path: root/manifests/haproxy.pp
Age  Commit message  (Author; files changed, lines removed/added)
2017-08-25  Fix panko port to match tht  (Pradeep Kilambi; 1 file, -2/+2)
In templates we use 13977 as the port for panko. The old 13779 is reserved for trove so it conflicts. Closes-bug: #1712566 Change-Id: I77444199eef6c2b9abbd819829b4fea2d698e2db (cherry picked from commit 5064677dda8e4f140df6d024089e95afe11a91f1)
2017-08-19  Merge "Add TLS for nova metadata service"  (Jenkins; 1 file, -0/+1)
2017-08-18  Merge "Create separate resource for HAProxy horizon endpoint"  (Jenkins; 1 file, -49/+16)
2017-08-17  Add TLS for nova metadata service  (Juan Antonio Osorio Robles; 1 file, -0/+1)
This adds a TLS proxy in front of it so it serves TLS in the internal network. bp tls-via-certmonger Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
2017-08-17  Create separate resource for HAProxy horizon endpoint  (Juan Antonio Osorio Robles; 1 file, -49/+16)
This removes clutter from the main haproxy manifest and allows TLS in the internal network as well. Trying to keep the previous behavior. bp tls-via-certmonger-containers Change-Id: I1a68771cc7be7fb2b32abbad81db7890bd2c5502
2017-08-16  Remove extra keystone admin haproxy listen and allow TLS  (Juan Antonio Osorio Robles; 1 file, -12/+8)
The current code exposes an unused public listen directive in HAProxy for the keystone admin endpoint. This is not ideal and should be removed, as it exposes the service unnecessarily. We should stick to just exposing it to the ctlplane network as is the default. If folks really need to expose it to the public network, they can do so by modifying the ServiceNetMap through t-h-t and setting the keystone admin endpoint's network to external. Now, for "single" or "internal" haproxy endpoints, this adds the ability to detect if they're using the external network, and thus use TLS on it, which is something a deployer would want if they exposed the keystone admin endpoint in such a way. Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22 Closes-Bug: #1710909 Closes-Bug: #1639996
2017-07-31  Merge "Enable TLS for the HAProxy stats interface"  (Jenkins; 1 file, -28/+13)
2017-07-31  Merge "Prevent haproxy to run iptables during docker-puppet configuration"  (Jenkins; 1 file, -2/+9)
2017-07-31  Enable TLS for the HAProxy stats interface  (Juan Antonio Osorio Robles; 1 file, -28/+13)
This creates a new class for the stats interface and further configures it to also use the certificates that are provided by certmonger (via the internal_certificates_specs variable). Note that the already existing haproxy_stats_certificate still works and will take precedence if it's set. bp tls-via-certmonger Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
2017-07-27  Handle SSL options for Zaqar  (Thomas Herve; 1 file, -0/+1)
This allows running Zaqar with SSL under Apache. Change-Id: I4c68a662c2433398249f770ac50ba0791449fe71
2017-07-27  Prevent haproxy to run iptables during docker-puppet configuration  (Damien Ciabrini; 1 file, -2/+9)
When docker-puppet runs module tripleo::haproxy to generate the haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to lack of the NET_ADMIN capability. Make the generation of firewall rules configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when being run through docker-puppet. Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9 Partial-Bug: #1697921
2017-07-14  Merge "Contrail: Fix controlplane/dataplane network assignments & enable optional dpdk"  (Jenkins; 1 file, -5/+15)
2017-07-05  Contrail: Fix controlplane/dataplane network assignments & enable optional dpdk  (Michael Henkel; 1 file, -5/+15)
This patch will move the Contrail roles' communication towards OpenStack APIs from the public/external network to the internal_api network. It will also add the option to enable dpdk for Contrail. Change-Id: Ia835df656031cdf28de20f41ec6ab1c028dced23 Closes-Bug: 1698422
2017-06-28  Merge the nova HAproxy TLS options  (Rob Crittenden; 1 file, -1/+1)
