From 9f31a7dbe8a98af0da05bc79a80f785db5ecac13 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Thu, 7 Apr 2016 09:51:49 +0300 Subject: Add generic manifest for loadbalancer endpoints In order to reduce repeated code in the loadbalancer manifest, the repeated parts were moved into one manifest that contains the endpoint resource. Change-Id: Ib72abe9de7ab073dcbd780298385b0c519f363aa --- manifests/loadbalancer.pp | 627 ++++++++++--------------------------- manifests/loadbalancer/endpoint.pp | 117 +++++++ 2 files changed, 286 insertions(+), 458 deletions(-) create mode 100644 manifests/loadbalancer/endpoint.pp (limited to 'manifests') diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index ce83803..0a14290 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -493,235 +493,6 @@ class tripleo::loadbalancer ( $haproxy_stats_bind_certificate = $haproxy_stats_certificate } - $keystone_public_api_vip = hiera('keystone_public_api_vip', $controller_virtual_ip) - $keystone_admin_api_vip = hiera('keystone_admin_api_vip', $controller_virtual_ip) - if $service_certificate { - $keystone_public_bind_opts = { - "${keystone_public_api_vip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[keystone_public_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $keystone_admin_bind_opts = { - "${keystone_admin_api_vip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[keystone_admin_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $keystone_public_bind_opts = { - "${keystone_public_api_vip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[keystone_public_api_port]}" => $haproxy_listen_bind_param, - } - $keystone_admin_bind_opts = { - "${keystone_admin_api_vip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[keystone_admin_api_port]}" => $haproxy_listen_bind_param, - } - } - - $neutron_api_vip = hiera('neutron_api_vip', $controller_virtual_ip) - if $service_certificate { - $neutron_bind_opts = { - "${neutron_api_vip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[neutron_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $neutron_bind_opts = { - "${neutron_api_vip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[neutron_api_port]}" => $haproxy_listen_bind_param, - } - } - - $cinder_api_vip = hiera('cinder_api_vip', $controller_virtual_ip) - if $service_certificate { - $cinder_bind_opts = { - "${cinder_api_vip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[cinder_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $cinder_bind_opts = { - "${cinder_api_vip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[cinder_api_port]}" => $haproxy_listen_bind_param, - } - } - - $manila_api_vip = hiera('manila_api_vip', $controller_virtual_ip) - if $service_certificate { - $manila_bind_opts = { - "${manila_api_vip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[manila_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $manila_bind_opts = { - "${manila_api_vip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[manila_api_port]}" => $haproxy_listen_bind_param, - } - } - - $glance_api_vip = hiera('glance_api_vip', $controller_virtual_ip) - if $service_certificate { - $glance_bind_opts = { - "${glance_api_vip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[glance_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $glance_bind_opts = { - "${glance_api_vip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[glance_api_port]}" => $haproxy_listen_bind_param, - } - } - - $glance_registry_vip = hiera('glance_registry_vip', $controller_virtual_ip) - $glance_registry_bind_opts = { - "${glance_registry_vip}:${ports[glance_registry_port]}" => $haproxy_listen_bind_param, - } - - $sahara_api_vip = hiera('sahara_api_vip', $controller_virtual_ip) - if $service_certificate { - $sahara_bind_opts = { - "${sahara_api_vip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[sahara_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $sahara_bind_opts = { - "${sahara_api_vip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[sahara_api_port]}" => $haproxy_listen_bind_param, - } - } - - $trove_api_vip = hiera('$trove_api_vip', $controller_virtual_ip) - if $service_certificate { - $trove_bind_opts = { - "${trove_api_vip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[trove_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $trove_bind_opts = { - "${trove_api_vip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[trove_api_port]}" => $haproxy_listen_bind_param, - } - } - - $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) - if $service_certificate { - $nova_osapi_bind_opts = { - "${nova_api_vip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $nova_ec2_bind_opts = { - "${nova_api_vip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_ec2_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $nova_novnc_bind_opts = { - "${nova_api_vip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_novnc_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $nova_osapi_bind_opts = { - "${nova_api_vip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_api_port]}" => $haproxy_listen_bind_param, - } - $nova_ec2_bind_opts = { - "${nova_api_vip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_ec2_port]}" => $haproxy_listen_bind_param, - } - $nova_novnc_bind_opts = { - "${nova_api_vip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[nova_novnc_port]}" => $haproxy_listen_bind_param, - } - } - - $nova_metadata_vip = hiera('nova_metadata_vip', $controller_virtual_ip) - $nova_metadata_bind_opts = { - "${nova_metadata_vip}:${ports[nova_metadata_port]}" => $haproxy_listen_bind_param, - } - - $ceilometer_api_vip = hiera('ceilometer_api_vip', $controller_virtual_ip) - if $service_certificate { - $ceilometer_bind_opts = { - "${ceilometer_api_vip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[ceilometer_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $ceilometer_bind_opts = { - "${ceilometer_api_vip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[ceilometer_api_port]}" => $haproxy_listen_bind_param, - } - } - - $aodh_api_vip = hiera('aodh_api_vip', $controller_virtual_ip) - if $service_certificate { - $aodh_bind_opts = { - "${aodh_api_vip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[aodh_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $aodh_bind_opts = { - "${aodh_api_vip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[aodh_api_port]}" => $haproxy_listen_bind_param, - } - } - - $gnocchi_api_vip = hiera('gnocchi_api_vip', $controller_virtual_ip) - if $service_certificate { - $gnocchi_bind_opts = { - "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[gnocchi_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $gnocchi_bind_opts = { - "${gnocchi_api_vip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[gnocchi_api_port]}" => $haproxy_listen_bind_param, - } - } - - $swift_proxy_vip = hiera('swift_proxy_vip', $controller_virtual_ip) - if $service_certificate { - $swift_bind_opts = { - "${swift_proxy_vip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[swift_proxy_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $swift_bind_opts = { - "${swift_proxy_vip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[swift_proxy_port]}" => $haproxy_listen_bind_param, - } - } - - $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) - $heat_base_options = { - 'http-request' => [ - 'set-header X-Forwarded-Proto https if { ssl_fc }', - 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} - if $service_certificate { - $heat_bind_opts = { - "${heat_api_vip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $heat_ssl_options = { - 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", - } - $heat_options = merge($heat_base_options, $heat_ssl_options) - $heat_cw_bind_opts = { - "${heat_api_vip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_cw_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - $heat_cfn_bind_opts = { - "${heat_api_vip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_cfn_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $heat_bind_opts = { - "${heat_api_vip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_api_port]}" => $haproxy_listen_bind_param, - } - $heat_options = $heat_base_options - $heat_cw_bind_opts = { - "${heat_api_vip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_cw_port]}" => $haproxy_listen_bind_param, - } - $heat_cfn_bind_opts = { - "${heat_api_vip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[heat_cfn_port]}" => $haproxy_listen_bind_param, - } - } - $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) if $service_certificate { # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the @@ -754,19 +525,6 @@ class tripleo::loadbalancer ( } } - $ironic_api_vip = hiera('ironic_api_vip', $controller_virtual_ip) - if $service_certificate { - $ironic_bind_opts = { - "${ironic_api_vip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[ironic_api_ssl_port]}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), - } - } else { - $ironic_bind_opts = { - "${ironic_api_vip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param, - "${public_virtual_ip}:${ports[ironic_api_port]}" => $haproxy_listen_bind_param, - } - } - if $haproxy_stats_bind_certificate { $haproxy_stats_bind_opts = { "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]), @@ -815,10 +573,10 @@ class tripleo::loadbalancer ( }, } - Haproxy::Listen { - options => { - 'option' => [], - } + Tripleo::Loadbalancer::Endpoint { + haproxy_listen_bind_param => $haproxy_listen_bind_param, + member_options => $haproxy_member_options, + public_certificate => $service_certificate, } $stats_base = ['enable', 'uri /'] @@ -837,312 +595,268 @@ class tripleo::loadbalancer ( } if $keystone_admin { - haproxy::listen { 'keystone_admin': - bind => $keystone_admin_bind_opts, - collect_exported => false, - mode => 'http', # Needed for http-request option - options => { + ::tripleo::loadbalancer::endpoint { 'keystone_admin': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_admin_api_port], + ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, - } - haproxy::balancermember { 'keystone_admin': - listening_service => 'keystone_admin', - ports => '35357', - ipaddresses => hiera('keystone_admin_api_node_ips',$controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[keystone_admin_api_ssl_port], } } if $keystone_public { - haproxy::listen { 'keystone_public': - bind => $keystone_public_bind_opts, - collect_exported => false, - mode => 'http', # Needed for http-request option - options => { + ::tripleo::loadbalancer::endpoint { 'keystone_public': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip), + service_port => $ports[keystone_public_api_port], + ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, - } - haproxy::balancermember { 'keystone_public': - listening_service => 'keystone_public', - ports => '5000', - ipaddresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[keystone_public_api_ssl_port], } } if $neutron { - haproxy::listen { 'neutron': - bind => $neutron_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'neutron': - listening_service => 'neutron', - ports => '9696', - ipaddresses => hiera('neutron_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'neutron': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('neutron_api_vip', $controller_virtual_ip), + service_port => $ports[neutron_api_port], + ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[neutron_api_ssl_port], } } if $cinder { - haproxy::listen { 'cinder': - bind => $cinder_bind_opts, - collect_exported => false, - mode => 'http', # Needed for http-request option - options => { + ::tripleo::loadbalancer::endpoint { 'cinder': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('cinder_api_vip', $controller_virtual_ip), + service_port => $ports[cinder_api_port], + ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, - } - haproxy::balancermember { 'cinder': - listening_service => 'cinder', - ports => '8776', - ipaddresses => hiera('cinder_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[cinder_api_ssl_port], } } if $manila { - haproxy::listen { 'manila': - bind => $manila_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'manila': - listening_service => 'manila', - ports => '8786', - ipaddresses => hiera('manila_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'manila': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('manila_api_vip', $controller_virtual_ip), + service_port => $ports[manila_api_port], + ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[manila_api_ssl_port], } } if $sahara { - haproxy::listen { 'sahara': - bind => $sahara_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'sahara': - listening_service => 'sahara', - ports => '8386', - ipaddresses => hiera('sahara_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'sahara': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('sahara_api_vip', $controller_virtual_ip), + service_port => $ports[sahara_api_port], + ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[sahara_api_ssl_port], } } if $trove { - haproxy::listen { 'trove': - bind => $trove_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'trove': - listening_service => 'trove', - ports => '8779', - ipaddresses => hiera('trove_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'trove': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('trove_api_vip', $controller_virtual_ip), + service_port => $ports[trove_api_port], + ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[trove_api_ssl_port], } } if $glance_api { - haproxy::listen { 'glance_api': - bind => $glance_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'glance_api': - listening_service => 'glance_api', - ports => '9292', - ipaddresses => hiera('glance_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'glance_api': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('glance_api_vip', $controller_virtual_ip), + service_port => $ports[glance_api_port], + ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[glance_api_ssl_port], } } if $glance_registry { - haproxy::listen { 'glance_registry': - bind => $glance_registry_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'glance_registry': - listening_service => 'glance_registry', - ports => '9191', - ipaddresses => hiera('glance_registry_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + ::tripleo::loadbalancer::endpoint { 'glance_registry': + internal_ip => hiera('glance_registry_vip', $controller_virtual_ip), + service_port => $ports[glance_registry_port], + ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, } } + $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) if $nova_ec2 { - haproxy::listen { 'nova_ec2': - bind => $nova_ec2_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'nova_ec2': - listening_service => 'nova_ec2', - ports => '8773', - ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'nova_ec2': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_ec2_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[nova_ec2_ssl_port], } } if $nova_osapi { - haproxy::listen { 'nova_osapi': - bind => $nova_osapi_bind_opts, - collect_exported => false, - mode => 'http', - options => { + ::tripleo::loadbalancer::endpoint { 'nova_osapi': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_api_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + