Age | Commit message (Collapse) | Author | Files | Lines |
|
In templates we use 13977 as the port for panko. The
old 13779 is reserved for trove so it conflicts.
Closes-bug: #1712566
Change-Id: I77444199eef6c2b9abbd819829b4fea2d698e2db
(cherry picked from commit 5064677dda8e4f140df6d024089e95afe11a91f1)
|
|
|
|
|
|
This adds a TLS proxy in front of it so it serves TLS in the internal
network.
bp tls-via-certmonger
Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
|
|
This removes clutter from the main haproxy manifest and allows TLS in
the internal network as well. Trying to keep the previous behavior.
bp tls-via-certmonger-containers
Change-Id: I1a68771cc7be7fb2b32abbad81db7890bd2c5502
|
|
The current code exposes an unused public listen directive in HAProxy
for the keystone admin endpoint. This is not ideal and should be
removed, as it exposes the service unnecessarily. We should stick to
just exposing it to the ctlplane network as is the default.
If folks really need to expose it to the public network, they can do so
by modifying the ServiceNetMap through t-h-t and setting the keystone
admin endpoint's network to external.
Now, for "single" or "internal" haproxy endpoints, this adds the ability
to detect if they're using the external network, and thus use TLS on it.
Which is something a deployer would want if they exposed the keystone
admin endpoint in such a way.
Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
Closes-Bug: #1710909
Closes-Bug: #1639996
|
|
|
|
|
|
This creates a new class for the stats interface and furtherly
configures it to also use the certificates that are provided by
certmonger (via the internal_certificates_specs variable).
Note that the already existing haproxy_stats_certificate still works and
will take precedence if it's set.
bp tls-via-certmonger
Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
|
|
This allows running Zaqar with SSL under Apache.
Change-Id: I4c68a662c2433398249f770ac50ba0791449fe71
|
|
When docker-puppet runs module tripleo::haproxy to generate haproxy
configuration file, and tripleo::firewall::manage_firewall is true,
iptables is called to set up firewall rules for the proxied services
and fails due to lack of NET_ADMIN capability.
Make the generation of firewall rule configurable by exposing a
new argument to the puppet module. That way, firewall management can
be temporarily disabled when being run through docker-puppet.
Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #1697921
|
|
optional dpdk"
|
|
This patch will move the Contrail roles communication towards
OpenStack APIs from the public/external network to the
internal_api network. I will also add the option to enable
dpdk for Contrail.
Change-Id: Ia835df656031cdf28de20f41ec6ab1c028dced23
Closes-Bug: 1698422
|
|
This makes sure that we set the necessary options so HAProxy uses TLS
to contact nova. It was commented out when nova was moved to not run
over httpd. Since that is no longer the case we can re-enable it.
Change-Id: I026a7dab30b00a4e93966f650f098c570b0b624b
Depends-On: Iac35b7ddcd8a800901548c75ca8d5083ad17e4d3
|
|
|
|
Some people might or might not want to enable it. So this makes it
configurable. It defaults to true as we were always deploying it before.
Change-Id: I8d2a08cdaf3e5ec3d1a69d4f95e57522508c8610
|
|
Allows configurability of maxconn as applies to
the MySQL section of the HAProxy config, both
for clustercheck and single node.
Also adds a new test for the haproxy class
overall to exercise options.
Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
|
|
|
|
If public TLS is enabled, this sets as default that services should
always redirect to https.
Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
|
|
|
|
The horizon proxy should redirect all HTTP requests to HTTPS,
regardless of the 'Host' field in the header. The current rule will
cause haproxy to redirect HTTP requests if the 'Host' field contains
the public virtual IP address. It will not redirect if the 'Host'
field contains a hostname, FQDN, etc.
Change-Id: I6c8f58a30f97cdf4c668734793197ea976297733
Signed-off-by: Ryan O'Hara <rohara@redhat.com>
|
|
This sets up the CRL file to be triggered on the certmonger_user
resource. Furtherly, HAProxy uses this CRL file in the member options,
thus effectively enabling revocation for proxied nodes.
So, if a certificate has been revoked by the CA, HAProxy will not proxy
requests to it.
bp tls-via-certmonger
Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
|
|
The port used for Panko is conflicts with Trove[1]. According to the
official documentation[2] this should be 8777. The 8777 port has been
occupied by ceilometer. So set the panko api port to 8977.
[1]https://github.com/openstack/trove/blob/master/etc/apache2/trove#L20
[2]https://docs.openstack.org/developer/panko/install/manual.html#installing-the-api-server
Change-Id: I5ccfc97765fc8b8bf9686b2451eda9c44c77dffc
Closes-Bug: #1691283
Depends-On: I53b286d1d6466b574fdb286cc45f3138f96dff59
|
|
This patch enables OVN DB servers to be started in master/slave
mode in the pacemaker cluster.
A virtual IP resource is created first and then the pacemaker OVN OCF
resource - "ovn:ovndb-servers" is created. The OVN OCF resource is
configured to be colocated with the vip resource. The ovn-controller and
Neutron OVN ML2 mechanism driver which depends on OVN DB servers will
always connect to the vip address on which the master OVN DB servers
listen on.
The OVN OCF resource itself takes care of (re)starting ovn-northd service
on the master node and we don't have to manage it.
When HA is enabled for OVN DB servers, haproxy does not configure the OVN DB
servers in its configuration.
This patch requires OVS 2.7 in the overcloud.
