Age | Commit message (Collapse) | Author | Files | Lines |
|
|
|
|
|
This optionally enables TLS for Barbican API in the internal network.
If internal TLS is enabled, each node that is serving the Barbican API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: I1c1d3dab9bba7bec6296a55747e9ade242c47bd9
|
|
|
|
this looks like a copy/paste error. Let barbican use its own
hiera data.
Change-Id: I84118c1a561c3db2f18504b55c5a8c4f042e7e3b
|
|
|
|
|
|
|
|
The lastest patchset of https://review.openstack.org/393361 was actually
not working.
The `if defined` idiom depends on *evaluation* order.
At the time it's red in the haproxy.pp class, the line that loads the
class 'haproxy' has still not yet been reached and thus the `defined`
result is false. The constraint is not added.
For this reason, the use of `defined` in module is not advised by
puppetlabs[1].
[1] https://docs.puppet.com/puppet/latest/reference/function.html#defined
Change-Id: Ibd352cb313f8863d62db8987419378bed5b87256
Relates-To: #1638029
|
|
|
|
|
|
aodh, ceilometer, gnocchi and neutron need the X-Forwarded-Proto in
order to return links with the correct protocol when SSL is enabled.
This enables it in HAProxy
Change-Id: Icceab92f86b1cc40d42195fa4ba0c75f302795b8
Closes-Bug: #1640126
|
|
In HA deployments, we now check mysql nodes every 1s and removed them
immediately if they are failed. Previously we would check every 2s and
allow them to fail 5 checks before being removed, producing errors from
other OpenStack services for 10s, which causes confusion and delay for
operators.
Additionally, these check options are now also a class parameter so can
be overridden by operators.
Closes-Bug: #1639189
Change-Id: I0b915f790ae5a4b018a212d3aa83cca507be05e9
|
|
It's been proposed this may help with the
('Connection aborted.', BadStatusLine("''",)) errors.
This patch increase queue, server and client timeouts to 2m (default is 1m)
Related-Bug: #1638908
Change-Id: Ie4f059f3fad2271bb472697e85ede296eee91f5d
|
|
This optionally enables TLS for Cinder API in the internal network.
If internal TLS is enabled, each node that is serving the Cinder API
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: Ib4a9c8d3ca57f1b02e1bb0d150f333db501e9863
|
|
Change-Id: Id4dc2379b0c423012a0b3aaf49d1e1a7d633a03b
|
|
|
|
|
|
This optionally enables TLS for Nova API in the internal network.
If internal TLS is enabled, each node that is serving the Nova API
service will use certmonger to request its certificate.
Note that this doesn't enable internal TLS for the nova metadata
service since it doesn't run over httpd. This will be handled in
a later commit.
bp tls-via-certmonger
Change-Id: I88380a1ed8fd597a1a80488cbc6ce357f133bd70
|
|
|
|
|
|
ODL was missing transparent binding mode, which causes HA deployments to
fail since HA Proxy will try to come up on every node (even without
VIP).
Closes-Bug: 1637833
Change-Id: I0bb7839cdcfeacb4ca1a9fc6f878e8b51330be92
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
proxy for the UI"
|
|
|
|
|
|
|
|
The upload and extraction for the plan tarball to swift can take
longer than the default one minute in slower environments. Doubling
the timeout to two minutes has proven to help.
This is only a partial fix, because the error reporting for this
issue also needs to be improved.
Change-Id: I06592d38fdfefacc8bdf76289a0bfa20eb33a89b
Partial-Bug: 1635269
|
|
The docker tooling has a preference for interacting with encrypted
endpoints. Terminating the docker-registry endpoint with HAProxy
allows the SSL VIP to be used for this purpose.
Change-Id: Ifebfa7256e0887d6f26a478ff8dc82b0ef5f65f6
|
|
This optionally enables TLS for gnocchi in the internal network.
If internal TLS is enabled, each node that is serving the gnocchi
service will use certmonger to request its certificate.
bp tls-via-certmonger
Change-Id: Ie983933e062ac6a7f0af4d88b32634e6ce17838b
|
|
This optionally enables TLS for aodh in the internal network.
If internal TLS is enabled, each node that is serving the aodh
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I50ef0c8fbecb19d6597a28290daa61a91f3b13fc
|
|
This optionally enables TLS for aodh in the internal network.
