
  1. # Copyright 2014 Red Hat, Inc.
  2. # All Rights Reserved.
  3. #
  4. # Licensed under the Apache License, Version 2.0 (the "License"); you may
  5. # not use this file except in compliance with the License. You may obtain
  6. # a copy of the License at
  7. #
  8. # http://www.apache.org/licenses/LICENSE-2.0
  9. #
  10. # Unless required by applicable law or agreed to in writing, software
  11. # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  12. # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
  13. # License for the specific language governing permissions and limitations
  14. # under the License.
  15. # == Class: tripleo::haproxy
  16. #
  17. # Configure HAProxy for TripleO.
  18. #
  19. # === Parameters:
  20. #
  21. # [*haproxy_service_manage*]
  22. # Will be passed as value for service_manage to HAProxy module.
  23. # Defaults to true
  24. #
  25. # [*haproxy_global_maxconn*]
  26. # The value to use as maxconn in the HAProxy global config section.
  27. # Defaults to 20480
  28. #
  29. # [*haproxy_default_maxconn*]
  30. # The value to use as maxconn in the HAProxy default config section.
  31. # Defaults to 4096
  32. #
  33. # [*haproxy_default_timeout*]
  34. # The value to use as timeout in the HAProxy default config section.
  35. # Defaults to [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ]
  36. #
  37. # [*haproxy_listen_bind_param*]
  38. # A list of params to be added to the HAProxy listener bind directive. By
  39. # default the 'transparent' param is added but it should be cleared if
  40. # one of the *_virtual_ip addresses is a wildcard, eg. 0.0.0.0
  41. # Defaults to [ 'transparent' ]
  42. #
  43. # [*haproxy_member_options*]
  44. # The default options to use for the HAProxy balancer members.
  45. # Defaults to [ 'check', 'inter 2000', 'rise 2', 'fall 5' ]
  46. #
  47. # [*haproxy_log_address*]
  48. # The IPv4, IPv6 or filesystem socket path of the syslog server.
  49. # Defaults to '/dev/log'
  50. #
  51. # [*haproxy_log_facility*]
  52. # The syslog facility for HAProxy.
  53. # Defaults to 'local0'
  54. #
  55. # [*activate_httplog*]
  56. # Globally activate "httplog" option (in defaults section)
  57. # In case the listener is NOT set to "http" mode, HAProxy will fall back to "tcplog".
  58. # Defaults to false
  59. #
  60. # [*haproxy_globals_override*]
  61. # HAProxy global option we can append to the default base set in this class.
  62. # If you enter an already existing key, it will override the default.
  63. # Defaults to {}
  64. #
  65. # [*haproxy_defaults_override*]
  66. # HAProxy defaults option we can append to the default base set in this class.
  67. # If you enter an already existing key, it will override the default.
  68. # Defaults to {}
  69. #
  70. # [*haproxy_daemon*]
  71. # Should haproxy run in daemon mode or not
  72. # Defaults to true
  73. #
  74. # [*haproxy_socket_access_level*]
  75. # Access level for HAProxy socket.
  76. # Can be "user" or "admin"
  77. # Defaults to "user"
  78. #
  79. # [*manage_firewall*]
  80. # (optional) Enable or disable firewall settings for ports exposed by HAProxy
  81. # (false means disabled, and true means enabled)
  82. # Defaults to hiera('tripleo::firewall::manage_firewall', true)
  83. #
  84. # [*controller_hosts*]
  85. # IPs of host or group of hosts to load-balance the services
  86. # Can be a string or an array.
  87. # Defaults to hiera('controller_node_ips')
  88. #
  89. # [*controller_hosts_names*]
  90. # Names of host or group of hosts to load-balance the services
  91. # Can be a string or an array.
  92. # Defaults to hiera('controller_node_names', undef)
  93. #
  94. # [*controller_virtual_ip*]
  95. # Control IP or group of IPs to bind the pools
  96. # Can be a string or an array.
  97. # Defaults to undef
  98. #
  99. # [*public_virtual_ip*]
  100. # Public IP or group of IPs to bind the pools
  101. # Can be a string or an array.
  102. # Defaults to undef
  103. #
  104. # [*haproxy_stats_user*]
  105. # Username for haproxy stats authentication.
  106. # A string.
