Merge "Redirect keystone admin endpoint to public endpoint"
commit
641d5e354a
@ -913,7 +913,8 @@ class tripleo::haproxy (
|
|||||||
# same IP.
|
# same IP.
|
||||||
::tripleo::haproxy::endpoint { 'keystone_admin':
|
::tripleo::haproxy::endpoint { 'keystone_admin':
|
||||||
internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
|
internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
|
||||||
service_port => $ports[keystone_admin_api_port],
|
service_port => $ports[keystone_public_api_port],
|
||||||
|
haproxy_port => $ports[keystone_admin_api_port],
|
||||||
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
|
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
|
||||||
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
|
server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
|
||||||
mode => 'http',
|
mode => 'http',
|
||||||
|
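Review bot: Nothing at the `keystone_admin` resource says why `service_port` and `haproxy_port` now name different ports, and the only nearby comment (`# same IP.`) is about something else. As written, haproxy keeps listening on `keystone_admin_api_port` while the balancer members are addressed on `keystone_public_api_port`, so anything that reaches the admin VIP is served by the public API backends. I would add a comment above `service_port`, for example `# haproxy still listens on the admin port but forwards to the public API backends`, so that operators who filter or audit by port know where admin-port traffic ends up. The resource body continues outside the hunk.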
@ -28,6 +28,10 @@
|
|||||||
# Options for the balancer member, specified after the server declaration.
|
# Options for the balancer member, specified after the server declaration.
|
||||||
# These should go in the member's configuration block.
|
# These should go in the member's configuration block.
|
||||||
#
|
#
|
||||||
|
# [*haproxy_port*]
|
||||||
|
# An alternative port, on which haproxy will listen for incoming requests.
|
||||||
|
# Defaults to service_port.
|
||||||
|
#
|
||||||
# [*base_service_name*]
|
# [*base_service_name*]
|
||||||
# In cases where the service name doesn't match the endpoint name, you can
|
# In cases where the service name doesn't match the endpoint name, you can
|
||||||
# specify this option in order to get an appropriate value for $ip_addresses
|
# specify this option in order to get an appropriate value for $ip_addresses
|
||||||
@ -115,6 +119,7 @@ define tripleo::haproxy::endpoint (
|
|||||||
$internal_ip,
|
$internal_ip,
|
||||||
$service_port,
|
$service_port,
|
||||||
$member_options,
|
$member_options,
|
||||||
|
$haproxy_port = undef,
|
||||||
$base_service_name = undef,
|
$base_service_name = undef,
|
||||||
$ip_addresses = hiera("${name}_node_ips", undef),
|
$ip_addresses = hiera("${name}_node_ips", undef),
|
||||||
$server_names = hiera("${name}_node_names", undef),
|
$server_names = hiera("${name}_node_names", undef),
|
||||||
@ -135,6 +140,14 @@ define tripleo::haproxy::endpoint (
|
|||||||
$session_cookie = 'STICKYSESSION',
|
$session_cookie = 'STICKYSESSION',
|
||||||
) {
|
) {
|
||||||
|
|
||||||
|
if $haproxy_port {
|
||||||
|
$haproxy_port_real = $haproxy_port
|
||||||
|
$service_port_real = $service_port
|
||||||
|
} else {
|
||||||
|
$haproxy_port_real = $service_port
|
||||||
|
$service_port_real = $service_port
|
||||||
|
}
|
||||||
|
|
||||||
if $base_service_name {
|
if $base_service_name {
|
||||||
$ip_addresses_real = hiera("${base_service_name}_node_ips", undef)
|
$ip_addresses_real = hiera("${base_service_name}_node_ips", undef)
|
||||||
} else {
|
} else {
|
||||||
@ -165,7 +178,7 @@ define tripleo::haproxy::endpoint (
|
|||||||
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
|
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
|
||||||
} else {
|
} else {
|
||||||
$listen_options_precookie = merge($listen_options, $custom_options)
|
$listen_options_precookie = merge($listen_options, $custom_options)
|
||||||
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
|
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
# internal service only
|
# internal service only
|
||||||
@ -197,14 +210,14 @@ define tripleo::haproxy::endpoint (
|
|||||||
# contain the path that we'll use under 'service_pem'.
|
# contain the path that we'll use under 'service_pem'.
|
||||||
$internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
|
$internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
|
||||||
}
|
}
|
||||||
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
|
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
|
||||||
union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
|
union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
|
||||||
} else {
|
} else {
|
||||||
if $service_network == 'external' and $public_certificate {
|
if $service_network == 'external' and $public_certificate {
|
||||||
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
|
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
|
||||||
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
|
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
|
||||||
} else {
|
} else {
|
||||||
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
|
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if $authorized_userlist {
|
if $authorized_userlist {
|
||||||
@ -236,7 +249,7 @@ define tripleo::haproxy::endpoint (
|
|||||||
$non_colon_ip = regsubst($ip, ':', '-', 'G')
|
$non_colon_ip = regsubst($ip, ':', '-', 'G')
|
||||||
haproxy::balancermember { "${name}_${non_colon_ip}_${server}":
|
haproxy::balancermember { "${name}_${non_colon_ip}_${server}":
|
||||||
listening_service => $name,
|
listening_service => $name,
|
||||||
ports => $service_port,
|
ports => $service_port_real,
|
||||||
ipaddresses => $ip,
|
ipaddresses => $ip,
|
||||||
server_names => $server,
|
server_names => $server,
|
||||||
options => union($member_options, ["cookie ${server}"]),
|
options => union($member_options, ["cookie ${server}"]),
|
||||||
@ -245,7 +258,7 @@ define tripleo::haproxy::endpoint (
|
|||||||
} else {
|
} else {
|
||||||
haproxy::balancermember { "${name}":
|
haproxy::balancermember { "${name}":
|
||||||
listening_service => $name,
|
listening_service => $name,
|
||||||
ports => $service_port,
|
ports => $service_port_real,
|
||||||
ipaddresses => $ip_addresses_real,
|
ipaddresses => $ip_addresses_real,
|
||||||
server_names => $server_names_real,
|
server_names => $server_names_real,
|
||||||
options => $member_options,
|
options => $member_options,
|
||||||
@ -258,10 +271,17 @@ define tripleo::haproxy::endpoint (
|
|||||||
# a port for the regular service and also the ssl port for the service.
|
# a port for the regular service and also the ssl port for the service.
|
||||||
# It makes sure we're not trying to create TCP iptables rules where no port
|
# It makes sure we're not trying to create TCP iptables rules where no port
|
||||||
# is specified.
|
# is specified.
|
||||||
if $service_port {
|
if $service_port_real {
|
||||||
$haproxy_firewall_rules = {
|
$service_firewall_rules = {
|
||||||
"100 ${name}_haproxy" => {
|
"100 ${name}_haproxy" => {
|
||||||
'dport' => $service_port,
|
'dport' => $service_port_real,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if $service_port_real != $haproxy_port_real {
|
||||||
|
$haproxy_firewall_rules = {
|
||||||
|
"100 ${name}_haproxy_frontend" => {
|
||||||
|
'dport' => $haproxy_port_real,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -274,8 +294,8 @@ define tripleo::haproxy::endpoint (
|
|||||||
} else {
|
} else {
|
||||||
$haproxy_ssl_firewall_rules = {}
|
$haproxy_ssl_firewall_rules = {}
|
||||||
}
|
}
|
||||||
$firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
|
$firewall_rules = merge($service_firewall_rules, $haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
|
||||||
if $service_port or $public_ssl_port {
|
if $service_port_real or $public_ssl_port {
|
||||||
create_resources('tripleo::firewall::rule', $firewall_rules)
|
create_resources('tripleo::firewall::rule', $firewall_rules)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
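Review bot: In the firewall hunk, `$haproxy_firewall_rules` is now assigned only inside `if $service_port_real != $haproxy_port_real`, so for every endpoint that does not set `haproxy_port` the later `merge($service_firewall_rules, $haproxy_firewall_rules, $haproxy_ssl_firewall_rules)` receives a variable that was never set; `$service_firewall_rules` has the same gap when `service_port` is unset. The SSL rules already carry an explicit `$haproxy_ssl_firewall_rules = {}` in their `else`, and the two new blocks should get the same, e.g. `} else { $haproxy_firewall_rules = {} }`. Whether the unset value is tolerated depends on the Puppet and stdlib versions and on `strict_variables`, none of which are visible on this page. Separately, both branches of the new `if $haproxy_port` assign `$service_port_real = $service_port`, so that assignment can move out of the conditional.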