openstack/puppet-tripleo
Code Issues Proposed changes

Explode loadbalancer role in 2 sub-roles

Browse Source 
Split loadbalancer role into 2 sub-roles:
- HAproxy
- Keepalived

Change-Id: I84dfa9d409d390c6f549d62cb3634931e4cb432c
This commit is contained in:
Emilien Macchi 2016-05-25 15:37:01 -04:00
parent 727d1b006a
commit 7b355dcc63
5 changed files with 1202 additions and 648 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

865
manifests/haproxy.pp Normal file
View File

@ -0,0 +1,865 @@
# Copyright 2014 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# == Class: tripleo::haproxy
#
# Configure HAProxy for TripleO.
#
# === Parameters:
#
# [*keepalived*]
# Whether to configure keepalived to manage the VIPs or not.
# Defaults to true
#
# [*haproxy_service_manage*]
# Will be passed as value for service_manage to HAProxy module.
# Defaults to true
#
# [*haproxy_global_maxconn*]
# The value to use as maxconn in the HAProxy global config section.
# Defaults to 20480
#
# [*haproxy_default_maxconn*]
# The value to use as maxconn in the HAProxy default config section.
# Defaults to 4096
#
# [*haproxy_default_timeout*]
# The value to use as timeout in the HAProxy default config section.
# Defaults to [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ]
#
# [*haproxy_listen_bind_param*]
# A list of params to be added to the HAProxy listener bind directive. By
# default the 'transparent' param is added but it should be cleared if
# one of the *_virtual_ip addresses is a wildcard, eg. 0.0.0.0
# Defaults to [ 'transparent' ]
#
# [*haproxy_member_options*]
# The default options to use for the HAProxy balancer members.
# Defaults to [ 'check', 'inter 2000', 'rise 2', 'fall 5' ]
#
# [*haproxy_log_address*]
# The IPv4, IPv6 or filesystem socket path of the syslog server.
# Defaults to '/dev/log'
#
# [*controller_host*]
# (Deprecated)Host or group of hosts to load-balance the services
# Can be a string or an array.
# Defaults to undef
#
# [*controller_hosts*]
# IPs of host or group of hosts to load-balance the services
# Can be a string or an array.
# Defaults to undef
#
# [*controller_hosts_names*]
# Names of host or group of hosts to load-balance the services
# Can be a string or an array.
# Defaults to undef
#
# [*controller_virtual_ip*]
# Control IP or group of IPs to bind the pools
# Can be a string or an array.
# Defaults to undef
#
# [*public_virtual_ip*]
# Public IP or group of IPs to bind the pools
# Can be a string or an array.
# Defaults to undef
# [*haproxy_stats_user*]
#
# Username for haproxy stats authentication.
# A string.
# Defaults to 'admin'
#
# [*haproxy_stats_password*]
# Password for haproxy stats authentication. When set, authentication is
# enabled on the haproxy stats endpoint.
# A string.
# Defaults to undef
#
# [*service_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the public API endpoints using the specified file.
# Defaults to undef
#
# [*internal_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the internal API endpoints using the specified file.
# Defaults to undef
#
# [*ssl_cipher_suite*]
# The default string describing the list of cipher algorithms ("cipher suite")
# that are negotiated during the SSL/TLS handshake for all "bind" lines. This
# value comes from the Fedora system crypto policy.
# Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
#
# [*ssl_options*]
# String that sets the default ssl options to force on all "bind" lines.
# Defaults to 'no-sslv3'
#
# [*haproxy_stats_certificate*]
# Filename of an HAProxy-compatible certificate and key file
# When set, enables SSL on the haproxy stats endpoint using the specified file.
# Defaults to undef
#
# [*keystone_admin*]
# (optional) Enable or not Keystone Admin API binding
# Defaults to false
#
# [*keystone_public*]
# (optional) Enable or not Keystone Public API binding
# Defaults to false
#
# [*neutron*]
# (optional) Enable or not Neutron API binding
# Defaults to false
#
# [*cinder*]
# (optional) Enable or not Cinder API binding
# Defaults to false
#
# [*manila*]
# (optional) Enable or not Manila API binding
# Defaults to false
#
# [*sahara*]
# (optional) Enable or not Sahara API binding
# defaults to false
#
# [*trove*]
# (optional) Enable or not Trove API binding
# defaults to false
#
# [*glance_api*]
# (optional) Enable or not Glance API binding
# Defaults to false
#
# [*glance_registry*]
# (optional) Enable or not Glance registry binding
# Defaults to false
#
# [*nova_osapi*]
# (optional) Enable or not Nova API binding
# Defaults to false
#
# [*nova_metadata*]
# (optional) Enable or not Nova metadata binding
# Defaults to false
#
# [*nova_novncproxy*]
# (optional) Enable or not Nova novncproxy binding
# Defaults to false
#
# [*ceilometer*]
# (optional) Enable or not Ceilometer API binding
# Defaults to false
#
# [*aodh*]
# (optional) Enable or not Aodh API binding
# Defaults to false
#
# [*gnocchi*]
# (optional) Enable or not Gnocchi API binding
# Defaults to false
#
# [*swift_proxy_server*]
# (optional) Enable or not Swift API binding
# Defaults to false
#
# [*heat_api*]
# (optional) Enable or not Heat API binding
# Defaults to false
#
# [*heat_cloudwatch*]
# (optional) Enable or not Heat Cloudwatch API binding
# Defaults to false
#
# [*heat_cfn*]
# (optional) Enable or not Heat CFN API binding
# Defaults to false
#
# [*horizon*]
# (optional) Enable or not Horizon dashboard binding
# Defaults to false
#
# [*ironic*]
# (optional) Enable or not