322 lines
13 KiB
Puppet
322 lines
13 KiB
Puppet
# Copyright 2014 Red Hat, Inc.
|
|
# All Rights Reserved.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
# == Class: tripleo::haproxy::endpoint
|
|
#
|
|
# Configure a HAProxy listen endpoint
|
|
#
|
|
# [*internal_ip*]
|
|
# The IP in which the proxy endpoint will be listening in the internal
|
|
# network.
|
|
#
|
|
# [*service_port*]
|
|
# The default port on which the endpoint will be listening.
|
|
#
|
|
# [*member_options*]
|
|
# Options for the balancer member, specified after the server declaration.
|
|
# These should go in the member's configuration block.
|
|
#
|
|
# [*use_backend_syntax*]
|
|
# (optional) When set to true, generate a config with frontend and
|
|
# backend sections, otherwise use listen sections.
|
|
# Defaults to lookup('haproxy_backend_syntax', undef, undef, false)
|
|
#
|
|
# [*haproxy_port*]
|
|
# An alternative port, on which haproxy will listen for incoming requests.
|
|
# Defaults to service_port.
|
|
#
|
|
# [*base_service_name*]
|
|
# In cases where the service name doesn't match the endpoint name, you can
|
|
# specify this option in order to get an appropriate value for $ip_addresses
|
|
# and $server_names. So, this will be used in hiera to derive these, if set.
|
|
# Defaults to undef
|
|
#
|
|
# [*ip_addresses*]
|
|
# The ordered list of IPs to be used to contact the balancer member.
|
|
# Defaults to lookup("${name}_node_ips", undef, undef, undef)
|
|
#
|
|
# [*server_names*]
|
|
# The names of the balancer members, which usually should be the hostname.
|
|
# Defaults to lookup("${name}_node_names", undef, undef, undef)
|
|
#
|
|
# [*public_virtual_ip*]
|
|
# Address in which the proxy endpoint will be listening in the public network.
|
|
# If this service is internal only this should be omitted.
|
|
# Defaults to undef.
|
|
#
|
|
# [*mode*]
|
|
# HAProxy mode in which the endpoint will be listening. This can be undef,
|
|
# tcp, http or health.
|
|
# Defaults to undef.
|
|
#
|
|
# [*haproxy_listen_bind_param*]
|
|
# A list of params to be added to the HAProxy listener bind directive.
|
|
# Defaults to undef.
|
|
#
|
|
# [*listen_options*]
|
|
# Options specified for the listening service's configuration block (in
|
|
# HAproxy terms, the frontend).
|
|
# defaults to {'option' => []}
|
|
#
|
|
# [*frontend_options*]
|
|
# Options specified for the frontend service's configuration block
|
|
# defaults to {'option' => []}
|
|
#
|
|
# [*backend_options*]
|
|
# Options specified for the service's backend configuration block
|
|
# defaults to {'option' => []}
|
|
#
|
|
# [*public_ssl_port*]
|
|
# The port used for the public proxy endpoint if it differs from the default
|
|
# one. This is used only if SSL is enabled, and it's used in order to avoid
|
|
# overriding with the internal proxy endpoint (which could happen if they were
|
|
# in the same network).
|
|
# Defaults to undef.
|
|
#
|
|
# [*public_certificate*]
|
|
# Certificate path used to enable TLS for the public proxy endpoint.
|
|
# Defaults to undef.
|
|
#
|
|
# [*use_internal_certificates*]
|
|
# Flag that indicates if we'll use an internal certificate for this specific
|
|
# service. When set, enables SSL on the internal API endpoints using the file
|
|
# that certmonger is tracking; this is derived from the network the service is
|
|
# listening on.
|
|
# Defaults to false
|
|
#
|
|
# [*internal_certificates_specs*]
|
|
# A hash that should contain the specs that were used to create the
|
|
# certificates. As the name indicates, only the internal certificates will be
|
|
# fetched from here. And the keys should follow the following pattern
|
|
# "haproxy-<network name>". The network name should be as it was defined in
|
|
# tripleo-heat-templates.
|
|
# Note that this is only taken into account if the $use_internal_certificates
|
|
# flag is set.
|
|
# Defaults to {}
|
|
#
|
|
# [*service_network*]
|
|
# (optional) Indicates the network that the service is running on. Used for
|
|
# fetching the certificate for that specific network.
|
|
# Defaults to undef
|
|
#
|
|
# [*authorized_userlist*]
|
|
# (optional) Userlist that may access the endpoint. Activate Basic Authentication.
|
|
# You'll need to create a tripleo::haproxy::userlist in order to use that option.
|
|
# Defaults to undef
|
|
#
|
|
# [*sticky_sessions*]
|
|
