aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/haproxy.pp
AgeCommit message (Collapse)AuthorFilesLines
2017-06-16For http service endpoints always redirect to httpsJuan Antonio Osorio Robles1-12/+3
If public TLS is enabled, this sets as default that services should always redirect to https. Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
2017-06-14Merge "Remove condition to match hdr(host) in haproxy redirect rule"Jenkins1-1/+1
2017-06-12Remove condition to match hdr(host) in haproxy redirect ruleRyan O'Hara1-1/+1
The horizon proxy should redirect all HTTP requests to HTTPS, regardless of the 'Host' field in the header. The current rule will cause haproxy to redirect HTTP requests if the 'Host' field contains the public virtual IP address. It will not redirect if the 'Host' field contains a hostname, FQDN, etc. Change-Id: I6c8f58a30f97cdf4c668734793197ea976297733 Signed-off-by: Ryan O'Hara <rohara@redhat.com>
2017-06-08Use CRL for HAProxyJuan Antonio Osorio Robles1-1/+12
This sets up the CRL file to be triggered on the certmonger_user resource. Furtherly, HAProxy uses this CRL file in the member options, thus effectively enabling revocation for proxied nodes. So, if a certificate has been revoked by the CA, HAProxy will not proxy requests to it. bp tls-via-certmonger Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
2017-06-01Pacemaker support for OVN DB serversBabu Shanmugam1-1/+10
This patch enables OVN DB servers to be started in master/slave mode in the pacemaker cluster. A virtual IP resource is created first and then the pacemaker OVN OCF resource - "ovn:ovndb-servers" is created. The OVN OCF resource is configured to be colocated with the vip resource. The ovn-controller and Neutron OVN ML2 mechanism driver which depends on OVN DB servers will always connect to the vip address on which the master OVN DB servers listen on. The OVN OCF resource itself takes care of (re)starting ovn-northd service on the master node and we don't have to manage it. When HA is enabled for OVN DB servers, haproxy does not configure the OVN DB servers in its configuration. This patch requires OVS 2.7 in the overcloud. Co-authored:by: Numan Siddique <nusiddiq@redhat.com> Change-Id: I9dc366002ef5919339961e5deebbf8aa815c73db Partial-bug: #1670564
2017-04-25Merge "Enable internal network TLS for etcd"Jenkins1-0/+1
2017-04-21Merge "Allow to configure haproxy daemon's status"Jenkins1-14/+27
2017-04-19Allow to configure haproxy daemon's statusMichele Baldessari1-14/+27
Currently we hard-code the fact that haproxy starts as a daemon. When running haproxy in a container we need this to be configurable because the haproxy process will be pid number 1. We are not changing the current semantics which have the 'daemon' option always set, but we are allowing its disabling. Change-Id: I51c482b70731f15fee4025bbce14e46a49a49938
2017-04-18Haproxy: When using TLS everywhere, use verifyhost for the balancermembersJuan Antonio Osorio Robles1-0/+3
This checks that the subjectAltName in the backend server's certificate matches the server's name that was intended to be used. Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
2017-04-17HAproxy/heat_api: increase timeout to 10mEmilien Macchi1-2/+6
Default timeout is 2min but it doesn't reflect the rpc_response_timeout value that we set in THT and instack-undercloud, which is 600 (10 min). In some cases (in low-memory environments), Heat needs more than 2 minutes to reply to the client, when deploying the overcloud. It makes sense to increase the timeout to the value of rpc_timeout to give a chance to Heat to reply to the client, otherwise HAproxy will kill the connection and send 504 to the client. Depends-On: I9669d40d86d762101734704fcef153e360767690 Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c Related-Bug: 1666072
2017-04-12Enable internal network TLS for etcdFeng Pan1-0/+1
bp secure-etcd Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-10etcd: Make HAProxy terminate TLS connectionsJuan Antonio Osorio Robles1-17/+14
When TLS is enabled for the internal network, HAProxy needs to handle etcd's TLS termination. Else it will use plain text. bp secure-etcd Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
2017-04-07Merge "Adding listen_options for Contrail Webui https in haproxy"Jenkins1-0/+4
2017-04-07Merge "Add httpchk for http services"Jenkins1-87/+26
2017-04-05Merge "Add TLS in the internal network for Swift Proxy"Jenkins1-0/+1
2017-04-04Merge "Use correct manage_firewall hieradata"Jenkins1-2/+2
2017-04-04Add httpchk for http servicesAlex Schultz1-87/+26
