path: root/manifests/haproxy.pp
Age | Commit message | Author | Files | Lines
2016-11-09 | Merge "Enable TLS in the internal network for Nova API" | Jenkins | 1 | -0/+1
2016-11-09 | Merge "Better way to ensure keepalived before haproxy." | Jenkins | 1 | -0/+2
2016-11-09 | Merge "Pass X-Forwarded-Proto for missing services" | Jenkins | 1 | -0/+20
2016-11-08 | Better way to ensure keepalived before haproxy. | Sofer Athlan-Guyot | 1 | -0/+2
    The latest patchset of https://review.openstack.org/393361 was actually not working. The `if defined` idiom depends on *evaluation* order. At the time it's read in the haproxy.pp class, the line that loads the class 'haproxy' has still not yet been reached and thus the `defined` result is false. The constraint is not added. For this reason, the use of `defined` in modules is not advised by puppetlabs[1].

    [1] https://docs.puppet.com/puppet/latest/reference/function.html#defined

    Change-Id: Ibd352cb313f8863d62db8987419378bed5b87256
    Relates-To: #1638029
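The evaluation-order problem described in the commit message above, as an added example that is not puppet-tripleo code. The class names `example::haproxy_fragile` and `example::haproxy_robust` and the `$manage_keepalived` parameter are assumptions for illustration, and the typed parameter assumes Puppet 4 or later; the `keepalived` and `haproxy` classes are the puppet modules the commit refers to.

```puppet
# Added example, not from puppet-tripleo. Class names and the
# $manage_keepalived parameter are assumptions for illustration.

# Anti-pattern: defined() is answered at parse time, with only what has
# been evaluated so far. If this class is reached before the manifest
# that declares Class['keepalived'], the test is false, the chaining arrow
# is never emitted, and haproxy may start before keepalived has brought
# up the VIPs. No error is raised, so the failure is silent.
class example::haproxy_fragile {
  if defined(Class['keepalived']) {
    Class['keepalived'] -> Class['haproxy']
  }
  include ::haproxy
}

# Robust form: decide from data, not from catalog state. Declaring
# keepalived here and chaining the two classes makes the ordering
# unconditional whenever keepalived is wanted at all. Relationships
# between class references are resolved once the catalog is complete,
# so evaluation order no longer matters. Referencing a class that is
# never declared is an error rather than a silent no-op, which is the
# behaviour we want from an ordering constraint.
class example::haproxy_robust (
  Boolean $manage_keepalived = true,
) {
  include ::haproxy
  if $manage_keepalived {
    include ::keepalived
    Class['::keepalived'] -> Class['::haproxy']
  }
}
```

The fragile variant compiles cleanly and applies without warnings whether or not the constraint was added, which is why the original patchset looked correct in review. With the robust form, a missing `keepalived` class surfaces at compile time instead of as a race between the two services at boot.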
2016-11-08 | Merge "Enable TLS in the internal network for gnocchi" | Jenkins | 1 | -0/+1
2016-11-08 | Merge "Improve failed mysql node removal time in HA deploys." | Jenkins | 1 | -3/+20
2016-11-08 | Pass X-Forwarded-Proto for missing services | Juan Antonio Osorio Robles | 1 | -0/+20
    aodh, ceilometer, gnocchi and neutron need the X-Forwarded-Proto in order to return links with the correct protocol when SSL is enabled. This enables it in HAProxy.

    Change-Id: Icceab92f86b1cc40d42195fa4ba0c75f302795b8
    Closes-Bug: #1640126
2016-11-08 | Improve failed mysql node removal time in HA deploys. | Chris Jones | 1 | -3/+20
    In HA deployments, we now check mysql nodes every 1s and remove them immediately if they are failed. Previously we would check every 2s and allow them to fail 5 checks before being removed, producing errors from other OpenStack services for 10s, which causes confusion and delay for operators. Additionally, these check options are now also a class parameter so they can be overridden by operators.

    Closes-Bug: #1639189
    Change-Id: I0b915f790ae5a4b018a212d3aa83cca507be05e9
2016-11-07 | Increase haproxy timeouts | Steven Hardy | 1 | -2/+2
    It's been proposed this may help with the ('Connection aborted.', BadStatusLine("''",)) errors. This patch increases queue, server and client timeouts to 2m (default is 1m).

    Related-Bug: #1638908
    Change-Id: Ie4f059f3fad2271bb472697e85ede296eee91f5d
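The three settings described in the last three commit messages (X-Forwarded-Proto for API backends, faster MySQL failure detection, and 2m queue/client/server timeouts) as one added example. It is not code from this repository: it uses the puppetlabs-haproxy module's `haproxy`, `haproxy::listen` and `haproxy::balancermember` interfaces directly rather than tripleo's own `tripleo::haproxy::endpoint` wrapper. All addresses, ports, hostnames, the certificate path and the port 9200 health-check endpoint are assumptions. It also goes slightly beyond the commits by setting the header in both directions, so a client cannot supply its own value.

```puppet
# Added example, not puppet-tripleo code. Built on puppetlabs-haproxy.
# All addresses, ports, hostnames and paths below are assumptions.

class { '::haproxy':
  defaults_options => {
    'mode'    => 'tcp',
    'log'     => 'global',
    'retries' => '3',
    'maxconn' => '4000',
    # Raised from the 1m defaults: long uploads and slow backends
    # otherwise surface as client-side "Connection aborted" errors.
    'timeout' => [
      'http-request 10s',
      'queue 2m',
      'connect 10s',
      'client 2m',
      'server 2m',
      'check 10s',
    ],
  },
}

# HTTP API: TLS terminated on the public VIP, plaintext on the internal VIP.
haproxy::listen { 'nova_osapi':
  mode             => 'http',
  collect_exported => false,
  bind             => {
    '192.0.2.10:8774'    => ['transparent'],
    '203.0.113.10:13774' => ['ssl', 'crt', '/etc/pki/tls/private/overcloud_endpoint.pem'],
  },
  options          => {
    'option'       => ['httpchk', 'httplog', 'forwardfor'],
    # Set, do not merely forward, X-Forwarded-Proto. ssl_fc is true only
    # when this frontend connection was TLS, so a client cannot claim
    # "https" on the plaintext port, and the backend can trust the value
    # when it builds links or decides whether the request was secure.
    'http-request' => [
      'set-header X-Forwarded-Proto https if { ssl_fc }',
      'set-header X-Forwarded-Proto http if !{ ssl_fc }',
    ],
  },
}

haproxy::balancermember { 'nova_osapi':
  listening_service => 'nova_osapi',
  server_names      => ['ctrl-0', 'ctrl-1', 'ctrl-2'],
  ipaddresses       => ['192.0.2.11', '192.0.2.12', '192.0.2.13'],
  ports             => '8774',
  options           => 'check fall 5 inter 2000 rise 2',
}

# Galera: probe an HTTP clustercheck endpoint (assumed on port 9200) and
# pin all clients to one node so writes do not fan out across the cluster.
haproxy::listen { 'mysql':
  mode             => 'tcp',
  collect_exported => false,
  bind             => { '192.0.2.10:3306' => ['transparent'] },
  options          => {
    'option'      => ['tcpka', 'httpchk'],
    'timeout'     => ['client 90m', 'server 90m'],
    'stick-table' => 'type ip size 1000',
    'stick'       => 'on dst',
  },
}

haproxy::balancermember { 'mysql':
  listening_service => 'mysql',
  server_names      => ['ctrl-0', 'ctrl-1', 'ctrl-2'],
  ipaddresses       => ['192.0.2.11', '192.0.2.12', '192.0.2.13'],
  ports             => '3306',
  # Before: 'check inter 2000 fall 5' left a dead node in rotation for
  # up to ~10s of failed queries. After: probe every second, pull the
  # node on the first failure, and tear down sessions already bound to it.
  options           => 'check inter 1s fall 1 rise 2 port 9200 on-marked-down shutdown-sessions',
}
```

The two `http-request set-header` lines are the security-relevant part: with only `option forwardfor` and a single unconditional header, a client on the plaintext port could send its own `X-Forwarded-Proto: https` and have the backend advertise secure links for an insecure connection. Setting the header from `ssl_fc` on every request removes that choice from the client.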
2016-11-01 | Fix default for barbican documentation | Juan Antonio Osorio Robles | 1 | -1/+1
    Change-Id: Id4dc2379b0c423012a0b3aaf49d1e1a7d633a03b
2016-11-01 | Merge "Add barbican profile" | Jenkins | 1 | -0/+26
2016-11-01 | Merge "Fixes transparent binding to OpenDaylight in HA Proxy" | Jenkins | 1 | -2/+2
2016-11-01 | Enable TLS in the internal network for Nova API | Juan Antonio Osorio Robles | 1 | -0/+1
    This optionally enables TLS for Nova API in the internal network. If internal TLS is enabled, each node that is serving the Nova API service will use certmonger to request its certificate. Note that this doesn't enable internal TLS for the nova metadata service since it doesn't run over httpd. This will be handled in a later commit.

    bp tls-via-certmonger

    Change-Id: I88380a1ed8fd597a1a80488cbc6ce357f133bd70
2016-10-31 | Merge "Enable TLS in the internal network for aodh" | Jenkins | 1 | -0/+1
2016-10-31 | Merge "Enable TLS in the internal network for ceilometer" | Jenkins | 1 | -0/+1
2016-10-30 | Fixes transparent binding to OpenDaylight in HA Proxy | Tim Rozet | 1 | -2/+2
    ODL was missing transparent binding mode, which causes HA deployments to fail since HA Proxy will try to come up on every node (even without VIP).

    Closes-Bug: 1637833
    Change-Id: I0bb7839cdcfeacb4ca1a9fc6f878e8b51330be92
    Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-10-23 | Merge "Enable communication between UI and the Undercloud by making HAProxy proxy for the UI" | Jenkins | 1 | -0/+20
2016-10-23 | Merge "Enable haproxy statistics unix socket" | Jenkins | 1 | -0/+4
2016-10-22 | Merge "Increase haproxy client/server timeout for swift-proxy" | Jenkins | 1 | -0/+5
2016-10-22 | Merge "Use HAProxy for docker-registry endpoint" | Jenkins | 1 | -0/+26
2016-10-21 | Increase haproxy client/server timeout for swift-proxy | John Trowbridge | 1 | -0/+5
    The upload and extraction for the plan tarball to swift can take longer than the default one minute in slower environments. Doubling the timeout to two minutes has proven to help. This is only a partial fix, because the error reporting for this issue also needs to be improved.

    Change-Id: I06592d38fdfefacc8bdf76289a0bfa20eb33a89b
    Partial-Bug: 1635269
2016-10-20 | Use HAProxy for docker-registry endpoint | Steve Baker | 1 | -0/+26
    The docker tooling has a preference for interacting with encrypted endpoints. Terminating the docker-registry endpoint with HAProxy allows the SSL VIP to be used for this purpose.

    Change-Id: Ifebfa7256e0887d6f26a478ff8dc82b0ef5f65f6
2016-10-19 | Enable TLS in the internal network for gnocchi | Juan Antonio Osorio Robles | 1 | -0/+1
    This optionally enables TLS for gnocchi in the internal network. If internal TLS is enabled, each node that is serving the gnocchi service will use certmonger to request its certificate.

    bp tls-via-certmonger

    Change-Id: Ie983933e062ac6a7f0af4d88b32634e6ce17838b
2016-10-19 | Enable TLS in the internal network for aodh | Juan Antonio Osorio Robles | 1 | -0/+1
    This optionally enables TLS for aodh in the internal network. If internal TLS is enabled, each node that is serving the aodh service will use certmonger to request its certificate. This, in turn should also configure a command that should be run when the certificate is refreshed (which requires the service to be restarted).

    bp tls-via-certmonger

    Change-Id: I50ef0c8fbecb19d6597a28290daa61a91f3b13fc
2016-10-19 | Enable TLS in the internal network for ceilometer | Juan Antonio Osorio Robles | 1 | -0/+1
    This optionally enables TLS for aodh in the internal network. If internal TLS is enabled, each node that is serving the ceilometer service will use certmonger to request its certificate. This, in turn should also configure a command that should be run when the certificate is refreshed (which requires the service to be restarted).

    bp tls-via-certmonger

    Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496
2016-10-19 | Enable TLS in the internal network for keystone | Juan Antonio Osorio Robles | 1 | -0/+15
    This optionally enables TLS for keystone in the internal network. If internal TLS is enabled, each node that is serving the keystone service will use certmonger to request its certificate. This, in turn should also configure a command that should be run when the certificate is refreshed (which requires the service to be restarted).

    bp tls-via-certmonger

    Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
2016-10-19 | Add barbican profile | Ade Lee | 1 | -0/+26
    Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
    Change-Id: If2804b469eb3ee08f3f194c7dd3290d23a245a7a
2016-10-17 | Enable communication between UI and the Undercloud by making HAProxy proxy for the UI | Dan Trainor | 1 | -0/+20
    Change-Id: I74eac4bbfc16720eeb6e2bf0ee251689dde3bafc
    Implements: enable-communication-ui-undercloud
2016-10-16 | Enable haproxy statistics unix socket | Michele Baldessari | 1 | -0/+4
    By enabling the statistics socket we allow the collection of statistics over time for haproxy. This socket is set to "user" level, so this socket is limited to read-only. The "stats timeout" line is optional, but since the default timeout of the stats socket is 10s, we set this higher.

    Change-Id: I22d3ab771e981be0d2c74b60443d276973bc1639
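The stats socket settings the commit message above describes, as an added example that is not puppet-tripleo code. It declares the puppetlabs-haproxy `haproxy` class with `global_options`; the remaining global options and the socket path are assumptions, and the weak form (what you get without an explicit level) is shown in the comments beside the hardened line.

```puppet
# Added example, not puppet-tripleo code. Uses the puppetlabs-haproxy
# haproxy class; all global options other than 'stats' are assumptions.
class { '::haproxy':
  global_options => {
    'log'     => '/dev/log local0',
    'user'    => 'haproxy',
    'group'   => 'haproxy',
    'daemon'  => '',
    'maxconn' => '4000',
    # Weak form:   'stats' => 'socket /var/lib/haproxy/stats'
    # With no level given HAProxy applies "operator", which permits state
    # changes such as clearing counters, and the socket inherits the
    # default 10s idle timeout, so a collector that pauses between reads
    # is disconnected.
    #
    # Hardened form: "level user" makes the socket read-only, "mode 600"
    # keeps the socket file private to the haproxy user, and the explicit
    # timeout lets a monitoring session stay open for its polling interval.
    'stats'   => [
      'socket /var/lib/haproxy/stats mode 600 level user',
      'timeout 2m',
    ],
  },
}
```

Each entry in the `stats` array renders as its own `stats ...` line in the global section. To confirm the level took effect, `echo 'show info' | socat stdio /var/lib/haproxy/stats` should return statistics, while a state-changing command such as `disable server` on the same socket should be refused with a permission error.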
2016-10-05 | Fetch internal certificates for HAProxy based on network | Juan Antonio Osorio Robles | 1 | -67/+230
    The service profile in HAProxy has the capability of creating certificates based on a map. The idea is to standardize this, as some of those certificates should match certain networks the services are listening on (with the exception of the external network which is handled differently and the tenant network which doesn't need a certificate). So, based on which network a certain service is listening on, we fetch the appropriate certificate.

    bp tls-via-certmonger

    Change-Id: I89001ae32f46c9682aecc118753ef6cd647baa62
2016-10-05 | Use service-specific servernames for haproxy | Juan Antonio Osorio Robles | 1 | -31/+31
    Right now we're hardcoding the server names for the services to be the controllers. This is problematic if we start using custom roles for services, which listen on nodes that are not controllers. We already have the server names for each service, so using this mapping instead fixes the issue.

    Change-Id: Ic4b65edb3dc1b75abbc3421a87cab97425b058c4
    Closes-Bug: #1629098
2016-10-03 | Merge "Added X-Forwarded-Proto headers for horizon" | Jenkins | 1 | -4/+7
2016-09-20 | Merge "Terminate Zaqar websocket endpoint in HAProxy" | Jenkins | 1 | -0/+33
2016-09-20 | Terminate Zaqar websocket endpoint in HAProxy | Juan Antonio Osorio Robles | 1 | -0/+33
    Note that there was a need to modify different timeouts due to the nature of how websockets work. The source where the reasoning and value came from is listed as a comment in the code.

    Related-Bug: #1625448
    Co-Authored-By: Brad P. Crochet <brad@redhat.com>
    Change-Id: I9de77d5f692c1c9d04e3c59c5de5312e63f81aed
2016-09-15 | Fix wrong flag name for VNC Proxy in HAProxy | Juan Antonio Osorio Robles | 1 | -2/+2
    The name was wrong, and so fixing it will actually enable VNC Proxy when the service is enabled.

    Change-Id: I65e90479fd33844b4dcd70c19cec3cd838aeff69
    Closes-Bug: #1623796
2016-09-12 | Enable X-Forwarded-Proto for manila | Juan Antonio Osorio Robles | 1 | -0/+5
    This is necessary so the middleware in manila can set the protocol correctly in case we're terminating SSL in HAProxy.

    Depends-On: Ice78b0abceb6a956bb8c1dc6212ee1b56b62b43f
    Change-Id: Iedaabaf1379466c22e3b9bb2307e940459d26de7
2016-08-31 | Add Ceph RGW listener to HAProxy | Giulio Fidente | 1 | -0/+20
    Shares the same (ssl) port with Swift Proxy.

    Change-Id: I2e1de1a3fa6ad62895a1e972e43858f23c08bbea
2016-08-31 | Default haproxy listeners activation on hiera service _enabled | Giulio Fidente | 1 | -54/+54
    Change-Id: I5c620ba717f782b39c599aff24b4ac56fb695a04
2016-08-29 | Merge "Removing WARNING: line has more than 140 characters in puppet-tripleo profiles" | Jenkins | 1 | -1/+6
2016-08-24 | Added X-Forwarded-Proto headers for horizon | Graeme Gillies | 1 | -4/+7
    When enabling federated authentication with keystone, and then enabling websso in horizon, the URL horizon constructs for the redirect is done internally, and django needs to be able to know if it has to construct the url with http or https. By setting this header at the haproxy level, horizon can make the correct decision.

    Change-Id: I0281fe1e5efa0d3f5983342dec70752246d9fca8
2016-08-13 | Adds OpenDaylight | Tim Rozet | 1 | -0/+28
    Partially-Implements: blueprint opendaylight-integration

    Note this patch only adds support for a single ODL instance.
    - neutron/opendaylight.pp handles installing ODL to control nodes
    - ml2/opendaylight.pp handles configuring ML2 to work with ODL
    - ovs/opendaylight.pp handles configuring OVS to connect to ODL

    Change-Id: I666dc0874f1d11a72a62d796f4f6d41f7aa87a3f
    Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-08-11 | Removing WARNING: line has more than 140 characters in puppet-tripleo profiles | Carlos Camacho | 1 | -1/+6
    Some lint checks are returning: WARNING: line has more than 140 characters in puppet-tripleo profiles

    This patch will remove those warnings by adding \'s

    Change-Id: I19b56c93db82948fb0498a4c9851b522c81946f8
2016-08-10 | Handle redirects for keystone | Juan Antonio Osorio Robles | 1 | -5/+16
    If keystone sends a redirect and we have TLS enabled, we need to modify the response in order to indicate https.

    Change-Id: Icd61f527473bfe5153e058e94f9ed141cf13812d
2016-08-07 | Merge "Add passing of X-Forwarded-Proto to Glance API endpoint" | Jenkins | 1 | -0/+6
2016-08-05 | Add passing of X-Forwarded-Proto to Glance API endpoint | Juan Antonio Osorio Robles | 1 | -0/+6
    Glance supports the http_proxy_to_wsgi middleware, and it was recently enabled in the overcloud [1]. However, for it to work properly, we need to add the X-Forwarded-Proto header which was missing from the HAProxy configuration.

    [1] I4a8f7fc079ca93c50aa0ef7b0548dc64f6c5cfa0

    Change-Id: I82e2db1145b0476cec27676fdfbb97e86cbd8182
2016-08-05 | Add zaqar API endpoint in HAProxy | Juan Antonio Osorio Robles | 1 | -0/+20
    This will enable us to terminate SSL connections for Zaqar's API.

    Change-Id: If75e2947a2dca95b3e53e1b1ffd93f36fc7fb1cc
2016-07-14 | Add Mistral profiles | Brad P. Crochet | 1 | -0/+20
    Add Mistral profiles for non-ha and ha scenarios

    Change-Id: I1a072326091fd3b0c21d2f78041e3532b67c60eb
    Implements: blueprint refactor-puppet-manifests
    Depends-On: I6ce61054384c15876c498ba8cf582f88d9f7f54c
2016-06-22 | Add ironic inspector as a terminated HAProxy endpoint | Juan Antonio Osorio Robles | 1 | -0/+20
    This is needed for the undercloud, as it's in HAProxy where we make the SSL terminations.

    Change-Id: Ie4d652b4e5a95849c2fa32a5ce5ecec09ccb6bd9
    Related-Bug: #1595047
2016-06-02 | Remove tripleo::loadbalancer | Emilien Macchi | 1 | -7/+8
    The split has been done on both undercloud & overcloud, they now use tripleo::haproxy and tripleo::keepalived. We can move forward with removing tripleo::loadbalancer and tripleo::loadbalancer::endpoint, not used anymore. Simplify tripleo::profile::base::loadbalancer to just include tripleo::haproxy and rely on Hiera for parameters.

    Change-Id: Ieeb1e94117ae9cb8b11320306de3a9b236bd989a
2016-06-02 | loadbalancer: remove controller_host | Emilien Macchi | 1 | -20/+4
    controller_host was deprecated and is not used anymore anywhere. Let's drop it. Also make controller_hosts really required, by not setting a default parameter, so Puppet catalog will fail if no value is given.

    Change-Id: Iad760115f925e848e4b72009db5177f88ceb4ad8