diff --git a/etc/openstack_deploy/user_group_vars.yml b/etc/openstack_deploy/user_group_vars.yml index 4f3f4fb76c..848de34f04 100644 --- a/etc/openstack_deploy/user_group_vars.yml +++ b/etc/openstack_deploy/user_group_vars.yml @@ -131,12 +131,17 @@ keystone_service_port: 5000 keystone_service_proto: http keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}" keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}" +keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}" keystone_service_user_name: keystone keystone_service_tenant_name: service +keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}" +keystone_service_publicurl: "{{ keystone_service_publicuri }}/v2.0" keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" keystone_service_internalurl: "{{ keystone_service_internaluri }}/v2.0" keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}" keystone_service_adminurl: "{{ keystone_service_adminuri }}/v2.0" +keystone_service_publicuri_v3: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}" +keystone_service_publicurl_v3: "{{ keystone_service_publicuri_v3 }}/v3" keystone_service_internaluri_v3: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" keystone_service_internalurl_v3: "{{ keystone_service_adminuri_v3 }}/v3" keystone_service_adminuri_v3: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}" diff --git a/playbooks/haproxy-install.yml b/playbooks/haproxy-install.yml index a8095d7c88..8acabb7fc6 100644 --- a/playbooks/haproxy-install.yml +++ b/playbooks/haproxy-install.yml @@ -17,9 +17,38 @@ hosts: haproxy_hosts max_fail_percentage: 20 user: root + pre_tasks: + - name: Remove legacy haproxy configuration files + file: + dest: "/etc/haproxy/conf.d/{{ item }}" + state: "absent" + with_items: + - "keystone_internal" + when: internal_lb_vip_address == external_lb_vip_address + tags: + - haproxy-service-config + post_tasks: + - name: Add keystone internal endpoint config + include: roles/haproxy_server/tasks/haproxy_service_config.yml + when: internal_lb_vip_address != external_lb_vip_address + vars: + haproxy_service_configs: + - service: + haproxy_service_name: keystone_internal + haproxy_backend_nodes: "{{ groups['keystone_all'] }}" + haproxy_bind: "{{ internal_lb_vip_address }}" + haproxy_port: 5000 + haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_internaluri_proto == 'https' %}true{% else %}false{% endif %}" + haproxy_balance_type: http + haproxy_backend_options: + - "forwardfor" + - "httpchk" + - "httplog" + tags: + - haproxy-service-config roles: - { role: "haproxy_server", tags: [ "haproxy-server" ] } vars_files: - vars/configs/haproxy_config.yml vars: - is_metal: "{{ properties.is_metal|default(false) }}" \ No newline at end of file + is_metal: "{{ properties.is_metal|default(false) }}" diff --git a/playbooks/roles/haproxy_server/defaults/main.yml b/playbooks/roles/haproxy_server/defaults/main.yml index fccd990dc0..5f5728e8d6 100644 --- a/playbooks/roles/haproxy_server/defaults/main.yml +++ b/playbooks/roles/haproxy_server/defaults/main.yml @@ -16,6 +16,23 @@ # Defines that the role will be deployed on a host machine is_metal: true +haproxy_apt_repo_url: "http://ppa.launchpad.net/vbernat/haproxy-1.5/ubuntu" +haproxy_apt_repo: + repo: "deb {{ haproxy_apt_repo_url }} {{ ansible_distribution_release }} main" + state: "present" + +# Haproxy GPG Keys +haproxy_gpg_keys: + - key_name: 'haproxy' + keyserver: 'hkp://keyserver.ubuntu.com:80' + fallback_keyserver: 'hkp://p80.pool.sks-keyservers.net:80' + hash_id: '0xcffb779aadc995e4f350a060505d97a41c61b9cd' + +haproxy_pre_apt_packages: + - python-software-properties + - software-properties-common + - debconf-utils + haproxy_apt_packages: - haproxy - hatop @@ -43,3 +60,11 @@ haproxy_backup_nodes: [] # - "httplog" galera_monitoring_user: monitoring + +## haproxy SSL +haproxy_ssl: no +haproxy_cert_regen: no +haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert +haproxy_ssl_key: /etc/ssl/private/haproxy.key +haproxy_ssl_pem: /etc/ssl/private/haproxy.pem +haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}" diff --git a/playbooks/roles/haproxy_server/tasks/haproxy_add_ppa_repo.yml b/playbooks/roles/haproxy_server/tasks/haproxy_add_ppa_repo.yml new file mode 100644 index 0000000000..17a483350a --- /dev/null +++ b/playbooks/roles/haproxy_server/tasks/haproxy_add_ppa_repo.yml @@ -0,0 +1,86 @@ +--- +# Copyright 2014, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Update apt sources + apt: + update_cache: yes + cache_valid_time: 600 + register: apt_update + until: apt_update|success + retries: 5 + delay: 2 + tags: + - haproxy-apt-packages + +- name: Install haproxy pre packages + apt: + pkg: "{{ item }}" + state: latest + register: install_packages + until: install_packages|success + retries: 5 + delay: 2 + with_items: haproxy_pre_apt_packages + tags: + - haproxy-pre-apt-packages + +- name: Add haproxy apt-keys + apt_key: + id: "{{ item.hash_id }}" + keyserver: "{{ item.keyserver }}" + state: "present" + register: add_keys + until: add_keys|success + ignore_errors: True + retries: 5 + delay: 2 + with_items: haproxy_gpg_keys + tags: + - haproxy-apt-keys + +- name: Add haproxy apt-keys using fallback keyserver + apt_key: + id: "{{ item.hash_id }}" + keyserver: "{{ item.fallback_keyserver }}" + state: "present" + register: add_keys_fallback + until: add_keys_fallback|success + retries: 5 + delay: 2 + with_items: haproxy_gpg_keys + when: add_keys|failed and item.fallback_keyserver is defined + tags: + - haproxy-apt-keys + +- name: Drop haproxy repo pin + template: + src: "haproxy_pin.pref.j2" + dest: "/etc/apt/preferences.d/haproxy_pin.pref" + owner: "root" + group: "root" + mode: "0644" + tags: + - haproxy-repo-pin + +- name: Add haproxy repo(s) + apt_repository: + repo: "{{ haproxy_apt_repo.repo }}" + state: "{{ haproxy_apt_repo.state }}" + register: add_repos + until: add_repos|success + retries: 5 + delay: 2 + tags: + - haproxy-repos diff --git a/playbooks/roles/haproxy_server/tasks/haproxy_post_install.yml b/playbooks/roles/haproxy_server/tasks/haproxy_post_install.yml index 3aae8f0f19..07f572a133 100644 --- a/playbooks/roles/haproxy_server/tasks/haproxy_post_install.yml +++ b/playbooks/roles/haproxy_server/tasks/haproxy_post_install.yml @@ -23,11 +23,4 @@ tags: - haproxy-base-config -- name: "Create haproxy service config files" - template: - src: service.j2 - dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}" - with_items: haproxy_service_configs - notify: Restart haproxy - tags: - - haproxy-service-config +- include: haproxy_service_config.yml diff --git a/playbooks/roles/haproxy_server/tasks/haproxy_service_config.yml b/playbooks/roles/haproxy_server/tasks/haproxy_service_config.yml new file mode 100644 index 0000000000..c0c8e7f338 --- /dev/null +++ b/playbooks/roles/haproxy_server/tasks/haproxy_service_config.yml @@ -0,0 +1,23 @@ +--- +# Copyright 2014, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: "Create haproxy service config files" + template: + src: service.j2 + dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}" + with_items: haproxy_service_configs + notify: Restart haproxy + tags: + - haproxy-service-config diff --git a/playbooks/roles/haproxy_server/tasks/haproxy_ssl_key_create.yml b/playbooks/roles/haproxy_server/tasks/haproxy_ssl_key_create.yml new file mode 100644 index 0000000000..e4d88d832e --- /dev/null +++ b/playbooks/roles/haproxy_server/tasks/haproxy_ssl_key_create.yml @@ -0,0 +1,43 @@ +--- +# Copyright 2014, Rackspace US, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +- name: Remove