The httpchk health check option should help reduce the situtations where haproxy thinks the service is up but the service is only listening and not actively serving http requests. Change-Id: I13cc5dcf2eea53731e756d078586ab9a97340912 Closes-Bug: #1629052
2017-04-04Add TLS in the internal network for Swift ProxyJuan Antonio Osorio Robles1-0/+1
This adds the necessary bits for a TLS Proxy to be placed in front of swift proxy when TLS-everywhere is enabled. This will be furtherly cleaned up once the t-h-t bits are added. bp tls-via-certmonger Change-Id: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
2017-04-03Use correct manage_firewall hieradataBen Nemec1-2/+2
The manage_firewall hieradata was moved to tripleo::firewall::manage_firewall but some of the references to it were not updated, which makes it impossible to completely disable the firewall rules. Change-Id: I5f40f3b8b07bd312cce862aa319b8a1ef331ee49 Closes-Bug: 1679189
2017-03-30Add tunnel timeout for ui proxy containerDan Trainor1-0/+6
Add an explicit tunnel timeout configuration option to increase the tunnel timeout for persistent socket connections from two minutes (2m) to one hour (3600s). A configuration was already present to apply a tunnel timeout to the zaqar_ws endpoint, but that only applies to connections made directly to the zaqar_ws endpoint directly. Since UI now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout is now applied for the same reasons to the ui haproxy server. Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb Closes-Bug: 1672826
2017-03-22Adding listen_options for Contrail Webui https in haproxyMichael Henkel1-0/+4
Without balance source and hash-type consistent traffic to Contrail Webui https is not correctly load-balanced Change-Id: I05a5aeea7db801c1403ef3c4dd4f94480fd8692e
2017-03-13Correct haproxy's stat unix socket pathMichele Baldessari1-1/+1
We currently set the haproxy stat socket to /var/run/haproxy.sock. On Centos/RHEL with selinux enabled this will break: avc: denied { link } for pid=284010 comm="haproxy" name="haproxy.sock" dev="tmpfs" ino=330803 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file The blessed/correctly-labeled path is /var/lib/haproxy/stats Note: I am setting only Partial-Bug because I would still like to make this a parameter so other distros may just override the path. But that change is more apt for pike and not for ocata. Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c Patial-Bug: #1671119
2017-03-07Deploy Heat APIs over httpdJuan Antonio Osorio Robles1-0/+3
This deploys the Heat APIs (api, cfn and cloudwatch) over httpd, and includes the TLS-everywhere bits. bp tls-via-certmonger Change-Id: I23971b0164468e67c9b3577772af84bd947e16f1
2017-02-28Revert "Add httpchk for http services"Emilien Macchi1-25/+87
https://bugs.launchpad.net/tripleo/+bug/1668493 I thought about a fix for ceph_rgw, but I realized we might have missed other services too, specially the ones we're not testing in CI. We need to revisit this work and probably make the code more robust for the services where no CI coverage is done. Related-Bug: #1668493 This reverts commit ebcc470ea8a632e6d5c13561a97e817d5f290aac. Change-Id: I3f79c881d8aeda361a59f9952948355986a7c835
2017-02-22Add httpchk for http servicesAlex Schultz1-87/+25
The httpchk health check option should help reduce the situtations where haproxy thinks the service is up but the service is only listening and not actively serving http requests. Change-Id: Ie72b96c76d7513f84003bc15b6527c97df7ba92f Closes-Bug: #1629052
2017-02-13Uncomment internal TLS options for placement APIJuan Antonio Osorio Robles1-1/+1
Placement API is still running over wsgi which can run with TLS on the internal network; These options were commented from haproxy and doing this breaks the TLS-everywhere setup. Change-Id: I1194f1f487cdcf45541c0d139806aa3dc4456d6e
2017-02-06Stop deploying Nova API in WSGI with ApacheEmilien Macchi1-2/+2
It was suggested by Nova team to not deploying Nova API in WSGI with Apache in production. It's causing some issues that we didn't catch until now (see in the bug report). Until we figure out what was wrong, let's disable it so we can move forward in the upgrade process. Related-Bug: 1661360 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
2017-01-31Merge "Re-organizes Contrail services to the correct roles"Jenkins1-1/+79
2017-01-27Re-organizes Contrail services to the correct rolesMichael Henkel1-1/+79
