diff options
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/loadbalancer.pp | 640 | ||||
-rw-r--r-- | manifests/loadbalancer/endpoint.pp | 120 | ||||
-rw-r--r-- | manifests/pacemaker/haproxy_with_vip.pp | 64 |
3 files changed, 362 insertions, 462 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index ce83803..e91e611 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -119,6 +119,11 @@ # When set, enables SSL on the public API endpoints using the specified file. # Defaults to undef # +# [*internal_certificate*] +# Filename of an HAProxy-compatible certificate and key file +# When set, enables SSL on the internal API endpoints using the specified file. +# Defaults to undef +# # [*ssl_cipher_suite*] # The default string describing the list of cipher algorithms ("cipher suite") # that are negotiated during the SSL/TLS handshake for all "bind" lines. This @@ -285,7 +290,7 @@ # 'nova_novnc_port' (Defaults to 6080) # 'nova_novnc_ssl_port' (Defaults to 13080) # 'sahara_api_port' (Defaults to 8386) -# 'sahara_api_ssl_port' (Defaults to 13779) +# 'sahara_api_ssl_port' (Defaults to 13386) # 'swift_proxy_port' (Defaults to 8080) # 'swift_proxy_ssl_port' (Defaults to 13808) # 'trove_api_port' (Defaults to 8779) @@ -314,6 +319,7 @@ class tripleo::loadbalancer ( $controller_hosts = undef, $controller_hosts_names = undef, $service_certificate = undef, + $internal_certificate = undef, $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $haproxy_stats_certificate = undef, @@ -383,7 +389,7 @@ class tripleo::loadbalancer ( nova_novnc_port => 6080, nova_novnc_ssl_port => 13080, sahara_api_port => 8386, - sahara_api_ssl_port => 13786, + sahara_api_ssl_port => 13386, swift_proxy_port => 8080, swift_proxy_ssl_port => 13808, trove_api_port => 8779, @@ -493,235 +499,6 @@ class tripleo::loadbalancer ( $haproxy_stats_bind_certificate = $haproxy_stats_certificate } - $keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip) - $keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip) - if $service_certificate { - $keystone_public_bind_opts = { - "${keystone_public_api_vip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[keystone_public_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $keystone_admin_bind_opts = { - "${keystone_admin_api_vip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[keystone_admin_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $keystone_public_bind_opts = { - "${keystone_public_api_vip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param, - } - $keystone_admin_bind_opts = { - "${keystone_admin_api_vip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param, - } - } - - $neutron_api_vip = hiera('neutron_api_vip', $controller_virtual_ip) - if $service_certificate { - $neutron_bind_opts = { - "${neutron_api_vip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[neutron_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $neutron_bind_opts = { - "${neutron_api_vip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param, - } - } - - $cinder_api_vip = hiera('cinder_api_vip', $controller_virtual_ip) - if $service_certificate { - $cinder_bind_opts = { - "${cinder_api_vip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[cinder_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $cinder_bind_opts = { - "${cinder_api_vip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param, - } - } - - $manila_api_vip = hiera('manila_api_vip', $controller_virtual_ip) - if $service_certificate { - $manila_bind_opts = { - "${manila_api_vip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[manila_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $manila_bind_opts = { - "${manila_api_vip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param, - } - } - - $glance_api_vip = hiera('glance_api_vip', $controller_virtual_ip) - if $service_certificate { - $glance_bind_opts = { - "${glance_api_vip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[glance_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $glance_bind_opts = { - "${glance_api_vip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param, - } - } - - $glance_registry_vip = hiera('glance_registry_vip', $controller_virtual_ip) - $glance_registry_bind_opts = { - "${glance_registry_vip}:${ports[glance_registry_port]}" => $haproxy_listen_bind_param, - } - - $sahara_api_vip = hiera('sahara_api_vip', $controller_virtual_ip) - if $service_certificate { - $sahara_bind_opts = { - "${sahara_api_vip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[sahara_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $sahara_bind_opts = { - "${sahara_api_vip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param, - } - } - - $trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip) - if $service_certificate { - $trove_bind_opts = { - "${trove_api_vip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[trove_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $trove_bind_opts = { - "${trove_api_vip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param, - } - } - - $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) - if $service_certificate { - $nova_osapi_bind_opts = { - "${nova_api_vip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $nova_ec2_bind_opts = { - "${nova_api_vip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_ec2_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $nova_novnc_bind_opts = { - "${nova_api_vip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_novnc_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $nova_osapi_bind_opts = { - "${nova_api_vip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param, - } - $nova_ec2_bind_opts = { - "${nova_api_vip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param, - } - $nova_novnc_bind_opts = { - "${nova_api_vip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param, - } - } - - $nova_metadata_vip = hiera('nova_metadata_vip', $controller_virtual_ip) - $nova_metadata_bind_opts = { - "${nova_metadata_vip}:${ports[nova_metadata_port]}" => $haproxy_listen_bind_param, - } - - $ceilometer_api_vip = hiera('ceilometer_api_vip', $controller_virtual_ip) - if $service_certificate { - $ceilometer_bind_opts = { - "${ceilometer_api_vip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[ceilometer_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $ceilometer_bind_opts = { - "${ceilometer_api_vip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param, - } - } - - $aodh_api_vip = hiera('aodh_api_vip', $controller_virtual_ip) - if $service_certificate { - $aodh_bind_opts = { - "${aodh_api_vip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[aodh_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $aodh_bind_opts = { - "${aodh_api_vip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param, - } - } - - $gnocchi_api_vip = hiera('gnocchi_api_vip', $controller_virtual_ip) - if $service_certificate { - $gnocchi_bind_opts = { - "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[gnocchi_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $gnocchi_bind_opts = { - "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param, - } - } - - $swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip) - if $service_certificate { - $swift_bind_opts = { - "${swift_proxy_vip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[swift_proxy_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $swift_bind_opts = { - "${swift_proxy_vip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param, - } - } - - $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) - $heat_base_options = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} - if $service_certificate { - $heat_bind_opts = { - "${heat_api_vip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $heat_ssl_options = { - 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", - } - $heat_options = merge($heat_base_options, $heat_ssl_options) - $heat_cw_bind_opts = { - "${heat_api_vip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_cw_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $heat_cfn_bind_opts = { - "${heat_api_vip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_cfn_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $heat_bind_opts = { - "${heat_api_vip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param, - } - $heat_options = $heat_base_options - $heat_cw_bind_opts = { - "${heat_api_vip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param, - } - $heat_cfn_bind_opts = { - "${heat_api_vip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param, - } - } - $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) if $service_certificate { # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the @@ -754,19 +531,6 @@ class tripleo::loadbalancer ( } } - $ironic_api_vip = hiera('ironic_api_vip', $controller_virtual_ip) - if $service_certificate { - $ironic_bind_opts = { - "${ironic_api_vip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[ironic_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $ironic_bind_opts = { - "${ironic_api_vip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param, - } - } - if $haproxy_stats_bind_certificate { $haproxy_stats_bind_opts = { "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]), @@ -792,8 +556,6 @@ class tripleo::loadbalancer ( "${redis_vip}:6379" => $haproxy_listen_bind_param, } - sysctl::value { 'net.ipv4.ip_nonlocal_bind': value => '1' } - class { '::haproxy': service_manage => $haproxy_service_manage, global_options => { @@ -815,10 +577,11 @@ class tripleo::loadbalancer ( }, } - Haproxy::Listen { - options => { - 'option' => [], - } + Tripleo::Loadbalancer::Endpoint { + haproxy_listen_bind_param => $haproxy_listen_bind_param, + member_options => $haproxy_member_options, + public_certificate => $service_certificate, + internal_certificate => $internal_certificate, } $stats_base = ['enable', 'uri /'] @@ -837,312 +600,268 @@ class tripleo::loadbalancer ( } if $keystone_admin { - haproxy::listen { 'keystone_admin': - bind => $keystone_admin_bind_opts, - collect_exported => false, - mode => 'http', # Needed for http-request option - options => { + ::tripleo::loadbalancer::endpoint { 'keystone_admin': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_admin_api_port], + ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, - } - haproxy::balancermember { 'keystone_admin': - listening_service => 'keystone_admin', - ports => '35357', - ipaddresses => hiera('keystone_admin_api_node_ips',$controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[keystone_admin_api_ssl_port], } } if $keystone_public { - haproxy::listen { 'keystone_public': - bind => $keystone_public_bind_opts, - collect_exported => false, - mode => 'http', # Needed for http-request option - options => { + ::tripleo::loadbalancer::endpoint { 'keystone_public': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_public_api_port], + ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, - } - haproxy::balancermember { 'keystone_public': - listening_service => 'keystone_public', - ports => '5000', - ipaddresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[keystone_public_api_ssl_port], } } if $neutron { - haproxy::listen { 'neutron': - bind => $neutron_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'neutron': - listening_service => 'neutron', - ports => '9696', - ipaddresses => hiera('neutron_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'neutron': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('neutron_api_vip', $controller_virtual_ip), + service_port => $ports[neutron_api_port], + ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[neutron_api_ssl_port], } } if $cinder { - haproxy::listen { 'cinder': - bind => $cinder_bind_opts, - collect_exported => false, - mode => 'http', # Needed for http-request option - options => { + ::tripleo::loadbalancer::endpoint { 'cinder': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('cinder_api_vip', $controller_virtual_ip), + service_port => $ports[cinder_api_port], + ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, - } - haproxy::balancermember { 'cinder': - listening_service => 'cinder', - ports => '8776', - ipaddresses => hiera('cinder_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[cinder_api_ssl_port], } } if $manila { - haproxy::listen { 'manila': - bind => $manila_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'manila': - listening_service => 'manila', - ports => '8786', - ipaddresses => hiera('manila_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'manila': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('manila_api_vip', $controller_virtual_ip), + service_port => $ports[manila_api_port], + ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[manila_api_ssl_port], } } if $sahara { - haproxy::listen { 'sahara': - bind => $sahara_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'sahara': - listening_service => 'sahara', - ports => '8386', - ipaddresses => hiera('sahara_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'sahara': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('sahara_api_vip', $controller_virtual_ip), + service_port => $ports[sahara_api_port], + ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[sahara_api_ssl_port], } } if $trove { - haproxy::listen { 'trove': - bind => $trove_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'trove': - listening_service => 'trove', - ports => '8779', - ipaddresses => hiera('trove_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'trove': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('trove_api_vip', $controller_virtual_ip), + service_port => $ports[trove_api_port], + ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[trove_api_ssl_port], } } if $glance_api { - haproxy::listen { 'glance_api': - bind => $glance_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'glance_api': - listening_service => 'glance_api', - ports => '9292', - ipaddresses => hiera('glance_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'glance_api': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('glance_api_vip', $controller_virtual_ip), + service_port => $ports[glance_api_port], + ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[glance_api_ssl_port], } } if $glance_registry { - haproxy::listen { 'glance_registry': - bind => $glance_registry_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'glance_registry': - listening_service => 'glance_registry', - ports => '9191', - ipaddresses => hiera('glance_registry_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + ::tripleo::loadbalancer::endpoint { 'glance_registry': + internal_ip => hiera('glance_registry_vip', $controller_virtual_ip), + service_port => $ports[glance_registry_port], + ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, } } + $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) if $nova_ec2 { - haproxy::listen { 'nova_ec2': - bind => $nova_ec2_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'nova_ec2': - listening_service => 'nova_ec2', - ports => '8773', - ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'nova_ec2': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_ec2_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[nova_ec2_ssl_port], } } if $nova_osapi { - haproxy::listen { 'nova_osapi': - bind => $nova_osapi_bind_opts, - collect_exported => false, - mode => 'http', - options => { + ::tripleo::loadbalancer::endpoint { 'nova_osapi': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_api_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, - } - haproxy::balancermember { 'nova_osapi': - listening_service => 'nova_osapi', - ports => '8774', - ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[nova_api_ssl_port], } } if $nova_metadata { - haproxy::listen { 'nova_metadata': - bind => $nova_metadata_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'nova_metadata': - listening_service => 'nova_metadata', - ports => '8775', - ipaddresses => hiera('nova_metadata_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + ::tripleo::loadbalancer::endpoint { 'nova_metadata': + internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip), + service_port => $ports[nova_metadata_port], + ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, } } if $nova_novncproxy { - haproxy::listen { 'nova_novncproxy': - bind => $nova_novnc_bind_opts, - options => { + ::tripleo::loadbalancer::endpoint { 'nova_novncproxy': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_novnc_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + listen_options => { 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], }, - collect_exported => false, - } - haproxy::balancermember { 'nova_novncproxy': - listening_service => 'nova_novncproxy', - ports => '6080', - ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[nova_novnc_ssl_port], } } if $ceilometer { - haproxy::listen { 'ceilometer': - bind => $ceilometer_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'ceilometer': - listening_service => 'ceilometer', - ports => '8777', - ipaddresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'ceilometer': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip), + service_port => $ports[ceilometer_api_port], + ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[ceilometer_api_ssl_port], } } if $aodh { - haproxy::listen { 'aodh': - bind => $aodh_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'aodh': - listening_service => 'aodh', - ports => '8042', - ipaddresses => hiera('aodh_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'aodh': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('aodh_api_vip', $controller_virtual_ip), + service_port => $ports[aodh_api_port], + ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[aodh_api_ssl_port], } } if $gnocchi { - haproxy::listen { 'gnocchi': - bind => $gnocchi_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'gnocchi': - listening_service => 'gnocchi', - ports => '8041', - ipaddresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'gnocchi': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip), + service_port => $ports[gnocchi_api_port], + ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + public_ssl_port => $ports[gnocchi_api_ssl_port], } } if $swift_proxy_server { - haproxy::listen { 'swift_proxy_server': - bind => $swift_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'swift_proxy_server': - listening_service => 'swift_proxy_server', - ports => '8080', - ipaddresses => hiera('swift_proxy_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'swift_proxy_server': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip), + service_port => $ports[swift_proxy_port], + ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[swift_proxy_ssl_port], } } - if $heat_api { - haproxy::listen { 'heat_api': - bind => $heat_bind_opts, - options => $heat_options, - collect_exported => false, - mode => 'http', + $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) + $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) + $heat_base_options = { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} + if $service_certificate { + $heat_ssl_options = { + 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", } - haproxy::balancermember { 'heat_api': - listening_service => 'heat_api', - ports => '8004', - ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), + $heat_options = merge($heat_base_options, $heat_ssl_options) + } else { + $heat_options = $heat_base_options + } + + if $heat_api { + ::tripleo::loadbalancer::endpoint { 'heat_api': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_api_port], + ip_addresses => $heat_ip_addresses, server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_api_ssl_port], } } if $heat_cloudwatch { - haproxy::listen { 'heat_cloudwatch': - bind => $heat_cw_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'heat_cloudwatch': - listening_service => 'heat_cloudwatch', - ports => '8003', - ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'heat_cloudwatch': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_cw_port], + ip_addresses => $heat_ip_addresses, server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_cw_ssl_port], } } if $heat_cfn { - haproxy::listen { 'heat_cfn': - bind => $heat_cfn_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'heat_cfn': - listening_service => 'heat_cfn', - ports => '8000', - ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'heat_cfn': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_cfn_port], + ip_addresses => $heat_ip_addresses, server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_cfn_ssl_port], } } @@ -1162,6 +881,17 @@ class tripleo::loadbalancer ( } } + if $ironic { + ::tripleo::loadbalancer::endpoint { 'ironic': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ironic_api_vip', $controller_virtual_ip), + service_port => $ports[ironic_api_port], + ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[ironic_api_ssl_port], + } + } + if $mysql_clustercheck { $mysql_listen_options = { 'option' => [ 'tcpka', 'httpchk' ], @@ -1179,20 +909,6 @@ class tripleo::loadbalancer ( $mysql_member_options = union($haproxy_member_options, ['backup']) } - if $ironic { - haproxy::listen { 'ironic': - bind => $ironic_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'ironic': - listening_service => 'ironic', - ports => '6385', - ipaddresses => hiera('ironic_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, - } - } - if $mysql { haproxy::listen { 'mysql': bind => $mysql_bind_opts, diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp new file mode 100644 index 0000000..f75f79a --- /dev/null +++ b/manifests/loadbalancer/endpoint.pp @@ -0,0 +1,120 @@ +# Copyright 2014 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::loadbalancer::endpoint +# +# Configure a HAProxy listen endpoint +# +# [*internal_ip*] +# The IP in which the proxy endpoint will be listening in the internal +# network. +# +# [*service_port*] +# The default port on which the endpoint will be listening. +# +# [*ip_addresses*] +# The ordered list of IPs to be used to contact the balancer member. +# +# [*server_names*] +# The names of the balancer members, which usually should be the hostname. +# +# [*member_options*] +# Options for the balancer member, specified after the server declaration. +# These should go in the member's configuration block. +# +# [*public_virtual_ip*] +# Address in which the proxy endpoint will be listening in the public network. +# If this service is internal only this should be ommited. +# Defaults to undef. +# +# [*mode*] +# HAProxy mode in which the endpoint will be listening. This can be undef, +# tcp, http or health. +# Defaults to undef. +# +# [*haproxy_listen_bind_param*] +# A list of params to be added to the HAProxy listener bind directive. +# Defaults to undef. +# +# [*listen_options*] +# Options specified for the listening service's configuration block (in +# HAproxy terms, the frontend). +# defaults to {'option' => []} +# +# [*public_ssl_port*] +# The port used for the public proxy endpoint if it differs from the default +# one. This is used only if SSL is enabled, and it's used in order to avoid +# overriding with the internal proxy endpoint (which could happen if they were +# in the same network). +# Defaults to undef. +# +# [*public_certificate*] +# Certificate path used to enable TLS for the public proxy endpoint. +# Defaults to undef. +# +# [*internal_certificate*] +# Certificate path used to enable TLS for the internal proxy endpoint. +# Defaults to undef. +# +define tripleo::loadbalancer::endpoint ( + $internal_ip, + $service_port, + $ip_addresses, + $server_names, + $member_options, + $public_virtual_ip = undef, + $mode = undef, + $haproxy_listen_bind_param = undef, + $listen_options = { + 'option' => [], + }, + $public_ssl_port = undef, + $public_certificate = undef, + $internal_certificate = undef, +) { + if $public_virtual_ip { + # service exposed to the public network + + if $public_certificate { + $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) + } else { + $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param) + } + } else { + # internal service only + $public_bind_opts = {} + } + + if $internal_certificate { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) + } else { + $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) + } + $bind_opts = merge($internal_bind_opts, $public_bind_opts) + + haproxy::listen { "${name}": + bind => $bind_opts, + collect_exported => false, + mode => $mode, + options => $listen_options, + } + haproxy::balancermember { "${name}": + listening_service => $name, + ports => $service_port, + ipaddresses => $ip_addresses, + server_names => $server_names, + options => $member_options, + } +} diff --git a/manifests/pacemaker/haproxy_with_vip.pp b/manifests/pacemaker/haproxy_with_vip.pp new file mode 100644 index 0000000..0539beb --- /dev/null +++ b/manifests/pacemaker/haproxy_with_vip.pp @@ -0,0 +1,64 @@ +# Copyright 2016 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. +# +# == Define: tripleo::pacemaker::haproxy_with_vip +# +# Configure the vip with the haproxy under pacemaker +# +# === Parameters: +# +# [*vip_name*] +# (String) Logical name of the vip (control, public, storage ...) +# Required +# +# [*ip_address*] +# (String) IP address on which HAProxy is colocated +# Required +# +# [*ensure*] +# (Boolean) Create the all the resources only if true. False won't +# destroy the resource, it will just not create them. +# Default to true +define tripleo::pacemaker::haproxy_with_vip($vip_name, $ip_address, $ensure = true) { + if($ensure) { + if is_ipv6_address($ip_address) { + $netmask = '64' + } else { + $netmask = '32' + } + + pacemaker::resource::ip { "${vip_name}_vip": + ip_address => $ip_address, + cidr_netmask => $netmask, + } + pacemaker::constraint::base { "${vip_name}_vip-then-haproxy": + constraint_type => 'order', + first_resource => "ip-${ip_address}", + second_resource => 'haproxy-clone', + first_action => 'start', + second_action => 'start', + constraint_params => 'kind=Optional', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip["${vip_name}_vip"]], + } + pacemaker::constraint::colocation { "${vip_name}_vip-with-haproxy": + source => "ip-${ip_address}", + target => 'haproxy-clone', + score => 'INFINITY', + require => [Pacemaker::Resource::Service['haproxy'], + Pacemaker::Resource::Ip["${vip_name}_vip"]], + } + } +} |