summaryrefslogtreecommitdiffstats
path: root/manifests
diff options
context:
space:
mode:
Diffstat (limited to 'manifests')
-rw-r--r--manifests/loadbalancer.pp640
-rw-r--r--manifests/loadbalancer/endpoint.pp120
-rw-r--r--manifests/pacemaker/haproxy_with_vip.pp64
3 files changed, 362 insertions, 462 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index ce83803..e91e611 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -119,6 +119,11 @@
# When set, enables SSL on the public API endpoints using the specified file.
# Defaults to undef
#
+# [*internal_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the internal API endpoints using the specified file.
+# Defaults to undef
+#
# [*ssl_cipher_suite*]
# The default string describing the list of cipher algorithms ("cipher suite")
# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
@@ -285,7 +290,7 @@
# 'nova_novnc_port' (Defaults to 6080)
# 'nova_novnc_ssl_port' (Defaults to 13080)
# 'sahara_api_port' (Defaults to 8386)
-# 'sahara_api_ssl_port' (Defaults to 13779)
+# 'sahara_api_ssl_port' (Defaults to 13386)
# 'swift_proxy_port' (Defaults to 8080)
# 'swift_proxy_ssl_port' (Defaults to 13808)
# 'trove_api_port' (Defaults to 8779)
@@ -314,6 +319,7 @@ class tripleo::loadbalancer (
$controller_hosts = undef,
$controller_hosts_names = undef,
$service_certificate = undef,
+ $internal_certificate = undef,
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
$haproxy_stats_certificate = undef,
@@ -383,7 +389,7 @@ class tripleo::loadbalancer (
nova_novnc_port => 6080,
nova_novnc_ssl_port => 13080,
sahara_api_port => 8386,
- sahara_api_ssl_port => 13786,
+ sahara_api_ssl_port => 13386,
swift_proxy_port => 8080,
swift_proxy_ssl_port => 13808,
trove_api_port => 8779,
@@ -493,235 +499,6 @@ class tripleo::loadbalancer (
$haproxy_stats_bind_certificate = $haproxy_stats_certificate
}
- $keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip)
- $keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $keystone_public_bind_opts = {
- "${keystone_public_api_vip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[keystone_public_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- $keystone_admin_bind_opts = {
- "${keystone_admin_api_vip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[keystone_admin_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $keystone_public_bind_opts = {
- "${keystone_public_api_vip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param,
- }
- $keystone_admin_bind_opts = {
- "${keystone_admin_api_vip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $neutron_api_vip = hiera('neutron_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $neutron_bind_opts = {
- "${neutron_api_vip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[neutron_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $neutron_bind_opts = {
- "${neutron_api_vip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $cinder_api_vip = hiera('cinder_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $cinder_bind_opts = {
- "${cinder_api_vip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[cinder_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $cinder_bind_opts = {
- "${cinder_api_vip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $manila_api_vip = hiera('manila_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $manila_bind_opts = {
- "${manila_api_vip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[manila_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $manila_bind_opts = {
- "${manila_api_vip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $glance_api_vip = hiera('glance_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $glance_bind_opts = {
- "${glance_api_vip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[glance_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $glance_bind_opts = {
- "${glance_api_vip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $glance_registry_vip = hiera('glance_registry_vip', $controller_virtual_ip)
- $glance_registry_bind_opts = {
- "${glance_registry_vip}:${ports[glance_registry_port]}" => $haproxy_listen_bind_param,
- }
-
- $sahara_api_vip = hiera('sahara_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $sahara_bind_opts = {
- "${sahara_api_vip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[sahara_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $sahara_bind_opts = {
- "${sahara_api_vip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $trove_bind_opts = {
- "${trove_api_vip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[trove_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $trove_bind_opts = {
