# Copyright 2014 Red Hat, Inc. # All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); you may # not use this file except in compliance with the License. You may obtain # a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the # License for the specific language governing permissions and limitations # under the License. # == Class: tripleo::haproxy # # Configure HAProxy for TripleO. # # === Parameters: # # [*keepalived*] # Whether to configure keepalived to manage the VIPs or not. # Defaults to true # # [*haproxy_service_manage*] # Will be passed as value for service_manage to HAProxy module. # Defaults to true # # [*haproxy_global_maxconn*] # The value to use as maxconn in the HAProxy global config section. # Defaults to 20480 # # [*haproxy_default_maxconn*] # The value to use as maxconn in the HAProxy default config section. # Defaults to 4096 # # [*haproxy_default_timeout*] # The value to use as timeout in the HAProxy default config section. # Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ] # # [*haproxy_listen_bind_param*] # A list of params to be added to the HAProxy listener bind directive. By # default the 'transparent' param is added but it should be cleared if # one of the *_virtual_ip addresses is a wildcard, eg. 0.0.0.0 # Defaults to [ 'transparent' ] # # [*haproxy_member_options*] # The default options to use for the HAProxy balancer members. # Defaults to [ 'check', 'inter 2000', 'rise 2', 'fall 5' ] # # [*haproxy_log_address*] # The IPv4, IPv6 or filesystem socket path of the syslog server. # Defaults to '/dev/log' # # [*controller_hosts*] # IPs of host or group of hosts to load-balance the services # Can be a string or an array. # Defaults tohiera('controller_node_ips') # # [*controller_hosts_names*] # Names of host or group of hosts to load-balance the services # Can be a string or an array. # Defaults to hiera('controller_node_names', undef) # # [*controller_virtual_ip*] # Control IP or group of IPs to bind the pools # Can be a string or an array. # Defaults to undef # # [*public_virtual_ip*] # Public IP or group of IPs to bind the pools # Can be a string or an array. # Defaults to undef # [*haproxy_stats_user*] # # Username for haproxy stats authentication. # A string. # Defaults to 'admin' # # [*haproxy_stats_password*] # Password for haproxy stats authentication. When set, authentication is # enabled on the haproxy stats endpoint. # A string. # Defaults to undef # # [*service_certificate*] # Filename of an HAProxy-compatible certificate and key file # When set, enables SSL on the public API endpoints using the specified file. # Defaults to undef # # [*use_internal_certificates*] # Flag that indicates if we'll use an internal certificate for this specific # service. When set, enables SSL on the internal API endpoints using the file # that certmonger is tracking; this is derived from the network the service is # listening on. # Defaults to false # # [*internal_certificates_specs*] # A hash that should contain the specs that were used to create the # certificates. As the name indicates, only the internal certificates will be # fetched from here. And the keys should follow the following pattern # "haproxy-". The network name should be as it was defined in # tripleo-heat-templates. # Note that this is only taken into account if the $use_internal_certificates # flag is set. # Defaults to {} # # [*enable_internal_tls*] # A flag that indicates if the servers in the internal network are using TLS. # This enables the 'ssl' option for the server members that are proxied. # Defaults to hiera('enable_internal_tls', false) # # [*ssl_cipher_suite*] # The default string describing the list of cipher algorithms ("cipher suite") # that are negotiated during the SSL/TLS handshake for all "bind" lines. This # value comes from the Fedora system crypto policy. # Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES' # # [*ssl_options*] # String that sets the default ssl options to force on all "bind" lines. # Defaults to 'no-sslv3' # # [*haproxy_stats_certificate*] # Filename of an HAProxy-compatible certificate and key file # When set, enables SSL on the haproxy stats endpoint using the specified file. # Defaults to undef # # [*keystone_admin*] # (optional) Enable or not Keystone Admin API binding # Defaults to hiera('keystone_enabled', false) # # [*keystone_public*] # (optional) Enable or not Keystone Public API binding # Defaults to hiera('keystone_enabled', false) # # [*neutron*] # (optional) Enable or not Neutron API binding # Defaults to hiera('neutron_api_enabled', false) # # [*cinder*] # (optional) Enable or not Cinder API binding # Defaults to hiera('cinder_api_enabled', false) # # [*manila*] # (optional) Enable or not Manila API binding # Defaults to hiera('manila_api_enabled', false) # # [*sahara*] # (optional) Enable or not Sahara API binding # defaults to hiera('sahara_api_enabled', false) # # [*trove*] # (optional) Enable