aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/haproxy.pp
AgeCommit message (Collapse)AuthorFilesLines
2017-04-05Merge "Add TLS in the internal network for Swift Proxy"Jenkins1-0/+1
2017-04-04Merge "Use correct manage_firewall hieradata"Jenkins1-2/+2
2017-04-04Add TLS in the internal network for Swift ProxyJuan Antonio Osorio Robles1-0/+1
This adds the necessary bits for a TLS Proxy to be placed in front of swift proxy when TLS-everywhere is enabled. This will be furtherly cleaned up once the t-h-t bits are added. bp tls-via-certmonger Change-Id: I6e7193cc5b4bb7e56cc89e0a293c91b0d391c68e
2017-04-03Use correct manage_firewall hieradataBen Nemec1-2/+2
The manage_firewall hieradata was moved to tripleo::firewall::manage_firewall but some of the references to it were not updated, which makes it impossible to completely disable the firewall rules. Change-Id: I5f40f3b8b07bd312cce862aa319b8a1ef331ee49 Closes-Bug: 1679189
2017-03-30Add tunnel timeout for ui proxy containerDan Trainor1-0/+6
Add an explicit tunnel timeout configuration option to increase the tunnel timeout for persistent socket connections from two minutes (2m) to one hour (3600s). A configuration was already present to apply a tunnel timeout to the zaqar_ws endpoint, but that only applies to connections made directly to the zaqar_ws endpoint directly. Since UI now uses mod_proxy to proxy WebSocket connections for Zaqar, the timeout is now applied for the same reasons to the ui haproxy server. Change-Id: If749dc9148ccf8f2fa12b56b6ed6740f42e65aeb Closes-Bug: 1672826
2017-03-13Correct haproxy's stat unix socket pathMichele Baldessari1-1/+1
We currently set the haproxy stat socket to /var/run/haproxy.sock. On Centos/RHEL with selinux enabled this will break: avc: denied { link } for pid=284010 comm="haproxy" name="haproxy.sock" dev="tmpfs" ino=330803 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file The blessed/correctly-labeled path is /var/lib/haproxy/stats Note: I am setting only Partial-Bug because I would still like to make this a parameter so other distros may just override the path. But that change is more apt for pike and not for ocata. Change-Id: I62aab6fb188a9103f1586edac1c2aa7949fdb08c Patial-Bug: #1671119
2017-03-07Deploy Heat APIs over httpdJuan Antonio Osorio Robles1-0/+3
This deploys the Heat APIs (api, cfn and cloudwatch) over httpd, and includes the TLS-everywhere bits. bp tls-via-certmonger Change-Id: I23971b0164468e67c9b3577772af84bd947e16f1
2017-02-28Revert "Add httpchk for http services"Emilien Macchi1-25/+87
https://bugs.launchpad.net/tripleo/+bug/1668493 I thought about a fix for ceph_rgw, but I realized we might have missed other services too, specially the ones we're not testing in CI. We need to revisit this work and probably make the code more robust for the services where no CI coverage is done. Related-Bug: #1668493 This reverts commit ebcc470ea8a632e6d5c13561a97e817d5f290aac. Change-Id: I3f79c881d8aeda361a59f9952948355986a7c835
2017-02-22Add httpchk for http servicesAlex Schultz1-87/+25
The httpchk health check option should help reduce the situtations where haproxy thinks the service is up but the service is only listening and not actively serving http requests. Change-Id: Ie72b96c76d7513f84003bc15b6527c97df7ba92f Closes-Bug: #1629052
2017-02-13Uncomment internal TLS options for placement APIJuan Antonio Osorio Robles1-1/+1
Placement API is still running over wsgi which can run with TLS on the internal network; These options were commented from haproxy and doing this breaks the TLS-everywhere setup. Change-Id: I1194f1f487cdcf45541c0d139806aa3dc4456d6e
2017-02-06Stop deploying Nova API in WSGI with ApacheEmilien Macchi1-2/+2
It was suggested by Nova team to not deploying Nova API in WSGI with Apache in production. It's causing some issues that we didn't catch until now (see in the bug report). Until we figure out what was wrong, let's disable it so we can move forward in the upgrade process. Related-Bug: 1661360 Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com> Change-Id: Ia87b5bdea79e500ed41c30beb9aa9d6be302e3ac
2017-01-31Merge "Re-organizes Contrail services to the correct roles"Jenkins1-1/+79
2017-01-27Re-organizes Contrail services to the correct rolesMichael Henkel1-1/+79