- "${trove_api_vip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $nova_osapi_bind_opts = {
- "${nova_api_vip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- $nova_ec2_bind_opts = {
- "${nova_api_vip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_ec2_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- $nova_novnc_bind_opts = {
- "${nova_api_vip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_novnc_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $nova_osapi_bind_opts = {
- "${nova_api_vip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param,
- }
- $nova_ec2_bind_opts = {
- "${nova_api_vip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param,
- }
- $nova_novnc_bind_opts = {
- "${nova_api_vip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $nova_metadata_vip = hiera('nova_metadata_vip', $controller_virtual_ip)
- $nova_metadata_bind_opts = {
- "${nova_metadata_vip}:${ports[nova_metadata_port]}" => $haproxy_listen_bind_param,
- }
-
- $ceilometer_api_vip = hiera('ceilometer_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $ceilometer_bind_opts = {
- "${ceilometer_api_vip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[ceilometer_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $ceilometer_bind_opts = {
- "${ceilometer_api_vip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $aodh_api_vip = hiera('aodh_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $aodh_bind_opts = {
- "${aodh_api_vip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[aodh_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $aodh_bind_opts = {
- "${aodh_api_vip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $gnocchi_api_vip = hiera('gnocchi_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $gnocchi_bind_opts = {
- "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[gnocchi_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $gnocchi_bind_opts = {
- "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip)
- if $service_certificate {
- $swift_bind_opts = {
- "${swift_proxy_vip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[swift_proxy_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $swift_bind_opts = {
- "${swift_proxy_vip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param,
- }
- }
-
- $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
- $heat_base_options = {
- 'http-request' => [
- 'set-header X-Forwarded-Proto https if { ssl_fc }',
- 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
- if $service_certificate {
- $heat_bind_opts = {
- "${heat_api_vip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- $heat_ssl_options = {
- 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
- }
- $heat_options = merge($heat_base_options, $heat_ssl_options)
- $heat_cw_bind_opts = {
- "${heat_api_vip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_cw_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- $heat_cfn_bind_opts = {
- "${heat_api_vip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_cfn_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $heat_bind_opts = {
- "${heat_api_vip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param,
- }
- $heat_options = $heat_base_options
- $heat_cw_bind_opts = {
- "${heat_api_vip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param,
- }
- $heat_cfn_bind_opts = {
- "${heat_api_vip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param,
- }
- }
-
$horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
if $service_certificate {
# NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
@@ -754,19 +531,6 @@ class tripleo::loadbalancer (
}
}
- $ironic_api_vip = hiera('ironic_api_vip', $controller_virtual_ip)
- if $service_certificate {
- $ironic_bind_opts = {
- "${ironic_api_vip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[ironic_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
- }
- } else {
- $ironic_bind_opts = {
- "${ironic_api_vip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param,
- "${public_virtual_ip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param,
- }
- }
-
if $haproxy_stats_bind_certificate {
$haproxy_stats_bind_opts = {
"${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
@@ -792,8 +556,6 @@ class tripleo::loadbalancer (
"${redis_vip}:6379" => $haproxy_listen_bind_param,
}
- sysctl::value { 'net.ipv4.ip_nonlocal_bind': value => '1' }
-
class { '::haproxy':
service_manage => $haproxy_service_manage,
global_options => {
@@ -815,10 +577,11 @@ class tripleo::loadbalancer (
},
}
- Haproxy::Listen {
- options => {
- 'option' => [],
- }
+ Tripleo::Loadbalancer::Endpoint {
+ haproxy_listen_bind_param => $haproxy_listen_bind_param,