or not Trove API binding # defaults to hiera('trove_api_enabled', false) # # [*glance_api*] # (optional) Enable or not Glance API binding # Defaults to hiera('glance_api_enabled', false) # # [*glance_registry*] # (optional) Enable or not Glance registry binding # Defaults to hiera('glance_registry_enabled', false) # # [*nova_osapi*] # (optional) Enable or not Nova API binding # Defaults to hiera('nova_api_enabled', false) # # [*nova_metadata*] # (optional) Enable or not Nova metadata binding # Defaults to hiera('nova_api_enabled', false) # # [*nova_novncproxy*] # (optional) Enable or not Nova novncproxy binding # Defaults to hiera('nova_vnc_proxy_enabled', false) # # [*ceilometer*] # (optional) Enable or not Ceilometer API binding # Defaults to hiera('ceilometer_api_enabled', false) # # [*aodh*] # (optional) Enable or not Aodh API binding # Defaults to hiera('aodh_api_enabled', false) # # [*gnocchi*] # (optional) Enable or not Gnocchi API binding # Defaults to hiera('gnocchi_api_enabled', false) # # [*mistral*] # (optional) Enable or not Mistral API binding # Defaults to hiera('mistral_api_enabled', false) # # [*swift_proxy_server*] # (optional) Enable or not Swift API binding # Defaults to hiera('swift_proxy_enabled', false) # # [*heat_api*] # (optional) Enable or not Heat API binding # Defaults to hiera('heat_api_enabled', false) # # [*heat_cloudwatch*] # (optional) Enable or not Heat Cloudwatch API binding # Defaults to hiera('heat_api_cloudwatch_enabled', false) # # [*heat_cfn*] # (optional) Enable or not Heat CFN API binding # Defaults to hiera('heat_api_cfn_enabled', false) # # [*horizon*] # (optional) Enable or not Horizon dashboard binding # Defaults to hiera('horizon_enabled', false) # # [*ironic*] # (optional) Enable or not Ironic API binding # Defaults to hiera('ironic_enabled', false) # # [*ironic_inspector*] # (optional) Enable or not Ironic Inspector API binding # Defaults to hiera('ironic_inspector_enabled', false) # # [*mysql*] # (optional) Enable or not MySQL Galera binding # Defaults to hiera('mysql_enabled', false) # # [*mysql_clustercheck*] # (optional) Enable check via clustercheck for mysql # Defaults to false # # [*rabbitmq*] # (optional) Enable or not RabbitMQ binding # Defaults to false # # [*docker_registry*] # (optional) Enable or not the Docker Registry API binding # Defaults to hiera('enable_docker_registry', false) # # [*redis*] # (optional) Enable or not Redis binding # Defaults to hiera('redis_enabled', false) # # [*redis_password*] # (optional) Password for Redis authentication, eventually needed by the # specific monitoring we do from HAProxy for Redis # Defaults to undef # # [*midonet_api*] # (optional) Enable or not MidoNet API binding # Defaults to false # # [*zaqar_api*] # (optional) Enable or not Zaqar Api binding # Defaults to hiera('zaqar_api_enabled', false) # # [*ceph_rgw*] # (optional) Enable or not Ceph RadosGW binding # Defaults to hiera('ceph_rgw_enabled', false) # # [*opendaylight*] # (optional) Enable or not OpenDaylight binding # Defaults to hiera('opendaylight_api_enabled', false) # # [*zaqar_ws*] # (optional) Enable or not Zaqar Websockets binding # Defaults to false # # [*aodh_network*] # (optional) Specify the network aodh is running on. # Defaults to hiera('aodh_api_network', undef) # # [*ceilometer_network*] # (optional) Specify the network ceilometer is running on. # Defaults to hiera('ceilometer_api_network', undef) # # [*ceph_rgw_network*] # (optional) Specify the network ceph_rgw is running on. # Defaults to hiera('ceph_rgw_network', undef) # # [*cinder_network*] # (optional) Specify the network cinder is running on. # Defaults to hiera('cinder_api_network', undef) # # [*docker_registry_network*] # (optional) Specify the network docker-registry is running on. # Defaults to hiera('docker_registry_network', undef) # # [*glance_api_network*] # (optional) Specify the network glance_api is running on. # Defaults to hiera('glance_api_network', undef) # # [*glance_registry_network*] # (optional) Specify the network glance_registry is running on. # Defaults to hiera('glance_registry_network', undef) # # [*gnocchi_network*] # (optional) Specify the network gnocchi is running on. # Defaults to hiera('gnocchi_api_network', undef) # # [*heat_api_network*] # (optional) Specify the network heat_api is running on. # Defaults to hiera('heat_api_network', undef) # # [*heat_cfn_network*] # (optional) Specify the network heat_cfn is running on. # Defaults to hiera('heat_api_cfn_network', undef) # # [*heat_cloudwatch_network*] # (optional) Specify the network heat_cloudwatch is running on. # Defaults to hiera('heat_api_cloudwatch_network', undef) # # [*ironic_inspector_network*] # (optional) Specify the network ironic_inspector is running on. # Defaults to hiera('ironic_inspector_network', undef) # # [*ironic_network*] # (optional) Specify the network