  107. # Defaults to 'admin'
  108. #
  109. # [*haproxy_stats_password*]
  110. # Password for haproxy stats authentication. When set, authentication is
  111. # enabled on the haproxy stats endpoint.
  112. # A string.
  113. # Defaults to undef
  114. #
  115. # [*haproxy_stats_bind_address*]
  116. # Bind address for where the haproxy stats web interface should listen on in addition
  117. # to the controller_virtual_ip
  118. # A string or an array.
  119. # Defaults to undef
  120. #
  121. # [*service_certificate*]
  122. # Filename of an HAProxy-compatible certificate and key file
  123. # When set, enables SSL on the public API endpoints using the specified file.
  124. # Defaults to undef
  125. #
  126. # [*use_internal_certificates*]
  127. # Flag that indicates if we'll use an internal certificate for this specific
  128. # service. When set, enables SSL on the internal API endpoints using the file
  129. # that certmonger is tracking; this is derived from the network the service is
  130. # listening on.
  131. # Defaults to false
  132. #
  133. # [*internal_certificates_specs*]
  134. # A hash that should contain the specs that were used to create the
  135. # certificates. As the name indicates, only the internal certificates will be
  136. # fetched from here. The keys must follow the pattern
  137. # "haproxy-<network name>", where the network name is the one defined in
  138. # tripleo-heat-templates.
  139. # Note that this is only taken into account if the $use_internal_certificates
  140. # flag is set.
  141. # Defaults to {}
  142. #
  143. # [*enable_internal_tls*]
  144. # A flag that indicates if the servers in the internal network are using TLS.
  145. # This enables the 'ssl' option for the server members that are proxied.
  146. # Defaults to hiera('enable_internal_tls', false)
  147. #
  148. # [*ssl_cipher_suite*]
  149. # The default string describing the list of cipher algorithms ("cipher suite")
  150. # that are negotiated during the SSL/TLS handshake for all "bind" lines. This
  151. # value comes from the Fedora system crypto policy.
  152. # Defaults to '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES'
  153. #
  154. # [*ssl_options*]
  155. # String that sets the default ssl options to force on all "bind" lines.
  156. # Defaults to 'no-sslv3 no-tlsv10'
  157. #
  158. # [*ca_bundle*]
  159. # Path to the CA bundle to be used for HAProxy to validate the certificates of
  160. # the servers it balances
  161. # Defaults to '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt'
  162. #
  163. # [*crl_file*]
  164. # Path to the CRL file to be used for checking revoked certificates.
  165. # Defaults to undef
  166. #
  167. # [*haproxy_stats_certificate*]
  168. # Filename of an HAProxy-compatible certificate and key file
  169. # When set, enables SSL on the haproxy stats endpoint using the specified file.
  170. # Defaults to undef
  171. #
  172. # [*haproxy_stats*]
  173. # (optional) Enable or not the haproxy stats interface
  174. # Defaults to true
  175. #
  176. # [*keystone_admin*]
  177. # (optional) Enable or not Keystone Admin API binding
  178. # Defaults to hiera('keystone_enabled', false)
  179. #
  180. # [*keystone_public*]
  181. # (optional) Enable or not Keystone Public API binding
  182. # Defaults to hiera('keystone_enabled', false)
  183. #
  184. # [*neutron*]
  185. # (optional) Enable or not Neutron API binding
  186. # Defaults to hiera('neutron_api_enabled', false)
  187. #
  188. # [*cinder*]
  189. # (optional) Enable or not Cinder API binding
  190. # Defaults to hiera('cinder_api_enabled', false)
  191. #
  192. # [*manila*]
  193. # (optional) Enable or not Manila API binding
  194. # Defaults to hiera('manila_api_enabled', false)
  195. #
  196. # [*sahara*]
  197. # (optional) Enable or not Sahara API binding