+ member_options => $haproxy_member_options,
+ public_certificate => $service_certificate,
+ internal_certificate => $internal_certificate,
}
$stats_base = ['enable', 'uri /']
@@ -837,312 +600,268 @@ class tripleo::loadbalancer (
}
if $keystone_admin {
- haproxy::listen { 'keystone_admin':
- bind => $keystone_admin_bind_opts,
- collect_exported => false,
- mode => 'http', # Needed for http-request option
- options => {
+ ::tripleo::loadbalancer::endpoint { 'keystone_admin':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_admin_api_port],
+ ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
- }
- haproxy::balancermember { 'keystone_admin':
- listening_service => 'keystone_admin',
- ports => '35357',
- ipaddresses => hiera('keystone_admin_api_node_ips',$controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[keystone_admin_api_ssl_port],
}
}
if $keystone_public {
- haproxy::listen { 'keystone_public':
- bind => $keystone_public_bind_opts,
- collect_exported => false,
- mode => 'http', # Needed for http-request option
- options => {
+ ::tripleo::loadbalancer::endpoint { 'keystone_public':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip),
+ service_port => $ports[keystone_public_api_port],
+ ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
- }
- haproxy::balancermember { 'keystone_public':
- listening_service => 'keystone_public',
- ports => '5000',
- ipaddresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[keystone_public_api_ssl_port],
}
}
if $neutron {
- haproxy::listen { 'neutron':
- bind => $neutron_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'neutron':
- listening_service => 'neutron',
- ports => '9696',
- ipaddresses => hiera('neutron_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'neutron':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('neutron_api_vip', $controller_virtual_ip),
+ service_port => $ports[neutron_api_port],
+ ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[neutron_api_ssl_port],
}
}
if $cinder {
- haproxy::listen { 'cinder':
- bind => $cinder_bind_opts,
- collect_exported => false,
- mode => 'http', # Needed for http-request option
- options => {
+ ::tripleo::loadbalancer::endpoint { 'cinder':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('cinder_api_vip', $controller_virtual_ip),
+ service_port => $ports[cinder_api_port],
+ ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
- }
- haproxy::balancermember { 'cinder':
- listening_service => 'cinder',
- ports => '8776',
- ipaddresses => hiera('cinder_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[cinder_api_ssl_port],
}
}
if $manila {
- haproxy::listen { 'manila':
- bind => $manila_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'manila':
- listening_service => 'manila',
- ports => '8786',
- ipaddresses => hiera('manila_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'manila':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('manila_api_vip', $controller_virtual_ip),
+ service_port => $ports[manila_api_port],
+ ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[manila_api_ssl_port],
}
}
if $sahara {
- haproxy::listen { 'sahara':
- bind => $sahara_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'sahara':
- listening_service => 'sahara',
- ports => '8386',
- ipaddresses => hiera('sahara_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'sahara':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('sahara_api_vip', $controller_virtual_ip),
+ service_port => $ports[sahara_api_port],
+ ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[sahara_api_ssl_port],
}
}
if $trove {
- haproxy::listen { 'trove':
- bind => $trove_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'trove':
- listening_service => 'trove',
- ports => '8779',
- ipaddresses => hiera('trove_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'trove':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('trove_api_vip', $controller_virtual_ip),
+ service_port => $ports[trove_api_port],
+ ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[trove_api_ssl_port],
}
}
if $glance_api {
- haproxy::listen { 'glance_api':
- bind => $glance_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'glance_api':
- listening_service => 'glance_api',
- ports => '9292',
- ipaddresses => hiera('glance_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'glance_api':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('glance_api_vip', $controller_virtual_ip),
+ service_port => $ports[glance_api_port],
+ ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[glance_api_ssl_port],
}
}
if $glance_registry {
- haproxy::listen { 'glance_registry':