ironic is running on. # Defaults to hiera('ironic_api_network', undef) # # [*keystone_admin_network*] # (optional) Specify the network keystone_admin is running on. # Defaults to hiera('keystone_network', undef) # # [*keystone_public_network*] # (optional) Specify the network keystone_public is running on. # Defaults to hiera('keystone_network', undef) # # [*manila_network*] # (optional) Specify the network manila is running on. # Defaults to hiera('manila_api_network', undef) # # [*mistral_network*] # (optional) Specify the network mistral is running on. # Defaults to hiera('mistral_api_network', undef) # # [*neutron_network*] # (optional) Specify the network neutron is running on. # Defaults to hiera('neutron_api_network', undef) # # [*nova_metadata_network*] # (optional) Specify the network nova_metadata is running on. # Defaults to hiera('nova_api_network', undef) # # [*nova_novncproxy_network*] # (optional) Specify the network nova_novncproxy is running on. # Defaults to hiera('nova_vncproxy_network', undef) # # [*nova_osapi_network*] # (optional) Specify the network nova_osapi is running on. # Defaults to hiera('nova_api_network', undef) # # [*opendaylight_network*] # (optional) Specify the network opendaylight is running on. # Defaults to hiera('opendaylight_api_network', undef) # # [*sahara_network*] # (optional) Specify the network sahara is running on. # Defaults to hiera('sahara_api_network', undef) # # [*swift_proxy_server_network*] # (optional) Specify the network swift_proxy_server is running on. # Defaults to hiera('swift_proxy_network', undef) # # [*trove_network*] # (optional) Specify the network trove is running on. # Defaults to hiera('trove_api_network', undef) # # [*zaqar_api_network*] # (optional) Specify the network zaqar_api is running on. # Defaults to hiera('zaqar_api_network', undef) # # [*service_ports*] # (optional) Hash that contains the values to override from the service ports # The available keys to modify the services' ports are: # 'aodh_api_port' (Defaults to 8042) # 'aodh_api_ssl_port' (Defaults to 13042) # 'ceilometer_api_port' (Defaults to 8777) # 'ceilometer_api_ssl_port' (Defaults to 13777) # 'cinder_api_port' (Defaults to 8776) # 'cinder_api_ssl_port' (Defaults to 13776) # 'docker_registry_port' (Defaults to 8787) # 'docker_registry_ssl_port' (Defaults to 13787) # 'glance_api_port' (Defaults to 9292) # 'glance_api_ssl_port' (Defaults to 13292) # 'glance_registry_port' (Defaults to 9191) # 'gnocchi_api_port' (Defaults to 8041) # 'gnocchi_api_ssl_port' (Defaults to 13041) # 'mistral_api_port' (Defaults to 8989) # 'mistral_api_ssl_port' (Defaults to 13989) # 'heat_api_port' (Defaults to 8004) # 'heat_api_ssl_port' (Defaults to 13004) # 'heat_cfn_port' (Defaults to 8000) # 'heat_cfn_ssl_port' (Defaults to 13005) # 'heat_cw_port' (Defaults to 8003) # 'heat_cw_ssl_port' (Defaults to 13003) # 'ironic_api_port' (Defaults to 6385) # 'ironic_api_ssl_port' (Defaults to 13385) # 'ironic_inspector_port' (Defaults to 5050) # 'ironic_inspector_ssl_port' (Defaults to 13050) # 'keystone_admin_api_port' (Defaults to 35357) # 'keystone_admin_api_ssl_port' (Defaults to 13357) # 'keystone_public_api_port' (Defaults to 5000) # 'keystone_public_api_ssl_port' (Defaults to 13000) # 'manila_api_port' (Defaults to 8786) # 'manila_api_ssl_port' (Defaults to 13786) # 'neutron_api_port' (Defaults to 9696) # 'neutron_api_ssl_port' (Defaults to 13696) # 'nova_api_port' (Defaults to 8774) # 'nova_api_ssl_port' (Defaults to 13774) # 'nova_metadata_port' (Defaults to 8775) # 'nova_novnc_port' (Defaults to 6080) # 'nova_novnc_ssl_port' (Defaults to 13080) # 'sahara_api_port' (Defaults to 8386) # 'sahara_api_ssl_port' (Defaults to 13386) # 'swift_proxy_port' (Defaults to 8080) # 'swift_proxy_ssl_port' (Defaults to 13808) # 'trove_api_port' (Defaults to 8779) # 'trove_api_ssl_port' (Defaults to 13779) # 'zaqar_api_port' (Defaults to 8888) # 'zaqar_api_ssl_port' (Defaults to 13888) # 'ceph_rgw_port' (Defaults to 8080) # 'ceph_rgw_ssl_port' (Defaults to 13808) # 'zaqar_ws_port' (Defaults to 9000) # 'zaqar_ws_ssl_port' (Defaults to 9000) # * Note that for zaqar's websockets we don't support having a different # port for SSL, because it ignores the handshake. # Defaults to {} # class tripleo::haproxy ( $controller_virtual_ip, $public_virtual_ip, $keepalived = true, $haproxy_service_manage = true, $haproxy_global_maxconn = 20480, $haproxy_default_maxconn = 4096, $haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ], $haproxy_listen_bind_param = [ 'transparent' ], $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ], $haproxy_log_address = '/dev/log', $haproxy_stats_user = 'admin', $haproxy_stats_password = undef, $controller_hosts = hiera('controller_node_ips'), $controller_hosts_names = hiera('controller_node_names', undef), $service_certificate = undef, $use_internal_certificates = false, $internal_certificates_specs = {}, $enable_internal_tls = hiera('enable_internal_tls', false), $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES', $ssl_options = 'no-sslv3', $haproxy_stats_certificate = undef, $keystone_admin = hiera('keystone_enabled', false), $keystone_public = hiera('keystone_enabled', false), $neutron = hiera('neutron_api_enabled', false), $cinder = hiera('cinder_api_enabled', false), $manila = hiera('manila_api_enabled', false), $sahara = hiera('sahara_api_enabled', false), $trove = hiera('trove_api_enabled', false), $glance_api = hiera('glance_api_enabled', false), $glance_registry = hiera('glance_registry_enabled', false), $nova_osapi = hiera('nova_api_enabled', false), $nova_metadata = hiera('nova_api_enabled', false), $nova_novncproxy = hiera('nova_vnc_proxy_enabled', false), $ceilometer = hiera('ceilometer_api_enabled', false), $aodh = hiera('aodh_api_enabled', false), $gnocchi = hiera('gnocchi_api_enabled', false), $mistral = hiera('mistral_api_enabled', false), $swift_proxy_server = hiera('swift_proxy_enabled', false), $heat_api = hiera('heat_api_enabled', false), $heat_cloudwatch = hiera('heat_api_cloudwatch_enabled', false), $heat_cfn = hiera('heat_api_cfn_enabled', false), $horizon = hiera('horizon_enabled', false), $ironic = hiera('ironic_api_enabled', false), $ironic_inspector = hiera('ironic_inspector_enabled', false), $mysql = hiera('mysql_enabled', false), $mysql_clustercheck = false, $rabbitmq = false, $docker_registry = hiera('enable_docker_registry', false), $redis = hiera('redis_enabled', false), $redis_password = undef, $midonet_api = false, $zaqar_api = hiera('zaqar_api_enabled', false), $ceph_rgw = hiera('ceph_rgw_enabled', false), $opendaylight = hiera('opendaylight_api_enabled', false), $zaqar_ws = hiera('zaqar_api_enabled', false), $aodh_network = hiera('aodh_api_network', undef), $ceilometer_network = hiera('ceilometer_api_network', undef), $ceph_rgw_network = hiera('ceph_rgw_network', undef), $cinder_network = hiera('cinder_api_network', undef), $docker_registry_network = hiera('docker_registry_network', undef), $glance_api_network = hiera('glance_api_network', undef), $glance_registry_network = hiera('glance_registry_network', undef), $gnocchi_network = hiera('gnocchi_api_network', undef), $heat_api_network = hiera('heat_api_network', undef), $heat_cfn_network = hiera('heat_api_cfn_network', undef), $heat_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef), $ironic_inspector_network = hiera('ironic_inspector_network', undef), $ironic_network = hiera('ironic_api_network', undef), $keystone_admin_network = hiera('keystone_admin_api_network', undef), $keystone_public_network = hiera('keystone_public_api_network', undef), $manila_network = hiera('manila_api_network', undef), $mistral_network = hiera('mistral_api_network', undef), $neutron_network = hiera('neutron_api_network', undef), $nova_metadata_network = hiera('nova_api_network', undef), $nova_novncproxy_network = hiera('nova_vnc_proxy_network', undef), $nova_osapi_network = hiera('nova_api_network', undef), $sahara_network = hiera('sahara_api_network', undef), $swift_proxy_server_network = hiera('swift_proxy_network', undef), $trove_network = hiera('trove_api_network', undef), $zaqar_api_network = hiera('zaqar_api_network', undef), $service_ports = {} ) { $default_service_ports = { aodh_api_port => 8042, aodh_api_ssl_port => 13042, ceilometer_api_port => 8777, ceilometer_api_ssl_port => 13777, cinder_api_port => 8776, cinder_api_ssl_port => 13776, docker_registry_port => 8787, docker_registry_ssl_port => 13787, glance_api_port => 9292, glance_api_ssl_port => 13292, glance_registry_port => 9191, gnocchi_api_port => 8041, gnocchi_api_ssl_port => 13041, mistral_api_port => 8989, mistral_api_ssl_port => 13989, heat_api_port => 8004, heat_api_ssl_port => 13004, heat_cfn_port => 8000, heat_cfn_ssl_port => 13005, heat_cw_port => 8003, heat_cw_ssl_port => 13003, ironic_api_port => 6385, ironic_api_ssl_port => 13385, ironic_inspector_port => 5050, ironic_inspector_ssl_port => 13050, keystone_admin_api_port => 35357, keystone_admin_api_ssl_port => 13357, keystone_public_api_port => 5000, keystone_public_api_ssl_port => 13000, manila_api_port => 8786, manila_api_ssl_port => 13786, neutron_api_port => 9696, neutron_api_ssl_port => 13696, nova_api_port => 8774, nova_api_ssl_port => 13774, nova_metadata_port => 8775, nova_novnc_port => 6080, nova_novnc_ssl_port => 13080, sahara_api_port => 8386, sahara_api_ssl_port => 13386, swift_proxy_port => 8080, swift_proxy_ssl_port => 13808, trove_api_port => 8779, trove_api_ssl_port => 13779, zaqar_api_port => 8888, zaqar_api_ssl_port => 13888, ceph_rgw_port => 8080, ceph_rgw_ssl_port => 13808, zaqar_ws_port => 9000, zaqar_ws_ssl_port => 9000, } $ports = merge($default_service_ports, $service_ports) if $enable_internal_tls { # TODO(jaosorior): change verify none to verify required. $internal_tls_member_options = ['ssl', 'verify none'] } else { $internal_tls_member_options = [] } $controller_hosts_real = any2array(split($controller_hosts, ',')) if ! $controller_hosts_names { $controller_hosts_names_real = $controller_hosts_real } else { $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ','))) } # This code will be removed once we switch undercloud and overcloud to use both haproxy & keepalived roles. if $keepalived { include ::tripleo::keepalived } # TODO(bnemec): When we have support for SSL on private and admin endpoints, # have the haproxy stats endpoint use that certificate by default. if $haproxy_stats_certificate { $haproxy_stats_bind_certificate = $haproxy_stats_certificate } $horizon_vip = hiera('horizon_vip', $controller_virtual_ip) if $service_certificate { # NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the # same, the first option takes precedence. Which is the case when network # isolation is not enabled. This is not a problem as both options are # identical. If network isolation is enabled, this works correctly and # will add a TLS binding to both the horizon_vip and the # public_virtual_ip. # Even though for the public_virtual_ip the port 80 is listening, we # redirect to https in the horizon_options below. $horizon_bind_opts = { "${horizon_vip}:80" => $haproxy_listen_bind_param, "${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), "${public_virtual_ip}:80" => $haproxy_listen_bind_param, "${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]), } $horizon_options = { 'cookie' => 'SERVERID insert indirect nocache', 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", 'option' => 'forwardfor', 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], } } else { $horizon_bind_opts = { "${horizon_vip}:80" => $haproxy_listen_bind_param, "${public_virtual_ip}:80" => $haproxy_listen_bind_param, } $horizon_options = { 'cookie' => 'SERVERID insert indirect nocache', 'option' => 'forwardfor', } } if $haproxy_stats_bind_certificate { $haproxy_stats_bind_opts = { "${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]), } } else { $haproxy_stats_bind_opts = { "${controller_virtual_ip}:1993" => $haproxy_listen_bind_param, } } $mysql_vip = hiera('mysql_vip', $controller_virtual_ip) $mysql_bind_opts = { "${mysql_vip}:3306" => $haproxy_listen_bind_param, } $rabbitmq_vip = hiera('rabbitmq_vip', $controller_virtual_ip) $rabbitmq_bind_opts = { "${rabbitmq_vip}:5672" => $haproxy_listen_bind_param, } $redis_vip = hiera('redis_vip', $controller_virtual_ip) $redis_bind_opts = { "${redis_vip}:6379" => $haproxy_listen_bind_param, } class { '::haproxy': service_manage => $haproxy_service_manage, global_options => { 'log' => "${haproxy_log_address} local0", 'pidfile' => '/var/run/haproxy.pid', 'user' => 'haproxy', 'group' => 'haproxy', 'daemon' => '', 'maxconn' => $haproxy_global_maxconn, 'ssl-default-bind-ciphers' => $ssl_cipher_suite, 'ssl-default-bind-options' => $ssl_options, }, defaults_options => { 'mode' => 'tcp', 'log' => 'global', 'retries' => '3', 'timeout' => $haproxy_default_timeout, 'maxconn' => $haproxy_default_maxconn, }, } Tripleo::Haproxy::Endpoint { haproxy_listen_bind_param => $haproxy_listen_bind_param, member_options => $haproxy_member_options, public_certificate => $service_certificate, use_internal_certificates => $use_internal_certificates, internal_certificates_specs => $internal_certificates_specs, } $stats_base = ['enable', 'uri /'] if $haproxy_stats_password { $stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"]) } else { $stats_config = $stats_base } haproxy::listen { 'haproxy.stats': bind => $haproxy_stats_bind_opts, mode => 'http', options => { 'stats' => $stats_config, }, collect_exported => false, } if $keystone_admin { ::tripleo::haproxy::endpoint { 'keystone_admin': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), service_port => $ports[keystone_admin_api_port], ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, public_ssl_port => $ports[keystone_admin_api_ssl_port], service_network => $keystone_admin_network, member_options => union($haproxy_member_options, $internal_tls_member_options), } } if $keystone_public { $keystone_listen_opts = { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], } if $service_certificate { $keystone_public_tls_listen_opts = { 'rsprep' => '^Location:\ http://(.