In current setup some Contrail services belong to the wrong roles. The Contrail control plane can be impacted if the Analytics database has problems. Furthermore contrail tripleo puppet modules are being refactored to conform to the new interface of the puppet-contrail modules. Closes-Bug: 1659560 Change-Id: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
2017-01-27Merge "Use TLS proxy for neutron server's internal TLS"Jenkins1-0/+1
2017-01-26Use TLS proxy for neutron server's internal TLSJuan Antonio Osorio Robles1-0/+1
This uses the tls_proxy resource added in a previous commit [1] in front of the neutron server when internal TLS is enabled. Right now values are passed quite manually, but a subsequent commit will use t-h-t to pass the appropriate hieradata, and then we'll be able to clean it up from here. Note that the proxy is only deployed when internal TLS is enabled. [1] I82243fd3acfe4f23aab373116b78e1daf9d08467 bp tls-via-certmonger Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
2017-01-26Adding congress serviceDan Radez1-0/+30
Change-Id: Ic74ccd5fa7b3b04ca810416e5160463252f17474 Signed-off-by: Dan Radez <dradez@redhat.com>
2017-01-25Adding tacker serviceDan Radez1-0/+30
Change-Id: I3d6bbc05644e840395f87333ec80e3b844f69903
2017-01-24Merge "Use TLS proxy for Glance API's internal TLS"Jenkins1-0/+1
2017-01-23Merge "Implement Nova ec2api profile"Jenkins1-0/+51
2017-01-23Use TLS proxy for Glance API's internal TLSJuan Antonio Osorio Robles1-0/+1
This uses the tls_proxy resource added in the previous commit [1] in front of the Glance API server when internal TLS is enabled. Right now values are passed quite manually, but a subsequent commit will use t-h-t to pass the appropriate hieradata, and then we'll be able to clean it up from here. Note that the proxy is only deployed when internal TLS is enabled. [1] I82243fd3acfe4f23aab373116b78e1daf9d08467 bp tls-via-certmonger Depends-On: Id5dfb38852cf2420f4195a3c1cb98d5c47bbd45e Change-Id: Id35a846d43ecae8903a0d58306d9803d5ea00bee
2017-01-23Remove last bits of Glance RegistryEmilien Macchi1-22/+0
Glance Registry has been removed in TripleO. So we can clean puppet-tripleo and remove last bits that used to deploy this service. Change-Id: Iea8f6340349ab366606205305a3ec9a6e4f11ba6
2017-01-23Merge "Add haproxy firewall rules for galera and redis"Jenkins1-0/+18
2017-01-20Implement Nova ec2api profileSven Anderson1-0/+51
Change-Id: If4b091e1ca02f43aa9c65392baf8ceea007b7cfb
2017-01-19Merge "Adds etcd"Jenkins1-0/+27
2017-01-18Adds etcdFeng Pan1-0/+27
etcd is used by networking-vpp ML2 driver as the messaging mechanism. This patch adds etcd service which can be used by other services. Implements: blueprint fdio-integration-tripleo Change-Id: Idaa3e3deddf9be3d278e90b569466c2717e2d517 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-01-19Use network entries for nova placementJuan Antonio Osorio Robles1-1/+6
Having these available from t-h-t, we should be able to use these now. Change-Id: I7272df25c4fdba152fe15d40444311bc35ace4d9 Depends-On: Id0d34c7c3939ee81126ffd26d0658c0a87805a44
2017-01-11Implement Nova Placement API profileEmilien Macchi1-0/+29
Allow TripleO to deploy Nova Placement API with a new profile. Change-Id: I5e25a50f3d7a9b39f4146a61cb528963ee09e90c
2017-01-09Add haproxy firewall rules for galera and redisMichele Baldessari1-0/+18
This change adds haproxy rules for galera and redis. They are not there because these haproxy entries do not use the ::tripleo::haproxy::endpoint function which does this automatically. Rabbit does not need them because it does not go through haproxy. Closes-Bug: #1654280 Change-Id: If995d5c36341f3c089cbda9a0827ea28c19c796b
2017-01-04Merge "Fixes missing haproxy firewall rules for OpenDaylight"Jenkins1-17/+9
2017-01-04Fixes missing haproxy firewall rules for OpenDaylightTim Rozet1-17/+9
This migrates the haproxy config for ODL to use the tripleo::haproxy::endpoint class. This class automatically configures firewall rules for each haproxy endpoint. Also removes listening on public network for IP and adds listening on ctlplane network for admin access. Partial-Bug: 1651476 Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-12-22Merge "Split ovn plugin and northd configuration"Jenkins1-0/+47
2016-12-19Merge "Fix a typo in haproxy.pp"Jenkins1-1/+1
2016-12-11Merge "Changes default MidoNet API port on HAProxy"Jenkins1-4/+5
2016-11-30Add verify required and CA bundle to haproxyJuan Antonio Osorio Robles1-2/+7
This only takes effect is internal-tls is used, and forces haproxy to do proper verifications of the SSL certificates provided by the servers. bp tls-via-certmonger Change-Id: Ibd98ec46dd6570887db29f55fe183deb1c9dc642