This makes sure that we set the necessary options so HAProxy uses TLS to contact nova. It was commented out when nova was moved to not run over httpd. Since that is no longer the case we can re-enable it. Change-Id: I026a7dab30b00a4e93966f650f098c570b0b624b Depends-On: Iac35b7ddcd8a800901548c75ca8d5083ad17e4d3
2017-06-21  Merge "Make enabling haproxy stats interface configurable"  (Jenkins; 1 file, -13/+20)
2017-06-20  Make enabling haproxy stats interface configurable  (Juan Antonio Osorio Robles; 1 file, -13/+20)
Some people might or might not want to enable it. So this makes it configurable. It defaults to true as we were always deploying it before. Change-Id: I8d2a08cdaf3e5ec3d1a69d4f95e57522508c8610
2017-06-20  Add maxconn parameter to MySQL / HAProxy  (Mike Bayer; 1 file, -0/+7)
Allows configurability of maxconn as applies to the MySQL section of the HAProxy config, both for clustercheck and single node. Also adds a new test for the haproxy class overall to exercise options. Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
2017-06-19  Merge "Fix the port for Panko API"  (Jenkins; 1 file, -2/+2)
2017-06-16  For http service endpoints always redirect to https  (Juan Antonio Osorio Robles; 1 file, -12/+3)
If public TLS is enabled, this sets as default that services should always redirect to https. Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
2017-06-14  Merge "Remove condition to match hdr(host) in haproxy redirect rule"  (Jenkins; 1 file, -1/+1)
2017-06-12  Remove condition to match hdr(host) in haproxy redirect rule  (Ryan O'Hara; 1 file, -1/+1)
The horizon proxy should redirect all HTTP requests to HTTPS, regardless of the 'Host' field in the header. The current rule will cause haproxy to redirect HTTP requests if the 'Host' field contains the public virtual IP address. It will not redirect if the 'Host' field contains a hostname, FQDN, etc. Change-Id: I6c8f58a30f97cdf4c668734793197ea976297733 Signed-off-by: Ryan O'Hara <rohara@redhat.com>
2017-06-08  Use CRL for HAProxy  (Juan Antonio Osorio Robles; 1 file, -1/+12)
This sets up the CRL file to be triggered on the certmonger_user resource. Furthermore, HAProxy uses this CRL file in the member options, thus effectively enabling revocation for proxied nodes. So, if a certificate has been revoked by the CA, HAProxy will not proxy requests to it. bp tls-via-certmonger Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
2017-06-08  Fix the port for Panko API  (ZhongShengping; 1 file, -2/+2)
The port used for Panko conflicts with Trove[1]. According to the official documentation[2] this should be 8777. The 8777 port has been occupied by ceilometer. So set the panko api port to 8977. [1]https://github.com/openstack/trove/blob/master/etc/apache2/trove#L20 [2]https://docs.openstack.org/developer/panko/install/manual.html#installing-the-api-server Change-Id: I5ccfc97765fc8b8bf9686b2451eda9c44c77dffc Closes-Bug: #1691283 Depends-On: I53b286d1d6466b574fdb286cc45f3138f96dff59
2017-06-01  Pacemaker support for OVN DB servers  (Babu Shanmugam; 1 file, -1/+10)
This patch enables OVN DB servers to be started in master/slave mode in the pacemaker cluster. A virtual IP resource is created first and then the pacemaker OVN OCF resource - "ovn:ovndb-servers" - is created. The OVN OCF resource is configured to be colocated with the vip resource. The ovn-controller and Neutron OVN ML2 mechanism driver, which depend on OVN DB servers, will always connect to the vip address on which the master OVN DB servers listen. The OVN OCF resource itself takes care of (re)starting the ovn-northd service on the master node and we don't have to manage it. When HA is enabled for OVN DB servers, haproxy does not configure the OVN DB servers in its configuration. This patch requires OVS 2.7 in the overcloud. Co-Authored-By: Numan Siddique <nusiddiq@redhat.com> Change-Id: I9dc366002ef5919339961e5deebbf8aa815c73db Partial-bug: #1670564
2017-04-25  Merge "Enable internal network TLS for etcd"  (Jenkins; 1 file, -0/+1)
