Redirect keystone admin endpoint to public endpoint

This adds an option (haproxy_port) to specify an alternative port on
which haproxy will listen, so that all requests arriving at the admin
endpoint port are proxied to the backends on the public endpoint port.

Change-Id: I293c1e57a2a04ff4ba7e5b01842ca2535291cfdf
Grzegorz Grasza 2019-01-24 12:07:17 +01:00
parent 7de34bf57d
commit 5bd82e9ef0
2 changed files with 33 additions and 12 deletions


@ -913,7 +913,8 @@ class tripleo::haproxy (
# same IP. # same IP.
::tripleo::haproxy::endpoint { 'keystone_admin': ::tripleo::haproxy::endpoint { 'keystone_admin':
internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
service_port => $ports[keystone_admin_api_port], service_port => $ports[keystone_public_api_port],
haproxy_port => $ports[keystone_admin_api_port],
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real), ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http', mode => 'http',
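Review bot: The keystone_admin declaration now binds the frontend on the admin port while its balancer members point at the public API port, and nothing in the hunk records that intent; the comment ending in `# same IP.` above it only explains the shared VIP. This is a proxy to the public backend rather than an HTTP redirect, so a client still using the admin port keeps working silently, and anyone debugging why nothing listens on the admin port backend-side will need the reason spelled out. I would add above the resource: `# Frontend binds the admin API port but balances to the public API port on the backends, so admin-port requests are served by the public API service.` The endpoint declaration continues past the end of the hunk.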


@ -28,6 +28,10 @@
# Options for the balancer member, specified after the server declaration. # Options for the balancer member, specified after the server declaration.
# These should go in the member's configuration block. # These should go in the member's configuration block.
# #
# [*haproxy_port*]
# An alternative port, on which haproxy will listen for incoming requests.
# Defaults to service_port.
#
# [*base_service_name*] # [*base_service_name*]
# In cases where the service name doesn't match the endpoint name, you can # In cases where the service name doesn't match the endpoint name, you can
# specify this option in order to get an appropriate value for $ip_addresses # specify this option in order to get an appropriate value for $ip_addresses
@ -115,6 +119,7 @@ define tripleo::haproxy::endpoint (
$internal_ip, $internal_ip,
$service_port, $service_port,
$member_options, $member_options,
$haproxy_port = undef,
$base_service_name = undef, $base_service_name = undef,
$ip_addresses = hiera("${name}_node_ips", undef), $ip_addresses = hiera("${name}_node_ips", undef),
$server_names = hiera("${name}_node_names", undef), $server_names = hiera("${name}_node_names", undef),
@ -135,6 +140,14 @@ define tripleo::haproxy::endpoint (
$session_cookie = 'STICKYSESSION', $session_cookie = 'STICKYSESSION',
) { ) {
if $haproxy_port {
$haproxy_port_real = $haproxy_port
$service_port_real = $service_port
} else {
$haproxy_port_real = $service_port
$service_port_real = $service_port
}
if $base_service_name { if $base_service_name {
$ip_addresses_real = hiera("${base_service_name}_node_ips", undef) $ip_addresses_real = hiera("${base_service_name}_node_ips", undef)
} else { } else {
@ -165,7 +178,7 @@ define tripleo::haproxy::endpoint (
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else { } else {
$listen_options_precookie = merge($listen_options, $custom_options) $listen_options_precookie = merge($listen_options, $custom_options)
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param) $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
} }
} else { } else {
# internal service only # internal service only
@ -197,14 +210,14 @@ define tripleo::haproxy::endpoint (
# contain the path that we'll use under 'service_pem'. # contain the path that we'll use under 'service_pem'.
$internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem'] $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
} }
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path])) union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
} else { } else {
if $service_network == 'external' and $public_certificate { if $service_network == 'external' and $public_certificate {
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate])) union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else { } else {
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param) $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
} }
} }
if $authorized_userlist { if $authorized_userlist {
@ -236,7 +249,7 @@ define tripleo::haproxy::endpoint (
$non_colon_ip = regsubst($ip, ':', '-', 'G') $non_colon_ip = regsubst($ip, ':', '-', 'G')
haproxy::balancermember { "${name}_${non_colon_ip}_${server}": haproxy::balancermember { "${name}_${non_colon_ip}_${server}":
listening_service => $name, listening_service => $name,
ports => $service_port, ports => $service_port_real,
ipaddresses => $ip, ipaddresses => $ip,
server_names => $server, server_names => $server,
options => union($member_options, ["cookie ${server}"]), options => union($member_options, ["cookie ${server}"]),
@ -245,7 +258,7 @@ define tripleo::haproxy::endpoint (
} else { } else {
haproxy::balancermember { "${name}": haproxy::balancermember { "${name}":
listening_service => $name, listening_service => $name,
ports => $service_port, ports => $service_port_real,
ipaddresses => $ip_addresses_real, ipaddresses => $ip_addresses_real,
server_names => $server_names_real, server_names => $server_names_real,
options => $member_options, options => $member_options,
@ -258,10 +271,17 @@ define tripleo::haproxy::endpoint (
# a port for the regular service and also the ssl port for the service. # a port for the regular service and also the ssl port for the service.
# It makes sure we're not trying to create TCP iptables rules where no port # It makes sure we're not trying to create TCP iptables rules where no port
# is specified. # is specified.
if $service_port { if $service_port_real {
$haproxy_firewall_rules = { $service_firewall_rules = {
"100 ${name}_haproxy" => { "100 ${name}_haproxy" => {
'dport' => $service_port, 'dport' => $service_port_real,
},
}
}
if $service_port_real != $haproxy_port_real {
$haproxy_firewall_rules = {
"100 ${name}_haproxy_frontend" => {
'dport' => $haproxy_port_real,
}, },
} }
} }
@ -274,8 +294,8 @@ define tripleo::haproxy::endpoint (
} else { } else {
$haproxy_ssl_firewall_rules = {} $haproxy_ssl_firewall_rules = {}
} }
$firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules) $firewall_rules = merge($service_firewall_rules, $haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
if $service_port or $public_ssl_port { if $service_port_real or $public_ssl_port {
create_resources('tripleo::firewall::rule', $firewall_rules) create_resources('tripleo::firewall::rule', $firewall_rules)
} }
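Review bot: In the firewall hunk, `$haproxy_firewall_rules` is only assigned inside `if $service_port_real != $haproxy_port_real`, so in the default case where no haproxy_port is given (and the two are equal) the variable is never set, yet it is still passed to `merge($service_firewall_rules, $haproxy_firewall_rules, $haproxy_ssl_firewall_rules)`; under strict_variables that fails catalog compilation, and otherwise merge receives an undef argument. The sibling `$haproxy_ssl_firewall_rules` branch right below has an explicit `else { $haproxy_ssl_firewall_rules = {} }`, and this one should mirror it: `} else {` / `  $haproxy_firewall_rules = {}` / `}` after the frontend-rule block. The same pattern applies to `$service_firewall_rules` when `$service_port_real` is falsy, though that shape predates this change. The enclosing `tripleo::haproxy::endpoint` define starts and ends outside the hunk.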
} }