# (optional) Enable sticky sessions for this frontend using a cookie
|
|
#
|
|
# [*session_cookie*]
|
|
# (optional) Cookie name to use for sticky sessions. This should be different
|
|
# for each service using sticky sessions.
|
|
#
|
|
define tripleo::haproxy::endpoint (
|
|
$internal_ip,
|
|
$service_port,
|
|
$member_options,
|
|
$use_backend_syntax = lookup('haproxy_backend_syntax', undef, undef, false),
|
|
$haproxy_port = undef,
|
|
$base_service_name = undef,
|
|
$ip_addresses = lookup("${name}_node_ips", undef, undef, undef),
|
|
$server_names = lookup("${name}_node_names", undef, undef, undef),
|
|
$public_virtual_ip = undef,
|
|
$mode = undef,
|
|
$haproxy_listen_bind_param = undef,
|
|
$listen_options = {
|
|
'option' => [],
|
|
},
|
|
$frontend_options = {
|
|
'option' => [],
|
|
},
|
|
$backend_options = {
|
|
'option' => [],
|
|
},
|
|
$public_ssl_port = undef,
|
|
$public_certificate = undef,
|
|
$use_internal_certificates = false,
|
|
$internal_certificates_specs = {},
|
|
$service_network = undef,
|
|
$authorized_userlist = undef,
|
|
$sticky_sessions = false,
|
|
$session_cookie = 'STICKYSESSION',
|
|
) {
|
|
|
|
if $haproxy_port {
|
|
$haproxy_port_real = $haproxy_port
|
|
$service_port_real = $service_port
|
|
} else {
|
|
$haproxy_port_real = $service_port
|
|
$service_port_real = $service_port
|
|
}
|
|
|
|
if $base_service_name {
|
|
$ip_addresses_real = lookup("${base_service_name}_node_ips", undef, undef, undef)
|
|
} else {
|
|
$ip_addresses_real = $ip_addresses
|
|
}
|
|
if $base_service_name {
|
|
$server_names_real = lookup("${base_service_name}_node_names", undef, undef, undef)
|
|
} else {
|
|
$server_names_real = $server_names
|
|
}
|
|
# Let users override the options on a per-service basis
|
|
$custom_options = lookup("tripleo::haproxy::${name}::options", undef, undef, undef)
|
|
$custom_frontend_options = lookup("tripleo::haproxy::${name}::frontend_options", undef, undef, undef)
|
|
$custom_backend_options = lookup("tripleo::haproxy::${name}::backend_options", undef, undef, undef)
|
|
$custom_bind_options_public = delete(
|
|
any2array(lookup("tripleo::haproxy::${name}::public_bind_options", undef, undef, undef)),
|
|
undef).flatten()
|
|
$custom_bind_options_internal = delete(
|
|
any2array(lookup("tripleo::haproxy::${name}::internal_bind_options", undef, undef, undef)),
|
|
undef).flatten()
|
|
if $public_virtual_ip {
|
|
# service exposed to the public network
|
|
|
|
if $public_certificate {
|
|
if $mode == 'http' {
|
|
$tls_listen_options = {
|
|
'http-response' => 'replace-header Location http://(.*) https://\\1',
|
|
'redirect' => "scheme https code 301 if { hdr(host) -i ${public_virtual_ip} } !{ ssl_fc }",
|
|
}
|
|
$listen_options_precookie = merge($tls_listen_options, $listen_options, $custom_options)
|
|
$frontend_options_precookie = merge($tls_listen_options, $frontend_options, $custom_frontend_options)
|
|
} else {
|
|
$listen_options_precookie = merge($listen_options, $custom_options)
|
|
$frontend_options_precookie = merge($frontend_options, $custom_frontend_options)
|
|
}
|
|
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${public_ssl_port}"),
|
|
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate], $custom_bind_options_public))
|
|
} else {
|
|
$listen_options_precookie = merge($listen_options, $custom_options)
|
|
$frontend_options_precookie = merge($frontend_options, $custom_frontend_options)
|
|
$public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${haproxy_port_real}"),
|
|
union($haproxy_listen_bind_param, $custom_bind_options_public))
|
|
}
|
|
} else {
|
|
# internal service only
|
|
$public_bind_opts = {}
|
|
$listen_options_precookie = merge($listen_options, $custom_options)
|
|
$frontend_options_precookie = merge($frontend_options, $custom_frontend_options)
|
|
}
|
|
if $sticky_sessions {
|
|
$cookie_options = {
|
|
'cookie' => "${session_cookie} insert indirect nocache",
|
|
}
|
|
$listen_options_real = merge($listen_options_precookie, $cookie_options)
|
|
$frontend_options_real = merge($frontend_options_precookie, $cookie_options)
|
|
} else {
|
|
$listen_options_real = $listen_options_precookie
|
|
$frontend_options_real = $frontend_options_precookie
|
|
}
|
|
if $use_internal_certificates {
|
|
if !$service_network {
|
|
fail("The service_network for this service is undefined. Can't configure TLS for the internal network.")