If internal TLS is enabled, each node that is serving the ceilometer
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: Ib5609f77a31b17ed12baea419ecfab5d5f676496
|
|
This optionally enables TLS for keystone in the internal network.
If internal TLS is enabled, each node that is serving the keystone
service will use certmonger to request its certificate.
This, in turn should also configure a command that should be ran when
the certificate is refreshed (which requires the service to be
restarted).
bp tls-via-certmonger
Change-Id: I303f6cf47859284785c0cdc65284a7eb89a4e039
|
|
Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: If2804b469eb3ee08f3f194c7dd3290d23a245a7a
|
|
proxy for the UI
Change-Id: I74eac4bbfc16720eeb6e2bf0ee251689dde3bafc
Implements: enable-communication-ui-undercloud
|
|
By enabling the statistics socket we allow the collection
of statistics over time for haproxy.
This socket is set to "user" level, so this socket is limited
to read-only. The "stats timeout" line is optional, but since the
default timeout of the stats socket is 10s, we set this higher.
Change-Id: I22d3ab771e981be0d2c74b60443d276973bc1639
|
|
The service profile in HAProxy has the capability of creating
certificates based on a map. The idea is to standardize this, as
some of those certificates should match certain networks the services
are listening on (with the exception of the external network which is
handled differently and the tenant network which doesn't need a
certificate). So, based on which network a certain service is
listening on, we fetch the appropriate certificate.
bp tls-via-certmonger
Change-Id: I89001ae32f46c9682aecc118753ef6cd647baa62
|
|
Right now we're hardcoding the server names for the services to be
the controllers. This is problematic if we start using custom roles
for services, which listen on nodes that are not controllers.
We already have the server names for each service, so using this
mapping instead fixes the issue.
Change-Id: Ic4b65edb3dc1b75abbc3421a87cab97425b058c4
Closes-Bug: #1629098
|
|
|
|
|
|
Note that there was a need to modify different timeouts due
to the nature of how websockets work. The source where the
reasoning and value came from is listed as a comment in the
code.
Related-Bug: #1625448
Co-Authored-By: Brad P. Crochet <brad@redhat.com>
Change-Id: I9de77d5f692c1c9d04e3c59c5de5312e63f81aed
|
|
The name was wrong, and so fixing it will actually enable VNC Proxy
when the service is enabled.
Change-Id: I65e90479fd33844b4dcd70c19cec3cd838aeff69
Closes-Bug: #1623796
|
|
This is necessary so the middleware in manila can set the protocol
correctly in case we're terminating SSL in HAProxy.
Depends-On: Ice78b0abceb6a956bb8c1dc6212ee1b56b62b43f
Change-Id: Iedaabaf1379466c22e3b9bb2307e940459d26de7
|
|
Shares the same (ssl)port with Swift Proxy
Change-Id: I2e1de1a3fa6ad62895a1e972e43858f23c08bbea
|
|
Change-Id: I5c620ba717f782b39c599aff24b4ac56fb695a04
|
|
profiles"
|
|
When enabling federated authentication with keystone, and then enabling websso
in horizon, the URL horizon constructs for the redirect is done internally, and
django needs to be able to know if it has to construct the url with http or
https. By setting this header at the haproxy level, horizon can make the correct
decision.
Change-Id: I0281fe1e5efa0d3f5983342dec70752246d9fca8
|
|
Partially-Implements: blueprint opendaylight-integration
Note this patch only adds support for a single ODL instance.
- neutron/opendaylight.pp handles installing ODL to control nodes
- ml2/opendaylight.pp handles configuring ML2 to work with ODL
- ovs/opendaylight.pp handles configuring OVS to connect to ODL
Change-Id: I666dc0874f1d11a72a62d796f4f6d41f7aa87a3f
Signed-off-by: Tim Rozet <trozet@redhat.com>
|
|
Some lint checks are returning:
WARNING: line has more than 140 characters in puppet-tripleo profiles
This patch will remove those warnings by adding \'s
Change-Id: I19b56c93db82948fb0498a4c9851b522c81946f8
|
|
If keystone sends a redirect and we have TLS enabled, we need to
modify the response in order to indicate https.
Change-Id: Icd61f527473bfe5153e058e94f9ed141cf13812d
|
|
|