- bind => $glance_registry_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'glance_registry':
- listening_service => 'glance_registry',
- ports => '9191',
- ipaddresses => hiera('glance_registry_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ ::tripleo::loadbalancer::endpoint { 'glance_registry':
+ internal_ip => hiera('glance_registry_vip', $controller_virtual_ip),
+ service_port => $ports[glance_registry_port],
+ ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
}
}
+ $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
if $nova_ec2 {
- haproxy::listen { 'nova_ec2':
- bind => $nova_ec2_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'nova_ec2':
- listening_service => 'nova_ec2',
- ports => '8773',
- ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'nova_ec2':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $nova_api_vip,
+ service_port => $ports[nova_ec2_port],
+ ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[nova_ec2_ssl_port],
}
}
if $nova_osapi {
- haproxy::listen { 'nova_osapi':
- bind => $nova_osapi_bind_opts,
- collect_exported => false,
- mode => 'http',
- options => {
+ ::tripleo::loadbalancer::endpoint { 'nova_osapi':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $nova_api_vip,
+ service_port => $ports[nova_api_port],
+ ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ mode => 'http',
+ listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
- }
- haproxy::balancermember { 'nova_osapi':
- listening_service => 'nova_osapi',
- ports => '8774',
- ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[nova_api_ssl_port],
}
}
if $nova_metadata {
- haproxy::listen { 'nova_metadata':
- bind => $nova_metadata_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'nova_metadata':
- listening_service => 'nova_metadata',
- ports => '8775',
- ipaddresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ ::tripleo::loadbalancer::endpoint { 'nova_metadata':
+ internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip),
+ service_port => $ports[nova_metadata_port],
+ ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
}
}
if $nova_novncproxy {
- haproxy::listen { 'nova_novncproxy':
- bind => $nova_novnc_bind_opts,
- options => {
+ ::tripleo::loadbalancer::endpoint { 'nova_novncproxy':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $nova_api_vip,
+ service_port => $ports[nova_novnc_port],
+ ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ listen_options => {
'balance' => 'source',
'timeout' => [ 'tunnel 1h' ],
},
- collect_exported => false,
- }
- haproxy::balancermember { 'nova_novncproxy':
- listening_service => 'nova_novncproxy',
- ports => '6080',
- ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[nova_novnc_ssl_port],
}
}
if $ceilometer {
- haproxy::listen { 'ceilometer':
- bind => $ceilometer_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'ceilometer':
- listening_service => 'ceilometer',
- ports => '8777',
- ipaddresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'ceilometer':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip),
+ service_port => $ports[ceilometer_api_port],
+ ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[ceilometer_api_ssl_port],
}
}
if $aodh {
- haproxy::listen { 'aodh':
- bind => $aodh_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'aodh':
- listening_service => 'aodh',
- ports => '8042',
- ipaddresses => hiera('aodh_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'aodh':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('aodh_api_vip', $controller_virtual_ip),
+ service_port => $ports[aodh_api_port],
+ ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[aodh_api_ssl_port],
}
}
if $gnocchi {
- haproxy::listen { 'gnocchi':
- bind => $gnocchi_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'gnocchi':
- listening_service => 'gnocchi',
- ports => '8041',
- ipaddresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'gnocchi':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip),
+ service_port => $ports[gnocchi_api_port],
+ ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => ['check', 'inter 2000', 'rise 2', 'fall 5'],
+ public_ssl_port => $ports[gnocchi_api_ssl_port],
}
}
if $swift_proxy_server {
- haproxy::listen { 'swift_proxy_server':
- bind => $swift_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'swift_proxy_server':
- listening_service => 'swift_proxy_server',
- ports => '8080',
- ipaddresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'swift_proxy_server':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip),
+ service_port => $ports[swift_proxy_port],
+ ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ public_ssl_port => $ports[swift_proxy_ssl_port],