*) Location:\ https://\1', # NOTE(jaosorior): We always redirect to https for the public_virtual_ip. 'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }", 'option' => 'forwardfor', } } else { $keystone_public_tls_listen_opts = {} } ::tripleo::haproxy::endpoint { 'keystone_public': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip), service_port => $ports[keystone_public_api_port], ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => merge($keystone_listen_opts, $keystone_public_tls_listen_opts), public_ssl_port => $ports[keystone_public_api_ssl_port], service_network => $keystone_public_network, member_options => union($haproxy_member_options, $internal_tls_member_options), } } if $neutron { ::tripleo::haproxy::endpoint { 'neutron': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('neutron_api_vip', $controller_virtual_ip), service_port => $ports[neutron_api_port], ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real), server_names => hiera('neutron_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[neutron_api_ssl_port], service_network => $neutron_network, } } if $cinder { ::tripleo::haproxy::endpoint { 'cinder': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('cinder_api_vip', $controller_virtual_ip), service_port => $ports[cinder_api_port], ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real), server_names => hiera('cinder_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, public_ssl_port => $ports[cinder_api_ssl_port], service_network => $cinder_network, } } if $manila { ::tripleo::haproxy::endpoint { 'manila': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('manila_api_vip', $controller_virtual_ip), service_port => $ports[manila_api_port], ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real), server_names => hiera('manila_api_node_names', $controller_hosts_names_real), listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, public_ssl_port => $ports[manila_api_ssl_port], service_network => $manila_network, } } if $sahara { ::tripleo::haproxy::endpoint { 'sahara': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('sahara_api_vip', $controller_virtual_ip), service_port => $ports[sahara_api_port], ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real), server_names => hiera('sahara_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[sahara_api_ssl_port], service_network => $sahara_network, } } if $trove { ::tripleo::haproxy::endpoint { 'trove': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('trove_api_vip', $controller_virtual_ip), service_port => $ports[trove_api_port], ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real), server_names => hiera('trove_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[trove_api_ssl_port], service_network => $trove_network, } } if $glance_api { ::tripleo::haproxy::endpoint { 'glance_api': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('glance_api_vip', $controller_virtual_ip), service_port => $ports[glance_api_port], ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real), server_names => hiera('glance_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[glance_api_ssl_port], mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, service_network => $glance_api_network, } } if $glance_registry { ::tripleo::haproxy::endpoint { 'glance_registry': internal_ip => hiera('glance_registry_vip', $controller_virtual_ip), service_port => $ports[glance_registry_port], ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real), server_names => hiera('glance_registry_node_names', $controller_hosts_names_real), service_network => $glance_registry_network, } } $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip) if $nova_osapi { ::tripleo::haproxy::endpoint { 'nova_osapi': public_virtual_ip => $public_virtual_ip, internal_ip => $nova_api_vip, service_port => $ports[nova_api_port], ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }'], }, public_ssl_port => $ports[nova_api_ssl_port], service_network => $nova_osapi_network, } } if $nova_metadata { ::tripleo::haproxy::endpoint { 'nova_metadata': internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip), service_port => $ports[nova_metadata_port], ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real), server_names => hiera('nova_metadata_node_names', $controller_hosts_names_real), service_network => $nova_metadata_network, } } if $nova_novncproxy { ::tripleo::haproxy::endpoint { 'nova_novncproxy': public_virtual_ip => $public_virtual_ip, internal_ip => $nova_api_vip, service_port => $ports[nova_novnc_port], ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real), server_names => hiera('nova_api_node_names', $controller_hosts_names_real), listen_options => { 'balance' => 'source', 'timeout' => [ 'tunnel 1h' ], }, public_ssl_port => $ports[nova_novnc_ssl_port], service_network => $nova_novncproxy_network, } } if $ceilometer { ::tripleo::haproxy::endpoint { 'ceilometer': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip), service_port => $ports[ceilometer_api_port], ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real), server_names => hiera('ceilometer_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ceilometer_api_ssl_port], service_network => $ceilometer_network, } } if $aodh { ::tripleo::haproxy::endpoint { 'aodh': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('aodh_api_vip', $controller_virtual_ip), service_port => $ports[aodh_api_port], ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real), server_names => hiera('aodh_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[aodh_api_ssl_port], service_network => $aodh_network, } } if $gnocchi { ::tripleo::haproxy::endpoint { 'gnocchi': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip), service_port => $ports[gnocchi_api_port], ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real), server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[gnocchi_api_ssl_port], service_network => $gnocchi_network, } } if $mistral { ::tripleo::haproxy::endpoint { 'mistral': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('mistral_api_vip', $controller_virtual_ip), service_port => $ports[mistral_api_port], ip_addresses => hiera('mistral_api_node_ips', $controller_hosts_real), server_names => hiera('mistral_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[mistral_api_ssl_port], service_network => $mistral_network, } } if $swift_proxy_server { ::tripleo::haproxy::endpoint { 'swift_proxy_server': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip), service_port => $ports[swift_proxy_port], ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real), server_names => hiera('swift_proxy_node_names', $controller_hosts_names_real), public_ssl_port => $ports[swift_proxy_ssl_port], service_network => $swift_proxy_server_network, } } $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip) $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real) $heat_base_options = { 'http-request' => [ 'set-header X-Forwarded-Proto https if { ssl_fc }', 'set-header X-Forwarded-Proto http if !{ ssl_fc }']} if $service_certificate { $heat_ssl_options = { 'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1", } $heat_options = merge($heat_base_options, $heat_ssl_options) } else { $heat_options = $heat_base_options } if $heat_api { ::tripleo::haproxy::endpoint { 'heat_api': public_virtual_ip => $public_virtual_ip, internal_ip => $heat_api_vip, service_port => $ports[heat_api_port], ip_addresses => $heat_ip_addresses, server_names => hiera('heat_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => $heat_options, public_ssl_port => $ports[heat_api_ssl_port], service_network => $heat_api_network, } } if $heat_cloudwatch { ::tripleo::haproxy::endpoint { 'heat_cloudwatch': public_virtual_ip => $public_virtual_ip, internal_ip => $heat_api_vip, service_port => $ports[heat_cw_port], ip_addresses => $heat_ip_addresses, server_names => hiera('heat_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => $heat_options, public_ssl_port => $ports[heat_cw_ssl_port], service_network => $heat_cloudwatch_network, } } if $heat_cfn { ::tripleo::haproxy::endpoint { 'heat_cfn': public_virtual_ip => $public_virtual_ip, internal_ip => $heat_api_vip, service_port => $ports[heat_cfn_port], ip_addresses => $heat_ip_addresses, server_names => hiera('heat_api_node_names', $controller_hosts_names_real), mode => 'http', listen_options => $heat_options, public_ssl_port => $ports[heat_cfn_ssl_port], service_network => $heat_cfn_network, } } if $horizon { haproxy::listen { 'horizon': bind => $horizon_bind_opts, options => $horizon_options, mode => 'http', collect_exported => false, } haproxy::balancermember { 'horizon': listening_service => 'horizon', ports => '80', ipaddresses => hiera('horizon_node_ips', $controller_hosts_real), server_names => hiera('horizon_node_names', $controller_hosts_names_real), options => union($haproxy_member_options, ["cookie ${::hostname}"]), } } if $ironic { ::tripleo::haproxy::endpoint { 'ironic': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('ironic_api_vip', $controller_virtual_ip), service_port => $ports[ironic_api_port], ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real), server_names => hiera('ironic_api_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ironic_api_ssl_port], service_network => $ironic_network, } } if $ironic_inspector { ::tripleo::haproxy::endpoint { 'ironic-inspector': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('ironic_inspector_vip', $controller_virtual_ip), service_port => $ports[ironic_inspector_port], ip_addresses => hiera('ironic_inspector_node_ips', $controller_hosts_real), server_names => hiera('ironic_inspector_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ironic_inspector_ssl_port], service_network => $ironic_inspector_network, } } if $mysql_clustercheck { $mysql_listen_options = { 'option' => [ 'tcpka', 'httpchk' ], 'timeout client' => '90m', 'timeout server' => '90m', 'stick-table' => 'type ip size 1000', 'stick' => 'on dst', } $mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions']) } else { $mysql_listen_options = { 'timeout client' => '90m', 'timeout server' => '90m', } $mysql_member_options = union($haproxy_member_options, ['backup']) } if $mysql { haproxy::listen { 'mysql': bind => $mysql_bind_opts, options => $mysql_listen_options, collect_exported => false, } haproxy::balancermember { 