Ironic API binding
# Defaults to false
#
# [*mysql*]
# (optional) Enable or not MySQL Galera binding
# Defaults to false
#
# [*mysql_clustercheck*]
# (optional) Enable check via clustercheck for mysql
# Defaults to false
#
# [*rabbitmq*]
# (optional) Enable or not RabbitMQ binding
# Defaults to false
#
# [*redis*]
# (optional) Enable or not Redis binding
# Defaults to false
#
# [*redis_password*]
# (optional) Password for Redis authentication, eventually needed by the
# specific monitoring we do from HAProxy for Redis
# Defaults to undef
#
# [*midonet_api*]
# (optional) Enable or not MidoNet API binding
# Defaults to false
#
# [*service_ports*]
# (optional) Hash that contains the values to override from the service ports
# The available keys to modify the services' ports are:
# 'aodh_api_port' (Defaults to 8042)
# 'aodh_api_ssl_port' (Defaults to 13042)
# 'ceilometer_api_port' (Defaults to 8777)
# 'ceilometer_api_ssl_port' (Defaults to 13777)
# 'cinder_api_port' (Defaults to 8776)
# 'cinder_api_ssl_port' (Defaults to 13776)
# 'glance_api_port' (Defaults to 9292)
# 'glance_api_ssl_port' (Defaults to 13292)
# 'glance_registry_port' (Defaults to 9191)
# 'gnocchi_api_port' (Defaults to 8041)
# 'gnocchi_api_ssl_port' (Defaults to 13041)
# 'heat_api_port' (Defaults to 8004)
# 'heat_api_ssl_port' (Defaults to 13004)
# 'heat_cfn_port' (Defaults to 8000)
# 'heat_cfn_ssl_port' (Defaults to 13005)
# 'heat_cw_port' (Defaults to 8003)
# 'heat_cw_ssl_port' (Defaults to 13003)
# 'ironic_api_port' (Defaults to 6385)
# 'ironic_api_ssl_port' (Defaults to 13385)
# 'keystone_admin_api_port' (Defaults to 35357)
# 'keystone_admin_api_ssl_port' (Defaults to 13357)
# 'keystone_public_api_port' (Defaults to 5000)
# 'keystone_public_api_ssl_port' (Defaults to 13000)
# 'manila_api_port' (Defaults to 8786)
# 'manila_api_ssl_port' (Defaults to 13786)
# 'neutron_api_port' (Defaults to 9696)
# 'neutron_api_ssl_port' (Defaults to 13696)
# 'nova_api_port' (Defaults to 8774)
# 'nova_api_ssl_port' (Defaults to 13774)
# 'nova_metadata_port' (Defaults to 8775)
# 'nova_novnc_port' (Defaults to 6080)
# 'nova_novnc_ssl_port' (Defaults to 13080)
# 'sahara_api_port' (Defaults to 8386)
# 'sahara_api_ssl_port' (Defaults to 13386)
# 'swift_proxy_port' (Defaults to 8080)
# 'swift_proxy_ssl_port' (Defaults to 13808)
# 'trove_api_port' (Defaults to 8779)
# 'trove_api_ssl_port' (Defaults to 13779)
# Defaults to {}
#
class tripleo::haproxy (
$controller_virtual_ip,
$public_virtual_ip,
$keepalived = true,
$haproxy_service_manage = true,
$haproxy_global_maxconn = 20480,
$haproxy_default_maxconn = 4096,
$haproxy_default_timeout = [ 'http-request 10s', 'queue 1m', 'connect 10s', 'client 1m', 'server 1m', 'check 10s' ],
$haproxy_listen_bind_param = [ 'transparent' ],
$haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
$haproxy_log_address = '/dev/log',
$haproxy_stats_user = 'admin',
$haproxy_stats_password = undef,
$controller_host = undef,
$controller_hosts = undef,
$controller_hosts_names = undef,
$service_certificate = undef,
$internal_certificate = undef,
$ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
$ssl_options = 'no-sslv3',
$haproxy_stats_certificate = undef,
$keystone_admin = false,
$keystone_public = false,
$neutron = false,
$cinder = false,
$sahara = false,
$trove = false,
$manila = false,
$glance_api = false,
$glance_registry = false,
$nova_osapi = false,
$nova_metadata = false,
$nova_novncproxy = false,
$ceilometer = false,
$aodh = false,
$gnocchi = false,
$swift_proxy_server = false,
$heat_api = false,
$heat_cloudwatch = false,
$heat_cfn = false,
$horizon = false,
$ironic = false,
$mysql = false,
$mysql_clustercheck = false,
$rabbitmq = false,
$redis = false,
$redis_password = undef,
$midonet_api = false,
$service_ports = {}
) {
$default_service_ports = {
aodh_api_port => 8042,
aodh_api_ssl_port => 13042,
ceilometer_api_port => 8777,
ceilometer_api_ssl_port => 13777,
cinder_api_port => 8776,
cinder_api_ssl_port => 13776,
glance_api_port => 9292,
glance_api_ssl_port => 13292,
glance_registry_port => 9191,
gnocchi_api_port => 8041,
gnocchi_api_ssl_port => 13041,
heat_api_port => 8004,
heat_api_ssl_port => 13004,
heat_cfn_port => 8000,
heat_cfn_ssl_port => 13005,
heat_cw_port => 8003,
heat_cw_ssl_port => 13003,
ironic_api_port => 6385,
ironic_api_ssl_port => 13385,
keystone_admin_api_port => 35357,
keystone_admin_api_ssl_port => 13357,
keystone_public_api_port => 5000,
keystone_public_api_ssl_port => 13000,
manila_api_port => 8786,
manila_api_ssl_port => 13786,
neutron_api_port => 9696,
neutron_api_ssl_port => 13696,
nova_api_port => 8774,
nova_api_ssl_port => 13774,
nova_metadata_port => 8775,
nova_novnc_port => 6080,
nova_novnc_ssl_port => 13080,
sahara_api_port => 8386,
sahara_api_ssl_port => 13386,
swift_proxy_port => 8080,
swift_proxy_ssl_port => 13808,
trove_api_port => 8779,
trove_api_ssl_port => 13779,
}
$ports = merge($default_service_ports, $service_ports)
if !$controller_host and !$controller_hosts {
fail('$controller_hosts or $controller_host (now deprecated) is a mandatory parameter')
}
if $controller_hosts {
$controller_hosts_real = any2array($controller_hosts)
} else {
warning('$controller_host has been deprecated in favor of $controller_hosts')
$controller_hosts_real = any2array($controller_host)
}
if !$controller_hosts_names {
$controller_hosts_names_real = any2array($controller_hosts_real)
} else {
$controller_hosts_names_real = any2array($controller_hosts_names)