  198. # Defaults to hiera('sahara_api_enabled', false)
  199. #
  200. # [*trove*]
  201. # (optional) Enable or not Trove API binding
  202. # Defaults to hiera('trove_api_enabled', false)
  203. #
  204. # [*glance_api*]
  205. # (optional) Enable or not Glance API binding
  206. # Defaults to hiera('glance_api_enabled', false)
  207. #
  208. # [*nova_osapi*]
  209. # (optional) Enable or not Nova API binding
  210. # Defaults to hiera('nova_api_enabled', false)
  211. #
  212. # [*placement*]
  213. # (optional) Enable or not Placement API binding
  214. # Defaults to hiera('placement_enabled', false)
  215. #
  216. # [*nova_metadata*]
  217. # (optional) Enable or not Nova metadata binding
  218. # Defaults to hiera('nova_metadata_enabled', false)
  219. #
  220. # [*nova_novncproxy*]
  221. # (optional) Enable or not Nova novncproxy binding
  222. # Defaults to hiera('nova_vnc_proxy_enabled', false)
  223. #
  224. # [*ec2_api*]
  225. # (optional) Enable or not EC2 API binding
  226. # Defaults to hiera('ec2_api_enabled', false)
  227. #
  228. # [*ec2_api_metadata*]
  229. # (optional) Enable or not EC2 API metadata binding
  230. # Defaults to hiera('ec2_api_enabled', false)
  231. #
  232. # [*aodh*]
  233. # (optional) Enable or not Aodh API binding
  234. # Defaults to hiera('aodh_api_enabled', false)
  235. #
  236. # [*panko*]
  237. # (optional) Enable or not Panko API binding
  238. # Defaults to hiera('panko_api_enabled', false)
  239. #
  240. # [*barbican*]
  241. # (optional) Enable or not Barbican API binding
  242. # Defaults to hiera('barbican_api_enabled', false)
  243. #
  244. # [*designate*]
  245. # (optional) Enable or not Designate API binding
  246. # Defaults to hiera('designate_api_enabled', false)
  247. #
  248. # [*metrics_qdr*]
  249. # (optional) Enable or not Metrics QDR binding
  250. # Defaults to hiera('metrics_qdr_enabled', false)
  251. #
  252. # [*gnocchi*]
  253. # (optional) Enable or not Gnocchi API binding
  254. # Defaults to hiera('gnocchi_api_enabled', false)
  255. #
  256. # [*mistral*]
  257. # (optional) Enable or not Mistral API binding
  258. # Defaults to hiera('mistral_api_enabled', false)
  259. #
  260. # [*swift_proxy_server*]
  261. # (optional) Enable or not Swift API binding
  262. # Defaults to hiera('swift_proxy_enabled', false)
  263. #
  264. # [*heat_api*]
  265. # (optional) Enable or not Heat API binding
  266. # Defaults to hiera('heat_api_enabled', false)
  267. #
  268. # [*heat_cfn*]
  269. # (optional) Enable or not Heat CFN API binding
  270. # Defaults to hiera('heat_api_cfn_enabled', false)
  271. #
  272. # [*horizon*]
  273. # (optional) Enable or not Horizon dashboard binding
  274. # Defaults to hiera('horizon_enabled', false)
  275. #
  276. # [*ironic*]
  277. # (optional) Enable or not Ironic API binding
  278. # Defaults to hiera('ironic_api_enabled', false)
  279. #
  280. # [*ironic_inspector*]
  281. # (optional) Enable or not Ironic Inspector API binding
  282. # Defaults to hiera('ironic_inspector_enabled', false)
  283. #
  284. # [*kubernetes_master*]
  285. # (optional) Enable or not Kubernetes API binding
  286. # Defaults to hiera('kubernetes_master_enabled', false)
  287. #
  288. # [*octavia*]
  289. # (optional) Enable or not Octavia API binding
  290. # Defaults to hiera('octavia_api_enabled', false)
  291. #
  292. # [*mysql*]
  293. # (optional) Enable or not MySQL Galera binding
  294. # Defaults to hiera('mysql_enabled', false)
  295. #
  296. # [*mysql_clustercheck*]
  297. # (optional) Enable check via clustercheck for mysql
  298. # Defaults to false
  299. #
  300. # [*mysql_max_conn*]
  301. # (optional) Set the maxconn parameter for mysql
  302. # Defaults to undef
  303. #
  304. # [*mysql_member_options*]
  305. # The options to use for the mysql HAProxy balancer members.
