summaryrefslogtreecommitdiffstats
path: root/manifests
AgeCommit message (Collapse)AuthorFilesLines
2016-03-23Allow the Redis specific monitor to use authenticationGiulio Fidente1-1/+12
When accessing Redis, if password protected, we need to update the HAProxy checks so that they use a password or we won't be able to gather which node is the replica master. Also adds PING/PONG and QUIT/OK sequence before and after the info command is sent. More at https://bugzilla.redhat.com/show_bug.cgi?id=1320036 Change-Id: Ia9e61e66c5426061eab8172f0a25820989597780
2016-03-11Allow enabling authentication on haproxy.statsBen Nemec1-3/+42
Right now we always deploy the haproxy.stats endpoint with no authentication, which is a security concern. Allow setting a password on the endpoint so it isn't accessible to the world. While this allows configuring SSL on the stats endpoint, it does not use the service_certificate parameter because that certificate is intended to be used only for public endpoints, and the stats endpoint is actually on the admin VIP. Once we have support for SSL on admin endpoints we can have stats use it by default. Change-Id: I8a5844e89bd81a99d5101ab6bce7a8d79e069565
2016-03-09Merge "Make OpenStack service ports configurable in HAProxy"Jenkins1-62/+135
2016-03-08Make OpenStack service ports configurable in HAProxyJuan Antonio Osorio Robles1-62/+135
Some deployments were expecting specific ports for the OpenStack services; In case the default ports are not meeting those needs, we need to provide the means of changing the defaults. Change-Id: Idbbcc90e2af1b3a731b0b5ea955df6082541a9f7
2016-03-03Merge "loadbalancer: fix Redis timeout HAproxy config"Jenkins1-1/+0
2016-03-01Always override X-Forwarded-Proto header for HeatJuan Antonio Osorio Robles1-5/+7
Heat has the ssl middleware to handle the X-Forwarded-Proto header by default. We override this header when SSL is enabled because we need to, but overriding it even when we won't be terminating SSL will prevent some attacks using this header. Change-Id: I0b2c61cd4f47c8c08a84402af310983af752d3f2
2016-02-25loadbalancer: fix Redis timeout HAproxy configJason Guiditta1-1/+0
Current HAproxy config is broken for Redis timeout parameters. This is what we have today by default in HAproxy logs: [WARNING] 238/115010 (13878) : config : missing timeouts for proxy 'redis'. | While not properly invalid, you will certainly encounter various problems | with such a configuration. To fix this, please ensure that all following | timeouts are set to a non-zero value: 'client', 'connect', 'server'. This patch removes the explicit setting of client and server timeouts to 0, which is the cause of the above warning. Instead, Redis will simply inherit the haproxy defaults, which should be a more reasonable setting, and result in no warnings. Change-Id: Ibe7941bec02f5facf21732910c9ad96f547ff8e5
2016-02-22Override X-Forwarded-Proto headerJuan Antonio Osorio Robles1-5/+15
Right now, the only manipulation done to the X-Forwarded-Proto header is done if an SSL connection is established. This is not sufficient as one might be able to erroneously put values through that header. This patch disables that behaviour by defaulting to plain http if an SSL connection is not established. Change-Id: I4bf6def21e21148834c2baa9669190bab8fa95ef
2016-02-18Merge "packages: secure upgrade workflow from dependency cycles"Jenkins1-4/+11
2016-02-17Merge "Handle redirects for Horizon"Jenkins1-3/+8
2016-02-11Merge "Enable X-Forwarded-Proto header for keystone admin endpoint"Jenkins1-0/+4
2016-02-11Handle redirects for HorizonBen Nemec1-3/+8