}
# This code will be removed once we switch undercloud and overcloud to use both haproxy & keepalived roles.
if $keepalived {
include ::tripleo::keepalived
}
# TODO(bnemec): When we have support for SSL on private and admin endpoints,
# have the haproxy stats endpoint use that certificate by default.
if $haproxy_stats_certificate {
$haproxy_stats_bind_certificate = $haproxy_stats_certificate
}
$horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
if $service_certificate {
# NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
# same, the first option takes precedence. Which is the case when network
# isolation is not enabled. This is not a problem as both options are
# identical. If network isolation is enabled, this works correctly and
# will add a TLS binding to both the horizon_vip and the
# public_virtual_ip.
# Even though for the public_virtual_ip the port 80 is listening, we
# redirect to https in the horizon_options below.
$horizon_bind_opts = {
"${horizon_vip}:80" => $haproxy_listen_bind_param,
"${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
"${public_virtual_ip}:80" => $haproxy_listen_bind_param,
"${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
'option' => 'forwardfor',
}
} else {
$horizon_bind_opts = {
"${horizon_vip}:80" => $haproxy_listen_bind_param,
"${public_virtual_ip}:80" => $haproxy_listen_bind_param,
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
'option' => 'forwardfor',
}
}
if $haproxy_stats_bind_certificate {
$haproxy_stats_bind_opts = {
"${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
}
} else {
$haproxy_stats_bind_opts = {
"${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
}
}
$mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
$mysql_bind_opts = {
"${mysql_vip}:3306" => $haproxy_listen_bind_param,
}
$rabbitmq_vip = hiera('rabbitmq_vip', $controller_virtual_ip)
$rabbitmq_bind_opts = {
"${rabbitmq_vip}:5672" => $haproxy_listen_bind_param,
}
$redis_vip = hiera('redis_vip', $controller_virtual_ip)
$redis_bind_opts = {
"${redis_vip}:6379" => $haproxy_listen_bind_param,
}
class { '::haproxy':
service_manage => $haproxy_service_manage,
global_options => {
'log' => "${haproxy_log_address} local0",
'pidfile' => '/var/run/haproxy.pid',
'user' => 'haproxy',
'group' => 'haproxy',
'daemon' => '',
'maxconn' => $haproxy_global_maxconn,
'ssl-default-bind-ciphers' => $ssl_cipher_suite,
'ssl-default-bind-options' => $ssl_options,
},
defaults_options => {
'mode' => 'tcp',
'log' => 'global',
'retries' => '3',
'timeout' => $haproxy_default_timeout,
'maxconn' => $haproxy_default_maxconn,
},
}
Tripleo::Haproxy::Endpoint {
haproxy_listen_bind_param => $haproxy_listen_bind_param,
member_options => $haproxy_member_options,
public_certificate => $service_certificate,
internal_certificate => $internal_certificate,
}
$stats_base = ['enable', 'uri /']
if $haproxy_stats_password {
$stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
} else {
$stats_config = $stats_base
}
haproxy::listen { 'haproxy.stats':
bind => $haproxy_stats_bind_opts,
mode => 'http',
options => {
'stats' => $stats_config,
},
collect_exported => false,
}
if $keystone_admin {
::tripleo::haproxy::endpoint { 'keystone_admin':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
service_port => $ports[keystone_admin_api_port],
ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
public_ssl_port => $ports[keystone_admin_api_ssl_port],
}
}
if $keystone_public {
::tripleo::haproxy::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip),
service_port => $ports[keystone_public_api_port],
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
public_ssl_port => $ports[keystone_public_api_ssl_port],
}
}
if $neutron {
::tripleo::haproxy::endpoint { 'neutron':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('neutron_api_vip', $controller_virtual_ip),
service_port => $ports[neutron_api_port],
ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[neutron_api_ssl_port],
}
}
if $cinder {
::tripleo::haproxy::endpoint { 'cinder':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('cinder_api_vip', $controller_virtual_ip),
service_port => $ports[cinder_api_port],
ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
public_ssl_port => $ports[cinder_api_ssl_port],
}
}
if $manila {
::tripleo::haproxy::endpoint { 'manila':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('manila_api_vip', $controller_virtual_ip),
service_port => $ports[manila_api_port],
ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[manila_api_ssl_port],
}
}
if $sahara {
::tripleo::haproxy::endpoint { 'sahara':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('sahara_api_vip', $controller_virtual_ip),
service_port => $ports[sahara_api_port],
ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[sahara_api_ssl_port],
}
}
if $trove {
::tripleo::haproxy::endpoint { 'trove':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('trove_api_vip', $controller_virtual_ip),
service_port => $ports[trove_api_port],
ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[trove_api_ssl_port],
}
}
if $glance_api {
::tripleo::haproxy::endpoint { 'glance_api':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('glance_api_vip', $controller_virtual_ip),
service_port => $ports[glance_api_port],
ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[glance_api_ssl_port],
}
}
if $glance_registry {
::tripleo::haproxy::endpoint { 'glance_registry':
internal_ip => hiera('glance_registry_vip', $controller_virtual_ip),
service_port => $ports[glance_registry_port],
ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
}
}
$nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
if $nova_osapi {
::tripleo::haproxy::endpoint { 'nova_osapi':
public_virtual_ip => $public_virtual_ip,
internal_ip => $nova_api_vip,