  306. # If this parameter is undefined, the actual value configured will depend
  307. # on the value of $mysql_clustercheck. If cluster checking is enabled,
  308. # the mysql member options will be: "['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s']"
  309. # and if mysql cluster checking is disabled, the member options will be: "union($haproxy_member_options, ['backup'])"
  310. # Defaults to undef
  311. #
  312. # [*mysql_custom_listen_options*]
  313. # Hash to pass to the mysql haproxy listen stanza to be deepmerged with the other options
  314. # Defaults to {}
  315. #
  316. # [*rabbitmq*]
  317. # (optional) Enable or not RabbitMQ binding
  318. # Defaults to false
  319. #
  320. # [*etcd*]
  321. # (optional) Enable or not Etcd binding
  322. # Defaults to hiera('etcd_enabled', false)
  323. #
  324. # [*docker_registry*]
  325. # (optional) Enable or not the Docker Registry API binding
  326. # Defaults to hiera('enable_docker_registry', false)
  327. #
  328. # [*redis*]
  329. # (optional) Enable or not Redis binding
  330. # Defaults to hiera('redis_enabled', false)
  331. #
  332. # [*redis_password*]
  333. # (optional) Password for Redis authentication, which may be needed by the
  334. # Redis-specific monitoring HAProxy performs
  335. # Defaults to undef
  336. #
  337. # [*zaqar_api*]
  338. # (optional) Enable or not Zaqar Api binding
  339. # Defaults to hiera('zaqar_api_enabled', false)
  340. #
  341. # [*ceph_rgw*]
  342. # (optional) Enable or not Ceph RadosGW binding
  343. # Defaults to hiera('ceph_rgw_enabled', false)
  344. #
  345. # [*ceph_grafana*]
  346. # (optional) Enable or not Ceph Grafana dashboard binding
  347. # Defaults to hiera('ceph_grafana_enabled', false)
  348. #
  349. # [*ceph_dashboard*]
  350. # (optional) Enable or not Ceph Dashboard binding
  351. # Defaults to hiera('ceph_grafana_enabled', false)
  352. #
  353. # [*opendaylight*]
  354. # (optional) Enable or not OpenDaylight binding
  355. # Defaults to hiera('opendaylight_api_enabled', false)
  356. #
  357. # [*openshift_master*]
  358. # (optional) Enable or not OpenShift Master API binding
  359. # Defaults to hiera('openshift_master_enabled', false)
  360. #
  361. # [*ovn_dbs*]
  362. # (optional) Enable or not OVN northd binding
  363. # Defaults to hiera('ovn_dbs_enabled', false)
  364. #
  365. # [*ovn_dbs_manage_lb*]
  366. # (optional) Whether or not haproxy should configure OVN dbs for load balancing
  367. # if ovn_dbs is enabled.
  368. # Defaults to false
  369. #
  370. # [*zaqar_ws*]
  371. # (optional) Enable or not Zaqar Websockets binding
  372. # Defaults to hiera('zaqar_api_enabled', false)
  373. #
  374. # [*ui*]
  375. # (optional) Enable or not TripleO UI
  376. # Defaults to pick(hiera('tripleo_ui_enabled', undef), hiera('enable_ui', undef), false)
  377. #
  378. # [*aodh_network*]
  379. # (optional) Specify the network aodh is running on.
  380. # Defaults to hiera('aodh_api_network', undef)
  381. #
  382. # [*barbican_network*]
  383. # (optional) Specify the network barbican is running on.
  384. # Defaults to hiera('barbican_api_network', undef)
  385. #
  386. # [*ceph_rgw_network*]
  387. # (optional) Specify the network ceph_rgw is running on.
  388. # Defaults to hiera('ceph_rgw_network', undef)
  389. #
  390. # [*ceph_grafana_network*]
  391. # (optional) Specify the network ceph_grafana is running on.
  392. # Defaults to hiera('ceph_grafana_network', undef)
  393. #
  394. # [*ceph_dashboard_network*]
  395. # (optional) Specify the network ceph_dashboard is running on.
  396. # Defaults to hiera('ceph_dashboard_network', undef)
  397. #
  398. # [*cinder_network*]
  399. # (optional) Specify the network cinder is running on.
  400. # Defaults to hiera('cinder_api_network', undef)
  401. #
  402. # [*designate_network*]
  403. # (optional) Specify the network designate is running on.
  404. # Defaults to hiera('designate_api_network', undef)
  405. #
  406. # [*metrics_qdr_network*]
  407. # (optional) Specify the network metrics_qdr is running on.
  408. # Defaults to hiera('metrics_qdr_network', undef)
  409. #
  410. # [*docker_registry_network*]
  411. # (optional) Specify the network docker-registry is running on.
