Make keystone session stickiness optional
As part of Bug 1527717, we added support for session stickiness for keystone to allow for federation support in keystone. This introduced performance issues with keystone, so it should not be configured by default. This change disables the stickiness by default but allows it to be enabled by adding a 'federation' key to the keystone hiera hash. DocImpact: Keystone HAProxy session stickiness can be enabled by adding a 'federation' key to the keystone hiera configuration. By default session stickiness is disabled. Change-Id: Id43446a9f923417b8fa140ffcfddb6797f1b4e48 Related-Bug: #1527717 Closes-Bug: #1582202
parent
17a0775e0e
commit
8ebe5f1547
@ -48,19 +48,41 @@
|
||||
# [*server_names*]
|
||||
# (required) Array. This is an array of server names for the haproxy service
|
||||
#
|
||||
# [*federation_enabled*]
|
||||
# (Optional) If enabled, sticky sessions will be enabled for keystone sessions
|
||||
# to properly support federation.
|
||||
#
|
||||
class openstack::ha::keystone (
|
||||
$internal_virtual_ip,
|
||||
$ipaddresses,
|
||||
$public_virtual_ip,
|
||||
$server_names,
|
||||
$public_ssl = false,
|
||||
$public_ssl_path = undef,
|
||||
$internal_ssl = false,
|
||||
$internal_ssl_path = undef,
|
||||
$admin_ssl = false,
|
||||
$admin_ssl_path = undef,
|
||||
$public_ssl = false,
|
||||
$public_ssl_path = undef,
|
||||
$internal_ssl = false,
|
||||
$internal_ssl_path = undef,
|
||||
$admin_ssl = false,
|
||||
$admin_ssl_path = undef,
|
||||
$federation_enabled = false,
|
||||
) {
|
||||
|
||||
$base_options = {
|
||||
'option' => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
}
|
||||
|
||||
if $federation_enabled {
|
||||
# See LP#1527717
|
||||
$session_options = {
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
}
|
||||
} else {
|
||||
$session_options = { }
|
||||
}
|
||||
|
||||
$config_options = merge($base_options, $session_options)
|
||||
|
||||
# defaults for any haproxy_service within this class
|
||||
Openstack::Ha::Haproxy_service {
|
||||
internal_virtual_ip => $internal_virtual_ip,
|
||||
@ -71,12 +93,7 @@ class openstack::ha::keystone (
|
||||
public_ssl_path => $public_ssl_path,
|
||||
internal_ssl => $internal_ssl,
|
||||
internal_ssl_path => $internal_ssl_path,
|
||||
haproxy_config_options => {
|
||||
option => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
stick => ['on src'],
|
||||
stick-table => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
haproxy_config_options => $config_options,
|
||||
balancermember_options => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
}
|
||||
|
||||
|
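Review bot: `$federation_enabled` reaches `if $federation_enabled {` with no type check, so a truthy non-boolean such as the string 'false' from hiera would switch source-IP stickiness on, even though this commit intends it to be off by default. Add `validate_bool($federation_enabled)` at the top of the class body. If the 'federation' key is meant to hold something other than a flag, convert it explicitly in openstack_haproxy_keystone instead, where `pick($keystone_hash['federation'], false)` forwards whatever the key contains. The parameter doc should also state the type and default, e.g. `# (Optional) Boolean. Enable source-IP sticky sessions for keystone federation. Defaults to false.`. The class body continues outside these hunks.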
@ -1,17 +1,23 @@
|
||||
require 'spec_helper'
|
||||
|
||||
describe 'openstack::ha::keystone' do
|
||||
let(:params) { {:internal_virtual_ip => '127.0.0.1',
|
||||
:ipaddresses => ['127.0.0.2', '127.0.0.3'],
|
||||
:public_virtual_ip => '192.168.0.1',
|
||||
:server_names => ['node-1', 'node-2'],
|
||||
:public_ssl => true,
|
||||
:public_ssl_path => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
} }
|
||||
let(:facts) { {:kernel => 'Linux',
|
||||
:concat_basedir => '/var/lib/puppet/concat',
|
||||
:fqdn => 'some.host.tld'
|
||||
} }
|
||||
describe 'openstack::ha::keystone' do
|
||||
let(:facts) do
|
||||
{ :kernel => 'Linux',
|
||||
:concat_basedir => '/var/lib/puppet/concat',
|
||||
:fqdn => 'some.host.tld',
|
||||
}
|
||||
end
|
||||
|
||||
context 'default parameters' do
|
||||
let(:params) do
|
||||
{ :internal_virtual_ip => '127.0.0.1',
|
||||
:ipaddresses => ['127.0.0.2', '127.0.0.3'],
|
||||
:public_virtual_ip => '192.168.0.1',
|
||||
:server_names => ['node-1', 'node-2'],
|
||||
:public_ssl => true,
|
||||
:public_ssl_path => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
}
|
||||
end
|
||||
|
||||
it "should properly configure keystone haproxy based on ssl" do
|
||||
should contain_openstack__ha__haproxy_service('keystone-1').with(
|
||||
@ -22,8 +28,6 @@ require 'spec_helper'
|
||||
'public_ssl_path' => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
@ -37,11 +41,56 @@ require 'spec_helper'
|
||||
'public' => false,
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
context 'with keystone federation' do
|
||||
let(:params) do
|
||||
{ :internal_virtual_ip => '127.0.0.1',
|
||||
:ipaddresses => ['127.0.0.2', '127.0.0.3'],
|
||||
:public_virtual_ip => '192.168.0.1',
|
||||
:server_names => ['node-1', 'node-2'],
|
||||
:public_ssl => true,
|
||||
:public_ssl_path => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
:federation_enabled => true,
|
||||
}
|
||||
end
|
||||
|
||||
it "should properly configure keystone haproxy based on ssl" do
|
||||
should contain_openstack__ha__haproxy_service('keystone-1').with(
|
||||
'order' => '020',
|
||||
'listen_port' => 5000,
|
||||
'public' => true,
|
||||
'public_ssl' => true,
|
||||
'public_ssl_path' => '/var/lib/fuel/haproxy/public_keystone.pem',
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
)
|
||||
end
|
||||
|
||||
it "should properly configure keystone admin haproxy without ssl" do
|
||||
should contain_openstack__ha__haproxy_service('keystone-2').with(
|
||||
'order' => '030',
|
||||
'listen_port' => 35357,
|
||||
'public' => false,
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
|
||||
)
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
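Review bot: Both contexts repeat the same `params` hash and reuse the example title "should properly configure keystone haproxy based on ssl", which does not name what the contexts actually differ on, namely whether the stick entries are present. A shared `let(:default_params)` with the federation context using `let(:params) { default_params.merge(:federation_enabled => true) }` would leave the one differing key visible. Titles such as `it 'configures keystone haproxy without sticky sessions'` and `it 'configures keystone haproxy with sticky sessions'` would describe the behaviour under test. Part of the default context's expectations lies outside the visible hunks.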
@ -25,6 +25,7 @@ class osnailyfacter::openstack_haproxy::openstack_haproxy_keystone {
|
||||
$ipaddresses = hiera_array('keystone_ipaddresses', values($keystone_address_map))
|
||||
$public_virtual_ip = pick(hiera('public_service_endpoint', undef), hiera('public_vip'))
|
||||
$internal_virtual_ip = pick(hiera('service_endpoint', undef), hiera('management_vip'))
|
||||
$keystone_federation = pick($keystone_hash['federation'], false)
|
||||
|
||||
# configure keystone ha proxy
|
||||
class { '::openstack::ha::keystone':
|
||||
@ -38,6 +39,7 @@ class osnailyfacter::openstack_haproxy::openstack_haproxy_keystone {
|
||||
internal_ssl_path => $internal_ssl_path,
|
||||
admin_ssl => $admin_ssl,
|
||||
admin_ssl_path => $admin_ssl_path,
|
||||
federation_enabled => $keystone_federation,
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -22,6 +22,24 @@ describe manifest do
|
||||
keystone_address_map.keys
|
||||
end
|
||||
|
||||
let(:keystone_hash) { Noop.hiera_hash('keystone') }
|
||||
|
||||
let(:config_options) do
|
||||
options = {
|
||||
'option' => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
}
|
||||
session_options = {
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
}
|
||||
|
||||
if keystone_hash['federation']
|
||||
options.merge!(session_options)
|
||||
end
|
||||
options
|
||||
end
|
||||
|
||||
use_keystone = Noop.hiera_structure('keystone/enabled', true)
|
||||
|
||||
if use_keystone and !Noop.hiera('external_lb', false)
|
||||
@ -34,12 +52,7 @@ describe manifest do
|
||||
'listen_port' => 5000,
|
||||
'public' => true,
|
||||
'public_ssl' => public_ssl_keystone,
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'haproxy_config_options' => config_options,
|
||||
)
|
||||
end
|
||||
it "should properly configure keystone haproxy admin without public" do
|
||||
@ -50,12 +63,7 @@ describe manifest do
|
||||
'server_names' => server_names,
|
||||
'listen_port' => 35357,
|
||||
'public' => false,
|
||||
'haproxy_config_options' => {
|
||||
'option' => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
|
||||
'stick' => ['on src'],
|
||||
'stick-table' => ['type ip size 200k expire 2m'],
|
||||
'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
|
||||
},
|
||||
'haproxy_config_options' => config_options,
|
||||
)
|
||||
end
|
||||
end
|
||||
|
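Review bot: `if keystone_hash['federation']` in the `config_options` helper uses Ruby truthiness, while the manifest derives the flag with `pick($keystone_hash['federation'], false)`, and the two can disagree. As far as I recall, stdlib's `pick` skips an empty string, whereas Ruby treats `''` as true, so for that fixture value the expected hash would contain the stick entries and the catalog would not. Guarding with `if keystone_hash['federation'] && keystone_hash['federation'] != ''` keeps the two aligned. A short comment on the `let`, such as `# mirrors the federation switch in openstack_haproxy_keystone.pp`, would make the coupling explicit, since both examples now depend on this one helper.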