}
}
- if $heat_api {
- haproxy::listen { 'heat_api':
- bind => $heat_bind_opts,
- options => $heat_options,
- collect_exported => false,
- mode => 'http',
+ $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
+ $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
+ $heat_base_options = {
+ 'http-request' => [
+ 'set-header X-Forwarded-Proto https if { ssl_fc }',
+ 'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
+ if $service_certificate {
+ $heat_ssl_options = {
+ 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
}
- haproxy::balancermember { 'heat_api':
- listening_service => 'heat_api',
- ports => '8004',
- ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real),
+ $heat_options = merge($heat_base_options, $heat_ssl_options)
+ } else {
+ $heat_options = $heat_base_options
+ }
+
+ if $heat_api {
+ ::tripleo::loadbalancer::endpoint { 'heat_api':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $heat_api_vip,
+ service_port => $ports[heat_api_port],
+ ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => $heat_options,
+ public_ssl_port => $ports[heat_api_ssl_port],
}
}
if $heat_cloudwatch {
- haproxy::listen { 'heat_cloudwatch':
- bind => $heat_cw_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'heat_cloudwatch':
- listening_service => 'heat_cloudwatch',
- ports => '8003',
- ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'heat_cloudwatch':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $heat_api_vip,
+ service_port => $ports[heat_cw_port],
+ ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => $heat_options,
+ public_ssl_port => $ports[heat_cw_ssl_port],
}
}
if $heat_cfn {
- haproxy::listen { 'heat_cfn':
- bind => $heat_cfn_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'heat_cfn':
- listening_service => 'heat_cfn',
- ports => '8000',
- ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real),
+ ::tripleo::loadbalancer::endpoint { 'heat_cfn':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => $heat_api_vip,
+ service_port => $ports[heat_cfn_port],
+ ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
+ mode => 'http',
+ listen_options => $heat_options,
+ public_ssl_port => $ports[heat_cfn_ssl_port],
}
}
@@ -1162,6 +881,17 @@ class tripleo::loadbalancer (
}
}
+ if $ironic {
+ ::tripleo::loadbalancer::endpoint { 'ironic':
+ public_virtual_ip => $public_virtual_ip,
+ internal_ip => hiera('ironic_api_vip', $controller_virtual_ip),
+ service_port => $ports[ironic_api_port],
+ ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ public_ssl_port => $ports[ironic_api_ssl_port],
+ }
+ }
+
if $mysql_clustercheck {
$mysql_listen_options = {
'option' => [ 'tcpka', 'httpchk' ],
@@ -1179,20 +909,6 @@ class tripleo::loadbalancer (
$mysql_member_options = union($haproxy_member_options, ['backup'])
}
- if $ironic {
- haproxy::listen { 'ironic':
- bind => $ironic_bind_opts,
- collect_exported => false,
- }
- haproxy::balancermember { 'ironic':
- listening_service => 'ironic',
- ports => '6385',
- ipaddresses => hiera('ironic_api_node_ips', $controller_hosts_real),
- server_names => $controller_hosts_names_real,
- options => $haproxy_member_options,
- }
- }
-
if $mysql {
haproxy::listen { 'mysql':
bind => $mysql_bind_opts,
diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp
new file mode 100644
index 0000000..f75f79a
--- /dev/null
+++ b/manifests/loadbalancer/endpoint.pp
@@ -0,0 +1,120 @@
+# Copyright 2014 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::loadbalancer::endpoint
+#
+# Configure a HAProxy listen endpoint
+#
+# [*internal_ip*]
+# The IP in which the proxy endpoint will be listening in the internal
+# network.
+#
+# [*service_port*]
+# The default port on which the endpoint will be listening.
+#
+# [*ip_addresses*]
+# The ordered list of IPs to be used to contact the balancer member.
+#
+# [*server_names*]
+# The names of the balancer members, which usually should be the hostname.
+#
+# [*member_options*]
+# Options for the balancer member, specified after the server declaration.
+# These should go in the member's configuration block.
+#
+# [*public_virtual_ip*]
+# Address in which the proxy endpoint will be listening in the public network.
+# If this service is internal only this should be ommited.
+# Defaults to undef.
+#
+# [*mode*]
+# HAProxy mode in which the endpoint will be listening. This can be undef,
+# tcp, http or health.
+# Defaults to undef.
+#
+# [*haproxy_listen_bind_param*]
+# A list of params to be added to the HAProxy listener bind directive.
+# Defaults to undef.
+#
+# [*listen_options*]
+# Options specified for the listening service's configuration block (in
+# HAproxy terms, the frontend).