  412. # Defaults to hiera('docker_registry_network', undef)
  413. #
  414. # [*glance_api_network*]
  415. # (optional) Specify the network glance_api is running on.
  416. # Defaults to hiera('glance_api_network', undef)
  417. #
  418. # [*gnocchi_network*]
  419. # (optional) Specify the network gnocchi is running on.
  420. # Defaults to hiera('gnocchi_api_network', undef)
  421. #
  422. # [*heat_api_network*]
  423. # (optional) Specify the network heat_api is running on.
  424. # Defaults to hiera('heat_api_network', undef)
  425. #
  426. # [*heat_cfn_network*]
  427. # (optional) Specify the network heat_cfn is running on.
  428. # Defaults to hiera('heat_api_cfn_network', undef)
  429. #
  430. # [*horizon_network*]
  431. # (optional) Specify the network horizon is running on.
  432. # Defaults to hiera('horizon_network', undef)
  433. #
  434. # [*ironic_inspector_network*]
  435. # (optional) Specify the network ironic_inspector is running on.
  436. # Defaults to hiera('ironic_inspector_network', undef)
  437. #
  438. # [*kubernetes_master_network*]
  439. # (optional) Specify the network kubernetes_master is running on.
  440. # Defaults to hiera('kubernetes_master_network', undef)
  441. #
  442. # [*ironic_network*]
  443. # (optional) Specify the network ironic is running on.
  444. # Defaults to hiera('ironic_api_network', undef)
  445. #
  446. # [*keystone_admin_network*]
  447. # (optional) Specify the network keystone_admin is running on.
  448. # Defaults to hiera('keystone_admin_api_network', undef)
  449. #
  450. # [*keystone_public_network*]
  451. # (optional) Specify the network keystone_public is running on.
  452. # Defaults to hiera('keystone_public_api_network', undef)
  453. #
  454. # [*keystone_sticky_sessions*]
  455. # (optional) Use cookie-based session persistence for the Keystone
  456. # public API.
  457. # Defaults to hiera('keystone_sticky_sessions', false)
  458. #
  459. # [*keystone_session_cookie*]
  460. # (optional) Use a specified name for the Keystone sticky session cookie.
  461. # Defaults to hiera('keystone_session_cookie', 'KEYSTONESESSION')
  462. #
  463. # [*manila_network*]
  464. # (optional) Specify the network manila is running on.
  465. # Defaults to hiera('manila_api_network', undef)
  466. #
  467. # [*mistral_network*]
  468. # (optional) Specify the network mistral is running on.
  469. # Defaults to hiera('mistral_api_network', undef)
  470. #
  471. # [*neutron_network*]
  472. # (optional) Specify the network neutron is running on.
  473. # Defaults to hiera('neutron_api_network', undef)
  474. #
  475. # [*nova_metadata_network*]
  476. # (optional) Specify the network nova_metadata is running on.
  477. # Defaults to hiera('nova_metadata_network', undef)
  478. #
  479. # [*nova_novncproxy_network*]
  480. # (optional) Specify the network nova_novncproxy is running on.
  481. # Defaults to hiera('nova_vnc_proxy_network', undef)
  482. #
  483. # [*nova_osapi_network*]
  484. # (optional) Specify the network nova_osapi is running on.
  485. # Defaults to hiera('nova_api_network', undef)
  486. #
  487. # [*placement_network*]
  488. # (optional) Specify the network placement is running on.
  489. # Defaults to hiera('placement_network', undef)
  490. #
  491. # [*ec2_api_network*]
  492. # (optional) Specify the network ec2_api is running on.
  493. # Defaults to hiera('ec2_api_network', undef)
  494. #
  495. # [*ec2_api_metadata_network*]
  496. # (optional) Specify the network ec2_api_metadata is running on.
  497. # Defaults to hiera('ec2_api_network', undef)
  498. #
  499. # [*etcd_network*]
  500. # (optional) Specify the network etcd is running on.
  501. # Defaults to hiera('etcd_network', undef)
  502. #
  503. # [*octavia_network*]
  504. # (optional) Specify the network octavia is running on.
  505. # Defaults to hiera('octavia_api_network', undef)
  506. #
  507. # [*opendaylight_network*]
  508. # (optional) Specify the network opendaylight is running on.
  509. # Defaults to hiera('opendaylight_api_network', undef)
  510. #
  511. # [*openshift_master_network*]
  512. # (optional) Specify the network openshift_master is running on.
