authorJames Polley <jp@jamezpolley.com>2014-06-20 17:28:57 +1000
committerJames Polley <jp@jamezpolley.com>2014-07-22 16:06:48 +0200
commit5def125573552ec34b0d4a837873b1e91c4e295d (patch)
treed4c6c3568e1e87779eef4d6636b4f8f21f3e7234
parent13d9fee47142e13a25f25ff21773bf8af63d4979 (diff)
Define and bind a public virtual IP
Prior to this change our heat templates define one virtual IP, which all the services are bound to. We wish to be able to segregate these endpoints: some need to be accessible to "the public"; some are only intended to be accessed within the cloud; some are only for admin use. This change adds a second VIP which we can use for binding only the endpoints that are intended to be publicly accessible, leaving the older VIP to be used for internal endpoints. Haproxy is told to also listen on that new VIP so that we can expose selected services via the new VIP, and keepalived is in charge of assigning the VIP to control plane nodes. This change has a proposed split of services between control-only and control+public interfaces. Assuming our yaml parsers (in merge.py and Heat) understand YAML anchors/aliases, and assuming I've got the syntax right, this should get expanded so that all the control+public services get their config defined from the same block without needing to repeat it for each service. (AFAICT both merge.py and heat use pyyaml, which does support aliases/anchors) The default is left at binding to only the controlplane interface, so that new services added to this map will default to being internal-only This patchset partially completes a spec which will one day live at https://blueprints.launchpad.net/tripleo/+specs/tripleo-juno-virtual-public-ips but for now can be seen in Id9addc65f0d2ed519ce4b3edbd561ed660a2786e Implements: blueprint tripleo-juno-virtual-public-ips Change-Id: I9649ee74ebaf62b6b929b28243a07c789a08867c Co-Authored-By: Robert Collins <rbtcollins@hp.com> Partial-Bug #1325114
-rw-r--r--overcloud-source.yaml71
1 files changed, 70 insertions, 1 deletions
diff --git a/overcloud-source.yaml b/overcloud-source.yaml
index 33355c98..068c8532 100644
--- a/overcloud-source.yaml
+++ b/overcloud-source.yaml
@@ -252,6 +252,23 @@ Parameters:
Default: []
Description: Should be used for arbitrary ips.
Type: Json
+ PublicVirtualFixedIPs:
+ Default: []
+ Description: |
+ Control the IP allocation for the PublicVirtualInterface port. E.g.
+ [{'ip_address':'1.2.3.4'}]
+ Type: Json
+ PublicVirtualInterface:
+ Default: 'br-ex'
+ Description: >
+ Specifies the interface where the public-facing virtual ip will be assigned.
+ This should be int_public when a VLAN is being used.
+ Type: String
+ PublicVirtualNetwork:
+ Default: 'ctlplane'
+ Type: String
+ Description: >
+ Neutron network to allocate public virtual IP port on.
KeystoneCACertificate:
Default: ''
Description: Keystone self-signed certificate authority certificate.
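Review bot: PublicVirtualNetwork lists Type before Description, while PublicVirtualFixedIPs, PublicVirtualInterface and the surrounding parameters use the Default/Description/Type order; swap the two keys so the three new parameters read alike. The description should also say what the default implies: with `Default: 'ctlplane'` the public VIP port is allocated on the control-plane network, presumably the same network the control VIP lives on (its definition is outside this hunk), so operators who want the public/internal segregation this change introduces must override it. Suggested wording: `Neutron network to allocate the public virtual IP port on. Defaults to the control-plane network; set this to a separate network when public and internal endpoints should be segregated.`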
@@ -277,6 +294,13 @@ Resources:
Type: OS::Heat::RandomString
Properties:
length: 10
+ PublicVirtualIP:
+ Type: OS::Neutron::Port
+ Properties:
+ name: public_virtual_ip
+ network: {Ref: PublicVirtualNetwork}
+ fixed_ips:
+ Ref: PublicVirtualFixedIPs
RabbitCookie:
Type: OS::Heat::RandomString
Properties:
@@ -482,15 +506,44 @@ Resources:
ntp:
servers:
- {server: {Ref: NtpServer}, fudge: "stratum 0"}
+ virtual_interfaces:
+ instances:
+ - vrrp_instance_name: VI_CONTROL
+ virtual_router_id: 51
+ keepalive_interface:
+ Ref: ControlVirtualInterface
+ priority: 101
+ virtual_ips:
+ - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [ControlVirtualIP, fixed_ips]]]}
+ interface:
+ Ref: ControlVirtualInterface
+ - vrrp_instance_name: VI_PUBLIC
+ virtual_router_id: 52
+ keepalive_interface:
+ Ref: PublicVirtualInterface
+ priority: 101
+ virtual_ips:
+ - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [PublicVirtualIP, fixed_ips]]]}
+ interface:
+ Ref: PublicVirtualInterface
+ vrrp_sync_groups:
+ - name: VG1
+ members:
+ - VI_CONTROL
+ - VI_PUBLIC
keepalived:
keepalive_interface:
- Ref: ControlVirtualInterface
+ Ref: PublicVirtualInterface
priority: 101
virtual_ips:
-
ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [ControlVirtualIP, fixed_ips]]]}
interface:
Ref: ControlVirtualInterface
+ -
+ ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [PublicVirtualIP, fixed_ips]]]}
+ interface:
+ Ref: PublicVirtualInterface
haproxy:
nodes:
Merge::Map:
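Review bot: The existing keepalived block's keepalive_interface is switched from ControlVirtualInterface to PublicVirtualInterface (the `-`/`+` pair just above `priority: 101`) while its virtual_ips still carry the control VIP, so the VRRP advertisements that govern the internal VIP would now travel over the public-facing interface, and a failure of the public link would also fail over the internal address. The new virtual_interfaces block already gives each VIP its own instance on its own interface (VI_CONTROL and VI_PUBLIC), which is the cleaner split; unless the keepalived element is known to consume only the legacy block (I cannot tell from this hunk), keep `keepalive_interface: Ref: ControlVirtualInterface` in the legacy block and let VI_PUBLIC own the public interface. A comment above virtual_interfaces stating which of the two blocks the keepalived element reads would stop the next reader from having to guess. The enclosing Resources entry continues outside the hunk.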
@@ -502,34 +555,50 @@ Resources:
services:
- name: keystone_admin
port: 35357
+ net_binds: &public_binds
+ - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [ControlVirtualIP, fixed_ips]]]}
+ - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [PublicVirtualIP, fixed_ips]]]}
- name: keystone_public
port: 5000
+ net_binds: *public_binds
- name: horizon
port: 80
+ net_binds: *public_binds
- name: neutron
port: 9696
+ net_binds: *public_binds
- name: cinder
port: 8776
+ net_binds: *public_binds
- name: glance_api
port: 9292
+ net_binds: *public_binds
- name: glance_registry
port: 9191
+ net_binds: *public_binds
- name: heat_api
port: 8004
+ net_binds: *public_binds
- name: heat_cloudwatch
port: 8003
+ net_binds: *public_binds
- name: heat_cfn
port: 8000
+ net_binds: *public_binds
- name: nova_ec2
port: 8773
- name: nova_osapi
port: 8774
+ net_binds: *public_binds
- name: nova_metadata
port: 8775
+ net_binds: *public_binds
- name: ceilometer
port: 8777
+ net_binds: *public_binds
- name: swift_proxy_server
port: 8080
+ net_binds: *public_binds
controllerPassthrough:
Type: OS::Heat::StructuredConfig
Properties:
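Review bot: The `&public_binds` anchor is defined on keystone_admin, which makes the Keystone admin API (port 35357) one of the publicly bound services even though the commit message singles out admin-only endpoints as a class that should stay internal; every other alias also now depends on keystone_admin keeping that entry, so dropping it from the public set later would break all of them. Define the anchor on keystone_public instead and leave keystone_admin without net_binds so it falls back to the control-only default this change describes. The same question applies to nova_metadata (8775) and glance_registry (9191), which are normally reached only from inside the cloud; I cannot tell from the template whether exposing them on the public VIP is intended, so a comment on the list naming the criterion for the split would help. The first hunk of this file already handles the parameter side; nothing else changes.
```yaml
      - name: keystone_admin
        port: 35357
      - name: keystone_public
        port: 5000
        net_binds: &public_binds
          - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [ControlVirtualIP, fixed_ips]]]}
          - ip: {'Fn::Select': [ip_address, 'Fn::Select': [0, 'Fn::GetAtt': [PublicVirtualIP, fixed_ips]]]}
      # … unchanged: remaining services alias *public_binds …
```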