2017-04-21  Merge "Allow to configure haproxy daemon's status"  (Jenkins; 1 file, -14/+27)
2017-04-19  Allow to configure haproxy daemon's status  (Michele Baldessari; 1 file, -14/+27)
Currently we hard-code the fact that haproxy starts as a daemon. When running haproxy in a container we need this to be configurable because the haproxy process will be pid number 1. We are not changing the current semantics which have the 'daemon' option always set, but we are allowing its disabling. Change-Id: I51c482b70731f15fee4025bbce14e46a49a49938
2017-04-18  Haproxy: When using TLS everywhere, use verifyhost for the balancermembers  (Juan Antonio Osorio Robles; 1 file, -0/+3)
This checks that the subjectAltName in the backend server's certificate matches the server's name that was intended to be used. Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
2017-04-17  HAproxy/heat_api: increase timeout to 10m  (Emilien Macchi; 1 file, -2/+6)
Default timeout is 2min but it doesn't reflect the rpc_response_timeout value that we set in THT and instack-undercloud, which is 600 (10 min). In some cases (in low-memory environments), Heat needs more than 2 minutes to reply to the client, when deploying the overcloud. It makes sense to increase the timeout to the value of rpc_timeout to give a chance to Heat to reply to the client, otherwise HAproxy will kill the connection and send 504 to the client. Depends-On: I9669d40d86d762101734704fcef153e360767690 Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c Related-Bug: 1666072
2017-04-12  Enable internal network TLS for etcd  (Feng Pan; 1 file, -0/+1)
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-10  etcd: Make HAProxy terminate TLS connections  (Juan Antonio Osorio Robles; 1 file, -17/+14)
When TLS is enabled for the internal network, HAProxy needs to handle etcd's TLS termination. Else it will use plain text. bp secure-etcd Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
2017-04-07  Merge "Adding listen_options for Contrail Webui https in haproxy"  (Jenkins; 1 file, -0/+4)
2017-04-07  Merge "Add httpchk for http services"  (Jenkins; 1 file, -87/+26)
2017-04-05  Merge "Add TLS in the internal network for Swift Proxy"  (Jenkins; 1 file, -0/+1)
2017-04-04  Merge "Use correct manage_firewall hieradata"  (Jenkins; 1 file, -2/+2)
2017-04-04  Add httpchk for http services  (Alex Schultz; 1 file, -87/+26)
The httpchk health check option should help reduce the situations where haproxy thinks the service is up but the service is only listening and not actively serving http requests. Change-Id: I13cc5dcf2eea53731e756d078586ab9a97340912 Closes-Bug: #1629052
2017-04-04  Add TLS in the internal network for Swift Proxy  (Juan Antonio Osorio Robles; 1 file, -0/+1)
This adds the necessary bits for a TLS Proxy to be placed in front of swift proxy when TLS-everywhere is enabled. This will be further cleaned up once the t-h-t bits are added. bp tls-via-certmonger Change-Id: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
2017-04-03  Use correct manage_firewall hieradata  (Ben Nemec; 1 file, -2/+2)
The manage_firewall hieradata was moved to tripleo::firewall::manage_firewall but some of the references to it were not updated, which makes it impossible to completely disable the firewall rules. Change-Id: I5f40f3b8b07bd312cce862aa319b8a1ef331ee49 Closes-Bug: 1679189
2017-03-30  Add tunnel timeout for ui proxy container  (Dan Trainor; 1 file, -0/+6)
Add an explicit tunnel timeout configuration option to increase the tunnel timeout for persistent socket connections from two minutes (2m) to one hour (3600s). A configuration was already present to apply a tunnel timeout to the zaqar_ws endpoint, but that only applies to connections made directly to the zaqar_ws endpoint. Since UI now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout is now applied for the same reasons to the ui haproxy server. Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb Closes-Bug: 1672826
2017-03-22  Adding listen_options for Contrail Webui https in haproxy  (Michael Henkel; 1 file, -0/+4)