  513. # Defaults to hiera('openshift_master_network', undef)
  514. #
  515. # [*panko_network*]
  516. # (optional) Specify the network panko is running on.
  517. # Defaults to hiera('panko_api_network', undef)
  518. #
  519. # [*ovn_dbs_network*]
  520. # (optional) Specify the network ovn_dbs is running on.
  521. # Defaults to hiera('ovn_dbs_network', undef)
  522. #
  523. # [*sahara_network*]
  524. # (optional) Specify the network sahara is running on.
  525. # Defaults to hiera('sahara_api_network', undef)
  526. #
  527. # [*swift_proxy_server_network*]
  528. # (optional) Specify the network swift_proxy_server is running on.
  529. # Defaults to hiera('swift_proxy_network', undef)
  530. #
  531. # [*trove_network*]
  532. # (optional) Specify the network trove is running on.
  533. # Defaults to hiera('trove_api_network', undef)
  534. #
  535. # [*zaqar_api_network*]
  536. # (optional) Specify the network zaqar_api is running on.
  537. # Defaults to hiera('zaqar_api_network', undef)
  538. #
  539. # [*zaqar_ws_timeout_tunnel*]
  540. # (optional) Specify the tunnel timeout in seconds for the Zaqar API.
  541. # Defaults to hiera('zaqar_ws_timeout_tunnel', '14400')
  542. #
  543. # [*service_ports*]
  544. # (optional) Hash that contains the values to override from the service ports
  545. # The available keys to modify the services' ports are:
  546. # 'aodh_api_port' (Defaults to 8042)
  547. # 'aodh_api_ssl_port' (Defaults to 13042)
  548. # 'barbican_api_port' (Defaults to 9311)
  549. # 'barbican_api_ssl_port' (Defaults to 13311)
  550. # 'cinder_api_port' (Defaults to 8776)
  551. # 'cinder_api_ssl_port' (Defaults to 13776)
  552. # 'docker_registry_port' (Defaults to 8787)
  553. # 'docker_registry_ssl_port' (Defaults to 13787)
  554. # 'glance_api_port' (Defaults to 9292)
  555. # 'glance_api_ssl_port' (Defaults to 13292)
  556. # 'gnocchi_api_port' (Defaults to 8041)
  557. # 'gnocchi_api_ssl_port' (Defaults to 13041)
  558. # 'mistral_api_port' (Defaults to 8989)
  559. # 'mistral_api_ssl_port' (Defaults to 13989)
  560. # 'heat_api_port' (Defaults to 8004)
  561. # 'heat_api_ssl_port' (Defaults to 13004)
  562. # 'heat_cfn_port' (Defaults to 8000)
  563. # 'heat_cfn_ssl_port' (Defaults to 13005)
  564. # 'ironic_api_port' (Defaults to 6385)
  565. # 'ironic_api_ssl_port' (Defaults to 13385)
  566. # 'ironic_inspector_port' (Defaults to 5050)
  567. # 'ironic_inspector_ssl_port' (Defaults to 13050)
  568. # 'kubernetes_master_port' (Defaults to 6443)
  569. # 'kubernetes_master_ssl_port' (Defaults to 13443)
  570. # 'keystone_admin_api_port' (Defaults to 35357)
  571. # 'keystone_public_api_port' (Defaults to 5000)
  572. # 'keystone_public_api_ssl_port' (Defaults to 13000)
  573. # 'manila_api_port' (Defaults to 8786)
  574. # 'manila_api_ssl_port' (Defaults to 13786)
  575. # 'metrics_qdr_port' (Defaults to 5666)
  576. # 'neutron_api_port' (Defaults to 9696)
  577. # 'neutron_api_ssl_port' (Defaults to 13696)
  578. # 'nova_api_port' (Defaults to 8774)
  579. # 'nova_api_ssl_port' (Defaults to 13774)
  580. # 'nova_metadata_port' (Defaults to 8775)
  581. # 'nova_novnc_port' (Defaults to 6080)
  582. # 'nova_novnc_ssl_port' (Defaults to 13080)
  583. # 'octavia_api_port' (Defaults to 9876)
  584. # 'octavia_api_ssl_port' (Defaults to 13876)
  585. # 'openshift_master_port' (Defaults to 6444)
  586. # 'openshift_master_ssl_port' (Defaults to 13443)
  587. # 'opendaylight_api_port' (Defaults to 8081)