As for Heat, we need to be able to handle 30X redirects from Horizon when configured to use SSL. Because Horizon's redirects are handled directly by Apache, we can't use middleware to handle the X-Forwarded-Proto header like we are planning to do for the other services. However, in this case we don't need to worry about rewriting urls in the payload like we do for the other services because Horizon is just serving standard web pages, not custom HTTP bodies with JSON contents. One other change from the previous Heat patch is to drop the IP from the rewrite regex. This is because Horizon will generally be accessed via a DNS name, so the IP won't appear in the Location header. The heat regex should probably be changed as well since we now support registering endpoints with DNS names, but since we plan to move all the other services to the X-Forwarded-Proto header middleware anyway we can probably just wait until that happens and then remove the Heat rule entirely. Change-Id: I039a3036be17eeabe3cff68e0ef24f70907cc568
2016-02-11Merge "Use HAProxy 'transparent' bind option for compat with IPv6"Jenkins1-91/+118
2016-02-11Merge "Make haproxy balancer default options configurable"Jenkins1-26/+31
2016-01-25Merge "loadbalancer: add Gnocchi API support"Jenkins1-0/+43
2016-01-21SSL/Cinder: enable ssl_header_handler filterJuan Antonio Osorio Robles1-0/+28
Enable oslo_middleware.http_proxy_to_wsgi:HTTPProxyToWSGI.factory in ssl_header_handler middlewarefilter so we can run Nova API with SSL support. Change-Id: If88dcdf9f4905e2a792b2fdc656eab51c85f637e
2016-01-20packages: secure upgrade workflow from dependency cyclesEmilien Macchi1-4/+11
Change the workflow to be: Upgrade all packages before any services that is notified & managed by Puppet. It also disable the Exec timeout so we rely on Heat timeout and not on the 300s that are the default in Puppet [1] Example: we upgrade and OpenStack config will change (obviously). Puppet catalog will contain 3 important things: * config resources * service resources * package-upgrade Exec resource with that patch, what will happen: * puppet will update config first or second and notify services * puppet will run package-upgrade first or second but before the package-upgrade Exec resource * at the very end, puppet will restart services That way, we avoid complications with Puppet dependency cycle issues. [1] https://docs.puppetlabs.com/references/latest/type.html#exec-attribute-timeout Closes-Bug: 1536349 Change-Id: I07310bdfc5b07b03ac9fa5f8c13e87eaa2bfef4d
2016-01-14Enable X-Forwarded-Proto header for keystone admin endpointJuan Antonio Osorio Robles1-0/+4
This is useful for handling URLs properly when TLS is enabled. Change-Id: I4defed679cf3b2980dcc4ce1db030c0fdf154bfe
2016-01-13Use HAProxy 'transparent' bind option for compat with IPv6Giulio Fidente1-91/+118
Change-Id: Iddf1fdaabc1c758546999e7af7e7412158400e7f
2016-01-13Enable X-Forwarded-Proto header for cinderJuan Antonio Osorio Robles1-0/+4
Change-Id: I3bd836140537fc5b7e3fba600a712d6a9d6f1185
2016-01-08Make haproxy balancer default options configurableGiulio Fidente1-26/+31
Change-Id: Id5e119e0949d27a6e3b3f21ecd5e2eb39f1eeb13
2016-01-07Merge "Haproxy has non-working Horizon session persistence."Jenkins1-1/+1
2016-01-07Merge "Upgrade all packages after puppet managed ones"Jenkins1-1/+20
2016-01-06Merge "loadbalancer: fix MySQL timeout HAproxy config"Jenkins1-5/+7
2016-01-05Merge "Trove integration"Jenkins1-0/+43
2016-01-05Merge "Sahara integration"Jenkins1-0/+42
2016-01-05Merge "Enable X-Forwarded-Proto header for Heat and Nova"Jenkins1-0/+5
2016-01-05Merge "Enable X-Forwarded-Proto header for keystone_public"Jenkins1-0/+4
2016-01-05Haproxy has non-working Horizon session persistence.Sofer Athlan-Guyot1-1/+1
Haproxy is using session persistence[1] for horizon. It is not correctly configured though. The cookie is not properly set. This add the necessary code. [1]: http://blog.haproxy.com/2012/03/29/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/ Change-Id: Ic9d79475cf84c25fb8146ecbc5f0a45862c106f0 Closes-Bug: 1526786
2016-01-04Trove integrationEthan Gafford1-0/+43
Adds configuration for Trove to loadbalancer class. Partially-implements: blueprint trove-integration Change-Id: I3cdf43b6d63ad0ee68db047518743c62b6689f56
2016-01-04Sahara integrationEthan Gafford1-0/+42
Adds configuration for Sahara to loadbalancer class. Change-Id: I0f0a1dc2eaa57d8226bad8cfb250110296ab9614 Partially-implements: blueprint sahara-integration
2015-12-23Upgrade all packages after puppet managed onesDan Prince1-1/+20
