| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This makes sure that we set the necessary options so HAProxy uses TLS
to contact nova. It was commented out when nova was moved to not run
over httpd. Since that is no longer the case we can re-enable it.
Change-Id: I026a7dab30b00a4e93966f650f098c570b0b624b
Depends-On: Iac35b7ddcd8a800901548c75ca8d5083ad17e4d3
|
|
|
|
Some people might or might not want to enable it. So this makes it
configurable. It defaults to true as we were always deploying it before.
Change-Id: I8d2a08cdaf3e5ec3d1a69d4f95e57522508c8610
|
|
Allows configurability of maxconn as applies to
the MySQL section of the HAProxy config, both
for clustercheck and single node.
Also adds a new test for the haproxy class
overall to exercise options.
Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
|
|
|
|
If public TLS is enabled, this sets as default that services should
always redirect to https.
Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
|
|
|
|
The horizon proxy should redirect all HTTP requests to HTTPS,
regardless of the 'Host' field in the header. The current rule will
cause haproxy to redirect HTTP requests if the 'Host' field contains
the public virtual IP address. It will not redirect if the 'Host'
field contains a hostname, FQDN, etc.
Change-Id: I6c8f58a30f97cdf4c668734793197ea976297733
Signed-off-by: Ryan O'Hara <rohara@redhat.com>
|
|
This sets up the CRL file to be triggered on the certmonger_user
resource. Furtherly, HAProxy uses this CRL file in the member options,
thus effectively enabling revocation for proxied nodes.
So, if a certificate has been revoked by the CA, HAProxy will not proxy
requests to it.
bp tls-via-certmonger
Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
|
|
The port used for Panko is conflicts with Trove[1]. According to the
official documentation[2] this should be 8777. The 8777 port has been
occupied by ceilometer. So set the panko api port to 8977.
[1]https://github.com/openstack/trove/blob/master/etc/apache2/trove#L20
[2]https://docs.openstack.org/developer/panko/install/manual.html#installing-the-api-server
Change-Id: I5ccfc97765fc8b8bf9686b2451eda9c44c77dffc
Closes-Bug: #1691283
Depends-On: I53b286d1d6466b574fdb286cc45f3138f96dff59
|
|
This patch enables OVN DB servers to be started in master/slave
mode in the pacemaker cluster.
A virtual IP resource is created first and then the pacemaker OVN OCF
resource - "ovn:ovndb-servers" is created. The OVN OCF resource is
configured to be colocated with the vip resource. The ovn-controller and
Neutron OVN ML2 mechanism driver which depends on OVN DB servers will
always connect to the vip address on which the master OVN DB servers
listen on.
The OVN OCF resource itself takes care of (re)starting ovn-northd service
on the master node and we don't have to manage it.
When HA is enabled for OVN DB servers, haproxy does not configure the OVN DB
servers in its configuration.
This patch requires OVS 2.7 in the overcloud.
Co-authored:by: Numan Siddique <nusiddiq@redhat.com>
Change-Id: I9dc366002ef5919339961e5deebbf8aa815c73db
Partial-bug: #1670564
|
|
|
|
|
|
Currently we hard-code the fact that haproxy starts as a daemon.
When running haproxy in a container we need this to be configurable
because the haproxy process will be pid number 1.
We are not changing the current semantics which have the 'daemon'
option always set, but we are allowing its disabling.
Change-Id: I51c482b70731f15fee4025bbce14e46a49a49938
|
|
This checks that the subjectAltName in the backend server's certificate
matches the server's name that was intended to be used.
Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
|
|
Default timeout is 2min but it doesn't reflect the rpc_response_timeout
value that we set in THT and instack-undercloud, which is 600 (10 min).
In some cases (in low-memory environments), Heat needs more than 2
minutes to reply to the client, when deploying the overcloud.
It makes sense to increase the timeout to the value of rpc_timeout to
give a chance to Heat to reply to the client, otherwise HAproxy will
kill the connection and send 504 to the client.
Depends-On: I9669d40d86d762101734704fcef153e360767690
Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c
Related-Bug: 1666072
|
|
bp secure-etcd
Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
When TLS is enabled for the internal network, HAProxy needs to handle
etcd's TLS termination. Else it will use plain text.
bp secure-etcd
Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
|
|
|
|
|
|
|
|
|
|
The httpchk health check option should help reduce the situtations
where haproxy thinks the service is up but the service is only
listening and not actively serving http requests.
Change-Id: I13cc5dcf2eea53731e756d078586ab9a97340912
Closes-Bug: #1629052
|
|
This adds the necessary bits for a TLS Proxy to be placed in front of
swift proxy when TLS-everywhere is enabled.
This will be furtherly cleaned up once the t-h-t bits are added.
bp tls-via-certmonger
Change-Id: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
|
|
The manage_firewall hieradata was moved to
tripleo::firewall::manage_firewall but some of the references to it
were not updated, which makes it impossible to completely disable
the firewall rules.
