156 Commits

Author SHA1 Message Date
Zuul
e68abd6abf Merge "Add Octavia API endpoint to haproxy" 2017-11-29 15:08:32 +00:00
Zuul
357b619014 Merge "Change haproxy check to tcpka for ec2_api" 2017-11-27 18:39:53 +00:00
Brent Eagles
c410f608ca Add Octavia API endpoint to haproxy
This patch adds an endpoint for Octavia API to haproxy.

Closes-Bug: #1728589

Change-Id: I978b83fa5f3900d2f09c2affc59e90e150a42892
2017-11-23 08:15:34 -03:30
Cédric Jeanneret
323cd64c58 Added new parameter: $activate_httplog
This allows getting the full HTTP log (and TCP if not HTTP) from HAProxy,
in case you need any debugging from that central point.

In case you want timers for those entries, you might want to use the
already present "$haproxy_globals_override" parameter and set its
content to:
{ 'log' => '/dev/log local0 debug'  }

Change-Id: I4667317cbd453875585521b22b0ccbdb208f5353
Closes-Bug: 1733801
2017-11-22 21:33:38 +01:00
Zuul
2b80eeb55e Merge "Add resource to create haproxy endpoints dynamically" 2017-11-22 19:33:23 +00:00
Zuul
2045d83811 Merge "Add kubernetes API to haproxy LB configuration" 2017-11-21 20:21:52 +00:00
Steven Hardy
5cac7936ad Add kubernetes API to haproxy LB configuration
This is to enable our existing haproxy & vip management to work as an
external loadbalancer for kubernetes when it's deployed as part of the
overcloud.

Change-Id: I89c63720921db5e9c63536645694f2c35ef8b2f1
2017-11-17 15:09:49 +00:00
Zuul
648c5a91b3 Merge "Add TLS for ec2api metadata service" 2017-11-15 21:17:27 +00:00
Zuul
1c3f8a9263 Merge "Add TLS for ec2api service" 2017-11-13 11:26:25 +00:00
Zuul
11521f29c4 Merge "HAproxy should get full response from ironic-inspector" 2017-11-11 23:40:30 +00:00
Rajesh Tailor
df9f68f206 Add TLS for ec2api metadata service
This adds a TLS proxy in front of it so it serves TLS in the
internal network.

bp tls-via-certmonger

Change-Id: Id7d487abb65cf17cd65626e582bf4ff950b4395c
2017-11-08 11:45:47 +05:30
Sven Anderson
b8456e5cee Change haproxy check to tcpka for ec2_api
EC2-API always returns HTTP code 400 if not properly authorized,
therefore httpchk is not working, since it's expecting a 200 OK.
Changing to tcpka for now, until EC2-API implements a URL that is
suitable for healthchecks.

Change-Id: Ic8ec8cdd4dc59e3768c06912ceb8a91b425b0a06
2017-11-03 18:03:39 +01:00
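The check change above, shown as HAProxy configuration. This is an added illustration, not puppet-tripleo's generated haproxy.cfg; the VIP, backend address, port and check path are assumptions. Note that `option tcpka` only enables TCP keepalives on the sockets; the health check falls back to a plain TCP connect once `option httpchk` is gone, so a process that accepts connections but no longer answers HTTP stays in rotation. A third block shows the alternative of keeping the HTTP probe and accepting the 400 that an unauthenticated request produces.

```haproxy
# Added example; addresses, ports and the probe path are assumptions.

# Before: httpchk treats anything outside 2xx/3xx as a failure, so the
# 400 that ec2-api returns to an unauthenticated probe marks it DOWN.
listen ec2_api_httpchk
  bind 192.0.2.10:8788
  mode http
  option httpchk GET /
  server controller-0 10.0.0.11:8788 check inter 2000 rise 2 fall 5

# The commit's change: without httpchk, "check" is a TCP connect test.
# tcpka itself only turns on keepalives for client and server sockets.
listen ec2_api_tcpka
  bind 192.0.2.10:8788
  mode http
  option tcpka
  server controller-0 10.0.0.11:8788 check inter 2000 rise 2 fall 5

# Alternative: keep the HTTP probe and declare 400 as the healthy answer,
# so a hung worker that no longer speaks HTTP is still taken out.
listen ec2_api_expect
  bind 192.0.2.10:8788
  mode http
  option httpchk GET /
  http-check expect status 400
  server controller-0 10.0.0.11:8788 check inter 2000 rise 2 fall 5
```

`http-check expect` has been available since HAProxy 1.5; it is the usual way to probe an API whose unauthenticated response is deliberately not 200.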
Rajesh Tailor
24a3e20eed Add TLS for ec2api service
This adds a TLS proxy in front of it so it serves TLS in the
internal network.

bp tls-via-certmonger
Change-Id: I24d990eccf7affd5f3899338ac96d02d2d47460e
2017-11-01 18:30:11 +05:30
Juan Antonio Osorio Robles
7ff44712c1 Add resource to create haproxy endpoints dynamically
With this resource we can add the values needed for haproxy via t-h-t,
instead of having everything in the haproxy manifest. Right now nothing
is using it, but subsequent and per-service changes will come.

Change-Id: I8ab49c0b8d8f42ce68c0c7fe3ef8067a7d0da3c0
2017-10-09 09:12:48 +02:00
Cédric Jeanneret
e62efd0782 Allow overriding HAProxy global options.
You can either append new options or override existing ones.

This can be particularly useful in case you want to set your own log
options, for example.

Change-Id: I19005b7e70e624d3b64b6c2ac8eaadfdec3944db
Closes-Bug: 1721246
2017-10-06 08:35:24 +02:00
Cédric Jeanneret
33479418ee Added new parameter for HAProxy configuration
This allows setting the socket access level to "admin" instead of the
default "user".
This "admin" access adds the capability to interact with HAProxy in
order to manage its configuration, at least temporarily.

This change keeps the default "user" access level, as "admin" might
break things if misused.

Change-Id: I1a4612b9f8aacc410b48a04dac3bf300bbb0e08e
Closes-bug: #1716692
2017-09-12 18:38:19 +02:00
Martin André
2d1d7875aa Use TLS proxy for Redis' internal TLS
This uses the tls_proxy resource in front of the Redis server when
internal TLS is enabled.

bp tls-via-certmonger

Co-Authored-By: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: Ia50933da9e59268b17f56db34d01dcc6b6c38147
2017-08-31 05:27:55 +00:00
Lukas Bezdicka
93ae3c9595 HAproxy should get full response from ironic-inspector
Ironic-inspector spams the logs with errors if we don't get the full
response. If ironic-inspector answers something with 200 it should
be fine.

Change-Id: I464cdd139fb93ce7cd19fc5ac5960f302ae1a9f4
Closes-Bug: #1691971
Resolves: rhbz#1477663
2017-08-24 00:15:03 +02:00
Pradeep Kilambi
5064677dda Fix panko port to match tht
In templates we use 13977 as the port for panko. The
old 13779 is reserved for trove so it conflicts.

Closes-bug: #1712566

Change-Id: I77444199eef6c2b9abbd819829b4fea2d698e2db
2017-08-23 12:55:21 +00:00
Jenkins
c34163c79b Merge "Add TLS for nova metadata service" 2017-08-19 03:06:40 +00:00
Jenkins
e04633fab8 Merge "Create separate resource for HAProxy horizon endpoint" 2017-08-18 15:23:27 +00:00
Juan Antonio Osorio Robles
264f22835a Add TLS for nova metadata service
This adds a TLS proxy in front of it so it serves TLS in the internal
network.

bp tls-via-certmonger

Change-Id: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
2017-08-17 17:29:32 +00:00
Juan Antonio Osorio Robles
3959f24862 Create separate resource for HAProxy horizon endpoint
This removes clutter from the main haproxy manifest and allows TLS in
the internal network as well. Trying to keep the previous behavior.

bp tls-via-certmonger-containers
Change-Id: I1a68771cc7be7fb2b32abbad81db7890bd2c5502
2017-08-17 13:29:03 +00:00
Juan Antonio Osorio Robles
5222b8d920 Remove extra keystone admin haproxy listen and allow TLS
The current code exposes an unused public listen directive in HAProxy
for the keystone admin endpoint. This is not ideal and should be
removed, as it exposes the service unnecessarily. We should stick to
just exposing it to the ctlplane network as is the default.

If folks really need to expose it to the public network, they can do so
by modifying the ServiceNetMap through t-h-t and setting the keystone
admin endpoint's network to external.

Now, for "single" or "internal" haproxy endpoints, this adds the ability
to detect if they're using the external network, and thus use TLS on it.
Which is something a deployer would want if they exposed the keystone
admin endpoint in such a way.

Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
Closes-Bug: #1710909
Closes-Bug: #1639996
2017-08-16 08:07:00 +03:00
Jenkins
ee2a53afb1 Merge "Enable TLS for the HAProxy stats interface" 2017-07-31 19:32:33 +00:00
Jenkins
48ead62f6f Merge "Prevent haproxy from running iptables during docker-puppet configuration" 2017-07-31 15:26:19 +00:00
Juan Antonio Osorio Robles
e51e796920 Enable TLS for the HAProxy stats interface
This creates a new class for the stats interface and further
configures it to also use the certificates that are provided by
certmonger (via the internal_certificates_specs variable).

Note that the already existing haproxy_stats_certificate still works and
will take precedence if it's set.

bp tls-via-certmonger

Change-Id: Iea65d91648ab13dbe6ec20241a1a7c95ce856e3e
2017-07-31 13:30:14 +00:00
Thomas Herve
01ae503525 Handle SSL options for Zaqar
This allows running Zaqar with SSL under Apache.

Change-Id: I4c68a662c2433398249f770ac50ba0791449fe71
2017-07-27 18:59:52 +00:00
Damien Ciabrini
50f160a148 Prevent haproxy from running iptables during docker-puppet configuration
When docker-puppet runs module tripleo::haproxy to generate haproxy
configuration file, and tripleo::firewall::manage_firewall is true,
iptables is called to set up firewall rules for the proxied services
and fails due to lack of NET_ADMIN capability.

Make the generation of firewall rule configurable by exposing a
new argument to the puppet module. That way, firewall management can
be temporarily disabled when being run through docker-puppet.

Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9
Partial-Bug: #1697921
2017-07-27 18:59:30 +00:00
Jenkins
152d224c73 Merge "Contrail: Fix controlplane/dataplane network assignments & enable optional dpdk" 2017-07-14 23:44:24 +00:00
Michael Henkel
8b9e2b3c6c Contrail: Fix controlplane/dataplane network assignments & enable optional dpdk
This patch will move the Contrail roles communication towards
OpenStack APIs from the public/external network to the
internal_api network. It will also add the option to enable
dpdk for Contrail.

Change-Id: Ia835df656031cdf28de20f41ec6ab1c028dced23
Closes-Bug: 1698422
2017-07-05 22:52:58 +02:00
Rob Crittenden
90eed9d6a0 Merge the nova HAproxy TLS options
This makes sure that we set the necessary options so HAProxy uses TLS
to contact nova.  It was commented out when nova was moved to not run
over httpd. Since that is no longer the case we can re-enable it.

Change-Id: I026a7dab30b00a4e93966f650f098c570b0b624b
Depends-On: Iac35b7ddcd8a800901548c75ca8d5083ad17e4d3
2017-06-28 15:50:40 -04:00
Jenkins
dc70e9dfbc Merge "Make enabling haproxy stats interface configurable" 2017-06-21 13:35:20 +00:00
Juan Antonio Osorio Robles
e1abfd7e6c Make enabling haproxy stats interface configurable
Some people might or might not want to enable it. So this makes it
configurable. It defaults to true as we were always deploying it before.

Change-Id: I8d2a08cdaf3e5ec3d1a69d4f95e57522508c8610
2017-06-20 18:50:12 +03:00
Mike Bayer
7e6924c436 Add maxconn parameter to MySQL / HAProxy
Allows configurability of maxconn as applies to
the MySQL section of the HAProxy config, both
for clustercheck and single node.

Also adds a new test for the haproxy class
overall to exercise options.

Change-Id: I023682dd5e85cc78d6dd3e5214a53863acc4f303
2017-06-20 10:48:43 -04:00
Jenkins
65fe0404ae Merge "Fix the port for Panko API" 2017-06-19 18:29:47 +00:00
Juan Antonio Osorio Robles
192463755b For http service endpoints always redirect to https
If public TLS is enabled, this sets as default that services should
always redirect to https.

Change-Id: I19b9d07ac8925366ed27fefcaca4fdb9a9ab1b37
2017-06-16 12:53:59 +03:00
Jenkins
bf48a735ca Merge "Remove condition to match hdr(host) in haproxy redirect rule" 2017-06-14 09:43:03 +00:00
Ryan O'Hara
2606a4e66f Remove condition to match hdr(host) in haproxy redirect rule
The horizon proxy should redirect all HTTP requests to HTTPS,
regardless of the 'Host' field in the header. The current rule will
cause haproxy to redirect HTTP requests if the 'Host' field contains
the public virtual IP address. It will not redirect if the 'Host'
field contains a hostname, FQDN, etc.

Change-Id: I6c8f58a30f97cdf4c668734793197ea976297733
Signed-off-by: Ryan O'Hara <rohara@redhat.com>
2017-06-12 08:23:09 +00:00
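The redirect rule described above, before and after, as an added HAProxy example rather than the project's generated configuration. The VIP, certificate path and backend are assumptions. The point is that a Host-header match is the wrong guard for a security redirect: a client that reaches the VIP through any other name, a public FQDN, an internal hostname or a spoofed header, would have been served over plaintext. The `ssl_fc` fetch answers the only question that matters, whether this connection was already terminated over TLS.

```haproxy
# Added example; VIP, certificate path and backend are assumptions.

# Before: the redirect fires only when Host is literally the VIP.
# https://overcloud.example.com/ or any FQDN bypasses it.
listen horizon_before
  bind 192.0.2.10:80
  bind 192.0.2.10:443 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  redirect scheme https code 301 if { hdr(host) -i 192.0.2.10 } !{ ssl_fc }
  server controller-0 10.0.0.11:80 check

# After: every request that did not arrive over TLS is redirected,
# whatever the Host header says.
listen horizon_after
  bind 192.0.2.10:80
  bind 192.0.2.10:443 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http
  redirect scheme https code 301 if !{ ssl_fc }
  server controller-0 10.0.0.11:80 check
```

A quick check after deploying: `curl -sI -H 'Host: anything.example' http://<vip>/` should return a 301 with a `Location: https://...` header; with the old rule it returned the dashboard over HTTP.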
Juan Antonio Osorio Robles
c8d2a1133e Use CRL for HAProxy
This sets up the CRL file to be triggered on the certmonger_user
resource. Further, HAProxy uses this CRL file in the member options,
thus effectively enabling revocation for proxied nodes.

So, if a certificate has been revoked by the CA, HAProxy will not proxy
requests to it.

bp tls-via-certmonger

Change-Id: I4f1edc551488aa5bf6033442c4fa1fb0d3f735cd
2017-06-08 16:57:18 +03:00
ZhongShengping
6b0084c85d Fix the port for Panko API
The port used for Panko conflicts with Trove[1]. According to the
official documentation[2] this should be 8777. The 8777 port has been
occupied by ceilometer. So set the panko api port to 8977.

[1]https://github.com/openstack/trove/blob/master/etc/apache2/trove#L20
[2]https://docs.openstack.org/developer/panko/install/manual.html#installing-the-api-server

Change-Id: I5ccfc97765fc8b8bf9686b2451eda9c44c77dffc
Closes-Bug: #1691283
Depends-On: I53b286d1d6466b574fdb286cc45f3138f96dff59
2017-06-08 08:56:51 +08:00
Babu Shanmugam
48a6a0985d Pacemaker support for OVN DB servers
This patch enables OVN DB servers to be started in master/slave
mode in the pacemaker cluster.

A virtual IP resource is created first and then the pacemaker OVN OCF
resource - "ovn:ovndb-servers" is created. The OVN OCF resource is
configured to be colocated with the vip resource. The ovn-controller and
Neutron OVN ML2 mechanism driver which depends on OVN DB servers will
always connect to the vip address on which the master OVN DB servers
listen on.

The OVN OCF resource itself takes care of (re)starting ovn-northd service
on the master node and we don't have to manage it.

When HA is enabled for OVN DB servers, haproxy does not configure the OVN DB
servers in its configuration.

This patch requires OVS 2.7 in the overcloud.

Co-Authored-By: Numan Siddique <nusiddiq@redhat.com>
Change-Id: I9dc366002ef5919339961e5deebbf8aa815c73db
Partial-bug: #1670564
2017-06-01 11:54:53 +05:30
Jenkins
baecff6c3c Merge "Enable internal network TLS for etcd" 2017-04-25 17:33:53 +00:00
Jenkins
2abcfb46d2 Merge "Allow configuring the haproxy daemon's status" 2017-04-21 13:39:13 +00:00
Michele Baldessari
84d3a82476 Allow configuring the haproxy daemon's status
Currently we hard-code the fact that haproxy starts as a daemon.
When running haproxy in a container we need this to be configurable
because the haproxy process will be pid number 1.

We are not changing the current semantics which have the 'daemon'
option always set, but we are allowing its disabling.

Change-Id: I51c482b70731f15fee4025bbce14e46a49a49938
2017-04-19 12:58:35 +02:00
Juan Antonio Osorio Robles
c372d01a94 Haproxy: When using TLS everywhere, use verifyhost for the balancermembers
This checks that the subjectAltName in the backend server's certificate
matches the server's name that was intended to be used.

Change-Id: If1c61e1becf9cc84c9b18835aef1eaaa8c0d4341
2017-04-18 14:51:03 +03:00
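The two backend TLS hardening steps in this log, the CRL on the member options (c8d2a1133e above) and `verifyhost` on the balancer members (this commit), shown together in one HAProxy server line. This is an added example, not puppet-tripleo's output; the CA and CRL paths, hostnames and ports are assumptions. Both keywords only take effect together with `verify required`: with `verify none` the CA file and CRL are never consulted, and without `verifyhost` a certificate that chains to the CA but was issued for a different host (or for a backend that has since been re-addressed) is still accepted.

```haproxy
# Added example; paths, names and ports are assumptions.
listen keystone_internal
  bind 192.0.2.20:5000 ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  mode http

  # Weak: re-encrypts to the backend but accepts any certificate at all.
  # server controller-0 10.0.0.11:5000 check ssl verify none

  # Hardened:
  #   verify required  - reject backends whose chain does not validate
  #   ca-file          - the internal CA that issued the backend certs
  #   crl-file         - refuse certificates the CA has since revoked
  #   verifyhost       - require the SAN (CN fallback) to match this name,
  #                      even though the member is addressed by IP
  server controller-0 10.0.0.11:5000 check ssl verify required ca-file /etc/ipa/ca.crt crl-file /etc/pki/CA/crl/overcloud-crl.pem verifyhost overcloud-controller-0.internalapi.localdomain
```

Two operational caveats: the CRL file must be refreshed and HAProxy reloaded when the CA publishes a new one (the commit ties this to the certmonger_user resource), since a stale CRL silently keeps revoked members in rotation; and revoking a backend's certificate does not affect connections that are already established, only new ones.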
Emilien Macchi
6cb95e6a69 HAproxy/heat_api: increase timeout to 10m
The default timeout is 2 minutes, but it doesn't reflect the rpc_response_timeout
value that we set in THT and instack-undercloud, which is 600 (10 min).

In some cases (in low-memory environments), Heat needs more than 2
minutes to reply to the client, when deploying the overcloud.
It makes sense to increase the timeout to the value of rpc_timeout to
give a chance to Heat to reply to the client, otherwise HAproxy will
kill the connection and send 504 to the client.

Depends-On: I9669d40d86d762101734704fcef153e360767690
Change-Id: I32c71fe7930c8798d306046d6933e4b20c22740c
Related-Bug: 1666072
2017-04-17 21:07:36 +00:00
Feng Pan
60d187ee0b Enable internal network TLS for etcd
bp secure-etcd

Change-Id: I0759deef7cbcf13b9056350e92f01afd33e9c649
Signed-off-by: Feng Pan <fpan@redhat.com>
2017-04-12 08:28:02 +00:00
Juan Antonio Osorio Robles
39568b17ad etcd: Make HAProxy terminate TLS connections
When TLS is enabled for the internal network, HAProxy needs to handle
etcd's TLS termination. Else it will use plain text.

bp secure-etcd

Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
2017-04-10 15:08:18 -04:00
Jenkins
b8a11a5d80 Merge "Adding listen_options for Contrail Webui https in haproxy" 2017-04-07 18:45:48 +00:00