aboutsummaryrefslogtreecommitdiffstats
path: root/manifests/haproxy.pp
AgeCommit message (Collapse)AuthorFilesLines
2017-01-11Implement Nova Placement API profileEmilien Macchi1-0/+29
Allow TripleO to deploy Nova Placement API with a new profile. Change-Id: I5e25a50f3d7a9b39f4146a61cb528963ee09e90c
2017-01-04Merge "Fixes missing haproxy firewall rules for OpenDaylight"Jenkins1-17/+9
2017-01-04Fixes missing haproxy firewall rules for OpenDaylightTim Rozet1-17/+9
This migrates the haproxy config for ODL to use the tripleo::haproxy::endpoint class. This class automatically configures firewall rules for each haproxy endpoint. Also removes listening on public network for IP and adds listening on ctlplane network for admin access. Partial-Bug: 1651476 Change-Id: I1f2af2793d040fda17bf73252afe59434d99f31f Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-12-22Merge "Split ovn plugin and northd configuration"Jenkins1-0/+47
2016-12-19Merge "Fix a typo in haproxy.pp"Jenkins1-1/+1
2016-12-11Merge "Changes default MidoNet API port on HAProxy"Jenkins1-4/+5
2016-11-30Add verify required and CA bundle to haproxyJuan Antonio Osorio Robles1-2/+7
This only takes effect is internal-tls is used, and forces haproxy to do proper verifications of the SSL certificates provided by the servers. bp tls-via-certmonger Change-Id: Ibd98ec46dd6570887db29f55fe183deb1c9dc642
2016-11-23Merge "Proxy manila in http mode"Jenkins1-0/+1
2016-11-22Split ovn plugin and northd configurationSteven Hardy1-0/+47
This allows us to use the composable services interfaces to handle providing the IP address for northd, and will be more flexible in the event folks want to deploy northd/ovndb on a different node to the neutron plugin. This also adds ovn_northd to the haproxy configuration so we can access it via the ovn_northd_vip in other service profiles. Note we need to ensure the haproxy config only hits the bootstrap node as northd won't be running on the other nodes. Change-Id: I9af7bd837c340c3df016fc7ad4238b2941ba7a95 Partial-Bug: #1634171
2016-11-22Merge "Use mode 'http' in haproxy for ceilometer, neutron, aodh and gnocchi"Jenkins1-0/+4
2016-11-22Proxy manila in http modeJuan Antonio Osorio Robles1-0/+1
It needs it so HAProxy will be able to set the X-Forwarded-Proto header. Related-Bug: #1640126 Change-Id: I1726fa1742bc70518338b80fc6d27567bb020e7c
2016-11-22Use mode 'http' in haproxy for ceilometer, neutron, aodh and gnocchiJuan Antonio Osorio Robles1-0/+4
HAProxy won't pass X-Forwarded-Proto to these services in mode tcp, so we need to switch it to http in order for it to work and for the services to properly set the protocol in the links they serve. Change-Id: Ib10282159fb9269eebe81af23171ec9fb1297cd0 Closes-Bug: #1640126
2016-11-21Merge "Adds auto-detection for VIP interfaces"Jenkins1-12/+0
2016-11-21Merge "Add panko service support"Jenkins1-0/+32
2016-11-20Adds auto-detection for VIP interfacesTim Rozet1-12/+0
Previously the ctrl plane VIP would default to 'br-ex' which in non-vlan deployments ends up being the wrong interface. The public VIP interface was also defaulted to 'br-ex' which would be incorrect for vlan based deployments. Since a user has already given the nic template (and in most cases the subnet that corresponds to the nic) the installer should be able to figure out which interface the public/control vip should be on. These changes enable that type of auto-detection, unless a user explicitly overrides the heat parameters for ControlVirtualInterface and PublicVirtualInterface. Also removes calling keepalived from haproxy now that the services are composed separately on the Controller role. Partial-Bug: 1606632 Change-Id: I05105fce85be8ace986db351cdca2916f405ed04 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-11-18Changes default MidoNet API port on HAProxyAlejandro Andreu1-4/+5