service_port => $ports[nova_api_port],
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
public_ssl_port => $ports[nova_api_ssl_port],
}
}
if $nova_metadata {
::tripleo::haproxy::endpoint { 'nova_metadata':
internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip),
service_port => $ports[nova_metadata_port],
ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
}
}
if $nova_novncproxy {
::tripleo::haproxy::endpoint { 'nova_novncproxy':
public_virtual_ip => $public_virtual_ip,
internal_ip => $nova_api_vip,
service_port => $ports[nova_novnc_port],
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
listen_options => {
'balance' => 'source',
'timeout' => [ 'tunnel 1h' ],
},
public_ssl_port => $ports[nova_novnc_ssl_port],
}
}
if $ceilometer {
::tripleo::haproxy::endpoint { 'ceilometer':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip),
service_port => $ports[ceilometer_api_port],
ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[ceilometer_api_ssl_port],
}
}
if $aodh {
::tripleo::haproxy::endpoint { 'aodh':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('aodh_api_vip', $controller_virtual_ip),
service_port => $ports[aodh_api_port],
ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[aodh_api_ssl_port],
}
}
if $gnocchi {
::tripleo::haproxy::endpoint { 'gnocchi':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip),
service_port => $ports[gnocchi_api_port],
ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[gnocchi_api_ssl_port],
}
}
if $swift_proxy_server {
::tripleo::haproxy::endpoint { 'swift_proxy_server':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip),
service_port => $ports[swift_proxy_port],
ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[swift_proxy_ssl_port],
}
}
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
$heat_base_options = {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
if $service_certificate {
$heat_ssl_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
}
$heat_options = merge($heat_base_options, $heat_ssl_options)
} else {
$heat_options = $heat_base_options
}
if $heat_api {
::tripleo::haproxy::endpoint { 'heat_api':
public_virtual_ip => $public_virtual_ip,
internal_ip => $heat_api_vip,
service_port => $ports[heat_api_port],
ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => $heat_options,
public_ssl_port => $ports[heat_api_ssl_port],
}
}
if $heat_cloudwatch {
::tripleo::haproxy::endpoint { 'heat_cloudwatch':
public_virtual_ip => $public_virtual_ip,
internal_ip => $heat_api_vip,
service_port => $ports[heat_cw_port],
ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => $heat_options,
public_ssl_port => $ports[heat_cw_ssl_port],
}
}
if $heat_cfn {
::tripleo::haproxy::endpoint { 'heat_cfn':
public_virtual_ip => $public_virtual_ip,
internal_ip => $heat_api_vip,
service_port => $ports[heat_cfn_port],
ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => $heat_options,
public_ssl_port => $ports[heat_cfn_ssl_port],
}
}
if $horizon {
haproxy::listen { 'horizon':
bind => $horizon_bind_opts,
options => $horizon_options,
mode => 'http',
collect_exported => false,
}
haproxy::balancermember { 'horizon':
listening_service => 'horizon',
ports => '80',
ipaddresses => hiera('horizon_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => union($haproxy_member_options, ["cookie ${::hostname}"]),
}
}
if $ironic {
::tripleo::haproxy::endpoint { 'ironic':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('ironic_api_vip', $controller_virtual_ip),
service_port => $ports[ironic_api_port],
ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[ironic_api_ssl_port],
}
}
if $mysql_clustercheck {
$mysql_listen_options = {
'option' => [ 'tcpka', 'httpchk' ],
'timeout client' => '90m',
'timeout server' => '90m',
'stick-table' => 'type ip size 1000',
'stick' => 'on dst',
}
$mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions'])
} else {
$mysql_listen_options = {
'timeout client' => '90m',
'timeout server' => '90m',
}
$mysql_member_options = union($haproxy_member_options, ['backup'])
}
if $mysql {
haproxy::listen { 'mysql':
bind => $mysql_bind_opts,
options => $mysql_listen_options,
collect_exported => false,
}
haproxy::balancermember { 'mysql-backup':
listening_service => 'mysql',
ports => '3306',
ipaddresses => hiera('mysql_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => $mysql_member_options,
}
}
if $rabbitmq {
haproxy::listen { 'rabbitmq':
bind => $rabbitmq_bind_opts,
options => {
'option' => [ 'tcpka' ],
'timeout' => [ 'client 0', 'server 0' ],
},
collect_exported => false,
}
haproxy::balancermember { 'rabbitmq':
listening_service => 'rabbitmq',
ports => '5672',
ipaddresses => hiera('rabbitmq_network', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => $haproxy_member_options,
}
}
if $redis {
if $redis_password {
$redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
} else {
$redis_tcp_check_options = []
}
haproxy::listen { 'redis':
bind => $redis_bind_opts,
options => {
'balance' => 'first',
'option' => ['tcp-check',],
'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']),
},
collect_exported => false,
}
haproxy::balancermember { 'redis':
listening_service => 'redis',
ports => '6379',
ipaddresses => hiera('redis_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => $haproxy_member_options,
}
}
$midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip)
$midonet_bind_opts = {
"${midonet_api_vip}:8081" => [],
"${public_virtual_ip}:8081" => [],
}
if $midonet_api {
haproxy::listen { 'midonet_api':
bind => $midonet_bind_opts,
collect_exported => false,
}
haproxy::balancermember { 'midonet_api':
listening_service => 'midonet_api',
ports => '8081',
ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => $haproxy_member_options,
}
}
}

120
manifests/haproxy/endpoint.pp Normal file
View File

