path: root/manifests/haproxy
Age | Commit message | Author | Files | Lines
2017-08-18 | Merge "Create separate resource for HAProxy horizon endpoint" | Jenkins | 1 file | -0/+154
2017-08-17 | Merge "Remove extra keystone admin haproxy listen and allow TLS" | Jenkins | 1 file | -6/+19
2017-08-17 | Create separate resource for HAProxy horizon endpoint | Juan Antonio Osorio Robles | 1 file | -0/+154

This removes clutter from the main haproxy manifest and allows TLS in the internal network as well. Trying to keep the previous behavior.

bp tls-via-certmonger-containers
Change-Id: I1a68771cc7be7fb2b32abbad81db7890bd2c5502
2017-08-16 | Remove extra keystone admin haproxy listen and allow TLS | Juan Antonio Osorio Robles | 1 file | -6/+19

The current code exposes an unused public listen directive in HAProxy for the keystone admin endpoint. This is not ideal and should be removed, as it exposes the service unnecessarily. We should stick to just exposing it to the ctlplane network as is the default. If folks really need to expose it to the public network, they can do so by modifying the ServiceNetMap through t-h-t and setting the keystone admin endpoint's network to external.

Now, for "single" or "internal" haproxy endpoints, this adds the ability to detect if they're using the external network, and thus use TLS on it, which is something a deployer would want if they exposed the keystone admin endpoint in such a way.

Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
Closes-Bug: #1710909
Closes-Bug: #1639996
2017-08-11 | HAProxy: Set listen options for internal services too | Juan Antonio Osorio Robles | 1 file | -0/+1

This was missed from a previous commit, as described in the bug report. We need to set this variable in this case as well, else it will use the undefined variable, thus ignoring anything that the user had set.

Change-Id: I6810e7bb3eed16a6478974ac759c3f720a41120a
Closes-Bug: #1709332
2017-07-31 | Merge "Enable TLS for the HAProxy stats interface" | Jenkins | 1 file | -0/+74
2017-07-31 | Enable TLS for the HAProxy stats interface | Juan Antonio Osorio Robles | 1 file | -0/+74

This creates a new class for the stats interface and further configures it to also use the certificates that are provided by certmonger (via the internal_certificates_specs variable). Note that the already existing haproxy_stats_certificate still works and will take precedence if it's set.

bp tls-via-certmonger
Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
2017-07-27 | Prevent haproxy from running iptables during docker-puppet configuration | Damien Ciabrini | 1 file | -1/+7

When docker-puppet runs module tripleo::haproxy to generate the haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to lack of the NET_ADMIN capability. Make the generation of firewall rules configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when being run through docker-puppet.

Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #1697921
2017-06-16 | For http service endpoints always redirect to https | Juan Antonio Osorio Robles | 1 file | -1/+12

If public TLS is enabled, this sets as default that services should always redirect to https.

Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
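The HAProxy directives behind the two TLS commits above (the stats interface served over TLS, and plain-HTTP service endpoints redirecting to HTTPS), as an added illustration that is not puppet-tripleo's generated configuration. Addresses, ports, certificate paths, backend names and the stats credentials are placeholders, and the `ssl_fc` / `redirect scheme` idiom is the standard HAProxy way to express "redirect anything that did not arrive over TLS":

```haproxy
# Added example, not puppet-tripleo output. All addresses, ports, paths and
# credentials below are placeholders.

listen horizon
  # Port 80 stays open only so that clients get sent to the TLS endpoint.
  bind 192.0.2.10:80
  bind 192.0.2.10:443 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  # ssl_fc is true only for connections that arrived on the TLS bind, so
  # everything else gets a 301 to the same URL over https.
  redirect scheme https code 301 if !{ ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  server overcloud-controller-0 10.0.0.11:80 check

listen haproxy.stats
  # Stats page reachable only over TLS, using a certmonger-issued
  # certificate (path and port assumed).
  bind 10.0.0.1:1993 ssl crt /etc/pki/tls/private/haproxy-stats.pem
  mode http
  stats enable
  stats uri /
  stats auth admin:CHANGE_ME
```

Before reloading, `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file; if the stats certificate file is missing or unreadable the check fails rather than silently falling back to plaintext.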
2017-04-03 | Use correct manage_firewall hieradata | Ben Nemec | 1 file | -1/+1

The manage_firewall hieradata was moved to tripleo::firewall::manage_firewall but some of the references to it were not updated, which makes it impossible to completely disable the firewall rules.

Change-Id: I5f40f3b8b07bd312cce862aa319b8a1ef331ee49
Closes-Bug: 1679189
2017-01-20 | Fix typo in endpoint.pp | zhangyanxian | 1 file | -1/+1

TrivialFix
Change-Id: I8ea2f108d6f98167217b31284c84dbdf23f55f36
2017-01-06 | Fix puppet warning for empty value | Emilien Macchi | 1 file | -0/+2

Unknown variable: 'haproxy_ssl_firewall_rules' when public_ssl_port is empty. Fixing it by setting an empty hash in this case.

Change-Id: If864732262852ef79ebb91ee77902c86b847072a
2016-12-22 | [CVE-2016-9599] Enforce Firewall TCP / UDP rules management | Emilien Macchi | 1 file | -8/+21

This closes CVE-2016-9599.

1) Sanitize dynamic HAproxy endpoints firewall rules

Build the hash of firewall rules only when a port is specified. The HAproxy endpoints are using TCP protocol, which means we have to specify a port to the IPtables rules. Some services don't have public network exposure (e.g. Glance Registry), which means they don't need the haproxy_ssl rule. The code prepares the hash depending on the service_port and public_ssl_port parameters and creates the actual firewall rules only if one or both of those parameters are specified. It will prevent new services without public exposure from opening all traffic because no port is specified.

2) Secure Firewall rules creation

The code won't allow creating TCP / UDP IPtables rules in INPUT or OUTPUT chains without port, sport or dport, because doing so would allow an IPtables rule opening all traffic for TCP or UDP. If we try to do that, the Puppet catalog will fail with an error explaining why.
Example use-cases:
- creating VRRP rules wouldn't require port parameters.
- creating TCP or UDP rules would require port parameters.

3) Allow opening all traffic for TCP / UDP (when desired)

Some use-cases require opening all traffic for all ports on TCP / UDP. It will be possible if the user gives port = 'all' when creating the firewall rule.

Backward compatibility:
- if our users created custom TCP / UDP firewall rules without port parameters, it won't work anymore, for security purposes.
- if our users want to open TCP / UDP for all ports, they need to pass port = 'all' and the rule will be created, though a warning will be displayed because this is insecure.
- if our users created custom VRRP rules without port parameters, it will still work correctly and rules will be created.
- TCP / UDP rules in FORWARD chain without port are still accepted.

Change-Id: I19396c8ab06b91fee3253cdfcb834482f4040a59
Closes-Bug: #1651831
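The three rules in the CVE-2016-9599 message above, modelled in Python as an added example. puppet-tripleo implements this in Puppet; this block is not the project's code, and the `"100 <name>"` rule-key convention, the ACCEPT default action, the INPUT default chain and the `-m multiport --ports` rendering for `port` are assumptions made for the illustration. It builds the per-endpoint rule hash only for ports that are actually set, rejects port-less TCP/UDP rules in INPUT/OUTPUT (the analogue of a failing catalog), warns on `port = 'all'`, and lets VRRP and FORWARD-chain rules through unchanged:

```python
"""Hypothetical re-implementation of puppet-tripleo's firewall rule sanitization
(CVE-2016-9599). Added example, not the project's own code."""
import shlex
import warnings

TCP_UDP = {"tcp", "udp"}
PORT_KEYS = ("port", "sport", "dport")
# Rendering of each port key as iptables arguments (assumed to mirror the
# puppetlabs-firewall convention that 'port' matches either direction).
PORT_FLAGS = (
    ("sport", ["--sport"]),
    ("dport", ["--dport"]),
    ("port", ["-m", "multiport", "--ports"]),
)


def haproxy_endpoint_rules(name, service_port=None, public_ssl_port=None):
    """Part 1: build the rule hash for one HAProxy endpoint.

    A rule is emitted only for a port that is actually set, so a service with
    no public exposure gets no *_ssl rule instead of a port-less (open) one.
    The "100 <name>" key style is an assumption."""
    rules = {}
    if service_port:
        rules[f"100 {name}_haproxy"] = {"dport": service_port, "proto": "tcp"}
    if public_ssl_port:
        rules[f"100 {name}_haproxy_ssl"] = {"dport": public_ssl_port, "proto": "tcp"}
    return rules


def validate_rule(name, rule):
    """Parts 2 and 3: refuse TCP/UDP rules in INPUT/OUTPUT that carry no port.

    Returns True for an acceptable rule, raises ValueError otherwise (standing
    in for a failed Puppet catalog). port='all' is accepted with a warning;
    non-TCP/UDP protocols (e.g. VRRP) and FORWARD-chain rules are exempt."""
    proto = str(rule.get("proto", "tcp")).lower()
    chain = str(rule.get("chain", "INPUT")).upper()
    if proto not in TCP_UDP or chain == "FORWARD":
        return True
    if str(rule.get("port", "")).lower() == "all":
        warnings.warn(f"firewall rule '{name}' opens all {proto} ports; this is insecure")
        return True
    if not any(rule.get(k) for k in PORT_KEYS):
        raise ValueError(
            f"firewall rule '{name}': {proto} rule in chain {chain} needs port, "
            "sport or dport (use port => 'all' to deliberately open every port)")
    return True


def to_iptables(name, rule):
    """Render one rule as an iptables command line after validating it."""
    validate_rule(name, rule)
    proto = str(rule.get("proto", "tcp")).lower()
    chain = str(rule.get("chain", "INPUT")).upper()
    parts = ["iptables", "-A", chain, "-p", proto]
    if str(rule.get("port", "")).lower() != "all":
        for key, flags in PORT_FLAGS:
            if rule.get(key):
                parts += flags + [str(rule[key])]
    action = str(rule.get("action", "ACCEPT")).upper()
    parts += ["-m", "comment", "--comment", shlex.quote(name), "-j", action]
    return " ".join(parts)


if __name__ == "__main__":
    # Constructed sample: a public service and an internal-only one.
    for key, rule in haproxy_endpoint_rules("horizon", 80, 443).items():
        print(to_iptables(key, rule))
    print(haproxy_endpoint_rules("glance_registry", service_port=9191))
    try:
        validate_rule("custom_udp", {"proto": "udp"})
    except ValueError as err:
        print("rejected:", err)
```

The rendered command lines are what a deployer would compare against `iptables -S INPUT` on a controller: a rule whose line shows `-p tcp` with no `--dport`, `--sport` or `--ports` is exactly the open-all case the commit closes.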
2016-10-05 | Fetch internal certificates for HAProxy based on network | Juan Antonio Osorio Robles | 1 file | -12/+40

The service profile in HAProxy has the capability of creating certificates based on a map. The idea is to standardize this, as some of those certificates should match certain networks the services are listening on (with the exception of the external network which is handled differently and the tenant network which doesn't need a certificate). So, based on which network a certain service is listening on, we fetch the appropriate certificate.

bp tls-via-certmonger
Change-Id: I89001ae32f46c9682aecc118753ef6cd647baa62
2016-08-11 | Removing WARNING: line has more than 140 characters in puppet-tripleo profiles | Carlos Camacho | 1 file | -2/+4

Some lint checks are returning: WARNING: line has more than 140 characters in puppet-tripleo profiles. This patch will remove those warnings by adding \'s.

Change-Id: I19b56c93db82948fb0498a4c9851b522c81946f8
2016-07-06 | deploy composable firewall rules for HAproxy | Emilien Macchi | 1 file | -0/+12

Deploy composable iptables rules for HAproxy. Note: we can't use Hiera here because we have some logic in puppet-tripleo that selects the services that we actually deploy. Using this code in the Define will easily create the IPtables rules that we actually need. Some other services will be able to create IPtables rules in Hiera (in THT), but not HAproxy for now.

Change-Id: If03b18992c68461e97789c0318078a0b243c84fe
2016-05-26 | Explode loadbalancer role in 2 sub-roles | Emilien Macchi | 1 file | -0/+120

Split loadbalancer role into 2 sub-roles:
- HAproxy
- Keepalived

Change-Id: I84dfa9d409d390c6f549d62cb3634931e4cb432c