The default port of the MidoNet Cluster (formerly known as MidoNet API) is now 8181 instead of 8081. Since this parameter is configurable through the settings, the default value for the port has been added to the $service_ports array. Change-Id: I2785d3109993bca0bd68077ff55cfeafbf594e19
2016-11-17Replace hard-coded haproxy/keepalived couplingSteven Hardy1-3/+3
We have a variable in hiera which tells us if the keepalived service is enabled, so use it here. Without this any deployment disabling OS::TripleO::Services::Keepalived will fail. Change-Id: I90faf51881bd05920067c1e1d82baf5d7586af23 Closes-Bug: #1642677
2016-11-15Merge " Enable TLS in the internal network for Barbican API"Jenkins1-1/+2
2016-11-14Add panko service supportPradeep Kilambi1-0/+32
Change-Id: I35f283bdf8dd0ed979c65633724f0464695130a4
2016-11-14Merge "Fix barbican server name to not use aodh hiera"Jenkins1-1/+1
2016-11-14 Enable TLS in the internal network for Barbican APIJuan Antonio Osorio Robles1-1/+2
This optionally enables TLS for Barbican API in the internal network. If internal TLS is enabled, each node that is serving the Barbican API service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
2016-11-11Merge "Enable TLS in the internal network for Cinder API"Jenkins1-0/+1
2016-11-11Fix barbican server name to not use aodh hieraPradeep Kilambi1-1/+1
this looks like a copy/paste error. Let barbican use its own hiera data. Change-Id: I84118c1a561c3db2f18504b55c5a8c4f042e7e3b
2016-11-09Merge "Enable TLS in the internal network for Nova API"Jenkins1-0/+1
2016-11-09Merge "Better way to ensure keepalived before haproxy."Jenkins1-0/+2
2016-11-09Merge "Pass X-Forwarded-Proto for missing services"Jenkins1-0/+20
2016-11-08Better way to ensure keepalived before haproxy.Sofer Athlan-Guyot1-0/+2
The lastest patchset of https://review.openstack.org/393361 was actually not working. The `if defined` idiom depends on *evaluation* order. At the time it's red in the haproxy.pp class, the line that loads the class 'haproxy' has still not yet been reached and thus the `defined` result is false. The constraint is not added. For this reason, the use of `defined` in module is not advised by puppetlabs[1]. [1] https://docs.puppet.com/puppet/latest/reference/function.html#defined Change-Id: Ibd352cb313f8863d62db8987419378bed5b87256 Relates-To: #1638029
2016-11-08Merge "Enable TLS in the internal network for gnocchi"Jenkins1-0/+1
2016-11-08Merge "Improve failed mysql node removal time in HA deploys."Jenkins1-3/+20
2016-11-08Pass X-Forwarded-Proto for missing servicesJuan Antonio Osorio Robles1-0/+20
aodh, ceilometer, gnocchi and neutron need the X-Forwarded-Proto in order to return links with the correct protocol when SSL is enabled. This enables it in HAProxy Change-Id: Icceab92f86b1cc40d42195fa4ba0c75f302795b8 Closes-Bug: #1640126
2016-11-08Improve failed mysql node removal time in HA deploys.Chris Jones1-3/+20
In HA deployments, we now check mysql nodes every 1s and removed them immediately if they are failed. Previously we would check every 2s and allow them to fail 5 checks before being removed, producing errors from other OpenStack services for 10s, which causes confusion and delay for operators. Additionally, these check options are now also a class parameter so can be overridden by operators. Closes-Bug: #1639189 Change-Id: I0b915f790ae5a4b018a212d3aa83cca507be05e9
2016-11-07Increase haproxy timeoutsSteven Hardy1-2/+2
It's been proposed this may help with the ('Connection aborted.', BadStatusLine("''",)) errors. This patch increase queue, server and client timeouts to 2m (default is 1m) Related-Bug: #1638908 Change-Id: Ie4f059f3fad2271bb472697e85ede296eee91f5d
2016-11-02Enable TLS in the internal network for Cinder APIJuan Antonio Osorio Robles1-0/+1
This optionally enables TLS for Cinder API in the internal network. If internal TLS is enabled, each node that is serving the Cinder API service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863
