aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2016-05-05Add dport/sport parameter to firewall ruleJames Slagle3-3/+29
The port parameter to puppetlabs-firewall is actually deprecated[1]. This adds support for using the new parameter names dport and sport. The port parameter is still retained in puppet-tripleo for backwards compatibily for anyone using that interface. It is marked deprecated in the documentation, however no deprecation warning is needed because there is already a warning from from puppetlabs-firewall. blueprint undercloud-elements Change-Id: I0598007f90018f80a3266193bb24dbf112de49b7
2016-04-22Add aodh and gnocchi to schema profilesGiulio Fidente2-16/+51
Change-Id: Ifb0cc7769ef99e4c7142c8f955f0ca721d61e9b5
2016-04-22Merge "Add steps to database profiles"Jenkins2-26/+37
2016-04-21Merge "Enable HAProxy forwardfor option for Horizon."Jenkins1-0/+2
2016-04-21Merge "Add destination parameter to firewall rule"Jenkins2-17/+28
2016-04-20Merge "Add Glance profiles"Jenkins3-0/+261
2016-04-20Add destination parameter to firewall ruleJames Slagle2-17/+28
Specifying a destination cidr is already supported by puppetlabs-firewall, we just need to pass through the parameter in rule.pp in puppet-tripleo. This will allow creating iptables rules that forward network traffic for a given cidr via puppet-tripleo. Change-Id: I23582a55cd97248be52f45e14de7e813ff499ff7
2016-04-20Add steps to database profilesMichael Chapman2-26/+37
Database schema profiles were missing step information, causing schemas to be created too early. Change-Id: Ic381804ce5f1aa257ece75d2e079f4b02f446344
2016-04-19IPv6 dual-stack supportEmilien Macchi2-12/+35
TL;DR: If keystone_public_api_vip and/or public_virtual_ip is an array of IPs, HAproxy will be configured to listen on all IPs that are given in the arrays. It allows to specify an array for keystone_public_api_vip and/or public_virtual_ip where one IP is v4 and another one is v6. HAproxy will configured to listen on both and redirect the traffic to the IPv6 network (Dual-Stack). Implementation & background: HAproxy requires binding options as an hash where each IP contains an array of binding options. TripleO does not support Puppet Parser [1] (yet) so we can't manipulate data iterations inside the manifests. This patch creates a custom function, called list_to_hash. Example: keystone_vips = ['192.168.0.1:5000', '192.168.0.2:5000'] $keystone_bind_opts = ['transparent'] Using this function: $keystone_vips_hash = list_to_hash($keystone_vips, $keystone_bind_opts) Would return: $keystone_vips_hash = { '192.168.0.1:5000' => ['transparent'], '192.168.0.2:5000' => ['transparent'], } This function will help us in loadbalancer.pp to construct binding options in dynamic way. It's backward compatible, so you don't have to give an array. But if you do, multiple binding will be configured in HAproxy and you'll also be able to deploy IPv6 Dual-Stack. [1] https://docs.puppetlabs.com/puppet/latest/reference/lang_iteration.html Change-Id: I003b6d7d171652654745861d4231882f9e0d373e
2016-04-18Merge "Disable ip_nonlocal_bind (rely on the HAProxy 'transparent' option)"Jenkins1-2/+0
2016-04-15Enable HAProxy forwardfor option for Horizon.Dimitri Savineau1-0/+2
Horizon's backends (httpd) see IP address of the haproxy in the logs instead of the client address. Adding forwardfor option allows to add the client address to the X-Forwarded-For HTTP header and can be replace in the logs by configured the backend servers with this header. Change-Id: I54f0f5549d64768dacca71539c71a28cc99d9d95
2016-04-14Merge "Add support for internal/admin endpoint TLS in HAProxy"Jenkins2-2/+20
2016-04-14Merge "Add generic manifest for loadbalancer endpoints"Jenkins2-458/+286
2016-04-13Refactor HAproxy and VIP creation.Sofer Athlan-Guyot1-0/+64
In tripleo heat template, overcloud_controller_pacemaker.pp has a lot of duplicate code to define haproxy and vip creation. This is an attempt to refactor this. Change-Id: I4cc6711911c1bfa1bc6063979e2b2a7ab5b8d37b
2016-04-11Merge "Fix Sahara SSL default port"Jenkins1-2/+2
2016-04-11Add Glance profilesEmilien Macchi3-0/+261
Add Glance profiles for non-ha & ha scenarios. Change-Id: Ifc388f7058ccfff2818f531bcbc00c7179874bbc Implements: blueprint refactor-puppet-manifests
2016-04-11Add support for internal/admin endpoint TLS in HAProxyJuan Antonio Osorio Robles2-2/+20
This commits adds the option to pass an internal certificate. The aforementioned certificate will be used to terminate TLS connections for the internal and admin endpoints. Change-Id: I9d781b42c63cf34bd1f5ba2c71014c6b9de0f990
2016-04-11Add generic manifest for loadbalancer endpointsJuan Antonio Osorio Robles2-458/+286
In order to reduce repeated code in the loadbalancer manifest, the repeated parts were moved into one manifest that contains the endpoint resource. Change-Id: Ib72abe9de7ab073dcbd780298385b0c519f363aa
2016-04-11Fix Sahara SSL default portJuan Antonio Osorio Robles1-2/+2
