aboutsummaryrefslogtreecommitdiffstats
AgeCommit message (Collapse)AuthorFilesLines
2016-04-15Enable HAProxy forwardfor option for Horizon.Dimitri Savineau1-0/+2
Horizon's backends (httpd) see IP address of the haproxy in the logs instead of the client address. Adding forwardfor option allows to add the client address to the X-Forwarded-For HTTP header and can be replace in the logs by configured the backend servers with this header. Change-Id: I54f0f5549d64768dacca71539c71a28cc99d9d95
2016-04-14Merge "Add support for internal/admin endpoint TLS in HAProxy"Jenkins2-2/+20
2016-04-14Merge "Add generic manifest for loadbalancer endpoints"Jenkins2-458/+286
2016-04-13Refactor HAproxy and VIP creation.Sofer Athlan-Guyot1-0/+64
In tripleo heat template, overcloud_controller_pacemaker.pp has a lot of duplicate code to define haproxy and vip creation. This is an attempt to refactor this. Change-Id: I4cc6711911c1bfa1bc6063979e2b2a7ab5b8d37b
2016-04-11Merge "Fix Sahara SSL default port"Jenkins1-2/+2
2016-04-11Add support for internal/admin endpoint TLS in HAProxyJuan Antonio Osorio Robles2-2/+20
This commits adds the option to pass an internal certificate. The aforementioned certificate will be used to terminate TLS connections for the internal and admin endpoints. Change-Id: I9d781b42c63cf34bd1f5ba2c71014c6b9de0f990
2016-04-11Add generic manifest for loadbalancer endpointsJuan Antonio Osorio Robles2-458/+286
In order to reduce repeated code in the loadbalancer manifest, the repeated parts were moved into one manifest that contains the endpoint resource. Change-Id: Ib72abe9de7ab073dcbd780298385b0c519f363aa
2016-04-11Fix Sahara SSL default portJuan Antonio Osorio Robles1-2/+2
There were two issues with the SSL port for sahara. * It was conflicting with Manila's port * It was documented incorrectly This has been fixed Change-Id: I9f710e014890b6daa6b3e511fd811c1e25bd0de3
2016-04-11Map gnocchi vip to haproxy_listen_bind_paramPradeep Kilambi1-4/+4
Change-Id: I7d2eb9405e0171fc54fa0b616122f69db5f51ce2
2016-04-11Merge "Fix comparison to control_virtual_ip"Jenkins1-3/+3
2016-04-08Remove individual service certificatesJuan Antonio Osorio Robles1-201/+36
They are not being used and add extra logic and unnecessary clutter to the code. So this CR removes them in favor of just configuring TLS with the service_certificate. The only individual cert left was the one for haproxy stats. Change-Id: Ic3b769423917e723ecc83e32bcbae17568345661
2016-04-07Add missing services ports to service_ports mapJuan Antonio Osorio Robles1-16/+32
AODH, Gnocchi, Sahara and Trove were missing from the service_ports maps and thus had hardcoded ports in the listener configuration. The addition of those ports to the map is required to give the possibility to deployers to configure those ports if needed. This commit adds them to that map. Change-Id: Id009d65bf68ba91f97b0d60d32028da50fc88fc3
2016-04-04Fix comparison to control_virtual_ipJames Slagle1-3/+3
When managing the vip's, we were incorrectly comparing the vip to $control_virtual_interface instead of $controller_virtual_ip when determining if we needed to actually create the vip or not. This caused the vips for internal api, storage, and storage mgmt to always be created even if they were the same as the control vip. Afaict, this didn't actually cause any problems, other than having extra vip's created when they weren't needed. Still, this corrects the code to do what it was intended to do. Change-Id: I29aee95afcba25008b8b7bee37ba636eb2595cca
2016-04-01Merge "Make cipher suite and SSL options configurable"Jenkins1-6/+20
2016-03-28Merge "Redirect to https for horizon"Jenkins1-3/+15
2016-03-27Merge "Add keystone and db sync profiles"Jenkins4-0/+357
2016-03-23Allow the Redis specific monitor to use authenticationGiulio Fidente1-1/+12
When accessing Redis, if password protected, we need to update the HAProxy checks so that they use a password or we won't be able to gather which node is the replica master. Also adds PING/PONG and QUIT/OK sequence before and after the info command is sent. More at https://bugzilla.redhat.com/show_bug.cgi?id=1320036 Change-Id: Ia9e61e66c5426061eab8172f0a25820989597780
