, ['ssl', 'crt', $aodh_bind_certificate]), - } - } else { - $aodh_bind_opts = { - "${aodh_api_vip}:8042" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8042" => $haproxy_listen_bind_param, - } - } - - $swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip) - if $swift_bind_certificate { - $swift_bind_opts = { - "${swift_proxy_vip}:8080" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13808" => union($haproxy_listen_bind_param, ['ssl', 'crt', $swift_bind_certificate]), - } - } else { - $swift_bind_opts = { - "${swift_proxy_vip}:8080" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8080" => $haproxy_listen_bind_param, - } - } - - $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) - if $heat_bind_certificate { - $heat_bind_opts = { - "${heat_api_vip}:8004" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13004" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]), - } - $heat_options = { - 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", - 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], - } - $heat_cw_bind_opts = { - "${heat_api_vip}:8003" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13003" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]), - } - $heat_cfn_bind_opts = { - "${heat_api_vip}:8000" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13800" => union($haproxy_listen_bind_param, ['ssl', 'crt', $heat_bind_certificate]), - } - } else { - $heat_bind_opts = { - "${heat_api_vip}:8004" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8004" => $haproxy_listen_bind_param, - } - $heat_options = {} - $heat_cw_bind_opts = { - "${heat_api_vip}:8003" => $haproxy_listen_bind_param, - "${public_virtual_ip}:8003" => $haproxy_listen_bind_param, - } - $heat_cfn_bind_opts = { - "${heat_api_vip}:8000" => $haproxy_listen_bind_param, - 
"${public_virtual_ip}:8000" => $haproxy_listen_bind_param, - } + # TODO(bnemec): When we have support for SSL on private and admin endpoints, + # have the haproxy stats endpoint use that certificate by default. + if $haproxy_stats_certificate { + $haproxy_stats_bind_certificate = $haproxy_stats_certificate } $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) - if $horizon_bind_certificate { + if $service_certificate { + # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the + # same, the first option takes precedence. Which is the case when network + # isolation is not enabled. This is not a problem as both options are + # identical. If network isolation is enabled, this works correctly and + # will add a TLS binding to both the horizon_vip and the + # public_virtual_ip. + # Even though for the public_virtual_ip the port 80 is listening, we + # redirect to https in the horizon_options below. $horizon_bind_opts = { - "${horizon_vip}:80" => $haproxy_listen_bind_param, - "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $horizon_bind_certificate]), + "${horizon_vip}:80" => $haproxy_listen_bind_param, + "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), + "${public_virtual_ip}:80" => $haproxy_listen_bind_param, + "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), + } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', + # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 
+ 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", } } else { $horizon_bind_opts = { "${horizon_vip}:80" => $haproxy_listen_bind_param, "${public_virtual_ip}:80" => $haproxy_listen_bind_param, } + $horizon_options = { + 'cookie' => 'SERVERID insert indirect nocache', + } } - $ironic_api_vip = hiera('ironic_api_vip', $controller_virtual_ip) - if $ironic_bind_certificate { - $ironic_bind_opts = { - "${ironic_api_vip}:6385" => $haproxy_listen_bind_param, - "${public_virtual_ip}:13385" => union($haproxy_listen_bind_param, ['ssl', 'crt', $ironic_bind_certificate]), + if $haproxy_stats_bind_certificate { + $haproxy_stats_bind_opts = { + "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]), } } else { - $ironic_bind_opts = { - "${ironic_api_vip}:6385" => $haproxy_listen_bind_param, - "${public_virtual_ip}:6385" => $haproxy_listen_bind_param, + $haproxy_stats_bind_opts = { + "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param, } } @@ -767,12 +559,14 @@ class tripleo::loadbalancer ( class { '::haproxy': service_manage => $haproxy_service_manage, global_options => { - 'log' => "${haproxy_log_address} local0", - 'pidfile' => '/var/run/haproxy.pid', - 'user' => 'haproxy', - 'group' => 'haproxy', - 'daemon' => '', - 'maxconn' => $haproxy_global_maxconn, + 'log' => "${haproxy_log_address} local0", + 'pidfile' => '/var/run/haproxy.pid', + 'user' => 'haproxy', + 'group' => 'haproxy', + 'daemon' => '', + 'maxconn' => $haproxy_global_maxconn, + 'ssl-default-bind-ciphers' => $ssl_cipher_suite, + 'ssl-default-bind-options' => $ssl_options, }, defaults_options => { 'mode' => 'tcp', 
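Review bot: `$haproxy_stats_bind_certificate` is assigned only inside `if $haproxy_stats_certificate {`, so when no stats certificate is supplied the later `if $haproxy_stats_bind_certificate` reads a variable that was never set; that works only because an unset variable evaluates as undef, and it fails outright under `strict_variables`. Either add an `else { $haproxy_stats_bind_certificate = undef }` branch or drop the intermediate and test `$haproxy_stats_certificate` directly where `$haproxy_stats_bind_opts` is built. The TODO above the assignment already describes defaulting this to the internal certificate later, and the `else` branch is where that default would naturally go. The enclosing class continues outside this hunk.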
@@ -783,308 +577,298 @@ class tripleo::loadbalancer ( }, } - Haproxy::Listen { - options => { - 'option' => [], - } + Tripleo::Loadbalancer::Endpoint { + haproxy_listen_bind_param => $haproxy_listen_bind_param, + member_options => $haproxy_member_options, + public_certificate => $service_certificate, + internal_certificate => $internal_certificate, } + $stats_base = ['enable', 'uri /'] + if $haproxy_stats_password { + $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) + } else { + $stats_config = $stats_base + } haproxy::listen { 'haproxy.stats': - ipaddress => $controller_virtual_ip, - ports => '1993', + bind => $haproxy_stats_bind_opts, mode => 'http', options => { - 'stats' => ['enable', 'uri /'], + 'stats' => $stats_config, }, collect_exported => false, } if $keystone_admin { - haproxy::listen { 'keystone_admin': - bind => $keystone_admin_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'keystone_admin': - listening_service => 'keystone_admin', - ports => '35357', - ipaddresses => hiera('keystone_admin_api_node_ips',$controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'keystone_admin': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_admin_api_port], + ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[keystone_admin_api_ssl_port], } } if $keystone_public { - haproxy::listen { 'keystone_public': - bind => $keystone_public_bind_opts, - collect_exported => false, - mode => 'http', # Needed for http-request option - options => { - 'http-request' => ['set-header X-Forwarded-Proto 
https if { ssl_fc }'], - }, - } - haproxy::balancermember { 'keystone_public': - listening_service => 'keystone_public', - ports => '5000', - ipaddresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'keystone_public': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_public_api_port], + ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[keystone_public_api_ssl_port], } } if $neutron { - haproxy::listen { 'neutron': - bind => $neutron_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'neutron': - listening_service => 'neutron', - ports => '9696', - ipaddresses => hiera('neutron_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'neutron': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('neutron_api_vip', $controller_virtual_ip), + service_port => $ports[neutron_api_port], + ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[neutron_api_ssl_port], } } if $cinder { - haproxy::listen { 'cinder': - bind => $cinder_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'cinder': - listening_service => 'cinder', - ports => '8776', - ipaddresses => hiera('cinder_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'cinder': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('cinder_api_vip', $controller_virtual_ip), + service_port => 
$ports[cinder_api_port], + ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[cinder_api_ssl_port], } } if $manila { - haproxy::listen { 'manila': - bind => $manila_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'manila': - listening_service => 'manila', - ports => '8786', - ipaddresses => hiera('manila_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'manila': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('manila_api_vip', $controller_virtual_ip), + service_port => $ports[manila_api_port], + ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[manila_api_ssl_port], } } if $sahara { - haproxy::listen { 'sahara': - bind => $sahara_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'sahara': - listening_service => 'sahara', - ports => '8386', - ipaddresses => hiera('sahara_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'sahara': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('sahara_api_vip', $controller_virtual_ip), + service_port => $ports[sahara_api_port], + ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[sahara_api_ssl_port], } } if $trove { - haproxy::listen { 'trove': - bind => $trove_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'trove': - listening_service => 'trove', - ports => '8779', - ipaddresses => hiera('trove_api_node_ips', 
$controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'trove': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('trove_api_vip', $controller_virtual_ip), + service_port => $ports[trove_api_port], + ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[trove_api_ssl_port], } } if $glance_api { - haproxy::listen { 'glance_api': - bind => $glance_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'glance_api': - listening_service => 'glance_api', - ports => '9292', - ipaddresses => hiera('glance_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'glance_api': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('glance_api_vip', $controller_virtual_ip), + service_port => $ports[glance_api_port], + ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[glance_api_ssl_port], } } if $glance_registry { - haproxy::listen { 'glance_registry': - bind => $glance_registry_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'glance_registry': - listening_service => 'glance_registry', - ports => '9191', - ipaddresses => hiera('glance_registry_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + ::tripleo::loadbalancer::endpoint { 'glance_registry': + internal_ip => hiera('glance_registry_vip', $controller_virtual_ip), + service_port => $ports[glance_registry_port], + ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, } } + $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) if $nova_ec2 { - haproxy::listen { 'nova_ec2': - bind => $nova_ec2_bind_opts, - collect_exported => 
false, - } - haproxy::balancermember { 'nova_ec2': - listening_service => 'nova_ec2', - ports => '8773', - ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'nova_ec2': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_ec2_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[nova_ec2_ssl_port], } } if $nova_osapi { - haproxy::listen { 'nova_osapi': - bind => $nova_osapi_bind_opts, - collect_exported => false, - mode => 'http', - options => { - 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], - }, - } - haproxy::balancermember { 'nova_osapi': - listening_service => 'nova_osapi', - ports => '8774', - ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'nova_osapi': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_api_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], + }, + public_ssl_port => $ports[nova_api_ssl_port], } } if $nova_metadata { - haproxy::listen { 'nova_metadata': - bind => $nova_metadata_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'nova_metadata': - listening_service => 'nova_metadata', - ports => '8775', - ipaddresses => hiera('nova_metadata_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + ::tripleo::loadbalancer::endpoint { 'nova_metadata': + internal_ip => hiera('nova_metadata_vip', 
$controller_virtual_ip), + service_port => $ports[nova_metadata_port], + ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, } } if $nova_novncproxy { - haproxy::listen { 'nova_novncproxy': - bind => $nova_novnc_bind_opts, - options => { + ::tripleo::loadbalancer::endpoint { 'nova_novncproxy': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_novnc_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + listen_options => { 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], }, - collect_exported => false, - } - haproxy::balancermember { 'nova_novncproxy': - listening_service => 'nova_novncproxy', - ports => '6080', - ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[nova_novnc_ssl_port], } } if $ceilometer { - haproxy::listen { 'ceilometer': - bind => $ceilometer_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'ceilometer': - listening_service => 'ceilometer', - ports => '8777', - ipaddresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'ceilometer': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip), + service_port => $ports[ceilometer_api_port], + ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[ceilometer_api_ssl_port], } } if $aodh { - haproxy::listen { 'aodh': - bind => $aodh_bind_opts, - collect_exported => false, + ::tripleo::loadbalancer::endpoint { 'aodh': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('aodh_api_vip', $controller_virtual_ip), + 
service_port => $ports[aodh_api_port], + ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[aodh_api_ssl_port], } - haproxy::balancermember { 'aodh': - listening_service => 'aodh', - ports => '8042', - ipaddresses => hiera('aodh_api_node_ips', $controller_hosts_real), + } + + if $gnocchi { + ::tripleo::loadbalancer::endpoint { 'gnocchi': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip), + service_port => $ports[gnocchi_api_port], + ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[gnocchi_api_ssl_port], } } if $swift_proxy_server { - haproxy::listen { 'swift_proxy_server': - bind => $swift_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'swift_proxy_server': - listening_service => 'swift_proxy_server', - ports => '8080', - ipaddresses => hiera('swift_proxy_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'swift_proxy_server': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip), + service_port => $ports[swift_proxy_port], + ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[swift_proxy_ssl_port], } } - if $heat_api { - haproxy::listen { 'heat_api': - bind => $heat_bind_opts, - options => $heat_options, - collect_exported => false, - mode => 'http', + $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) + $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) + $heat_base_options = { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} + if 
$service_certificate { + $heat_ssl_options = { + 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", } - haproxy::balancermember { 'heat_api': - listening_service => 'heat_api', - ports => '8004', - ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), + $heat_options = merge($heat_base_options, $heat_ssl_options) + } else { + $heat_options = $heat_base_options + } + + if $heat_api { + ::tripleo::loadbalancer::endpoint { 'heat_api': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_api_port], + ip_addresses => $heat_ip_addresses, server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_api_ssl_port], } } if $heat_cloudwatch { - haproxy::listen { 'heat_cloudwatch': - bind => $heat_cw_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'heat_cloudwatch': - listening_service => 'heat_cloudwatch', - ports => '8003', - ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'heat_cloudwatch': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_cw_port], + ip_addresses => $heat_ip_addresses, server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_cw_ssl_port], } } if $heat_cfn { - haproxy::listen { 'heat_cfn': - bind => $heat_cfn_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'heat_cfn': - listening_service => 'heat_cfn', - ports => '8000', - ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'heat_cfn': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_cfn_port], + ip_addresses 
=> $heat_ip_addresses, server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_cfn_ssl_port], } } if $horizon { haproxy::listen { 'horizon': bind => $horizon_bind_opts, - options => { - 'cookie' => 'SERVERID insert indirect nocache', - }, + options => $horizon_options, mode => 'http', collect_exported => false, } @@ -1097,6 +881,17 @@ class tripleo::loadbalancer ( } } + if $ironic { + ::tripleo::loadbalancer::endpoint { 'ironic': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ironic_api_vip', $controller_virtual_ip), + service_port => $ports[ironic_api_port], + ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[ironic_api_ssl_port], + } + } + if $mysql_clustercheck { $mysql_listen_options = { 'option' => [ 'tcpka', 'httpchk' ], @@ -1114,20 +909,6 @@ class tripleo::loadbalancer ( $mysql_member_options = union($haproxy_member_options, ['backup']) } - if $ironic { - haproxy::listen { 'ironic': - bind => $ironic_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'ironic': - listening_service => 'ironic', - ports => '6385', - ipaddresses => hiera('ironic_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, - } - } - if $mysql { haproxy::listen { 'mysql': bind => $mysql_bind_opts, 
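Review bot: The `"auth ${haproxy_stats_user}:${haproxy_stats_password}"` entry added to `$stats_config` is emitted whenever `$haproxy_stats_password` is set, but the TLS bind for `haproxy.stats` (`$haproxy_stats_bind_opts` in the earlier hunk) only exists when `$haproxy_stats_certificate` is also set, so a password without a certificate yields HTTP Basic credentials sent in cleartext on `${controller_virtual_ip}:1993`, and the password is written verbatim into haproxy.cfg. At minimum the `[*haproxy_stats_password*]` documentation (outside this hunk) should carry a line such as `# Without haproxy_stats_certificate the credentials are sent over plain HTTP; restrict reachability of the stats port.`, and a `warning()` or `fail()` when a password is given without a certificate would make the mismatch visible at catalog compile time. Separately, `$heat_ssl_options` interpolates `${public_virtual_ip}` unescaped into the `rsprep` regex, so the dots of an IPv4 VIP match any character and a bracketed IPv6 VIP produces an invalid pattern; escaping regex metacharacters in the VIP (e.g. via `regsubst`) before interpolation keeps the rewrite exact.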
@@ -1162,13 +943,17 @@ class tripleo::loadbalancer ( } if $redis { + if $redis_password { + $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"] + } else { + $redis_tcp_check_options = [] + } haproxy::listen { 'redis': bind => $redis_bind_opts, options => { - 'timeout' => [ 'client 0', 'server 0' ], 'balance' => 'first', 'option' => ['tcp-check',], - 'tcp-check' => ['send info\ replication\r\n','expect string role:master'], + 'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']), }, collect_exported => false, } |
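Review bot: `$redis_password` is interpolated verbatim into `"send AUTH\\ ${redis_password}\\r\\n"`, a line HAProxy tokenizes with its own config rules (whitespace splits tokens, `#` starts a comment, backslash and quotes escape), so a password containing any of those characters produces a malformed or differently-parsed check rather than a failed authentication; the value should be escaped for HAProxy's config syntax the way the literal already escapes the separator (`\\ `), or the class should `fail()` on such characters. The sequence also never verifies the AUTH reply before sending `PING`; adding `'expect string +OK'` directly after the AUTH send makes a wrong password fail the health check at the step that caused it instead of on the later `+PONG` match. Since the password now lands in haproxy.cfg, the permissions of that file (managed outside this hunk) should match the sensitivity of the secret.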