self signed cert for regen + file: + dest: "{{ haproxy_ssl_cert }}" + state: "absent" + with_items: + - "{{ haproxy_ssl_pem }}" + - "{{ haproxy_ssl_key }}" + - "{{ haproxy_ssl_cert }}" + when: haproxy_cert_regen | bool + +- name: Create self-signed ssl cert + command: > + openssl req -new -nodes -sha256 -x509 -subj + "{{ haproxy_ssl_self_signed_subject }}" + -days 3650 + -keyout {{ haproxy_ssl_key }} + -out {{ haproxy_ssl_cert }} + -extensions v3_ca + creates={{ haproxy_ssl_cert }} + notify: Restart haproxy + tags: + - haproxy-ssl + +- name: Create a .pem certificate file + shell: > + cat {{ haproxy_ssl_cert }} {{ haproxy_ssl_key }} > {{ haproxy_ssl_pem }} + args: + creates: "{{ haproxy_ssl_pem }}" diff --git a/playbooks/roles/haproxy_server/tasks/main.yml b/playbooks/roles/haproxy_server/tasks/main.yml index 7d7a0e8c61..01e7c2a4cb 100644 --- a/playbooks/roles/haproxy_server/tasks/main.yml +++ b/playbooks/roles/haproxy_server/tasks/main.yml @@ -13,5 +13,12 @@ # See the License for the specific language governing permissions and # limitations under the License. +- include: haproxy_add_ppa_repo.yml + when: haproxy_ssl | bool + - include: haproxy_install.yml + +- include: haproxy_ssl_key_create.yml + when: haproxy_ssl | bool + - include: haproxy_post_install.yml diff --git a/playbooks/roles/haproxy_server/templates/haproxy_pin.pref.j2 b/playbooks/roles/haproxy_server/templates/haproxy_pin.pref.j2 new file mode 100644 index 0000000000..f2ed22f614 --- /dev/null +++ b/playbooks/roles/haproxy_server/templates/haproxy_pin.pref.j2 @@ -0,0 +1,5 @@ +# {{ ansible_managed }} + +Package: * +Pin: release o=LP-PPA-vbernat-haproxy-1.5 +Pin-Priority: 1001 diff --git a/playbooks/roles/haproxy_server/templates/service.j2 b/playbooks/roles/haproxy_server/templates/service.j2 index 88910f7686..37391e00ad 100644 --- a/playbooks/roles/haproxy_server/templates/service.j2 +++ b/playbooks/roles/haproxy_server/templates/service.j2 @@ -1,16 +1,20 @@ # {{ ansible_managed }} frontend {{ item.service.haproxy_service_name }}-front -bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} +bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }}{% endif %} + {% if item.service.haproxy_balance_type == "http" %} - option httplog - option forwardfor except 127.0.0.0/8 - option http-server-close - - {% set request_option = "http" %} + option httplog + option forwardfor except 127.0.0.0/8 + option http-server-close + + {%- set request_option = "http" %} {% else %} option tcplog - {% set request_option = "tcp" %} + {%- set request_option = "tcp" %} +{% endif %} +{% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %} + reqadd X-Forwarded-Proto:\ https {% endif %} {% if item.service.haproxy_timeout_client is defined %} diff --git a/playbooks/vars/configs/haproxy_config.yml b/playbooks/vars/configs/haproxy_config.yml index beef6e7bd7..7a1bc27044 100644 --- a/playbooks/vars/configs/haproxy_config.yml +++ b/playbooks/vars/configs/haproxy_config.yml @@ -68,6 +68,7 @@ haproxy_service_configs: haproxy_service_name: keystone_admin haproxy_backend_nodes: "{{ groups['keystone_all'] }}" haproxy_port: 35357 + haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_adminuri_proto == 'https' %}true{% else %}false{% endif %}" haproxy_balance_type: http haproxy_backend_options: - "forwardfor" @@ -76,7 +77,9 @@ haproxy_service_configs: - service: haproxy_service_name: keystone_service haproxy_backend_nodes: "{{ groups['keystone_all'] }}" + haproxy_bind: "{% if internal_lb_vip_address != external_lb_vip_address %}{{ external_lb_vip_address }}{% else %}*{% endif %}" haproxy_port: 5000 + haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_publicuri_proto == 'https' %}true{% else %}false{% endif %}" haproxy_balance_type: http haproxy_backend_options: - "forwardfor"