2016-03-22Make cipher suite and SSL options configurableJuan Antonio Osorio Robles1-6/+20
This CR enables the ability to set the cipher suite to be used by HAproxy and the SSL options. So now the user can enable these through hiera. The cipher suite comes from the Fedora system crypto policy. Change-Id: Ia5751d4049026683fa13d4bc4cbf4eaffe054b48 Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
2016-03-22Add keystone and db sync profilesMichael Chapman4-0/+357
Implements: blueprint refactor-puppet-manifests Add keystone profiles for both pacemaker and non-ha. Add db sync profiles for pacemaker and non-ha. HA profiles are designed such that they include the base profiles, disabling features as needed, while the base profile can be used independently. Change-Id: I2faf5a78db802549053ec41678bf83bf28108189
2016-03-18Redirect to https for horizonJuan Antonio Osorio Robles1-3/+15
This adds a TLS binding listening on the internal network for horizon. And on the other hand, if the public binding for horizon is accessed via non-https, it will redirect to https. Change-Id: I1f92ecd0c4845450df4b24f6b621d313ba9cbfc4 Depends-On: I4943c6c74e0be96c1d7e190908b9262df05d059a
2016-03-17Hack to fix IPv6 parsing in facter.Sofer Athlan-Guyot1-0/+2
This kludge fixes the wrong regexp used in facter to report all IPv6 addresses. While the upstream bug[1] is being work out, this should do the job. Closes-Bug: 1558490 [1] https://tickets.puppetlabs.com/browse/FACT-1372 Change-Id: I85dabbd26bf8f25b2a03d22f547618b666421a83
2016-03-11Allow enabling authentication on haproxy.statsBen Nemec1-3/+42
Right now we always deploy the haproxy.stats endpoint with no authentication, which is a security concern. Allow setting a password on the endpoint so it isn't accessible to the world. While this allows configuring SSL on the stats endpoint, it does not use the service_certificate parameter because that certificate is intended to be used only for public endpoints, and the stats endpoint is actually on the admin VIP. Once we have support for SSL on admin endpoints we can have stats use it by default. Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
2016-03-09Merge "Make OpenStack service ports configurable in HAProxy"Jenkins1-62/+135
2016-03-08Make OpenStack service ports configurable in HAProxyJuan Antonio Osorio Robles1-62/+135
Some deployments were expecting specific ports for the OpenStack services; In case the default ports are not meeting those needs, we need to provide the means of changing the defaults. Change-Id: Idbbcc90e2af1b3a731b0b5ea955df6082541a9f7
2016-03-03Merge "loadbalancer: fix Redis timeout HAproxy config"Jenkins1-1/+0
2016-03-01Always override X-Forwarded-Proto header for HeatJuan Antonio Osorio Robles1-5/+7
Heat has the ssl middleware to handle the X-Forwarded-Proto header by default. We override this header when SSL is enabled because we need to, but overriding it even when we won't be terminating SSL will prevent some attacks using this header. Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
2016-02-25loadbalancer: fix Redis timeout HAproxy configJason Guiditta1-1/+0
Current HAproxy config is broken for Redis timeout parameters. This is what we have today by default in HAproxy logs: [WARNING] 238/115010 (13878) : config : missing timeouts for proxy 'redis'. | While not properly invalid, you will certainly encounter various problems | with such a configuration. To fix this, please ensure that all following | timeouts are set to a non-zero value: 'client', 'connect', 'server'. This patch removes the explicit setting of client and server timeouts to 0, which is the cause of the above warning. Instead, Redis will simply inherit the haproxy defaults, which should be a more reasonable setting, and result in no warnings. Change-Id: Ibe7941bec02f5facf21732910c9ad96f547ff8e5
2016-02-22Override X-Forwarded-Proto headerJuan Antonio Osorio Robles1-5/+15
Right now, the only manipulation done to the X-Forwarded-Proto header is done if an SSL connection is established. This is not sufficient as one might be able to erroneously put values through that header. This patch disables that behaviour by defaulting to plain http if an SSL connection is not established. Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
