Loadbalance keystone's admin endpoints towards the internal backends

Instead of trying to loadbalance keystone's admin endpoint frontends
towards the backends of the same network, we forward them towards the
IPs where the public/internal endpoints are listening.

This way we definitely don't use the admin endpoint (a step towards
getting rid of it), and we won't get SSL host failures when trying to
access the one single endpoint.

Change-Id: I577373b5ff110c47bc4dc350ca753b7a1957554f
Juan Antonio Osorio Robles 2019-01-23 07:41:52 +02:00
parent a71e9f8074
commit 7de34bf57d


@ -908,11 +908,14 @@ class tripleo::haproxy (
} }
if $keystone_admin { if $keystone_admin {
# NOTE(jaosorior): Given that the admin endpoint is in the same vhost
# nowadays as the public/internal one. We can just loadbalance towards the
# same IP.
::tripleo::haproxy::endpoint { 'keystone_admin': ::tripleo::haproxy::endpoint { 'keystone_admin':
internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip), internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
service_port => $ports[keystone_admin_api_port], service_port => $ports[keystone_admin_api_port],
ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real), ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real), server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
mode => 'http', mode => 'http',
listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }), listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
service_network => $keystone_admin_network, service_network => $keystone_admin_network,