Co-authored:by: Numan Siddique <nusiddiq@redhat.com>
Change-Id: I9dc366002ef5919339961e5deebbf8aa815c73db
Partial-bug: #1670564
|
|
|
|
|
|
Currently we hard-code the fact that haproxy starts as a daemon.
When running haproxy in a container we need this to be configurable
because the haproxy process will be pid number 1.
We are not changing the current semantics which have the 'daemon'
option always set, but we are allowing its disabling.
Change-Id: I51c482b70731f15fee4025bbce14e46a49a49938
|
|
This checks that the subjectAltName in the backend server's certificate
matches the server's name that was intended to be used.
Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
|
|
Default timeout is 2min but it doesn't reflect the rpc_response_timeout
value that we set in THT and instack-undercloud, which is 600 (10 min).
In some cases (in low-memory environments), Heat needs more than 2
minutes to reply to the client, when deploying the overcloud.
It makes sense to increase the timeout to the value of rpc_timeout to
give a chance to Heat to reply to the client, otherwise HAproxy will
kill the connection and send 504 to the client.
Depends-On: I9669d40d86d762101734704fcef153e360767690
Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c
Related-Bug: 1666072
|
|
bp secure-etcd
Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
|
|
When TLS is enabled for the internal network, HAProxy needs to handle
etcd's TLS termination. Else it will use plain text.
bp secure-etcd
Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
|
|
|
|
|
|
|
|
|
|
The httpchk health check option should help reduce the situtations
where haproxy thinks the service is up but the service is only
listening and not actively serving http requests.
Change-Id: I13cc5dcf2eea53731e756d078586ab9a97340912
Closes-Bug: #1629052
|
|
This adds the necessary bits for a TLS Proxy to be placed in front of
swift proxy when TLS-everywhere is enabled.
This will be furtherly cleaned up once the t-h-t bits are added.
bp tls-via-certmonger
Change-Id: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
|
|
The manage_firewall hieradata was moved to
tripleo::firewall::manage_firewall but some of the references to it
were not updated, which makes it impossible to completely disable
the firewall rules.
Change-Id: I5f40f3b8b07bd312cce862aa319b8a1ef331ee49
Closes-Bug: 1679189
|
|
Add an explicit tunnel timeout configuration option to increase the
tunnel timeout for persistent socket connections from two minutes (2m)
to one hour (3600s). A configuration was already present to apply a
tunnel timeout to the zaqar_ws endpoint, but that only applies to
connections made directly to the zaqar_ws endpoint directly. Since UI
now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout
is now applied for the same reasons to the ui haproxy server.
Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb
Closes-Bug: 1672826
|
|
Without balance source and hash-type consistent traffic to
Contrail Webui https is not correctly load-balanced
Change-Id: I05a5aeea7db801c1403ef3c4dd4f94480fd8692e
|
|
We currently set the haproxy stat socket to /var/run/haproxy.sock.
On Centos/RHEL with selinux enabled this will break:
avc: denied { link } for pid=284010 comm="haproxy"
name="haproxy.sock" dev="tmpfs" ino=330803
scontext=system_u:system_r:haproxy_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
The blessed/correctly-labeled path is /var/lib/haproxy/stats
Note: I am setting only Partial-Bug because I would still like
to make this a parameter so other distros may just override the path.
But that change is more apt for pike and not for ocata.
Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c
Patial-Bug: #1671119
|
|
This deploys the Heat APIs (api, cfn and cloudwatch) over httpd, and
includes the TLS-everywhere bits.
bp tls-via-certmonger
Change-Id: I23971b0164468e67c9b3577772af84bd947e16f1
|
|
https://bugs.launchpad.net/tripleo/+bug/1668493
I thought about a fix for ceph_rgw, but I realized
we might have missed other services too, specially
the ones we're not testing in CI.
We need to revisit this work and probably
make the code more robust for the services where
no CI coverage is done.
Related-Bug: #1668493
This reverts commit ebcc470ea8a632e6d5c13561a97e817d5f290aac.
Change-Id: I3f79c881d8aeda361a59f9952948355986a7c835
|
|
The httpchk health check option should help reduce the situtations
where haproxy thinks the service is up but the service is only
listening and not actively serving http requests.
Change-Id: Ie72b96c76d7513f84003bc15b6527c97df7ba92f
Closes-Bug: #1629052
|
|
Placement API is still running over wsgi which can run with TLS on the
internal network; These options were commented from haproxy and doing
this breaks the TLS-everywhere setup.
Change-Id: I1194f1f487cdcf45541c0d139806aa3dc4456d6e
|
|
It was suggested by Nova team to not deploying Nova API in WSGI with
Apache in production.
It's causing some issues that we didn't catch until now (see in the bug
report). Until we figure out what was wrong, let's disable it so we can
move forward in the upgrade process.
Related-Bug: 1661360
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
|
|
|
|
In current setup some Contrail services belong to the wrong roles.
The Contrail control plane can be impacted if the Analytics database has problems.
Furthermore contrail tripleo puppet modules are being refactored to conform to the
new interface of the puppet-contrail modules.
Closes-Bug: 1659560
Change-Id: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
|
|
|
|
This uses the tls_proxy resource added in a previous commit [1] in
front of the neutron server when internal TLS is enabled. Right
now values are passed quite manually, but a subsequent commit will use
t-h-t to pass the appropriate hieradata, and then we'll be able to
clean it up from here.
Note that the proxy is only deployed when internal TLS is enabled.
[1] I82243fd3acfe4f23aab373116b78e1daf9d08467
bp tls-via-certmonger
Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
|