@ -0,0 +1,120 @@
# Copyright 2014 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# == Class: tripleo::haproxy::endpoint
#
# Configure a HAProxy listen endpoint
#
# [*internal_ip*]
# The IP in which the proxy endpoint will be listening in the internal
# network.
#
# [*service_port*]
# The default port on which the endpoint will be listening.
#
# [*ip_addresses*]
# The ordered list of IPs to be used to contact the balancer member.
#
# [*server_names*]
# The names of the balancer members, which usually should be the hostname.
#
# [*member_options*]
# Options for the balancer member, specified after the server declaration.
# These should go in the member's configuration block.
#
# [*public_virtual_ip*]
# Address in which the proxy endpoint will be listening in the public network.
# If this service is internal only this should be ommited.
# Defaults to undef.
#
# [*mode*]
# HAProxy mode in which the endpoint will be listening. This can be undef,
# tcp, http or health.
# Defaults to undef.
#
# [*haproxy_listen_bind_param*]
# A list of params to be added to the HAProxy listener bind directive.
# Defaults to undef.
#
# [*listen_options*]
# Options specified for the listening service's configuration block (in
# HAproxy terms, the frontend).
# defaults to {'option' => []}
#
# [*public_ssl_port*]
# The port used for the public proxy endpoint if it differs from the default
# one. This is used only if SSL is enabled, and it's used in order to avoid
# overriding with the internal proxy endpoint (which could happen if they were
# in the same network).
# Defaults to undef.
#
# [*public_certificate*]
# Certificate path used to enable TLS for the public proxy endpoint.
# Defaults to undef.
#
# [*internal_certificate*]
# Certificate path used to enable TLS for the internal proxy endpoint.
# Defaults to undef.
#
define tripleo::haproxy::endpoint (
$internal_ip,
$service_port,
$ip_addresses,
$server_names,
$member_options,
$public_virtual_ip = undef,
$mode = undef,
$haproxy_listen_bind_param = undef,
$listen_options = {
'option' => [],
},
$public_ssl_port = undef,
$public_certificate = undef,
$internal_certificate = undef,
) {
if $public_virtual_ip {
# service exposed to the public network
if $public_certificate {
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
} else {
# internal service only
$public_bind_opts = {}
}
if $internal_certificate {
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
$bind_opts = merge($internal_bind_opts, $public_bind_opts)
haproxy::listen { "${name}":
bind => $bind_opts,
collect_exported => false,
mode => $mode,
options => $listen_options,
}
haproxy::balancermember { "${name}":
listening_service => $name,
ports => $service_port,
ipaddresses => $ip_addresses,
server_names => $server_names,
options => $member_options,
}
}

144
manifests/keepalived.pp Normal file
View File

@ -0,0 +1,144 @@
# Copyright 2014 Red Hat, Inc.
# All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# == Class: tripleo::keepalived
#
# Configure keepalived for TripleO.
#
# === Parameters:
#
# [*controller_virtual_ip*]
# Control IP or group of IPs to bind the pools
# Can be a string or an array.
# Defaults to undef
#
# [*control_virtual_interface*]
# Interface to bind the control VIP
# Can be a string or an array.
# Defaults to undef
#
# [*public_virtual_interface*]
# Interface to bind the public VIP
# Can be a string or an array.
# Defaults to undef
#
# [*public_virtual_ip*]
# Public IP or group of IPs to bind the pools
# Can be a string or an array.
# Defaults to undef
#
# [*internal_api_virtual_ip*]
# Virtual IP on the internal API network.
# A string.
# Defaults to false
#
# [*storage_virtual_ip*]
# Virtual IP on the storage network.
# A string.
# Defaults to false
#
# [*storage_mgmt_virtual_ip*]
# Virtual IP on the storage mgmt network.
# A string.
# Defaults to false
#
class tripleo::keepalived (
$controller_virtual_ip,
$control_virtual_interface,
$public_virtual_interface,
$public_virtual_ip,
$internal_api_virtual_ip = false,
$storage_virtual_ip = false,
$storage_mgmt_virtual_ip = false,
) {
case $::osfamily {
'RedHat': {
$keepalived_name_is_process = false
$keepalived_vrrp_script = 'systemctl status haproxy.service'
} # RedHat
'Debian': {
$keepalived_name_is_process = true
$keepalived_vrrp_script = undef
}
default: {
warning('Please configure keepalived defaults in tripleo::keepalived.')
$keepalived_name_is_process = undef
$keepalived_vrrp_script = undef
}
}
class { '::keepalived': }
keepalived::vrrp_script { 'haproxy':
name_is_process => $keepalived_name_is_process,
script => $keepalived_vrrp_script,
}
# KEEPALIVE INSTANCE CONTROL
keepalived::instance { '51':
interface => $control_virtual_interface,
virtual_ips => [join([$controller_virtual_ip, ' dev ', $control_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
# KEEPALIVE INSTANCE PUBLIC
keepalived::instance { '52':
interface => $public_virtual_interface,
virtual_ips => [join([$public_virtual_ip, ' dev ', $public_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
if $internal_api_virtual_ip and $internal_api_virtual_ip != $controller_virtual_ip {
$internal_api_virtual_interface = interface_for_ip($internal_api_virtual_ip)
# KEEPALIVE INTERNAL API NETWORK
keepalived::instance { '53':
interface => $internal_api_virtual_interface,
virtual_ips => [join([$internal_api_virtual_ip, ' dev ', $internal_api_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
}
if $storage_virtual_ip and $storage_virtual_ip != $controller_virtual_ip {
$storage_virtual_interface = interface_for_ip($storage_virtual_ip)
# KEEPALIVE STORAGE NETWORK
keepalived::instance { '54':
interface => $storage_virtual_interface,
virtual_ips => [join([$storage_virtual_ip, ' dev ', $storage_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
}
if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $controller_virtual_ip {
$storage_mgmt_virtual_interface = interface_for_ip($storage_mgmt_virtual_ip)
# KEEPALIVE STORAGE MANAGEMENT NETWORK
keepalived::instance { '55':
interface => $storage_mgmt_virtual_interface,
virtual_ips => [join([$storage_mgmt_virtual_ip, ' dev ', $storage_mgmt_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
}
}

676
manifests/loadbalancer.pp
View File

@ -346,625 +346,69 @@ class tripleo::loadbalancer (
$midonet_api = false,
$service_ports = {}
) {
$default_service_ports = {
aodh_api_port => 8042,
aodh_api_ssl_port => 13042,
ceilometer_api_port => 8777,
ceilometer_api_ssl_port => 13777,
cinder_api_port => 8776,
cinder_api_ssl_port => 13776,
glance_api_port => 9292,
glance_api_ssl_port => 13292,
glance_registry_port => 9191,
gnocchi_api_port => 8041,
gnocchi_api_ssl_port => 13041,
heat_api_port => 8004,
heat_api_ssl_port => 13004,
heat_cfn_port => 8000,
heat_cfn_ssl_port => 13005,
heat_cw_port => 8003,
heat_cw_ssl_port => 13003,
ironic_api_port => 6385,
ironic_api_ssl_port => 13385,
keystone_admin_api_port => 35357,
keystone_admin_api_ssl_port => 13357,
keystone_public_api_port => 5000,
keystone_public_api_ssl_port => 13000,
manila_api_port => 8786,
manila_api_ssl_port => 13786,
neutron_api_port => 9696,
neutron_api_ssl_port => 13696,
nova_api_port => 8774,
nova_api_ssl_port => 13774,
nova_metadata_port => 8775,
nova_novnc_port => 6080,
nova_novnc_ssl_port => 13080,
sahara_api_port => 8386,
sahara_api_ssl_port => 13386,
swift_proxy_port => 8080,
swift_proxy_ssl_port => 13808,
trove_api_port => 8779,
trove_api_ssl_port => 13779,
}
$ports = merge($default_service_ports, $service_ports)
if !$controller_host and !$controller_hosts {
fail('$controller_hosts or $controller_host (now deprecated) is a mandatory parameter')
}
if $controller_hosts {
$controller_hosts_real = any2array($controller_hosts)
} else {
warning('$controller_host has been deprecated in favor of $controller_hosts')
$controller_hosts_real = any2array($controller_host)
}
if !$controller_hosts_names {
$controller_hosts_names_real = any2array($controller_hosts_real)
} else {
$controller_hosts_names_real = any2array($controller_hosts_names)
warning('This class is going to be dropped during Newton cycle, replaced by tripleo::haproxy and tripleo::keepalived.')