2016-11-01Fix default for barbican documentationJuan Antonio Osorio Robles1-1/+1
Change-Id: Id4dc2379b0c423012a0b3aaf49d1e1a7d633a03b
2016-11-01Merge "Add barbican profile"Jenkins1-0/+26
2016-11-01Merge "Fixes transparent binding to OpenDaylight in HA Proxy"Jenkins1-2/+2
2016-11-01Enable TLS in the internal network for Nova APIJuan Antonio Osorio Robles1-0/+1
This optionally enables TLS for Nova API in the internal network. If internal TLS is enabled, each node that is serving the Nova API service will use certmonger to request its certificate. Note that this doesn't enable internal TLS for the nova metadata service since it doesn't run over httpd. This will be handled in a later commit. bp tls-via-certmonger Change-Id: I88380a1ed8fd597a1a80488cbc6ce357f133bd70
2016-10-31Merge "Enable TLS in the internal network for aodh"Jenkins1-0/+1
2016-10-31Merge "Enable TLS in the internal network for ceilometer"Jenkins1-0/+1
2016-10-30Fixes transparent binding to OpenDaylight in HA ProxyTim Rozet1-2/+2
ODL was missing transparent binding mode, which causes HA deployments to fail since HA Proxy will try to come up on every node (even without VIP). Closes-Bug: 1637833 Change-Id: I0bb7839cdcfeacb4ca1a9fc6f878e8b51330be92 Signed-off-by: Tim Rozet <trozet@redhat.com>
2016-10-23Merge "Enable communication between UI and the Undercloud by making HAProxy ↵Jenkins1-0/+20
proxy for the UI"
2016-10-23Merge "Enable haproxy statistics unix socket"Jenkins1-0/+4
2016-10-22Merge "Increase haproxy client/server timeout for swift-proxy"Jenkins1-0/+5
2016-10-22Merge "Use HAProxy for docker-registry endpoint"Jenkins1-0/+26
2016-10-21Increase haproxy client/server timeout for swift-proxyJohn Trowbridge1-0/+5
The upload and extraction for the plan tarball to swift can take longer than the default one minute in slower environments. Doubling the timeout to two minutes has proven to help. This is only a partial fix, because the error reporting for this issue also needs to be improved. Change-Id: I06592d38fdfefacc8bdf76289a0bfa20eb33a89b Partial-Bug: 1635269
2016-10-20Use HAProxy for docker-registry endpointSteve Baker1-0/+26
The docker tooling has a preference for interacting with encrypted endpoints. Terminating the docker-registry endpoint with HAProxy allows the SSL VIP to be used for this purpose. Change-Id: Ifebfa7256e0887d6f26a478ff8dc82b0ef5f65f6
2016-10-19Enable TLS in the internal network for gnocchiJuan Antonio Osorio Robles1-0/+1
This optionally enables TLS for gnocchi in the internal network. If internal TLS is enabled, each node that is serving the gnocchi service will use certmonger to request its certificate. bp tls-via-certmonger Change-Id: Ie983933e062ac6a7f0af4d88b32634e6ce17838b
2016-10-19Enable TLS in the internal network for aodhJuan Antonio Osorio Robles1-0/+1
This optionally enables TLS for aodh in the internal network. If internal TLS is enabled, each node that is serving the aodh service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: I50ef0c8fbecb19d6597a28290daa61a91f3b13fc
2016-10-19Enable TLS in the internal network for ceilometerJuan Antonio Osorio Robles1-0/+1
This optionally enables TLS for aodh in the internal network. If internal TLS is enabled, each node that is serving the ceilometer service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496
2016-10-19Enable TLS in the internal network for keystoneJuan Antonio Osorio Robles1-0/+15
This optionally enables TLS for keystone in the internal network. If internal TLS is enabled, each node that is serving the keystone service will use certmonger to request its certificate. This, in turn should also configure a command that should be ran when the certificate is refreshed (which requires the service to be restarted). bp tls-via-certmonger Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039