Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/loadbalancer.pp | 47 | ||||
-rw-r--r-- | manifests/ssl/cinder_config.pp | 28 |
2 files changed, 75 insertions, 0 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index c6d7f33..a6c4411 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -152,6 +152,11 @@
 # When set, enables SSL on the Trove public API endpoint using the specified file.
 # Defaults to undef
 #
+# [*gnocchi_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the Gnocchi public API endpoint using the specified file.
+# Defaults to undef
+#
 # [*swift_certificate*]
 # Filename of an HAProxy-compatible certificate and key file
 # When set, enables SSL on the Swift public API endpoint using the specified file.
@@ -232,6 +237,10 @@
 # (optional) Enable or not Aodh API binding
 # Defaults to false
 #
+# [*gnocchi*]
+# (optional) Enable or not Gnocchi API binding
+# Defaults to false
+#
 # [*swift_proxy_server*]
 # (optional) Enable or not Swift API binding
 # Defaults to false
@@ -305,6 +314,7 @@ class tripleo::loadbalancer (
 $nova_certificate = undef,
 $ceilometer_certificate = undef,
 $aodh_certificate = undef,
+ $gnocchi_certificate = undef,
 $swift_certificate = undef,
 $heat_certificate = undef,
 $horizon_certificate = undef,
@@ -324,6 +334,7 @@ class tripleo::loadbalancer (
 $nova_novncproxy = false,
 $ceilometer = false,
 $aodh = false,
+ $gnocchi = false,
 $swift_proxy_server = false,
 $heat_api = false,
 $heat_cloudwatch = false,
@@ -483,6 +494,11 @@ class tripleo::loadbalancer (
 } else {
 $aodh_bind_certificate = $service_certificate
 }
+ if $gnocchi_certificate {
+ $gnocchi_bind_certificate = $gnocchi_certificate
+ } else {
+ $gnocchi_bind_certificate = $service_certificate
+ }
 if $swift_certificate {
 $swift_bind_certificate = $swift_certificate
 } else {
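Review bot: The `[*gnocchi_certificate*]` parameter doc (hunk at -152) says SSL is enabled "when set" and that it "Defaults to undef", but the `if $gnocchi_certificate … else` block added in the hunk at -483 falls back to `$service_certificate`. An operator reading only the doc would not expect the Gnocchi public endpoint to move to the TLS bind when just the service-wide certificate is configured. I would add one line to the parameter doc, for example `# When unset, falls back to service_certificate if that is set.` The class body starts and ends outside these hunks.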
@@ -659,6 +675,19 @@ class tripleo::loadbalancer ( } } + $gnocchi_api_vip = hiera('gnocchi_api_vip', $controller_virtual_ip) + if $gnocchi_bind_certificate { + $gnocchi_bind_opts = { + "${gnocchi_api_vip}:8041" => [], + "${public_virtual_ip}:13041" => ['ssl', 'crt', $gnocchi_bind_certificate], + } + } else { + $gnocchi_bind_opts = { + "${gnocchi_api_vip}:8041" => [], + "${public_virtual_ip}:8041" => [], + } + } + $swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip) if $swift_bind_certificate { $swift_bind_opts = { @@ -819,6 +848,10 @@ class tripleo::loadbalancer ( haproxy::listen { 'cinder': bind => $cinder_bind_opts, collect_exported => false, + mode => 'http', # Needed for http-request option + options => { + 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'], + }, } haproxy::balancermember { 'cinder': listening_service => 'cinder', @@ -993,6 +1026,20 @@ class tripleo::loadbalancer ( } } + if $gnocchi { + haproxy::listen { 'gnocchi': + bind => $gnocchi_bind_opts, + collect_exported => false, + } + haproxy::balancermember { 'gnocchi': + listening_service => 'gnocchi', + ports => '8041', + ipaddresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + } + } + if $swift_proxy_server { haproxy::listen { 'swift_proxy_server': bind => $swift_bind_opts, diff --git a/manifests/ssl/cinder_config.pp b/manifests/ssl/cinder_config.pp new file mode 100644 index 0000000..e1ed113 --- /dev/null +++ b/manifests/ssl/cinder_config.pp 
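Review bot: The `http-request` rule added to the `cinder` listener (hunk at -819) sets `X-Forwarded-Proto` only when `ssl_fc` is true, so on any non-TLS bind in `$cinder_bind_opts` a value supplied by the client is forwarded to the backend unchanged. The same commit adds `HTTPProxyToWSGI` to cinder's paste pipeline, which reads that header, so the proxy should own it in both cases. I would make the option `'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],`. `$cinder_bind_opts` is defined outside this hunk, so which binds are plain HTTP is inferred from the pattern the gnocchi binds follow.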
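Review bot: The new `gnocchi` listener (hunk at -993) terminates TLS on the public bind, `13041` in `$gnocchi_bind_opts`, but unlike the `cinder` listener changed in this same commit it sets neither `mode => 'http'` nor an `X-Forwarded-Proto` header. The backend on 8041 therefore cannot tell that the client connection was HTTPS; whether Gnocchi derives URLs or redirects from the request scheme is not visible here. Either give it the same `mode`/`options` pair as `cinder`, with the header also reset on non-TLS binds, or add a comment such as `# Gnocchi does not need X-Forwarded-Proto because …` stating the reason. The `if $gnocchi` block is complete within the hunk.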
@@ -0,0 +1,28 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::ssl::cinder_config
+#
+# Enable SSL middleware for the cinder service's pipeline.
+#
+
+class tripleo::ssl::cinder_config {
+ cinder_api_paste_ini {
+ 'filter:ssl_header_handler/paste.filter_factory':
+ value => 'oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory';
+ 'pipeline:apiversions/pipeline':
+ value => 'ssl_header_handler faultwrap osvolumeversionapp';
+ }
+}
 |
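Review bot: The class header should state the precondition for including `tripleo::ssl::cinder_config`, because the `HTTPProxyToWSGI` filter makes cinder-api take the request scheme from a forwarded header instead of the connection. I would add `# Only include this class where cinder-api is reachable solely through the load balancer; the filter trusts the X-Forwarded-Proto header it receives.` under the description line. Separately, `pipeline:apiversions/pipeline` is written as a fixed string, so it replaces whatever pipeline the packaged api-paste.ini ships. A short comment saying which Cinder release that filter list was copied from would make drift easier to spot.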