|
|
}
|
|
|
|
if $service_network == 'external' and $public_certificate {
|
|
# NOTE(jaosorior): This service has been configured to use the external
|
|
# network. We should use the public certificate in this case.
|
|
$internal_cert_path = $public_certificate
|
|
} else {
|
|
# NOTE(jaosorior): This service is configured for the internal network.
|
|
# We use the certificate spec hash. The key of the
|
|
# internal_certificates_specs hash must must match the convention
|
|
# haproxy-<network name> or else this will fail. Further, it must
|
|
# contain the path that we'll use under 'service_pem'.
|
|
$internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
|
|
}
|
|
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
|
|
union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path],
|
|
$custom_bind_options_internal))
|
|
} else {
|
|
if $service_network == 'external' and $public_certificate {
|
|
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
|
|
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate],
|
|
$custom_bind_options_internal))
|
|
} else {
|
|
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
|
|
union($haproxy_listen_bind_param, $custom_bind_options_internal))
|
|
}
|
|
}
|
|
if $authorized_userlist {
|
|
$access_rules = {
|
|
'acl' => "acl Auth${name} http_auth(${authorized_userlist})",
|
|
'http-request' => "auth realm ${name} if !Auth${name}",
|
|
}
|
|
if $use_backend_syntax {
|
|
Haproxy::Frontend[$name] {
|
|
require => Tripleo::Haproxy::Userlist[$authorized_userlist],
|
|
}
|
|
} else {
|
|
Haproxy::Listen[$name] {
|
|
require => Tripleo::Haproxy::Userlist[$authorized_userlist],
|
|
}
|
|
}
|
|
} else {
|
|
$access_rules = {}
|
|
}
|
|
|
|
$_real_options = merge($listen_options_real, $access_rules)
|
|
$_real_frontend_options = merge($frontend_options_real, $access_rules,
|
|
{ 'default_backend' => "${name}_be" })
|
|
|
|
$bind_opts = merge($internal_bind_opts, $public_bind_opts)
|
|
|
|
if $use_backend_syntax {
|
|
haproxy::frontend { "${name}":
|
|
bind => $bind_opts,
|
|
collect_exported => false,
|
|
mode => $mode,
|
|
options => $_real_frontend_options,
|
|
}
|
|
haproxy::backend { "${name}_be":
|
|
mode => $mode,
|
|
options => merge($backend_options, $custom_backend_options),
|
|
}
|
|
$listening_service = "${name}_be"
|
|
} else {
|
|
haproxy::listen { "${name}":
|
|
bind => $bind_opts,
|
|
collect_exported => false,
|
|
mode => $mode,
|
|
options => $_real_options,
|
|
}
|
|
$listening_service = "${name}"
|
|
}
|
|
if $sticky_sessions {
|
|
hash(zip($ip_addresses_real, $server_names_real)).each | $ip, $server | {
|
|
# We need to be sure the IP (IPv6) don't have colons
|
|
# which is a reserved character to reference manifests
|
|
$non_colon_ip = regsubst($ip, ':', '-', 'G')
|
|
haproxy::balancermember { "${name}_${non_colon_ip}_${server}":
|
|
listening_service => $listening_service,
|
|
ports => "${service_port_real}",
|
|
ipaddresses => $ip,
|
|
server_names => $server,
|
|
options => union($member_options, ["cookie ${server}"]),
|
|
}
|
|
}
|
|
} else {
|
|
haproxy::balancermember { "${name}":
|
|
listening_service => $listening_service,
|
|
ports => "${service_port_real}",
|
|
ipaddresses => $ip_addresses_real,
|
|
server_names => $server_names_real,
|
|
options => $member_options,
|
|
}
|
|
}
|
|
}
|