In current setup some Contrail services belong to the wrong roles. The Contrail control plane can be impacted if the Analytics database has problems. Furthermore contrail tripleo puppet modules are being refactored to conform to the new interface of the puppet-contrail modules. Closes-Bug: 1659560 Change-Id: Id0dd35b95c5fe9d0fcc1e16c4b7d6cc601f10818
2017-01-27Merge "Use TLS proxy for neutron server's internal TLS"Jenkins1-0/+1
2017-01-26Use TLS proxy for neutron server's internal TLSJuan Antonio Osorio Robles1-0/+1
This uses the tls_proxy resource added in a previous commit [1] in front of the neutron server when internal TLS is enabled. Right now values are passed quite manually, but a subsequent commit will use t-h-t to pass the appropriate hieradata, and then we'll be able to clean it up from here. Note that the proxy is only deployed when internal TLS is enabled. [1] I82243fd3acfe4f23aab373116b78e1daf9d08467 bp tls-via-certmonger Change-Id: I6dfbf49f45aef9f47e58b5c0dbedd2b4e239979e
2017-01-26Adding congress serviceDan Radez1-0/+30
Change-Id: Ic74ccd5fa7b3b04ca810416e5160463252f17474 Signed-off-by: Dan Radez <dradez@redhat.com>
2017-01-25Adding tacker serviceDan Radez1-0/+30
Change-Id: I3d6bbc05644e840395f87333ec80e3b844f69903
2017-01-24Merge "Use TLS proxy for Glance API's internal TLS"Jenkins1-0/+1
2017-01-23Merge "Implement Nova ec2api profile"Jenkins1-0/+51
2017-01-23Use TLS proxy for Glance API's internal TLSJuan Antonio Osorio Robles1-0/+1
This uses the tls_proxy resource added in the previous commit [1] in front of the Glance API server when internal TLS is enabled. Right now values are passed quite manually, but a subsequent commit will use t-h-t to pass the appropriate hieradata, and then we'll be able to clean it up from here. Note that the proxy is only deployed when internal TLS is enabled. [1] I82243fd3acfe4f23aab373116b78e1daf9d08467 bp tls-via-certmonger Depends-On: Id5dfb38852cf2420f4195a3c1cb98d5c47bbd45e Change-Id: Id35a846d43ecae8903a0d58306d9803d5ea00bee
2017-01-23Remove last bits of Glance RegistryEmilien Macchi1-22/+0
Glance Registry has been removed in TripleO. So we can clean puppet-tripleo and remove last bits that used to deploy this service. Change-Id: Iea8f6340349ab366606205305a3ec9a6e4f11ba6
2017-01-23Merge "Add haproxy firewall rules for galera and redis"Jenkins1-0/+18
2017-01-20Implement Nova ec2api profileSven Anderson1-0/+51
Change-Id: If4b091e1ca02f43aa9c65392baf8ceea007b7cfb
2017-01-19Merge "Adds etcd"Jenkins1-0/+27
2017-01-18Adds etcdFeng Pan1-0/+27
etcd is used by networking-vpp ML2 driver as the messaging mechanism. This patch adds etcd service which can be used by other services. Implements: blueprint fdio-integration-tripleo Change-Id: Idaa3e3deddf9be3d278e90b569466c2717e2d517 Signed-off-by: Feng Pan <fpan@redhat.com>
2017-01-19Use network entries for nova placementJuan Antonio Osorio Robles1-1/+6
Having these available from t-h-t, we should be able to use these now. Change-Id: I7272df25c4fdba152fe15d40444311bc35ace4d9 Depends-On: Id0d34c7c3939ee81126ffd26d0658c0a87805a44
2017-01-11Implement Nova Placement API profileEmilien Macchi1-0/+29
Allow TripleO to deploy Nova Placement API with a new profile. Change-Id: I5e25a50f3d7a9b39f4146a61cb528963ee09e90c
2017-01-09Add haproxy firewall rules for galera and redisMichele Baldessari1-0/+18
This change adds haproxy rules for galera and redis. They are not there because these haproxy entries do not use the ::tripleo::haproxy::endpoint function which does this automatically. Rabbit does not need them because it does not go through haproxy. Closes-Bug: #1654280 Change-Id: If995d5c36341f3c089cbda9a0827ea28c19c796b
2017-01-04Merge "Fixes missing haproxy firewall rules for OpenDaylight"Jenkins1-17/+9
2017-01-04Fixes missing haproxy firewall rules for OpenDaylightTim Rozet1-17/+9
This migrates the haproxy config for ODL to use the tripleo::haproxy::endpoint class. This class automatically configures firewall rules for each haproxy endpoint. Also removes listening on public network for IP and adds listening on ctlplane network for admin access. Partial-Bug: 1651476 Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-12-22Merge "Split ovn plugin and northd configuration"Jenkins1-0/+47
2016-12-19Merge "Fix a typo in haproxy.pp"Jenkins1-1/+1