+# defaults to {'option' => []}
+#
+# [*public_ssl_port*]
+# The port used for the public proxy endpoint if it differs from the default
+# one. This is used only if SSL is enabled, and it's used in order to avoid
+# overriding with the internal proxy endpoint (which could happen if they were
+# in the same network).
+# Defaults to undef.
+#
+# [*public_certificate*]
+# Certificate path used to enable TLS for the public proxy endpoint.
+# Defaults to undef.
+#
+# [*internal_certificate*]
+# Certificate path used to enable TLS for the internal proxy endpoint.
+# Defaults to undef.
+#
+define tripleo::loadbalancer::endpoint (
+ $internal_ip,
+ $service_port,
+ $ip_addresses,
+ $server_names,
+ $member_options,
+ $public_virtual_ip = undef,
+ $mode = undef,
+ $haproxy_listen_bind_param = undef,
+ $listen_options = {
+ 'option' => [],
+ },
+ $public_ssl_port = undef,
+ $public_certificate = undef,
+ $internal_certificate = undef,
+) {
+ if $public_virtual_ip {
+ # service exposed to the public network
+
+ if $public_certificate {
+ $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+ } else {
+ $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ }
+ } else {
+ # internal service only
+ $public_bind_opts = {}
+ }
+
+ if $internal_certificate {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
+ } else {
+ $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+ }
+ $bind_opts = merge($internal_bind_opts, $public_bind_opts)
+
+ haproxy::listen { "${name}":
+ bind => $bind_opts,
+ collect_exported => false,
+ mode => $mode,
+ options => $listen_options,
+ }
+ haproxy::balancermember { "${name}":
+ listening_service => $name,
+ ports => $service_port,
+ ipaddresses => $ip_addresses,
+ server_names => $server_names,
+ options => $member_options,
+ }
+}
diff --git a/manifests/pacemaker/haproxy_with_vip.pp b/manifests/pacemaker/haproxy_with_vip.pp
new file mode 100644
index 0000000..0539beb
--- /dev/null
+++ b/manifests/pacemaker/haproxy_with_vip.pp
@@ -0,0 +1,64 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Define: tripleo::pacemaker::haproxy_with_vip
+#
+# Configure the vip with the haproxy under pacemaker
+#
+# === Parameters:
+#
+# [*vip_name*]
+# (String) Logical name of the vip (control, public, storage ...)
+# Required
+#
+# [*ip_address*]
+# (String) IP address on which HAProxy is colocated
+# Required
+#
+# [*ensure*]
+# (Boolean) Create the all the resources only if true. False won't
+# destroy the resource, it will just not create them.
+# Default to true
+define tripleo::pacemaker::haproxy_with_vip($vip_name, $ip_address, $ensure = true) {
+ if($ensure) {
+ if is_ipv6_address($ip_address) {
+ $netmask = '64'
+ } else {
+ $netmask = '32'
+ }
+
+ pacemaker::resource::ip { "${vip_name}_vip":
+ ip_address => $ip_address,
+ cidr_netmask => $netmask,
+ }
+ pacemaker::constraint::base { "${vip_name}_vip-then-haproxy":
+ constraint_type => 'order',
+ first_resource => "ip-${ip_address}",
+ second_resource => 'haproxy-clone',
+ first_action => 'start',
+ second_action => 'start',
+ constraint_params => 'kind=Optional',
+ require => [Pacemaker::Resource::Service['haproxy'],
+ Pacemaker::Resource::Ip["${vip_name}_vip"]],
+ }
+ pacemaker::constraint::colocation { "${vip_name}_vip-with-haproxy":
+ source => "ip-${ip_address}",
+ target => 'haproxy-clone',
+ score => 'INFINITY',
+ require => [Pacemaker::Resource::Service['haproxy'],
+ Pacemaker::Resource::Ip["${vip_name}_vip"]],
+ }
+ }
+}