These were looking for the wrong names so they were always taking
the default. This broke designate in network-isolation scenarios.
Change-Id: I8cd71520bbd27b83e9a64ee3ecd1ca25bd0ed498
This patch removed listen_options for ODL:
https://review.openstack.org/#/c/562036/
Which introduced a regression where default options were then applied
for ODL, including httpchk. This does not work with ODL because ODL
will not respond to an HTTP GET without specific paths used. This patch
adds the correct path that may be used to issue HTTP backend check.
Closes-Bug: 1768037
Change-Id: I60bdfc436044851ac02449c262d382b07b888f79
Signed-off-by: Tim Rozet <trozet@redhat.com>
Currently source based balancing is used for both opendaylight and
opendaylight_ws which results in the load being spread across only 2
backends instead of 3 (as confirmed by scale tests). This commit changes
the haproxy configuration for opendaylight and opendaylight_ws to use
roundrobin which is the default.
Change-Id: Idb4fe3803f69ab7440aaa2997cc4de46c9ac5458
Closes-Bug: 1762518
For OpenDaylight Websocket connections we were not using transparent
binding type with HA Proxy. This means that HA Proxy was not able to
start on nodes that did not have the VIP because it was unable to bind
to that IP on more than one node. However, transparent binding works OK
with OpenDaylight Websocket and should be fine to enable so that HA
Proxy is able to start on every controller.
Closes-Bug: 1764514
Change-Id: I89e6115795ece6735e816ab71b5b552b17f7b943
Signed-off-by: Tim Rozet <trozet@redhat.com>
Currently haproxy for swift doesn't have default settings. This generates config
such as
listen swift_proxy_server
  bind 10.0.0.5:13808 transparent ssl crt /etc/pki/tls/private/overcloud_endpoint.pem
  bind 172.16.1.4:8080 transparent
  option httpchk GET /healthcheck
  timeout client 2m
  timeout server 2m
  server overcloud-controller-0.storage.localdomain 172.16.1.10:8080 check fall 5 inter 2000 rise 2
without
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
  option httplog
This makes it really hard to debug in case of issues.
This patch merges default_listen_options with swift to have config which is
more reliable for debugging.
Closes-Bug: #1764731
Change-Id: I6716499b4a10f3ba39db33d6468c261c58ee373d
This reverts the manifests/haproxy.pp parts of
commit 4c7ca4cbc385fa70438015ebc91b8692c00d46e7.
The reverted commit made it such that you can not set a
hostname as undercloud_public_host in undercloud.conf. This
is required so that the UI can be accessed by hostname
externally as well as to make the Undercloud API accessible
externally. We keep the parts of that change that verify if
the haproxy VIP for pacemaker is a proper IP as it can
happen that a misconfigured network template causes empty
strings and the deploy will fail in a very odd way.
Change-Id: I57eeb2dd26336465627593d633c63b92da42e71d
Closes-Bug: #1763776
TripleO UI endpoint was never enabled in HAproxy because enable_ui is
for instack-undercloud.
It should be tripleo_ui_enabled to follow the pattern with other
services, and be automatically set to True when the service is actually
enabled, which is the case of the containerized undercloud.
For backward compatibility, we'll keep support for enable_ui and use
pick to find which one is defined, otherwise we'll just disable it like
before.
Change-Id: I2f9ef89b6daac2dec4e2af110f5d239a3611f747
OpenStack services are generally http services. The mode for
these endpoints should be http, otherwise logging will fall back
to tcplog.
Change-Id: If3b50718027a4a52df3453feb6fc332d2966ffd0
Closes-Bug: #1759690
While rabbitmq currently does not use haproxy at all, the code for
it inside haproxy is currently wrong.
Let's get this right in case we ever want to put rabbitmq back under
haproxy's balancing
Change-Id: Iaf1f818bdbde000ea3eedf0fb6503f60b3dddf75
Closes-Bug: #1672356
Introduce a new function called is_ip_addresses which will verify
if a string or an array of strings is composed of correct ip addresses.
We do this in order to fail a bit more clearly if we are passed an empty
or broken ip address. Without this the failure will be in pacemaker
failing to start a VIP called 'ip-'.
Also convert the only use of legacy is_ip_address stdlib function in
mysql::client to this new function (for consistency reasons).
Suggested-by: Rhys Oxenham <roxenham@redhat.com>
Change-Id: Ie15c585a9a902b577f35a75de191bfa91c132668
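The check described in the commit above, as an added Ruby model that is not puppet-tripleo's own is_ip_addresses function: it accepts a String or an Array of Strings and fails on empty or malformed entries (and on CIDR notation, an assumption made here) so that a broken network template fails at validation time rather than at pacemaker.

```ruby
require 'ipaddr'

# Added example, not the puppet-tripleo stdlib function: returns true only
# if every element of `value` (a String or an Array of Strings) is a bare
# IPv4 or IPv6 address. An empty list is rejected as well, since it would
# otherwise produce a pacemaker VIP resource named just 'ip-'.
def is_ip_addresses(value)
  list = value.is_a?(Array) ? value : [value]
  return false if list.empty?
  list.all? { |v| ip_address?(v) }
end

# Strict single-address check: non-strings, blank strings and CIDR
# ranges (assumed unwanted for a VIP) are all treated as invalid.
def ip_address?(str)
  return false unless str.is_a?(String)
  return false if str.strip.empty?
  return false if str.include?('/') # e.g. 10.0.0.0/24 is a network, not a VIP
  addr = IPAddr.new(str)
  addr.ipv4? || addr.ipv6?
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass of this
  false
end

# Constructed sample inputs, mirroring a good and a misconfigured template.
if __FILE__ == $PROGRAM_NAME
  puts is_ip_addresses(['172.16.1.4', 'fd00::1'])   # true
  puts is_ip_addresses(['172.16.1.4', ''])          # false: empty VIP string
end
```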
This forces HAProxy to only accept newer versions of TLS, which allows
us to meet FedRAMP requirements.
Change-Id: I14f4de3875a743ee5328b13668790b26cefd8439
Related-Bug: #1754368
This patch reverts the revert of Redis TLS [1], and fixes the
encryption of Redis replication traffic for HA deployments.
In order to encrypt replication traffic, Redis is configured to
drive outgoing replication traffic to a stunnel endpoint on
<localhost:port_xxx>. Stunnel then manages the encryption up to
the peer Redis master.
Likewise, slave Redis nodes advertise themselves as coming from
<localhost:port_yyy> in order to let the Master initiate a connection
to the Slave over its own stunnel endpoint, should it need to.
Each redis node is assigned a unique replication port, and has
dedicated stunnels to each one of its peer. This port mapping
info is used by the redis resource agent to manage A/P failover.
The regular Redis port is unchanged, so Redis clients (OpenStack
services, HAproxy, CLI, firewall) are not impacted by this change.
Only SELinux needs to be adapted.
[1] I37501c4c983c87e3a38841272eb176ebbe626a65
Change-Id: I6cc818973fab25b4cd6f7a0d040aaa05a35c5bb1
Related-bug: #1737707
In 6d55417f80384ead56e176beec9e2fc4eb162d61 cloudwatch api
has been removed from heat.
Change-Id: Ic11d8803bb260fe302da929eda9ec8d547a92176
Depends-On: https://review.openstack.org/541132
Allows enabling TLS for the ODL service as well as OVS.
Partially-Implements: blueprint opendaylight-ssl-support
Depends-On: I719e8dddbd00d19fd8e1bd2a20dabd600b7b9d1c
Change-Id: Id579aea77bf8d679b514ef9851af36d9170e93a1
Signed-off-by: Tim Rozet <trozet@redhat.com>
The problem we have with redis can be described as follows:
- Connection is made to redis via haproxy, where haproxy directs to one redis node
- That chosen redis node fails and a new redis node gets promoted
- HAProxy will send *new* connections to redis to the newly promoted
redis server, but you still have a session active (ie. that has not hit
timeout), so haproxy will attempt to use that connection.
By using 'on-marked-down shutdown-sessions' we make sure we close
old existing sessions when the redis master node changes.
Closes-Bug: #1742086
Tested-By: Marian Krcmarik <mkrcmari@redhat.com>
Change-Id: Ia4d8c27057ee2de9e49e4358aa069571d1c952a9
Add the haproxy_defaults_override parameter so the defaults_options
in haproxy are overridable. Tested by adding the following yaml to
the deployment:
parameter_defaults:
  ExtraConfig:
    tripleo::haproxy::haproxy_defaults_override:
      retries: 7
Observed that haproxy.conf contained the following (retries defaults
to 3):
defaults
  retries 7
Change-Id: I52b8f528e334e4d243ac7f506b9f293dab9f478d
Closes-Bug: #1732176
This patch removes contrail from haproxy, so that the new tripleo haproxy
dynamic endpoint infrastructure can be used.
Change-Id: I4203055e87f9e319c8a27bcd37b3159c15d6c0a3
This patch is to increase the logging for haproxy. Currently HAProxy
doesn't log any events. This patch is to enable http logging when the
mode is http, also enable tcp logging when the mode is tcp.
Closes-Bug: #1713482
Change-Id: Idddb8844d03058d708b65b77efa04ca6571289a6
Port Status in ODL was previously disabled due to bugs which have now
been resolved. This patch enables it via Neutron ML2 conf. Port status
is communicated by ODL through a websocket connection on port 8185.
Therefore we need to enable haproxy to load balance across that port.
Related-Bug: 1718508
Change-Id: Iebdcc6404f5503eeb45b39380b3f198be175514b
Signed-off-by: Tim Rozet <trozet@redhat.com>
This allows to get the full HTTP log (and TCP if not HTTP) from HAProxy,
in case you need any debug from that central point.
In case you want timers for those entries, you might want to use the
already present "$haproxy_globals_override" parameter and set its
content to:
{ 'log' => '/dev/log local0 debug' }
Change-Id: I4667317cbd453875585521b22b0ccbdb208f5353
Closes-Bug: 1733801
This is to enable our existing haproxy & vip management to work as an
external loadbalancer for kubernetes when it's deployed as part of the
overcloud.
Change-Id: I89c63720921db5e9c63536645694f2c35ef8b2f1
This adds a TLS proxy in front of it so it serves TLS in the
internal network.
bp tls-via-certmonger
Change-Id: Id7d487abb65cf17cd65626e582bf4ff950b4395c
EC2-API always returns HTTP code 400 if not properly authorized,
therefore httpchk is not working, since it's expecting an 200 OK.
Changing to tcpka for now, until EC2-API implements a URL that is
suitable for healthchecks.
Change-Id: Ic8ec8cdd4dc59e3768c06912ceb8a91b425b0a06
This adds a TLS proxy in front of it so it serves TLS in the
internal network.
bp tls-via-certmonger
Change-Id: I24d990eccf7affd5f3899338ac96d02d2d47460e
With this resource we can add the values needed for haproxy via t-h-t,
instead of having everything in the haproxy manifest. Right now nothing
is using it, but subsequent and per-service changes will come.
Change-Id: I8ab49c0b8d8f42ce68c0c7fe3ef8067a7d0da3c0
You can either append new options or override existing ones.
This can be particularly useful in case you want to set your own log
options, for example.
Change-Id: I19005b7e70e624d3b64b6c2ac8eaadfdec3944db
Closes-Bug: 1721246
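The option-merging behaviour these commits rely on (default_listen_options merged into the swift listen block, haproxy_defaults_override merged over the defaults, and the append-or-override semantics above), as an added Ruby model that is not puppet-tripleo's own manifest code; the hash layout and the render_listen helper are assumptions made here.

```ruby
# Added example, not puppet-tripleo code: a small model of how a per-service
# option hash is merged over shared defaults and rendered into an haproxy
# "listen" block. Keys are haproxy keywords; a value is a String, or an Array
# when the keyword repeats (e.g. several "option" or "http-request" lines).
DEFAULT_LISTEN_OPTIONS = {
  'option'         => ['httpchk GET /healthcheck', 'httplog'],
  'http-request'   => ['set-header X-Forwarded-Proto https if { ssl_fc }',
                       'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
  'timeout client' => '2m',
  'timeout server' => '2m',
}.freeze

# Same semantics as a Puppet hash merge: a key present in `overrides`
# replaces the default value, a key absent from the defaults is appended.
def merge_listen_options(defaults, overrides)
  defaults.merge(overrides)
end

# Renders one listen section: binds first, then options, then servers.
def render_listen(name, binds, servers, options)
  lines = ["listen #{name}"]
  binds.each { |b| lines << "  bind #{b}" }
  options.each do |keyword, value|
    Array(value).each { |v| lines << "  #{keyword} #{v}" }
  end
  servers.each { |s| lines << "  server #{s}" }
  lines.join("\n")
end

# Constructed sample: the swift block from the commit above, this time
# built on top of the defaults so the X-Forwarded-Proto and httplog lines
# are present, with one timeout overridden for the service.
if __FILE__ == $PROGRAM_NAME
  opts = merge_listen_options(DEFAULT_LISTEN_OPTIONS, { 'timeout client' => '5m' })
  puts render_listen('swift_proxy_server',
                     ['172.16.1.4:8080 transparent'],
                     ['overcloud-controller-0.storage.localdomain 172.16.1.10:8080 check fall 5 inter 2000 rise 2'],
                     opts)
end
```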