Merge "Allow custom per-service bind_options for haproxy"
commit
610691ca65
@ -160,6 +160,8 @@ define tripleo::haproxy::endpoint (
|
||||
}
|
||||
# Let users override the options on a per-service basis
|
||||
$custom_options = hiera("tripleo::haproxy::${name}::options", undef)
|
||||
$custom_bind_options_public = delete(any2array(hiera("tripleo::haproxy::${name}::public_bind_options", undef)), undef).flatten()
|
||||
$custom_bind_options_internal = delete(any2array(hiera("tripleo::haproxy::${name}::internal_bind_options", undef)), undef).flatten()
|
||||
if $public_virtual_ip {
|
||||
# service exposed to the public network
|
||||
|
||||
@ -175,10 +177,11 @@ define tripleo::haproxy::endpoint (
|
||||
$listen_options_precookie = merge($listen_options, $custom_options)
|
||||
}
|
||||
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"),
|
||||
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
|
||||
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate], $custom_bind_options_public))
|
||||
} else {
|
||||
$listen_options_precookie = merge($listen_options, $custom_options)
|
||||
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
|
||||
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${haproxy_port_real}"),
|
||||
union($haproxy_listen_bind_param, $custom_bind_options_public))
|
||||
}
|
||||
} else {
|
||||
# internal service only
|
||||
@ -211,13 +214,16 @@ define tripleo::haproxy::endpoint (
|
||||
$internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
|
||||
}
|
||||
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
|
||||
union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
|
||||
union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path],
|
||||
$custom_bind_options_internal))
|
||||
} else {
|
||||
if $service_network == 'external' and $public_certificate {
|
||||
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
|
||||
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
|
||||
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate],
|
||||
$custom_bind_options_internal))
|
||||
} else {
|
||||
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
|
||||
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
|
||||
union($haproxy_listen_bind_param, $custom_bind_options_internal))
|
||||
}
|
||||
}
|
||||
if $authorized_userlist {
|
||||
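Review bot: stdlib's `union()` is a set operation, so appending `$custom_bind_options_public` and `$custom_bind_options_internal` through it drops any token that already appears earlier in the bind list. Bind options are positional keyword/value pairs, so an override such as `['ssl-min-ver', 'TLSv1.1', 'ssl-max-ver', 'TLSv1.1']` would lose its second `TLSv1.1`, and a custom `crt` entry would lose its `crt` keyword, leaving a malformed bind line. Concatenate the custom list instead, e.g. `concat(union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]), $custom_bind_options_public)`, in all four `*_bind_opts` assignments here. The same applies to the `$horizon_bind_opts` entries in the `horizon_endpoint` section. The define's body starts and ends outside these hunks.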
|
@ -86,6 +86,8 @@ class tripleo::haproxy::horizon_endpoint (
|
||||
) {
|
||||
# Let users override the options on a per-service basis
|
||||
$custom_options = hiera('tripleo::haproxy::horizon::options', undef)
|
||||
$custom_bind_options_public = delete(any2array(hiera('tripleo::haproxy::horizon::public_bind_options', undef)), undef).flatten()
|
||||
$custom_bind_options_internal = delete(any2array(hiera('tripleo::haproxy::horizon::internal_bind_options', undef)), undef).flatten()
|
||||
# service exposed to the public network
|
||||
if $public_certificate {
|
||||
if $use_internal_certificates {
|
||||
@ -113,10 +115,10 @@ class tripleo::haproxy::horizon_endpoint (
|
||||
# Even though for the public_virtual_ip the port 80 is listening, we
|
||||
# redirect to https in the horizon_options below.
|
||||
$horizon_bind_opts = {
|
||||
"${internal_ip}:80" => $haproxy_listen_bind_param,
|
||||
"${internal_ip}:443" => $internal_bind_opts,
|
||||
"${public_virtual_ip}:80" => $haproxy_listen_bind_param,
|
||||
"${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]),
|
||||
"${internal_ip}:80" => union($haproxy_listen_bind_param, $custom_bind_options_internal),
|
||||
"${internal_ip}:443" => union($internal_bind_opts, $custom_bind_options_internal),
|
||||
"${public_virtual_ip}:80" => union($haproxy_listen_bind_param, $custom_bind_options_public),
|
||||
"${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate], $custom_bind_options_public),
|
||||
}
|
||||
$horizon_options = merge({
|
||||
'cookie' => 'SERVERID insert indirect nocache',
|
||||
@ -130,8 +132,8 @@ class tripleo::haproxy::horizon_endpoint (
|
||||
}, $custom_options)
|
||||
} else {
|
||||
$horizon_bind_opts = {
|
||||
"${internal_ip}:80" => $haproxy_listen_bind_param,
|
||||
"${public_virtual_ip}:80" => $haproxy_listen_bind_param,
|
||||
"${internal_ip}:80" => union($haproxy_listen_bind_param, $custom_bind_options_internal),
|
||||
"${public_virtual_ip}:80" => union($haproxy_listen_bind_param, $custom_bind_options_public),
|
||||
}
|
||||
$horizon_options = merge({
|
||||
'cookie' => 'SERVERID insert indirect nocache',
|
||||
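Review bot: The custom bind options are attached to the plain-HTTP `:80` binds as well as the `:443` binds in both `$horizon_bind_opts` hashes, so a TLS-oriented override (the use case named in the release note) cannot be scoped to the TLS listener alone. How haproxy treats SSL keywords on a non-SSL bind presumably depends on the option and version, so either restrict the custom lists to the `:443` entries or document the behaviour. A comment above the two hiera lookups would make this visible, for example `# Appended verbatim to every bind line of this service, including the plain-HTTP :80 binds; keep TLS-lowering options to the listeners that need them.` The class body continues outside these hunks.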
|
@ -0,0 +1,10 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Two custom per-service hiera keys are added
|
||||
tripleo::haproxy::<service>::internal_bind_options and
|
||||
tripleo::haproxy::<service>::public_bind_options. They control additional
|
||||
custom options that can be added to the bind line of a specific service configuration
|
||||
in haproxy. One use case is to force older TLS versions for internal APIs that
|
||||
end up pointing to devices that do not support the latest TLS standard.
|
||||
They accept a single string or an array of strings.
|