Diffstat (limited to 'manifests')
-rw-r--r--manifests/loadbalancer.pp47
-rw-r--r--manifests/ssl/cinder_config.pp28
2 files changed, 75 insertions, 0 deletions
diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp
index c6d7f33..a6c4411 100644
--- a/manifests/loadbalancer.pp
+++ b/manifests/loadbalancer.pp
@@ -152,6 +152,11 @@
# When set, enables SSL on the Trove public API endpoint using the specified file.
# Defaults to undef
#
+# [*gnocchi_certificate*]
+# Filename of an HAProxy-compatible certificate and key file
+# When set, enables SSL on the Gnocchi public API endpoint using the specified file.
+# Defaults to undef
+#
# [*swift_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the Swift public API endpoint using the specified file.
@@ -232,6 +237,10 @@
# (optional) Enable or not Aodh API binding
# Defaults to false
#
+# [*gnocchi*]
+# (optional) Enable or not Gnocchi API binding
+# Defaults to false
+#
# [*swift_proxy_server*]
# (optional) Enable or not Swift API binding
# Defaults to false
@@ -305,6 +314,7 @@ class tripleo::loadbalancer (
$nova_certificate = undef,
$ceilometer_certificate = undef,
$aodh_certificate = undef,
+ $gnocchi_certificate = undef,
$swift_certificate = undef,
$heat_certificate = undef,
$horizon_certificate = undef,
@@ -324,6 +334,7 @@ class tripleo::loadbalancer (
$nova_novncproxy = false,
$ceilometer = false,
$aodh = false,
+ $gnocchi = false,
$swift_proxy_server = false,
$heat_api = false,
$heat_cloudwatch = false,
@@ -483,6 +494,11 @@ class tripleo::loadbalancer (
} else {
$aodh_bind_certificate = $service_certificate
}
+ if $gnocchi_certificate {
+ $gnocchi_bind_certificate = $gnocchi_certificate
+ } else {
+ $gnocchi_bind_certificate = $service_certificate
+ }
if $swift_certificate {
$swift_bind_certificate = $swift_certificate
} else {
@@ -659,6 +675,19 @@ class tripleo::loadbalancer (
}
}
+ $gnocchi_api_vip = hiera('gnocchi_api_vip', $controller_virtual_ip)
+ if $gnocchi_bind_certificate {
+ $gnocchi_bind_opts = {
+ "${gnocchi_api_vip}:8041" => [],
+ "${public_virtual_ip}:13041" => ['ssl', 'crt', $gnocchi_bind_certificate],
+ }
+ } else {
+ $gnocchi_bind_opts = {
+ "${gnocchi_api_vip}:8041" => [],
+ "${public_virtual_ip}:8041" => [],
+ }
+ }
+
$swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip)
if $swift_bind_certificate {
$swift_bind_opts = {
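Review bot: The TLS bind on `"${public_virtual_ip}:13041"` is only `['ssl', 'crt', $gnocchi_bind_certificate]`, so its minimum protocol version and cipher list come entirely from global `ssl-default-bind-options` / `ssl-default-bind-ciphers`, which are not visible in this hunk. Confirm those are set in the global section, or add a restriction such as `'no-sslv3'` to the bind list. Separately, the else branch publishes Gnocchi in cleartext on `"${public_virtual_ip}:8041"` whenever neither `$gnocchi_certificate` nor `$service_certificate` is set, and `"${gnocchi_api_vip}:8041"` stays cleartext in both branches. A comment such as `# No certificate configured: public endpoint is plain HTTP, tokens cross it unencrypted` above the else branch would make that fallback explicit to operators.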
@@ -819,6 +848,10 @@ class tripleo::loadbalancer (
haproxy::listen { 'cinder':
bind => $cinder_bind_opts,
collect_exported => false,
+ mode => 'http', # Needed for http-request option
+ options => {
+ 'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }'],
+ },
}
haproxy::balancermember { 'cinder':
listening_service => 'cinder',
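Review bot: The added `http-request` rule overwrites `X-Forwarded-Proto` only when `ssl_fc` is true, so a request arriving on a non-TLS bind of the `cinder` listen keeps whatever `X-Forwarded-Proto` value the client sent. The `HTTPProxyToWSGI` filter enabled elsewhere in this commit would then take the scheme from a client-controlled header. Normalise the header on both paths, e.g. `'http-request' => ['set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'],`. The `haproxy::balancermember` resource continues outside the hunk.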
@@ -993,6 +1026,20 @@ class tripleo::loadbalancer (
}
}
+ if $gnocchi {
+ haproxy::listen { 'gnocchi':
+ bind => $gnocchi_bind_opts,
+ collect_exported => false,
+ }
+ haproxy::balancermember { 'gnocchi':
+ listening_service => 'gnocchi',
+ ports => '8041',
+ ipaddresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
+ server_names => $controller_hosts_names_real,
+ options => ['check', 'inter 2000', 'rise 2', 'fall 5'],
+ }
+ }
+
if $swift_proxy_server {
haproxy::listen { 'swift_proxy_server':
bind => $swift_bind_opts,
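Review bot: The new `gnocchi` listen sets only `bind` and `collect_exported`, unlike the `cinder` listen changed in this same commit, which gets `mode => 'http'` and an `X-Forwarded-Proto` rule. When TLS is terminated on 13041 the backend on `8041` therefore cannot tell the original scheme and may emit `http://` links; whether Gnocchi needs this depends on its own pipeline, which this commit does not touch. If it is intentionally left out, say so in a comment such as `# No X-Forwarded-Proto handling: gnocchi-api does not consume it yet` above the `haproxy::listen` resource. The port literal `'8041'` is also repeated here and in `$gnocchi_bind_opts`; a single variable would keep them from drifting apart.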
diff --git a/manifests/ssl/cinder_config.pp b/manifests/ssl/cinder_config.pp
new file mode 100644
index 0000000..e1ed113
--- /dev/null
+++ b/manifests/ssl/cinder_config.pp
@@ -0,0 +1,28 @@
+# Copyright 2016 Red Hat, Inc.
+# All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+# == Class: tripleo::ssl::cinder_config
+#
+# Enable SSL middleware for the cinder service's pipeline.
+#
+
+class tripleo::ssl::cinder_config {
+ cinder_api_paste_ini {
+ 'filter:ssl_header_handler/paste.filter_factory':
+ value => 'oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory';
+ 'pipeline:apiversions/pipeline':
+ value => 'ssl_header_handler faultwrap osvolumeversionapp';
+ }
+}
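Review bot: The class header says only "Enable SSL middleware" and does not document the trust assumption that comes with `HTTPProxyToWSGI`, which takes the request scheme from forwarded headers. It is therefore safe only when cinder-api is reachable solely through a proxy that sets or strips `X-Forwarded-Proto`; I would add that to the `# == Class:` comment, e.g. `# Only include this class when cinder-api is reachable exclusively via the load balancer, which must overwrite X-Forwarded-Proto.` Also, `'pipeline:apiversions/pipeline'` is hard-coded to `'ssl_header_handler faultwrap osvolumeversionapp'`, which replaces whatever filter list the packaged api-paste.ini ships for that pipeline. Only the `apiversions` pipeline is rewired, so other pipelines in the file presumably do not get the filter; that is worth confirming against the target cinder release.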