Make keystone session stickiness optional
As part of Bug 1527717, we added in support of session stickiness for
keystone to allow for federation support in keystone. This introduced
performance issues with keystone and should not be configured by
default. This change disables the stickiness by default but allows for
it to be enabled by adding a 'federation' key to the keystone hiera
hash.
DocImpact: Keystone HAProxy session stickiness can be enabled by adding
a 'federation' key to the keystone hiera configuration. By default
session stickiness is disabled.
Change-Id: Id43446a9f923417b8fa140ffcfddb6797f1b4e48
Related-Bug: #1527717
Closes-Bug: #1582202
(cherry picked from commit 8ebe5f1547)
parent
a00420eb14
commit
264a310432
|
@ -48,19 +48,41 @@
|
|||
# [*server_names*]
|
||||
# (required) Array. This is an array of server names for the haproxy service
|
||||
#
|
||||
# [*federation_enabled*]
|
||||
# (Optional) If enabled, sticky sessions will be enabled for keystone sessions
|
||||
# to properly support federation.
|
||||
#
|
||||
class openstack::ha::keystone (
|
||||
$internal_virtual_ip,
|
||||
$ipaddresses,
|
||||
$public_virtual_ip,
|
||||
$server_names,
|
||||
$public_ssl = false,
|
||||
$public_ssl_path = undef,
|
||||
$internal_ssl = false,
|
||||
$internal_ssl_path = undef,
|
||||
$admin_ssl = false,
|
||||
$admin_ssl_path = undef,
|
||||
$public_ssl = false,
|
||||
$public_ssl_path = undef,
|
||||
$internal_ssl = false,
|
||||
$internal_ssl_path = undef,
|
||||
$admin_ssl = false,
|
||||
$admin_ssl_path = undef,
|
||||
$federation_enabled = false,
|
||||
) {
|
||||
|
||||
$base_options = {
|
||||
'option' => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
}
|
||||
|
||||
if $federation_enabled {
|
||||
# See LP#1527717
|
||||
$session_options = {
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
}
|
||||
} else {
|
||||
$session_options = { }
|
||||
}
|
||||
|
||||
$config_options = merge($base_options, $session_options)
|
||||
|
||||
# defaults for any haproxy_service within this class
|
||||
Openstack::Ha::Haproxy_service {
|
||||
internal_virtual_ip => $internal_virtual_ip,
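Review bot: The new `$federation_enabled` parameter is consumed directly by `if $federation_enabled` without being validated, so a non-boolean value arriving from hiera (for example the string `'false'`, which older Puppet language versions evaluate as true) would silently switch source-IP stickiness on; the same unchecked value is produced by the `pick()` line in the osnailyfacter hunk `@ -25,6 +25,7`. Add `validate_bool($federation_enabled)` at the start of the class body, just above the `$base_options` assignment; the class already depends on stdlib for `merge()`, so the function is in scope. The parameter documentation could also state the expected type, e.g. `# (Optional) Boolean. If true, sticky sessions ...`. The class body continues past the end of this hunk.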
|
||||
|
@ -71,12 +93,7 @@ class openstack::ha::keystone (
|
|||
public_ssl_path => $public_ssl_path,
|
||||
internal_ssl => $internal_ssl,
|
||||
internal_ssl_path => $internal_ssl_path,
|
||||
haproxy_config_options => {
|
||||
option => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
stick => ['on src'],
|
||||
stick-table => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
haproxy_config_options => $config_options,
|
||||
balancermember_options => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
}
|
||||
|
||||
|
|
|
@ -1,17 +1,23 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'openstack::ha::keystone' do
|
||||
let(:params) { {:internal_virtual_ip => '127.0.0.1',
|
||||
:ipaddresses => ['127.0.0.2', '127.0.0.3'],
|
||||
:public_virtual_ip => '192.168.0.1',
|
||||
:server_names => ['node-1', 'node-2'],
|
||||
:public_ssl => true,
|
||||
:public_ssl_path => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
} }
|
||||
let(:facts) { {:kernel => 'Linux',
|
||||
:concat_basedir => '/var/lib/puppet/concat',
|
||||
:fqdn => 'some.host.tld'
|
||||
} }
|
||||
describe 'openstack::ha::keystone' do
|
||||
let(:facts) do
|
||||
{ :kernel => 'Linux',
|
||||
:concat_basedir => '/var/lib/puppet/concat',
|
||||
:fqdn => 'some.host.tld',
|
||||
}
|
||||
end
|
||||
|
||||
context 'default parameters' do
|
||||
let(:params) do
|
||||
{ :internal_virtual_ip => '127.0.0.1',
|
||||
:ipaddresses => ['127.0.0.2', '127.0.0.3'],
|
||||
:public_virtual_ip => '192.168.0.1',
|
||||
:server_names => ['node-1', 'node-2'],
|
||||
:public_ssl => true,
|
||||
:public_ssl_path => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
}
|
||||
end
|
||||
|
||||
it "should properly configure keystone haproxy based on ssl" do
|
||||
should contain_openstack__ha__haproxy_service('keystone-1').with(
|
||||
|
@ -22,8 +28,6 @@ require 'spec_helper'
|
|||
'public_ssl_path' => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
|
@ -37,11 +41,56 @@ require 'spec_helper'
|
|||
'public' => false,
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with keystone federation' do
|
||||
let(:params) do
|
||||
{ :internal_virtual_ip => '127.0.0.1',
|
||||
:ipaddresses => ['127.0.0.2', '127.0.0.3'],
|
||||
:public_virtual_ip => '192.168.0.1',
|
||||
:server_names => ['node-1', 'node-2'],
|
||||
:public_ssl => true,
|
||||
:public_ssl_path => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
:federation_enabled => true,
|
||||
}
|
||||
end
|
||||
|
||||
it "should properly configure keystone haproxy based on ssl" do
|
||||
should contain_openstack__ha__haproxy_service('keystone-1').with(
|
||||
'order' => '020',
|
||||
'listen_port' => 5000,
|
||||
'public' => true,
|
||||
'public_ssl' => true,
|
||||
'public_ssl_path' => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
)
|
||||
end
|
||||
|
||||
it "should properly configure keystone admin haproxy without ssl" do
|
||||
should contain_openstack__ha__haproxy_service('keystone-2').with(
|
||||
'order' => '030',
|
||||
'listen_port' => 35357,
|
||||
'public' => false,
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
)
|
||||
end
|
||||
|
||||
end
|
||||
end
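Review bot: The `'with keystone federation'` context repeats the entire params hash from `'default parameters'` and reuses the same example description `"should properly configure keystone haproxy based on ssl"`, so a failure report cannot tell which mode regressed. Build the federation params from a shared `let(:default_params)` with `let(:params) { default_params.merge(:federation_enabled => true) }`, and name the federation examples after what they assert, e.g. `it "should add source stickiness to keystone haproxy when federation is enabled"`. The default context's expectations (hunks `@ -22,8 +28,6` and `@ -37,11 +41,56`) are what actually pin the new default, so a one-line comment there such as `# stick/stick-table must be absent unless federation_enabled is set` would make that intent explicit.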
|
||||
|
|
|
@ -25,6 +25,7 @@ class osnailyfacter::openstack_haproxy::openstack_haproxy_keystone {
|
|||
$ipaddresses = hiera_array('keystone_ipaddresses', values($keystone_address_map))
|
||||
$public_virtual_ip = pick(hiera('public_service_endpoint', undef), hiera('public_vip'))
|
||||
$internal_virtual_ip = pick(hiera('service_endpoint', undef), hiera('management_vip'))
|
||||
$keystone_federation = pick($keystone_hash['federation'], false)
|
||||
|
||||
# configure keystone ha proxy
|
||||
class { '::openstack::ha::keystone':
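Review bot: The new `$keystone_federation` lookup gives no hint about which hiera key operators must set or what it switches on, and the commit message is the only place that documents it. Add a comment above the `pick()` line, e.g. `# LP#1527717: a 'federation' key in the keystone hiera hash enables HAProxy source-IP stickiness for keystone`, so the behaviour is discoverable from the manifest itself. The enclosing class starts and ends outside this hunk.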
|
||||
|
@ -38,6 +39,7 @@ class osnailyfacter::openstack_haproxy::openstack_haproxy_keystone {
|
|||
internal_ssl_path => $internal_ssl_path,
|
||||
admin_ssl => $admin_ssl,
|
||||
admin_ssl_path => $admin_ssl_path,
|
||||
federation_enabled => $keystone_federation,
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -22,6 +22,24 @@ describe manifest do
|
|||
keystone_address_map.keys
|
||||
end
|
||||
|
||||
let(:keystone_hash) { Noop.hiera_hash('keystone') }
|
||||
|
||||
let(:config_options) do
|
||||
options = {
|
||||
'option' => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
}
|
||||
session_options = {
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
}
|
||||
|
||||
if keystone_hash['federation']
|
||||
options.merge!(session_options)
|
||||
end
|
||||
options
|
||||
end
|
||||
|
||||
use_keystone = Noop.hiera_structure('keystone/enabled', true)
|
||||
|
||||
if use_keystone and !Noop.hiera('external_lb', false)
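Review bot: `let(:keystone_hash) { Noop.hiera_hash('keystone') }` has no fallback, so on a fixture that lacks a `keystone` hash the `keystone_hash['federation']` access inside `config_options` would presumably raise instead of selecting the non-sticky options; the neighbouring `Noop.hiera_structure('keystone/enabled', true)` suggests these helpers accept a default, so `let(:keystone_hash) { Noop.hiera_hash('keystone', {}) }` is likely the intended form (verify the helper's signature). The three-line `if` around `options.merge!(session_options)` reads better as the modifier `options.merge!(session_options) if keystone_hash['federation']`. Note also that this `let` re-implements the manifest's own branching rather than pinning a fixed expected hash per fixture, so it will agree with the manifest even if both branches are wrong; asserting a literal hash for at least one federation-enabled fixture would catch that.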
|
||||
|
@ -34,12 +52,7 @@ describe manifest do
|
|||
'listen_port' => 5000,
|
||||
'public' => true,
|
||||
'public_ssl' => public_ssl_keystone,
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'haproxy_config_options' => config_options,
|
||||
)
|
||||
end
|
||||
it "should properly configure keystone haproxy admin without public" do
|
||||
|
@ -50,12 +63,7 @@ describe manifest do
|
|||
'server_names' => server_names,
|
||||
'listen_port' => 35357,
|
||||
'public' => false,
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'haproxy_config_options' => config_options,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
|