mode => 'http', + listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, - } - haproxy::balancermember { 'nova_osapi': - listening_service => 'nova_osapi', - ports => '8774', - ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[nova_api_ssl_port], } } if $nova_metadata { - haproxy::listen { 'nova_metadata': - bind => $nova_metadata_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'nova_metadata': - listening_service => 'nova_metadata', - ports => '8775', - ipaddresses => hiera('nova_metadata_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + ::tripleo::loadbalancer::endpoint { 'nova_metadata': + internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip), + service_port => $ports[nova_metadata_port], + ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, } } if $nova_novncproxy { - haproxy::listen { 'nova_novncproxy': - bind => $nova_novnc_bind_opts, - options => { + ::tripleo::loadbalancer::endpoint { 'nova_novncproxy': + public_virtual_ip => $public_virtual_ip, + internal_ip => $nova_api_vip, + service_port => $ports[nova_novnc_port], + ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + listen_options => { 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], }, - collect_exported => false, - } - haproxy::balancermember { 'nova_novncproxy': - listening_service => 'nova_novncproxy', - ports => '6080', - ipaddresses => hiera('nova_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[nova_novnc_ssl_port], } } if $ceilometer { - haproxy::listen { 'ceilometer': - bind => $ceilometer_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'ceilometer': - listening_service => 'ceilometer', - ports => '8777', - ipaddresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'ceilometer': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip), + service_port => $ports[ceilometer_api_port], + ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[ceilometer_api_ssl_port], } } if $aodh { - haproxy::listen { 'aodh': - bind => $aodh_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'aodh': - listening_service => 'aodh', - ports => '8042', - ipaddresses => hiera('aodh_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'aodh': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('aodh_api_vip', $controller_virtual_ip), + service_port => $ports[aodh_api_port], + ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[aodh_api_ssl_port], } } if $gnocchi { - haproxy::listen { 'gnocchi': - bind => $gnocchi_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'gnocchi': - listening_service => 'gnocchi', - ports => '8041', - ipaddresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'gnocchi': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip), + service_port => $ports[gnocchi_api_port], + ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => ['check', 'inter 2000', 'rise 2', 'fall 5'], + public_ssl_port => $ports[gnocchi_api_ssl_port], } } if $swift_proxy_server { - haproxy::listen { 'swift_proxy_server': - bind => $swift_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'swift_proxy_server': - listening_service => 'swift_proxy_server', - ports => '8080', - ipaddresses => hiera('swift_proxy_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'swift_proxy_server': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip), + service_port => $ports[swift_proxy_port], + ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real), server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + public_ssl_port => $ports[swift_proxy_ssl_port], } } - if $heat_api { - haproxy::listen { 'heat_api': - bind => $heat_bind_opts, - options => $heat_options, - collect_exported => false, - mode => 'http', + $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) + $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) + $heat_base_options = { + 'http-request' => [ + 'set-header X-Forwarded-Proto https if { ssl_fc }', + 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} + if $service_certificate { + $heat_ssl_options = { + 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", } - haproxy::balancermember { 'heat_api': - listening_service => 'heat_api', - ports => '8004', - ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), + $heat_options = merge($heat_base_options, $heat_ssl_options) + } else { + $heat_options = $heat_base_options + } + + if $heat_api { + ::tripleo::loadbalancer::endpoint { 'heat_api': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_api_port], + ip_addresses => $heat_ip_addresses, server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_api_ssl_port], } } if $heat_cloudwatch { - haproxy::listen { 'heat_cloudwatch': - bind => $heat_cw_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'heat_cloudwatch': - listening_service => 'heat_cloudwatch', - ports => '8003', - ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'heat_cloudwatch': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_cw_port], + ip_addresses => $heat_ip_addresses, server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_cw_ssl_port], } } if $heat_cfn { - haproxy::listen { 'heat_cfn': - bind => $heat_cfn_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'heat_cfn': - listening_service => 'heat_cfn', - ports => '8000', - ipaddresses => hiera('heat_api_node_ips', $controller_hosts_real), + ::tripleo::loadbalancer::endpoint { 'heat_cfn': + public_virtual_ip => $public_virtual_ip, + internal_ip => $heat_api_vip, + service_port => $ports[heat_cfn_port], + ip_addresses => $heat_ip_addresses, server_names => $controller_hosts_names_real, - options => $haproxy_member_options, + mode => 'http', + listen_options => $heat_options, + public_ssl_port => $ports[heat_cfn_ssl_port], } } @@ -1162,6 +876,17 @@ class tripleo::loadbalancer ( } } + if $ironic { + ::tripleo::loadbalancer::endpoint { 'ironic': + public_virtual_ip => $public_virtual_ip, + internal_ip => hiera('ironic_api_vip', $controller_virtual_ip), + service_port => $ports[ironic_api_port], + ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real), + server_names => $controller_hosts_names_real, + public_ssl_port => $ports[ironic_api_ssl_port], + } + } + if $mysql_clustercheck { $mysql_listen_options = { 'option' => [ 'tcpka', 'httpchk' ], @@ -1179,20 +904,6 @@ class tripleo::loadbalancer ( $mysql_member_options = union($haproxy_member_options, ['backup']) } - if $ironic { - haproxy::listen { 'ironic': - bind => $ironic_bind_opts, - collect_exported => false, - } - haproxy::balancermember { 'ironic': - listening_service => 'ironic', - ports => '6385', - ipaddresses => hiera('ironic_api_node_ips', $controller_hosts_real), - server_names => $controller_hosts_names_real, - options => $haproxy_member_options, - } - } - if $mysql { haproxy::listen { 'mysql': bind => $mysql_bind_opts, diff --git a/manifests/loadbalancer/endpoint.pp b/manifests/loadbalancer/endpoint.pp new file mode 100644 index 0000000..12209e3 --- /dev/null +++ b/manifests/loadbalancer/endpoint.pp @@ -0,0 +1,117 @@ +# Copyright 2014 Red Hat, Inc. +# All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. You may obtain +# a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +# License for the specific language governing permissions and limitations +# under the License. + +# == Class: tripleo::loadbalancer::endpoint +# +# Configure a HAProxy listen endpoint +# +# [*internal_ip*] +# The IP in which the proxy endpoint will be listening in the internal +# network. +# +# [*service_port*] +# The default port on which the endpoint will be listening. +# +# [*ip_addresses*] +# The ordered list of IPs to be used to contact the balancer member. +# +# [*server_names*] +# The names of the balancer members, which usually should be the hostname. +# +# [*member_options*] +# Options for the balancer member, specified after the server declaration. +# These should go in the member's configuration block. +# +# [*public_virtual_ip*] +# Address in which the proxy endpoint will be listening in the public network. +# If this service is internal only this should be ommited. +# Defaults to undef. +# +# [*mode*] +# HAProxy mode in which the endpoint will be listening. This can be undef, +# tcp, http or health. +# Defaults to undef. +# +# [*haproxy_listen_bind_param*] +# A list of params to be added to the HAProxy listener bind directive. +# Defaults to undef. +# +# [*listen_options*] +# Options specified for the listening service's configuration block (in +# HAproxy terms, the frontend). +# defaults to {'option' => []} +# +# [*public_ssl_port*] +# The port used for the public proxy endpoint if it differs from the default +# one. This is used only if SSL is enabled, and it's used in order to avoid +# overriding with the internal proxy endpoint (which could happen if they were +# in the same network). +# Defaults to undef. +# +# [*public_certificate*] +# Certificate path used to enable TLS for the public proxy endpoint. +# Defaults to undef. +# +define tripleo::loadbalancer::endpoint ( + $internal_ip, + $service_port, + $ip_addresses, + $server_names, + $member_options, + $public_virtual_ip = undef, + $mode = undef, + $haproxy_listen_bind_param = undef, + $listen_options = { + 'option' => [], + }, + $public_ssl_port = undef, + $public_certificate = undef, +) { + if $public_virtual_ip { + # service exposed to the public network + + if $public_certificate { + $public_bind_opts = { + "${public_virtual_ip}:${public_ssl_port}" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]), + } + } else { + $public_bind_opts = { + "${public_virtual_ip}:${service_port}" => $haproxy_listen_bind_param, + } + } + } else { + # internal service only + $public_bind_opts = {} + } + + $internal_bind_opts = { + "${internal_ip}:${service_port}" => $haproxy_listen_bind_param, + } + $bind_opts = merge($internal_bind_opts, $public_bind_opts) + + haproxy::listen { "${name}": + bind => $bind_opts, + collect_exported => false, + mode => $mode, + options => $listen_options, + } + haproxy::balancermember { "${name}": + listening_service => $name, + ports => $service_port, + ipaddresses => $ip_addresses, + server_names => $server_names, + options => $member_options, + } +} -- cgit 1.2.3-korg