2016-02-18Merge "packages: secure upgrade workflow from dependency cycles"Jenkins2-9/+12
2016-02-17Merge "Handle redirects for Horizon"Jenkins1-3/+8
2016-02-11Merge "Enable X-Forwarded-Proto header for keystone admin endpoint"Jenkins1-0/+4
2016-02-11Handle redirects for HorizonBen Nemec1-3/+8
As for Heat, we need to be able to handle 30X redirects from Horizon when configured to use SSL. Because Horizon's redirects are handled directly by Apache, we can't use middleware to handle the X-Forwarded-Proto header like we are planning to do for the other services. However, in this case we don't need to worry about rewriting urls in the payload like we do for the other services because Horizon is just serving standard web pages, not custom HTTP bodies with JSON contents. One other change from the previous Heat patch is to drop the IP from the rewrite regex. This is because Horizon will generally be accessed via a DNS name, so the IP won't appear in the Location header. The heat regex should probably be changed as well since we now support registering endpoints with DNS names, but since we plan to move all the other services to the X-Forwarded-Proto header middleware anyway we can probably just wait until that happens and then remove the Heat rule entirely. Change-Id: I039a3036be17eeabe3cff68e0ef24f70907cc568
2016-02-11Merge "Use HAProxy 'transparent' bind option for compat with IPv6"Jenkins1-91/+118
2016-02-11Merge "Make haproxy balancer default options configurable"Jenkins1-26/+31
2016-01-25Merge "loadbalancer: add Gnocchi API support"Jenkins1-0/+43
2016-01-25Merge "SSL/Cinder: enable ssl_header_handler filter"Jenkins1-0/+28
2016-01-22Drop webmock dependencyEmilien Macchi2-2/+0
webmock is not used anywhere in puppet-tripleo, let's clean it. Change-Id: Idd8646e69e31a63791a345765c459d094a23f813
2016-01-21SSL/Cinder: enable ssl_header_handler filterJuan Antonio Osorio Robles1-0/+28
Enable oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory in ssl_header_handler middlewarefilter so we can run Nova API with SSL support. Change-Id: If88dcdf9f4905e2a792b2fdc656eab51c85f637e
2016-01-20packages: secure upgrade workflow from dependency cyclesEmilien Macchi2-9/+12
Change the workflow to be: Upgrade all packages before any services that is notified & managed by Puppet. It also disable the Exec timeout so we rely on Heat timeout and not on the 300s that are the default in Puppet [1] Example: we upgrade and OpenStack config will change (obviously). Puppet catalog will contain 3 important things: * config resources * service resources * package-upgrade Exec resource with that patch, what will happen: * puppet will update config first or second and notify services * puppet will run package-upgrade first or second but before the package-upgrade Exec resource * at the very end, puppet will restart services That way, we avoid complications with Puppet dependency cycle issues. [1] https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-timeout Closes-Bug: 1536349 Change-Id: I07310bdfc5b07b03ac9fa5f8c13e87eaa2bfef4d
2016-01-14Enable X-Forwarded-Proto header for keystone admin endpointJuan Antonio Osorio Robles1-0/+4
This is useful for handling URLs properly when TLS is enabled. Change-Id: I4defed679cf3b2980dcc4ce1db030c0fdf154bfe
2016-01-13Use HAProxy 'transparent' bind option for compat with IPv6Giulio Fidente1-91/+118
Change-Id: Iddf1fdaabc1c758546999e7af7e7412158400e7f
2016-01-13Enable X-Forwarded-Proto header for cinderJuan Antonio Osorio Robles1-0/+4
Change-Id: I3bd836140537fc5b7e3fba600a712d6a9d6f1185
2016-01-08Make haproxy balancer default options configurableGiulio Fidente1-26/+31
Change-Id: Id5e119e0949d27a6e3b3f21ecd5e2eb39f1eeb13
2016-01-07Merge "Haproxy has non-working Horizon session persistence."Jenkins1-1/+1
2016-01-07Merge "Upgrade all packages after puppet managed ones"Jenkins2-1/+72
2016-01-06Merge "loadbalancer: fix MySQL timeout HAproxy config"Jenkins1-5/+7
2016-01-05Merge "Trove integration"Jenkins1-0/+43
2016-01-05Merge "Sahara integration"Jenkins1-0/+42
2016-01-05Merge "Enable X-Forwarded-Proto header for Heat and Nova"Jenkins1-0/+5
2016-01-05Merge "Enable X-Forwarded-Proto header for keystone_public"Jenkins1-0/+4