class { '::tripleo::haproxy':
controller_virtual_ip => $controller_virtual_ip,
public_virtual_ip => $public_virtual_ip,
# Force to false because we already declare ::tripleo::keepalived later in this manifest to kep
# old hieradata binding.
keepalived => false,
haproxy_service_manage => $haproxy_service_manage,
haproxy_global_maxconn => $haproxy_global_maxconn,
haproxy_default_maxconn => $haproxy_default_maxconn,
haproxy_default_timeout => $haproxy_default_timeout,
haproxy_listen_bind_param => $haproxy_listen_bind_param,
haproxy_member_options => $haproxy_member_options,
haproxy_log_address => $haproxy_log_address,
haproxy_stats_user => $haproxy_stats_user,
haproxy_stats_password => $haproxy_stats_password,
controller_host => $controller_host,
controller_hosts => $controller_hosts,
controller_hosts_names => $controller_hosts_names,
service_certificate => $service_certificate,
internal_certificate => $internal_certificate,
ssl_cipher_suite => $ssl_cipher_suite,
ssl_options => $ssl_options,
haproxy_stats_certificate => $haproxy_stats_certificate,
keystone_admin => $keystone_admin,
keystone_public => $keystone_public,
neutron => $neutron,
cinder => $cinder,
sahara => $sahara,
trove => $trove,
manila => $manila,
glance_api => $glance_api,
glance_registry => $glance_registry,
nova_osapi => $nova_osapi,
nova_metadata => $nova_metadata,
nova_novncproxy => $nova_novncproxy,
ceilometer => $ceilometer,
aodh => $aodh,
gnocchi => $gnocchi,
swift_proxy_server => $swift_proxy_server,
heat_api => $heat_api,
heat_cloudwatch => $heat_cloudwatch,
heat_cfn => $heat_cfn,
horizon => $horizon,
ironic => $ironic,
mysql => $mysql,
mysql_clustercheck => $mysql_clustercheck,
rabbitmq => $rabbitmq,
redis => $redis,
redis_password => $redis_password,
midonet_api => $midonet_api,
service_ports => $service_ports,
}
if $manage_vip {
case $::osfamily {
'RedHat': {
$keepalived_name_is_process = false
$keepalived_vrrp_script = 'systemctl status haproxy.service'
} # RedHat
'Debian': {
$keepalived_name_is_process = true
$keepalived_vrrp_script = undef
}
default: {
warning('Please configure keepalived defaults in tripleo::loadbalancer.')
$keepalived_name_is_process = undef
$keepalived_vrrp_script = undef
}
}
class { '::keepalived': }
keepalived::vrrp_script { 'haproxy':
name_is_process => $keepalived_name_is_process,
script => $keepalived_vrrp_script,
}
# KEEPALIVE INSTANCE CONTROL
keepalived::instance { '51':
interface => $control_virtual_interface,
virtual_ips => [join([$controller_virtual_ip, ' dev ', $control_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
# KEEPALIVE INSTANCE PUBLIC
keepalived::instance { '52':
interface => $public_virtual_interface,
virtual_ips => [join([$public_virtual_ip, ' dev ', $public_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
if $internal_api_virtual_ip and $internal_api_virtual_ip != $controller_virtual_ip {
$internal_api_virtual_interface = interface_for_ip($internal_api_virtual_ip)
# KEEPALIVE INTERNAL API NETWORK
keepalived::instance { '53':
interface => $internal_api_virtual_interface,
virtual_ips => [join([$internal_api_virtual_ip, ' dev ', $internal_api_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
}
if $storage_virtual_ip and $storage_virtual_ip != $controller_virtual_ip {
$storage_virtual_interface = interface_for_ip($storage_virtual_ip)
# KEEPALIVE STORAGE NETWORK
keepalived::instance { '54':
interface => $storage_virtual_interface,
virtual_ips => [join([$storage_virtual_ip, ' dev ', $storage_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
}
if $storage_mgmt_virtual_ip and $storage_mgmt_virtual_ip != $controller_virtual_ip {
$storage_mgmt_virtual_interface = interface_for_ip($storage_mgmt_virtual_ip)
# KEEPALIVE STORAGE MANAGEMENT NETWORK
keepalived::instance { '55':
interface => $storage_mgmt_virtual_interface,
virtual_ips => [join([$storage_mgmt_virtual_ip, ' dev ', $storage_mgmt_virtual_interface])],
state => 'MASTER',
track_script => ['haproxy'],
priority => 101,
}
}
}
# TODO(bnemec): When we have support for SSL on private and admin endpoints,
# have the haproxy stats endpoint use that certificate by default.
if $haproxy_stats_certificate {
$haproxy_stats_bind_certificate = $haproxy_stats_certificate
}
$horizon_vip = hiera('horizon_vip', $controller_virtual_ip)
if $service_certificate {
# NOTE(jaosorior): If the horizon_vip and the public_virtual_ip are the
# same, the first option takes precedence. Which is the case when network
# isolation is not enabled. This is not a problem as both options are
# identical. If network isolation is enabled, this works correctly and
# will add a TLS binding to both the horizon_vip and the
# public_virtual_ip.
# Even though for the public_virtual_ip the port 80 is listening, we
# redirect to https in the horizon_options below.
$horizon_bind_opts = {
"${horizon_vip}:80" => $haproxy_listen_bind_param,
"${horizon_vip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
"${public_virtual_ip}:80" => $haproxy_listen_bind_param,
"${public_virtual_ip}:443" => union($haproxy_listen_bind_param, ['ssl', 'crt', $service_certificate]),