There were two issues with the SSL port for sahara. * It was conflicting with Manila's port * It was documented incorrectly This has been fixed Change-Id: I9f710e014890b6daa6b3e511fd811c1e25bd0de3
2016-04-11Map gnocchi vip to haproxy_listen_bind_paramPradeep Kilambi1-4/+4
Change-Id: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
2016-04-11Merge "Fix comparison to control_virtual_ip"Jenkins1-3/+3
2016-04-08Remove individual service certificatesJuan Antonio Osorio Robles1-201/+36
They are not being used and add extra logic and unnecessary clutter to the code. So this CR removes them in favor of just configuring TLS with the service_certificate. The only individual cert left was the one for haproxy stats. Change-Id: Ic3b769423917e723ecc83e32bcbae17568345661
2016-04-07Add missing services ports to service_ports mapJuan Antonio Osorio Robles1-16/+32
AODH, Gnocchi, Sahara and Trove were missing from the service_ports maps and thus had hardcoded ports in the listener configuration. The addition of those ports to the map is required to give the possibility to deployers to configure those ports if needed. This commit adds them to that map. Change-Id: Id009d65bf68ba91f97b0d60d32028da50fc88fc3
2016-04-04Fix comparison to control_virtual_ipJames Slagle1-3/+3
When managing the vip's, we were incorrectly comparing the vip to $control_virtual_interface instead of $controller_virtual_ip when determining if we needed to actually create the vip or not. This caused the vips for internal api, storage, and storage mgmt to always be created even if they were the same as the control vip. Afaict, this didn't actually cause any problems, other than having extra vip's created when they weren't needed. Still, this corrects the code to do what it was intended to do. Change-Id: I29aee95afcba25008b8b7bee37ba636eb2595cca
2016-04-01Merge "Make cipher suite and SSL options configurable"Jenkins1-6/+20
2016-03-28Merge "Redirect to https for horizon"Jenkins1-3/+15
2016-03-27Merge "Add keystone and db sync profiles"Jenkins4-0/+357
2016-03-23Allow the Redis specific monitor to use authenticationGiulio Fidente1-1/+12
When accessing Redis, if password protected, we need to update the HAProxy checks so that they use a password or we won't be able to gather which node is the replica master. Also adds PING/PONG and QUIT/OK sequence before and after the info command is sent. More at https://bugzilla.redhat.com/show_bug.cgi?id=1320036 Change-Id: Ia9e61e66c5426061eab8172f0a25820989597780
2016-03-22Make cipher suite and SSL options configurableJuan Antonio Osorio Robles1-6/+20
This CR enables the ability to set the cipher suite to be used by HAproxy and the SSL options. So now the user can enable these through hiera. The cipher suite comes from the Fedora system crypto policy. Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48 Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
2016-03-22Add keystone and db sync profilesMichael Chapman4-0/+357
Implements: blueprint refactor-puppet-manifests Add keystone profiles for both pacemaker and non-ha. Add db sync profiles for pacemaker and non-ha. HA profiles are designed such that they include the base profiles, disabling features as needed, while the base profile can be used independently. Change-Id: I2faf5a78db802549053ec41678bf83bf28108189
2016-03-18Redirect to https for horizonJuan Antonio Osorio Robles1-3/+15
This adds a TLS binding listening on the internal network for horizon. And on the other hand, if the public binding for horizon is accessed via non-https, it will redirect to https. Change-Id: I1f92ecd0c4845450df4b24f6b621d313ba9cbfc4 Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
2016-03-17Hack to fix IPv6 parsing in facter.Sofer Athlan-Guyot1-0/+2
This kludge fixes the wrong regexp used in facter to report all IPv6 addresses. While the upstream bug[1] is being work out, this should do the job. Closes-Bug: 1558490 [1] https://tickets.puppetlabs.com/browse/FACT-1372 Change-Id: I85dabbd26bf8f25b2a03d22f547618b666421a83
2016-03-11Allow enabling authentication on haproxy.statsBen Nemec1-3/+42
Right now we always deploy the haproxy.stats endpoint with no authentication, which is a security concern. Allow setting a password on the endpoint so it isn't accessible to the world. While this allows configuring SSL on the stats endpoint, it does not use the service_certificate parameter because that certificate is intended to be used only for public endpoints, and the stats endpoint is actually on the admin VIP. Once we have support for SSL on admin endpoints we can have stats use it by default. Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
2016-03-09Merge "Make OpenStack service ports configurable in HAProxy"Jenkins1-62/+135
2016-03-08Make OpenStack service ports configurable in HAProxyJuan Antonio Osorio Robles1-62/+135