'mysql-backup': listening_service => 'mysql', ports => '3306', ipaddresses => hiera('mysql_node_ips', $controller_hosts_real), server_names => hiera('mysql_node_names', $controller_hosts_names_real), options => $mysql_member_options, } } if $rabbitmq { haproxy::listen { 'rabbitmq': bind => $rabbitmq_bind_opts, options => { 'option' => [ 'tcpka' ], 'timeout' => [ 'client 0', 'server 0' ], }, collect_exported => false, } haproxy::balancermember { 'rabbitmq': listening_service => 'rabbitmq', ports => '5672', ipaddresses => hiera('rabbitmq_network', $controller_hosts_real), server_names => hiera('rabbitmq_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } } if $docker_registry { ::tripleo::haproxy::endpoint { 'docker-registry': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('docker_registry_vip', $controller_virtual_ip), service_port => $ports[docker_registry_port], ip_addresses => hiera('docker_registry_node_ips', $controller_hosts_real), server_names => hiera('docker_registry_node_names', $controller_hosts_names_real), public_ssl_port => $ports[docker_registry_ssl_port], service_network => $docker_registry_network, } } if $redis { if $redis_password { $redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"] } else { $redis_tcp_check_options = [] } haproxy::listen { 'redis': bind => $redis_bind_opts, options => { 'balance' => 'first', 'option' => ['tcp-check',], 'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n', 'expect string +PONG', 'send info\ replication\r\n', 'expect string role:master', 'send QUIT\r\n', 'expect string +OK']), }, collect_exported => false, } haproxy::balancermember { 'redis': listening_service => 'redis', ports => '6379', ipaddresses => hiera('redis_node_ips', $controller_hosts_real), server_names => hiera('redis_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } } $midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip) $midonet_bind_opts = { "${midonet_api_vip}:8081" => [], "${public_virtual_ip}:8081" => [], } if $midonet_api { haproxy::listen { 'midonet_api': bind => $midonet_bind_opts, collect_exported => false, } haproxy::balancermember { 'midonet_api': listening_service => 'midonet_api', ports => '8081', ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real), server_names => hiera('midonet_api_node_names', $controller_hosts_names_real), options => $haproxy_member_options, } } if $zaqar_api { ::tripleo::haproxy::endpoint { 'zaqar_api': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('zaqar_api_vip', $controller_virtual_ip), service_port => $ports[zaqar_api_port], ip_addresses => hiera('zaqar_api_node_ips', $controller_hosts_real), server_names => hiera('zaqar_api_node_names', $controller_hosts_names_real), mode => 'http', public_ssl_port => $ports[zaqar_api_ssl_port], service_network => $zaqar_api_network, } } if $ceph_rgw { ::tripleo::haproxy::endpoint { 'ceph_rgw': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('ceph_rgw_vip', $controller_virtual_ip), service_port => $ports[ceph_rgw_port], ip_addresses => hiera('ceph_rgw_node_ips', $controller_hosts_real), server_names => hiera('ceph_rgw_node_names', $controller_hosts_names_real), public_ssl_port => $ports[ceph_rgw_ssl_port], service_network => $ceph_rgw_network, } } $opendaylight_api_vip = hiera('opendaylight_api_vip', $controller_virtual_ip) $opendaylight_bind_opts = { "${opendaylight_api_vip}:8081" => [], "${public_virtual_ip}:8081" => [], } if $opendaylight { haproxy::listen { 'opendaylight': bind => $opendaylight_bind_opts, options => { 'balance' => 'source', }, collect_exported => false, } haproxy::balancermember { 'opendaylight': listening_service => 'opendaylight', ports => '8081', ipaddresses => hiera('opendaylight_api_node_ips', $controller_hosts_real), server_names => hiera('opendaylight_api_node_names', $controller_hosts_names_real), options => ['check', 'inter 2000', 'rise 2', 'fall 5'], } } if $zaqar_ws { ::tripleo::haproxy::endpoint { 'zaqar_ws': public_virtual_ip => $public_virtual_ip, internal_ip => hiera('zaqar_ws_vip', $controller_virtual_ip), service_port => $ports[zaqar_ws_port], ip_addresses => hiera('zaqar_ws_node_ips', $controller_hosts_real), server_names => hiera('zaqar_ws_node_names', $controller_hosts_names_real), mode => 'http', haproxy_listen_bind_param => [], # We don't use a transparent proxy here listen_options => { # NOTE(jaosorior): Websockets have more overhead in establishing # connections than regular HTTP connections. Also, since it begins # as an HTTP connection and then "upgrades" to a TCP connection, some # timeouts get overriden by others at certain times of the connection. # The following values were taken from the following site: # http://blog.haproxy.com/2012/11/07/websockets-load-balancing-with-haproxy/ 'timeout' => ['connect 5s', 'client 25s', 'server 25s', 'tunnel 3600s'], }, public_ssl_port => $ports[zaqar_ws_ssl_port], service_network => $zaqar_api_network, } } }