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
'rsprep' => '^Location:\ http://(.*) Location:\ https://\1',
# NOTE(jaosorior): We always redirect to https for the public_virtual_ip.
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
'option' => 'forwardfor',
}
} else {
$horizon_bind_opts = {
"${horizon_vip}:80" => $haproxy_listen_bind_param,
"${public_virtual_ip}:80" => $haproxy_listen_bind_param,
}
$horizon_options = {
'cookie' => 'SERVERID insert indirect nocache',
'option' => 'forwardfor',
}
}
if $haproxy_stats_bind_certificate {
$haproxy_stats_bind_opts = {
"${controller_virtual_ip}:1993" => union($haproxy_listen_bind_param, ['ssl', 'crt', $haproxy_stats_bind_certificate]),
}
} else {
$haproxy_stats_bind_opts = {
"${controller_virtual_ip}:1993" => $haproxy_listen_bind_param,
}
}
$mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
$mysql_bind_opts = {
"${mysql_vip}:3306" => $haproxy_listen_bind_param,
}
$rabbitmq_vip = hiera('rabbitmq_vip', $controller_virtual_ip)
$rabbitmq_bind_opts = {
"${rabbitmq_vip}:5672" => $haproxy_listen_bind_param,
}
$redis_vip = hiera('redis_vip', $controller_virtual_ip)
$redis_bind_opts = {
"${redis_vip}:6379" => $haproxy_listen_bind_param,
}
class { '::haproxy':
service_manage => $haproxy_service_manage,
global_options => {
'log' => "${haproxy_log_address} local0",
'pidfile' => '/var/run/haproxy.pid',
'user' => 'haproxy',
'group' => 'haproxy',
'daemon' => '',
'maxconn' => $haproxy_global_maxconn,
'ssl-default-bind-ciphers' => $ssl_cipher_suite,
'ssl-default-bind-options' => $ssl_options,
},
defaults_options => {
'mode' => 'tcp',
'log' => 'global',
'retries' => '3',
'timeout' => $haproxy_default_timeout,
'maxconn' => $haproxy_default_maxconn,
},
}
Tripleo::Loadbalancer::Endpoint {
haproxy_listen_bind_param => $haproxy_listen_bind_param,
member_options => $haproxy_member_options,
public_certificate => $service_certificate,
internal_certificate => $internal_certificate,
}
$stats_base = ['enable', 'uri /']
if $haproxy_stats_password {
$stats_config = union($stats_base, ["auth ${haproxy_stats_user}:${haproxy_stats_password}"])
} else {
$stats_config = $stats_base
}
haproxy::listen { 'haproxy.stats':
bind => $haproxy_stats_bind_opts,
mode => 'http',
options => {
'stats' => $stats_config,
},
collect_exported => false,
}
if $keystone_admin {
::tripleo::loadbalancer::endpoint { 'keystone_admin':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
service_port => $ports[keystone_admin_api_port],
ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
public_ssl_port => $ports[keystone_admin_api_ssl_port],
}
}
if $keystone_public {
::tripleo::loadbalancer::endpoint { 'keystone_public':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip),
service_port => $ports[keystone_public_api_port],
ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
public_ssl_port => $ports[keystone_public_api_ssl_port],
}
}
if $neutron {
::tripleo::loadbalancer::endpoint { 'neutron':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('neutron_api_vip', $controller_virtual_ip),
service_port => $ports[neutron_api_port],
ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[neutron_api_ssl_port],
}
}
if $cinder {
::tripleo::loadbalancer::endpoint { 'cinder':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('cinder_api_vip', $controller_virtual_ip),
service_port => $ports[cinder_api_port],
ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
public_ssl_port => $ports[cinder_api_ssl_port],
}
}
if $manila {
::tripleo::loadbalancer::endpoint { 'manila':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('manila_api_vip', $controller_virtual_ip),
service_port => $ports[manila_api_port],
ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[manila_api_ssl_port],
}
}
if $sahara {
::tripleo::loadbalancer::endpoint { 'sahara':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('sahara_api_vip', $controller_virtual_ip),
service_port => $ports[sahara_api_port],
ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[sahara_api_ssl_port],
}
}
if $trove {
::tripleo::loadbalancer::endpoint { 'trove':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('trove_api_vip', $controller_virtual_ip),
service_port => $ports[trove_api_port],
ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[trove_api_ssl_port],
}
}
if $glance_api {
::tripleo::loadbalancer::endpoint { 'glance_api':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('glance_api_vip', $controller_virtual_ip),
service_port => $ports[glance_api_port],
ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[glance_api_ssl_port],
}
}
if $glance_registry {
::tripleo::loadbalancer::endpoint { 'glance_registry':
internal_ip => hiera('glance_registry_vip', $controller_virtual_ip),
service_port => $ports[glance_registry_port],
ip_addresses => hiera('glance_registry_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
}
}
$nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
if $nova_osapi {
::tripleo::loadbalancer::endpoint { 'nova_osapi':
public_virtual_ip => $public_virtual_ip,
internal_ip => $nova_api_vip,
service_port => $ports[nova_api_port],
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
public_ssl_port => $ports[nova_api_ssl_port],
}
}
if $nova_metadata {
::tripleo::loadbalancer::endpoint { 'nova_metadata':
internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip),
service_port => $ports[nova_metadata_port],
ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
}
}
if $nova_novncproxy {
::tripleo::loadbalancer::endpoint { 'nova_novncproxy':
public_virtual_ip => $public_virtual_ip,
internal_ip => $nova_api_vip,
service_port => $ports[nova_novnc_port],
ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
listen_options => {
'balance' => 'source',
'timeout' => [ 'tunnel 1h' ],
},
public_ssl_port => $ports[nova_novnc_ssl_port],
}
}
if $ceilometer {
::tripleo::loadbalancer::endpoint { 'ceilometer':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('ceilometer_api_vip', $controller_virtual_ip),
service_port => $ports[ceilometer_api_port],
ip_addresses => hiera('ceilometer_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[ceilometer_api_ssl_port],
}
}
if $aodh {
::tripleo::loadbalancer::endpoint { 'aodh':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('aodh_api_vip', $controller_virtual_ip),
service_port => $ports[aodh_api_port],
ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[aodh_api_ssl_port],
}
}
if $gnocchi {
::tripleo::loadbalancer::endpoint { 'gnocchi':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip),