Some deployments were expecting specific ports for the OpenStack services; In case the default ports are not meeting those needs, we need to provide the means of changing the defaults. Change-Id: Idbbcc90e2af1b3a731b0b5ea955df6082541a9f7
2016-03-03Merge "loadbalancer: fix Redis timeout HAproxy config"Jenkins1-1/+0
2016-03-01Always override X-Forwarded-Proto header for HeatJuan Antonio Osorio Robles1-5/+7
Heat has the ssl middleware to handle the X-Forwarded-Proto header by default. We override this header when SSL is enabled because we need to, but overriding it even when we won't be terminating SSL will prevent some attacks using this header. Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
2016-02-25loadbalancer: fix Redis timeout HAproxy configJason Guiditta1-1/+0
Current HAproxy config is broken for Redis timeout parameters. This is what we have today by default in HAproxy logs: [WARNING] 238/115010 (13878) : config : missing timeouts for proxy 'redis'. | While not properly invalid, you will certainly encounter various problems | with such a configuration. To fix this, please ensure that all following | timeouts are set to a non-zero value: 'client', 'connect', 'server'. This patch removes the explicit setting of client and server timeouts to 0, which is the cause of the above warning. Instead, Redis will simply inherit the haproxy defaults, which should be a more reasonable setting, and result in no warnings. Change-Id: Ibe7941bec02f5facf21732910c9ad96f547ff8e5
2016-02-22Override X-Forwarded-Proto headerJuan Antonio Osorio Robles1-5/+15
Right now, the only manipulation done to the X-Forwarded-Proto header is done if an SSL connection is established. This is not sufficient as one might be able to erroneously put values through that header. This patch disables that behaviour by defaulting to plain http if an SSL connection is not established. Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
2016-02-18Merge "packages: secure upgrade workflow from dependency cycles"Jenkins2-9/+12
2016-02-17Merge "Handle redirects for Horizon"Jenkins1-3/+8
2016-02-11Merge "Enable X-Forwarded-Proto header for keystone admin endpoint"Jenkins1-0/+4
2016-02-11Handle redirects for HorizonBen Nemec1-3/+8
As for Heat, we need to be able to handle 30X redirects from Horizon when configured to use SSL. Because Horizon's redirects are handled directly by Apache, we can't use middleware to handle the X-Forwarded-Proto header like we are planning to do for the other services. However, in this case we don't need to worry about rewriting urls in the payload like we do for the other services because Horizon is just serving standard web pages, not custom HTTP bodies with JSON contents. One other change from the previous Heat patch is to drop the IP from the rewrite regex. This is because Horizon will generally be accessed via a DNS name, so the IP won't appear in the Location header. The heat regex should probably be changed as well since we now support registering endpoints with DNS names, but since we plan to move all the other services to the X-Forwarded-Proto header middleware anyway we can probably just wait until that happens and then remove the Heat rule entirely. Change-Id: I039a3036be17eeabe3cff68e0ef24f70907cc568
2016-02-11Merge "Use HAProxy 'transparent' bind option for compat with IPv6"Jenkins1-91/+118
2016-02-11Merge "Make haproxy balancer default options configurable"Jenkins1-26/+31
2016-01-25Merge "loadbalancer: add Gnocchi API support"Jenkins1-0/+43
2016-01-25Merge "SSL/Cinder: enable ssl_header_handler filter"Jenkins1-0/+28
2016-01-22Drop webmock dependencyEmilien Macchi2-2/+0
webmock is not used anywhere in puppet-tripleo, let's clean it. Change-Id: Idd8646e69e31a63791a345765c459d094a23f813
2016-01-21SSL/Cinder: enable ssl_header_handler filterJuan Antonio Osorio Robles1-0/+28
Enable oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory in ssl_header_handler middlewarefilter so we can run Nova API with SSL support. Change-Id: If88dcdf9f4905e2a792b2fdc656eab51c85f637e
2016-01-20packages: secure upgrade workflow from dependency cyclesEmilien Macchi2-9/+12
Change the workflow to be: Upgrade all packages before any services that is notified & managed by Puppet. It also disable the Exec timeout so we rely on Heat timeout and not on the 300s that are the default in Puppet [1] Example: we upgrade and OpenStack config will change (obviously). Puppet catalog will contain 3 important things: * config resources * service resources * package-upgrade Exec resource with that patch, what will happen: * puppet will update config first or second and notify services * puppet will run package-upgrade first or second but before the package-upgrade Exec resource * at the very end, puppet will restart services That way, we avoid complications with Puppet dependency cycle issues. [1] https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-timeout Closes-Bug: 1536349 Change-Id: I07310bdfc5b07b03ac9fa5f8c13e87eaa2bfef4d