Without balance source and hash-type consistent, traffic to Contrail Webui https is not correctly load-balanced. Change-Id: I05a5aeea7db801c1403ef3c4dd4f94480fd8692e
2017-03-13  Correct haproxy's stat unix socket path  (Michele Baldessari; 1 file, -1/+1)
We currently set the haproxy stat socket to /var/run/haproxy.sock. On Centos/RHEL with selinux enabled this will break: avc: denied { link } for pid=284010 comm="haproxy" name="haproxy.sock" dev="tmpfs" ino=330803 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file The blessed/correctly-labeled path is /var/lib/haproxy/stats Note: I am setting only Partial-Bug because I would still like to make this a parameter so other distros may just override the path. But that change is more apt for pike and not for ocata. Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c Partial-Bug: #1671119
2017-03-07  Deploy Heat APIs over httpd  (Juan Antonio Osorio Robles; 1 file, -0/+3)
This deploys the Heat APIs (api, cfn and cloudwatch) over httpd, and includes the TLS-everywhere bits. bp tls-via-certmonger Change-Id: I23971b0164468e67c9b3577772af84bd947e16f1
2017-02-28  Revert "Add httpchk for http services"  (Emilien Macchi; 1 file, -25/+87)
https://bugs.launchpad.net/tripleo/+bug/1668493 I thought about a fix for ceph_rgw, but I realized we might have missed other services too, especially the ones we're not testing in CI. We need to revisit this work and probably make the code more robust for the services where no CI coverage is done. Related-Bug: #1668493 This reverts commit ebcc470ea8a632e6d5c13561a97e817d5f290aac. Change-Id: I3f79c881d8aeda361a59f9952948355986a7c835
2017-02-22  Add httpchk for http services  (Alex Schultz; 1 file, -87/+25)
The httpchk health check option should help reduce the situations where haproxy thinks the service is up but the service is only listening and not actively serving http requests. Change-Id: Ie72b96c76d7513f84003bc15b6527c97df7ba92f Closes-Bug: #1629052
2017-02-13  Uncomment internal TLS options for placement API  (Juan Antonio Osorio Robles; 1 file, -1/+1)
Placement API is still running over wsgi, which can run with TLS on the internal network; these options were commented out in haproxy, and doing this breaks the TLS-everywhere setup. Change-Id: I1194f1f487cdcf45541c0d139806aa3dc4456d6e
2017-02-06  Stop deploying Nova API in WSGI with Apache  (Emilien Macchi; 1 file, -2/+2)
It was suggested by the Nova team not to deploy Nova API in WSGI with Apache in production. It's causing some issues that we didn't catch until now (see the bug report). Until we figure out what was wrong, let's disable it so we can move forward in the upgrade process. Related-Bug: 1661360 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
2017-01-31  Merge "Re-organizes Contrail services to the correct roles"  (Jenkins; 1 file, -1/+79)
2017-01-27  Re-organizes Contrail services to the correct roles  (Michael Henkel; 1 file, -1/+79)
In the current setup some Contrail services belong to the wrong roles. The Contrail control plane can be impacted if the Analytics database has problems. Furthermore, the contrail tripleo puppet modules are being refactored to conform to the new interface of the puppet-contrail modules. Closes-Bug: 1659560 Change-Id: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
2017-01-27  Merge "Use TLS proxy for neutron server's internal TLS"  (Jenkins; 1 file, -0/+1)
2017-01-26  Use TLS proxy for neutron server's internal TLS  (Juan Antonio Osorio Robles; 1 file, -0/+1)
This uses the tls_proxy resource added in a previous commit [1] in front of the neutron server when internal TLS is enabled. Right now values are passed quite manually, but a subsequent commit will use t-h-t to pass the appropriate hieradata, and then we'll be able to clean it up from here. Note that the proxy is only deployed when internal TLS is enabled. [1] I82243fd3acfe4f23aab373116b78e1daf9d08467 bp tls-via-certmonger Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e