  588. # 'panko_api_port' (Defaults to 8977)
  589. # 'panko_api_ssl_port' (Defaults to 13977)
  590. # 'placement_port' (Defaults to 8778)
  591. # 'placement_ssl_port' (Defaults to 13778)
  592. # 'ovn_nbdb_port' (Defaults to 6641)
  593. # 'ovn_nbdb_ssl_port' (Defaults to 13641)
  594. # 'ovn_sbdb_port' (Defaults to 6642)
  595. # 'ovn_sbdb_ssl_port' (Defaults to 13642)
  596. # 'sahara_api_port' (Defaults to 8386)
  597. # 'sahara_api_ssl_port' (Defaults to 13386)
  598. # 'swift_proxy_port' (Defaults to 8080)
  599. # 'swift_proxy_ssl_port' (Defaults to 13808)
  600. # 'trove_api_port' (Defaults to 8779)
  601. # 'trove_api_ssl_port' (Defaults to 13779)
  602. # 'zaqar_api_port' (Defaults to 8888)
  603. # 'zaqar_api_ssl_port' (Defaults to 13888)
  604. # 'ceph_rgw_port' (Defaults to 8080)
  605. # 'ceph_rgw_ssl_port' (Defaults to 13808)
  606. # 'ceph_grafana_port' (Defaults to 3100)
  607. # 'ceph_grafana_ssl_port' (Defaults to 3100)
  608. # 'ceph_dashboard_port' (Defaults to 8444)
  609. # 'ceph_dashboard_ssl_port' (Defaults to 8444)
  610. # 'zaqar_ws_port' (Defaults to 9000)
  611. # 'zaqar_ws_ssl_port' (Defaults to 9000)
  612. # * Note that for zaqar's websockets we don't support having a different
  613. # port for SSL, because it ignores the handshake.
  614. # Defaults to {}
  615. #
  616. class tripleo::haproxy (
  617. $controller_virtual_ip,
  618. $public_virtual_ip,
  619. $haproxy_service_manage = true,
  620. $haproxy_global_maxconn = 20480,
  621. $haproxy_default_maxconn = 4096,
  622. $haproxy_default_timeout = [ 'http-request 10s', 'queue 2m', 'connect 10s', 'client 2m', 'server 2m', 'check 10s' ],
  623. $haproxy_listen_bind_param = [ 'transparent' ],
  624. $haproxy_member_options = [ 'check', 'inter 2000', 'rise 2', 'fall 5' ],
  625. $haproxy_log_address = '/dev/log',
  626. $haproxy_log_facility = 'local0',
  627. $activate_httplog = false,
  628. $haproxy_globals_override = {},
  629. $haproxy_defaults_override = {},
  630. $haproxy_daemon = true,
  631. $haproxy_socket_access_level = 'user',
  632. $haproxy_stats_user = 'admin',
  633. $haproxy_stats_password = undef,
  634. $haproxy_stats_bind_address = undef,
  635. $manage_firewall = hiera('tripleo::firewall::manage_firewall', true),
  636. $controller_hosts = hiera('controller_node_ips'),
  637. $controller_hosts_names = hiera('controller_node_names', undef),
  638. $service_certificate = undef,
  639. $use_internal_certificates = false,
  640. $internal_certificates_specs = {},
  641. $enable_internal_tls = hiera('enable_internal_tls', false),
  642. $ssl_cipher_suite = '!SSLv2:kEECDH:kRSA:kEDH:kPSK:+3DES:!aNULL:!eNULL:!MD5:!EXP:!RC4:!SEED:!IDEA:!DES',
  643. $ssl_options = 'no-sslv3 no-tlsv10',
  644. $ca_bundle = '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt',
  645. $crl_file = undef,
  646. $haproxy_stats_certificate = undef,
  647. $haproxy_stats = true,
  648. $keystone_admin = hiera('keystone_enabled', false),
  649. $keystone_public = hiera('keystone_enabled', false),
  650. $neutron = hiera('neutron_api_enabled', false),
  651. $cinder = hiera('cinder_api_enabled', false),
  652. $manila = hiera('manila_api_enabled', false),
  653. $sahara = hiera('sahara_api_enabled', false),
  654. $trove = hiera('trove_api_enabled', false),
  655. $glance_api = hiera('glance_api_enabled', false),
  656. $nova_osapi = hiera('nova_api_enabled', false),
  657. $placement = hiera('placement_enabled', false),
  658. $nova_metadata = hiera('nova_metadata_enabled', false),