Change-Id: I5f40f3b8b07bd312cce862aa319b8a1ef331ee49
Closes-Bug: 1679189
|
|
Add an explicit tunnel timeout configuration option to increase the
tunnel timeout for persistent socket connections from two minutes (2m)
to one hour (3600s). A configuration was already present to apply a
tunnel timeout to the zaqar_ws endpoint, but that only applies to
connections made directly to the zaqar_ws endpoint directly. Since UI
now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout
is now applied for the same reasons to the ui haproxy server.
Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb
Closes-Bug: 1672826
|
|
Without balance source and hash-type consistent traffic to
Contrail Webui https is not correctly load-balanced
Change-Id: I05a5aeea7db801c1403ef3c4dd4f94480fd8692e
|
|
We currently set the haproxy stat socket to /var/run/haproxy.sock.
On Centos/RHEL with selinux enabled this will break:
avc: denied { link } for pid=284010 comm="haproxy"
name="haproxy.sock" dev="tmpfs" ino=330803
scontext=system_u:system_r:haproxy_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
The blessed/correctly-labeled path is /var/lib/haproxy/stats
Note: I am setting only Partial-Bug because I would still like
to make this a parameter so other distros may just override the path.
But that change is more apt for pike and not for ocata.
Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c
Patial-Bug: #1671119
|
|
This deploys the Heat APIs (api, cfn and cloudwatch) over httpd, and
includes the TLS-everywhere bits.
bp tls-via-certmonger
Change-Id: I23971b0164468e67c9b3577772af84bd947e16f1
|
|
https://bugs.launchpad.net/tripleo/+bug/1668493
I thought about a fix for ceph_rgw, but I realized
we might have missed other services too, specially
the ones we're not testing in CI.
We need to revisit this work and probably
make the code more robust for the services where
no CI coverage is done.
Related-Bug: #1668493
This reverts commit ebcc470ea8a632e6d5c13561a97e817d5f290aac.
Change-Id: I3f79c881d8aeda361a59f9952948355986a7c835
|
|
The httpchk health check option should help reduce the situtations
where haproxy thinks the service is up but the service is only
listening and not actively serving http requests.
Change-Id: Ie72b96c76d7513f84003bc15b6527c97df7ba92f
Closes-Bug: #1629052
|
|
Placement API is still running over wsgi which can run with TLS on the
internal network; These options were commented from haproxy and doing
this breaks the TLS-everywhere setup.
Change-Id: I1194f1f487cdcf45541c0d139806aa3dc4456d6e
|
|
It was suggested by Nova team to not deploying Nova API in WSGI with
Apache in production.
It's causing some issues that we didn't catch until now (see in the bug
report). Until we figure out what was wrong, let's disable it so we can
move forward in the upgrade process.
Related-Bug: 1661360
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
|
|
|
|
In current setup some Contrail services belong to the wrong roles.
The Contrail control plane can be impacted if the Analytics database has problems.
Furthermore contrail tripleo puppet modules are being refactored to conform to the
new interface of the puppet-contrail modules.
Closes-Bug: 1659560
Change-Id: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
|
|
|
|
This uses the tls_proxy resource added in a previous commit [1] in
front of the neutron server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to
clean it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
|
|
Change-Id: Ic74ccd5fa7b3b04ca810416e5160463252f17474
Signed-off-by: Dan Radez <dradez@redhat.com>
|
|
Change-Id: I3d6bbc05644e840395f87333ec80e3b844f69903
|
|
|
|
|
|
This uses the tls_proxy resource added in the previous commit [1] in
front of the Glance API server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to clean
it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Depends-On: Id5dfb38852cf2420f4195a3c1cb98d5c47bbd45e
Change-Id: Id35a846d43ecae8903a0d58306d9803d5ea00bee
|
|
Glance Registry has been removed in TripleO. So we can clean
puppet-tripleo and remove last bits that used to deploy this service.
Change-Id: Iea8f6340349ab366606205305a3ec9a6e4f11ba6
|
|
|
|
Change-Id: If4b091e1ca02f43aa9c65392baf8ceea007b7cfb
|
|
|
|
etcd is used by networking-vpp ML2 driver as the messaging mechanism. This
patch adds etcd service which can be used by other services.
Implements: blueprint fdio-integration-tripleo
Change-Id: Idaa3e3deddf9be3d278e90b569466c2717e2d517
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
Having these available from t-h-t, we should be able to use these now.
Change-Id: I7272df25c4fdba152fe15d40444311bc35ace4d9
Depends-On: Id0d34c7c3939ee81126ffd26d0658c0a87805a44
|
|
Allow TripleO to deploy Nova Placement API with a new profile.
Change-Id: I5e25a50f3d7a9b39f4146a61cb528963ee09e90c
|
|
This change adds haproxy rules for galera and redis. They are not there
because these haproxy entries do not use the ::tripleo::haproxy::endpoint
function which does this automatically.
Rabbit does not need them because it does not go through haproxy.
Closes-Bug: #1654280
Change-Id: If995d5c36341f3c089cbda9a0827ea28c19c796b
|
Rob Crittenden
Jenkins
Juan Antonio Osorio Robles
Mike Bayer
Ryan O'Hara
ZhongShengping
Babu Shanmugam
Michele Baldessari
Emilien Macchi
Feng Pan
Alex Schultz
Ben Nemec
Dan Trainor
Michael Henkel
Dan Radez
Sven Anderson