service_port => $ports[gnocchi_api_port],
ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[gnocchi_api_ssl_port],
}
}
if $swift_proxy_server {
::tripleo::loadbalancer::endpoint { 'swift_proxy_server':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip),
service_port => $ports[swift_proxy_port],
ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[swift_proxy_ssl_port],
}
}
$heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
$heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
$heat_base_options = {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }']}
if $service_certificate {
$heat_ssl_options = {
'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
}
$heat_options = merge($heat_base_options, $heat_ssl_options)
} else {
$heat_options = $heat_base_options
}
if $heat_api {
::tripleo::loadbalancer::endpoint { 'heat_api':
public_virtual_ip => $public_virtual_ip,
internal_ip => $heat_api_vip,
service_port => $ports[heat_api_port],
ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => $heat_options,
public_ssl_port => $ports[heat_api_ssl_port],
}
}
if $heat_cloudwatch {
::tripleo::loadbalancer::endpoint { 'heat_cloudwatch':
public_virtual_ip => $public_virtual_ip,
internal_ip => $heat_api_vip,
service_port => $ports[heat_cw_port],
ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => $heat_options,
public_ssl_port => $ports[heat_cw_ssl_port],
}
}
if $heat_cfn {
::tripleo::loadbalancer::endpoint { 'heat_cfn':
public_virtual_ip => $public_virtual_ip,
internal_ip => $heat_api_vip,
service_port => $ports[heat_cfn_port],
ip_addresses => $heat_ip_addresses,
server_names => $controller_hosts_names_real,
mode => 'http',
listen_options => $heat_options,
public_ssl_port => $ports[heat_cfn_ssl_port],
}
}
if $horizon {
haproxy::listen { 'horizon':
bind => $horizon_bind_opts,
options => $horizon_options,
mode => 'http',
collect_exported => false,
}
haproxy::balancermember { 'horizon':
listening_service => 'horizon',
ports => '80',
ipaddresses => hiera('horizon_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => union($haproxy_member_options, ["cookie ${::hostname}"]),
}
}
if $ironic {
::tripleo::loadbalancer::endpoint { 'ironic':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('ironic_api_vip', $controller_virtual_ip),
service_port => $ports[ironic_api_port],
ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
public_ssl_port => $ports[ironic_api_ssl_port],
}
}
if $mysql_clustercheck {
$mysql_listen_options = {
'option' => [ 'tcpka', 'httpchk' ],
'timeout client' => '90m',
'timeout server' => '90m',
'stick-table' => 'type ip size 1000',
'stick' => 'on dst',
}
$mysql_member_options = union($haproxy_member_options, ['backup', 'port 9200', 'on-marked-down shutdown-sessions'])
} else {
$mysql_listen_options = {
'timeout client' => '90m',
'timeout server' => '90m',
}
$mysql_member_options = union($haproxy_member_options, ['backup'])
}
if $mysql {
haproxy::listen { 'mysql':
bind => $mysql_bind_opts,
options => $mysql_listen_options,
collect_exported => false,
}
haproxy::balancermember { 'mysql-backup':
listening_service => 'mysql',
ports => '3306',
ipaddresses => hiera('mysql_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => $mysql_member_options,
}
}
if $rabbitmq {
haproxy::listen { 'rabbitmq':
bind => $rabbitmq_bind_opts,
options => {
'option' => [ 'tcpka' ],
'timeout' => [ 'client 0', 'server 0' ],
},
collect_exported => false,
}
haproxy::balancermember { 'rabbitmq':
listening_service => 'rabbitmq',
ports => '5672',
ipaddresses => hiera('rabbitmq_network', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => $haproxy_member_options,
}
}
if $redis {
if $redis_password {
$redis_tcp_check_options = ["send AUTH\\ ${redis_password}\\r\\n"]
} else {
$redis_tcp_check_options = []
}
haproxy::listen { 'redis':
bind => $redis_bind_opts,
options => {
'balance' => 'first',
'option' => ['tcp-check',],
'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n','expect string +PONG','send info\ replication\r\n','expect string role:master','send QUIT\r\n','expect string +OK']),
},
collect_exported => false,
}
haproxy::balancermember { 'redis':
listening_service => 'redis',
ports => '6379',
ipaddresses => hiera('redis_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => $haproxy_member_options,
}
}
$midonet_api_vip = hiera('midonet_api_vip', $controller_virtual_ip)
$midonet_bind_opts = {
"${midonet_api_vip}:8081" => [],
"${public_virtual_ip}:8081" => [],
}
if $midonet_api {
haproxy::listen { 'midonet_api':
bind => $midonet_bind_opts,
collect_exported => false,
}
haproxy::balancermember { 'midonet_api':
listening_service => 'midonet_api',
ports => '8081',
ipaddresses => hiera('midonet_api_node_ips', $controller_hosts_real),
server_names => $controller_hosts_names_real,
options => $haproxy_member_options,
class { '::tripleo::keepalived':
controller_virtual_ip => $controller_virtual_ip,
control_virtual_interface => $public_virtual_interface,
public_virtual_interface => $public_virtual_interface,
public_virtual_ip => $public_virtual_ip,
internal_api_virtual_ip => $internal_api_virtual_ip,
storage_virtual_ip => $storage_virtual_ip,
storage_mgmt_virtual_ip => $storage_mgmt_virtual_ip,
}
}
}

45
manifests/loadbalancer/endpoint.pp
View File

@ -84,37 +84,18 @@ define tripleo::loadbalancer::endpoint (
$public_certificate = undef,
$internal_certificate = undef,
) {
if $public_virtual_ip {
# service exposed to the public network
if $public_certificate {
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
} else {
# internal service only
$public_bind_opts = {}
}
if $internal_certificate {
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
$bind_opts = merge($internal_bind_opts, $public_bind_opts)
haproxy::listen { "${name}":
bind => $bind_opts,
collect_exported => false,
mode => $mode,
options => $listen_options,
}
haproxy::balancermember { "${name}":
listening_service => $name,
ports => $service_port,
ipaddresses => $ip_addresses,
server_names => $server_names,
options => $member_options,
::tripleo::haproxy::endpoint { $name:
internal_ip => $internal_ip,
service_port => $service_port,
ip_addresses => $ip_addresses,
server_names => $server_names,
member_options => $member_options,
public_virtual_ip => $public_virtual_ip,
mode => $mode,
haproxy_listen_bind_param => $haproxy_listen_bind_param,
listen_options => $listen_options,
public_ssl_port => $public_ssl_port,
public_certificate => $public_certificate,
internal_certificate => $internal_certificate
}
}