This updates tripleo::packages so that when enable_upgrade is used it will: 1) upgrade puppet managed packages (will trigger puppet dependencies) 2) then upgrade all packages via exec 3) then restart services NOTE: the intention here is that the Exec['update-packages'] will always execute if enable_upgrade is set. It is not idempotent in this regard because I think we always want to execute it if enable_upgrade is set. Change-Id: I02f7cf07792765359f19fdf357024d9e48690e42 Related-bug: #1522943
2015-12-17Enable X-Forwarded-Proto header for Heat and NovaJuan Antonio Osorio Robles1-0/+5
Change-Id: Icd666d9988d14ac1e9581f55589bf95243cc7641
2015-12-17Merge "Allows customization of the HAProxy default timeouts"Jenkins1-1/+6
2015-12-14Modify cassandra dependencyJaume Devesa1-10/+9
Switch to locp/cassandra module since it has much more options than midonet/puppet-cassandra and it is already defined on the openstack-puppet-modules packages in RHEL. More info: https://bugzilla.redhat.com/show_bug.cgi?id=1285718 Depends-On: I72f21036fda795b54312a7d39f04c30bbf16c41b Change-Id: Icea9bd96e4c80a26b9e813d383f84099c736d7bf
2015-12-12Merge "Remove all 'validate_array' statements"Jenkins4-6/+25
2015-12-11Adding MidoNet LoadBalancing optionsJaume Devesa1-0/+24
MidoNet API needs to be loadbalanced if the midonet environment is activated. Change-Id: I6f1ac659297b8cf6671e11ad23284f8f543568b0
2015-12-11Remove all 'validate_array' statementsJaume Devesa4-6/+25
Unfortunately, some distributions like CentOS 7 (I guess RedHat 7 as well) still using puppet < 3.7, which experience the annoying 'PUP-1299' bug: https://tickets.puppetlabs.com/browse/PUP-1299 So passing a single array element, it magically transforms to a string (or whatever the inside elements are) and the validate_array fails. We need to get rid of these validations. Change-Id: Icc22ee575b7c236d1a6358f8593cf813d339a4b5
2015-12-10Merge "loadbalancer: add Aodh API support"Jenkins1-0/+43
2015-12-10Allows customization of the HAProxy default timeoutsGiulio Fidente1-1/+6
Change-Id: I3fdb705bbac26b4bc43a18131407a0a86d36a8a5
2015-12-08Enable X-Forwarded-Proto header for keystone_publicJuan Antonio Osorio Robles1-0/+4
One of the ways to make use of TLS in keystone is through the usage of the X-Fowarded-Proto header, which will be forwarded with the request by the loadbalancer, and it will tell keystone what protocol was used to access it. This also requires configuration from the keystone side. Change-Id: I9b899ba95e28b7dfae0c1ed84ca8431054673925
2015-12-01loadbalancer: add Gnocchi API supportEmilien Macchi1-0/+43
Add Gnocchi (OpenStack Metric storage) support in TripleO Loadbalancer config. Change-Id: Ia991819f57616a9a11bd4dfb77893748130268a0
2015-11-26Merge "MidoNet services manifests"Jenkins4-0/+312
2015-11-25Merge "Set tunnel timeout for nova_novncproxy"Jenkins1-0/+1
2015-11-25loadbalancer: add Aodh API supportEmilien Macchi1-0/+43
Add Aodh (Ceilometer Alarming) support in TripleO Loadbalancer config. Change-Id: I891985da9248a88c6ce2df1dd186881f582605ee
2015-11-23MidoNet services manifestsJaume Devesa4-0/+312
Provide TripleO overcloud manifests to deploy MidoNet and the cluster services that needs to run. Change-Id: I24f852e74fc4652d4609e1a71897e813448055fe
2015-10-22Resolve repeated ports for ssl frontends (nova vnc and swift proxy)Juan Antonio Osorio Robles1-1/+1
Nova vnc and swift proxy were listening on the same port if SSL is enabled in the load balancer Change-Id: Ibf4aa118d6c8e94f8f2a68bf270d5445ebda7593
2015-10-22Merge "Resolve repeated ports for ssl frontends"Jenkins1-1/+1
2015-10-21Resolve repeated ports for ssl frontendsJuan Antonio Osorio Robles1-1/+1
keystone and heat_cfn were listening on the same port if SSL is enabled inm the load balancer. Change-Id: I099119198ebf3322a783581f0c6758417e705a2e
2015-10-09Set tunnel timeout for nova_novncproxyJavier Pena1-0/+1
When using websockets in HAProxy, like nova_novncproxy does, we need to set "timeout tunnel" to avoid disconnections after a short period without traffic. Change-Id: I1b66cd9a1d20cbbe35a2ada5782a76a01b14bcd1 Closes-BZ: 1267043