2016-12-11Merge "Changes default MidoNet API port on HAProxy"Jenkins1-4/+5
2016-11-30Add verify required and CA bundle to haproxyJuan Antonio Osorio Robles1-2/+7
This only takes effect is internal-tls is used, and forces haproxy to do proper verifications of the SSL certificates provided by the servers. bp tls-via-certmonger Change-Id: Ibd98ec46dd6570887db29f55fe183deb1c9dc642
2016-11-23Merge "Proxy manila in http mode"Jenkins1-0/+1
2016-11-22Split ovn plugin and northd configurationSteven Hardy1-0/+47
This allows us to use the composable services interfaces to handle providing the IP address for northd, and will be more flexible in the event folks want to deploy northd/ovndb on a different node to the neutron plugin. This also adds ovn_northd to the haproxy configuration so we can access it via the ovn_northd_vip in other service profiles. Note we need to ensure the haproxy config only hits the bootstrap node as northd won't be running on the other nodes. Change-Id: I9af7bd837c340c3df016fc7ad4238b2941ba7a95 Partial-Bug: #1634171
2016-11-22Merge "Use mode 'http' in haproxy for ceilometer, neutron, aodh and gnocchi"Jenkins1-0/+4
2016-11-22Proxy manila in http modeJuan Antonio Osorio Robles1-0/+1
It needs it so HAProxy will be able to set the X-Forwarded-Proto header. Related-Bug: #1640126 Change-Id: I1726fa1742bc70518338b80fc6d27567bb020e7c
2016-11-22Use mode 'http' in haproxy for ceilometer, neutron, aodh and gnocchiJuan Antonio Osorio Robles1-0/+4
HAProxy won't pass X-Forwarded-Proto to these services in mode tcp, so we need to switch it to http in order for it to work and for the services to properly set the protocol in the links they serve. Change-Id: Ib10282159fb9269eebe81af23171ec9fb1297cd0 Closes-Bug: #1640126
2016-11-21Merge "Adds auto-detection for VIP interfaces"Jenkins1-12/+0
2016-11-21Merge "Add panko service support"Jenkins1-0/+32
2016-11-20Adds auto-detection for VIP interfacesTim Rozet1-12/+0
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan deployments ends up being the wrong interface. The public VIP interface was also defaulted to 'br-ex' which would be incorrect for vlan based deployments. Since a user has already given the nic template (and in most cases the subnet that corresponds to the nic) the installer should be able to figure out which interface the public/control vip should be on. These changes enable that type of auto-detection, unless a user explicitly overrides the heat parameters for ControlVirtualInterface and PublicVirtualInterface. Also removes calling keepalived from haproxy now that the services are composed separately on the Controller role. Partial-Bug: 1606632 Change-Id: I05105fce85be8ace986db351cdca2916f405ed04 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-18Changes default MidoNet API port on HAProxyAlejandro Andreu1-4/+5
The default port of the MidoNet Cluster (formerly known as MidoNet API) is now 8181 instead of 8081. Since this parameter is configurable through the settings, the default value for the port has been added to the $service_ports array. Change-Id: I2785d3109993bca0bd68077ff55cfeafbf594e19
2016-11-17Replace hard-coded haproxy/keepalived couplingSteven Hardy1-3/+3
We have a variable in hiera which tells us if the keepalived service is enabled, so use it here. Without this any deployment disabling OS::TripleO::Services::Keepalived will fail. Change-Id: I90faf51881bd05920067c1e1d82baf5d7586af23 Closes-Bug: #1642677
2016-11-15Merge " Enable TLS in the internal network for Barbican API"Jenkins1-1/+2
2016-11-14Add panko service supportPradeep Kilambi1-0/+32
Change-Id: I35f283bdf8dd0ed979c65633724f0464695130a4
2016-11-14Merge "Fix barbican server name to not use aodh hiera"Jenkins1-1/+1
2016-11-14 Enable TLS in the internal network for Barbican APIJuan Antonio Osorio Robles1-1/+2
This optionally enables TLS for Barbican API in the internal network. If internal TLS is enabled, each node that is serving the Barbican API service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
2016-11-11Merge "Enable TLS in the internal network for Cinder API"Jenkins1-0/+1
2016-11-11Fix barbican server name to not use aodh hieraPradeep Kilambi1-1/+1
this looks like a copy/paste error. Let barbican use its own hiera data. Change-Id: I84118c1a561c3db2f18504b55c5a8c4f042e7e3b