  659. $nova_novncproxy = hiera('nova_vnc_proxy_enabled', false),
  660. $ec2_api = hiera('ec2_api_enabled', false),
  661. $ec2_api_metadata = hiera('ec2_api_enabled', false),
  662. $aodh = hiera('aodh_api_enabled', false),
  663. $panko = hiera('panko_api_enabled', false),
  664. $barbican = hiera('barbican_api_enabled', false),
  665. $ceph_grafana = hiera('ceph_grafana_enabled', false),
  666. $ceph_dashboard = hiera('ceph_grafana_enabled', false),
  667. $gnocchi = hiera('gnocchi_api_enabled', false),
  668. $mistral = hiera('mistral_api_enabled', false),
  669. $swift_proxy_server = hiera('swift_proxy_enabled', false),
  670. $heat_api = hiera('heat_api_enabled', false),
  671. $heat_cfn = hiera('heat_api_cfn_enabled', false),
  672. $horizon = hiera('horizon_enabled', false),
  673. $ironic = hiera('ironic_api_enabled', false),
  674. $ironic_inspector = hiera('ironic_inspector_enabled', false),
  675. $octavia = hiera('octavia_api_enabled', false),
  676. $designate = hiera('designate_api_enabled', false),
  677. $metrics_qdr = hiera('metrics_qdr_enabled', false),
  678. $mysql = hiera('mysql_enabled', false),
  679. $kubernetes_master = hiera('kubernetes_master_enabled', false),
  680. $mysql_clustercheck = false,
  681. $mysql_max_conn = undef,
  682. $mysql_member_options = undef,
  683. $mysql_custom_listen_options = {},
  684. $openshift_master = hiera('openshift_master_enabled', false),
  685. $rabbitmq = false,
  686. $etcd = hiera('etcd_enabled', false),
  687. $docker_registry = hiera('enable_docker_registry', false),
  688. $redis = hiera('redis_enabled', false),
  689. $redis_password = undef,
  690. $zaqar_api = hiera('zaqar_api_enabled', false),
  691. $ceph_rgw = hiera('ceph_rgw_enabled', false),
  692. $opendaylight = hiera('opendaylight_api_enabled', false),
  693. $ovn_dbs = hiera('ovn_dbs_enabled', false),
  694. $ovn_dbs_manage_lb = false,
  695. $zaqar_ws = hiera('zaqar_api_enabled', false),
  696. # For backward compatibility with instack-undercloud, keep enable_ui support)
  697. $ui = pick(hiera('tripleo_ui_enabled', undef), hiera('enable_ui', undef), false),
  698. $aodh_network = hiera('aodh_api_network', undef),
  699. $barbican_network = hiera('barbican_api_network', false),
  700. $ceph_rgw_network = hiera('ceph_rgw_network', undef),
  701. $cinder_network = hiera('cinder_api_network', undef),
  702. $designate_network = hiera('designate_api_network', undef),
  703. $metrics_qdr_network = hiera('metrics_qdr_network', undef),
  704. $docker_registry_network = hiera('docker_registry_network', undef),
  705. $glance_api_network = hiera('glance_api_network', undef),
  706. $gnocchi_network = hiera('gnocchi_api_network', undef),
  707. $heat_api_network = hiera('heat_api_network', undef),
  708. $ceph_grafana_network = hiera('ceph_grafana_network', undef),
  709. $ceph_dashboard_network = hiera('ceph_dashboard_network', undef),
  710. $heat_cfn_network = hiera('heat_api_cfn_network', undef),
  711. $horizon_network = hiera('horizon_network', undef),
  712. $ironic_inspector_network = hiera('ironic_inspector_network', undef),
  713. $ironic_network = hiera('ironic_api_network', undef),
  714. $kubernetes_master_network = hiera('kubernetes_master_network', undef),
  715. $keystone_admin_network = hiera('keystone_admin_api_network', undef),
  716. $keystone_public_network = hiera('keystone_public_api_network', undef),
  717. $keystone_sticky_sessions = hiera('keystone_sticky_sessions', false),
  718. $keystone_session_cookie = hiera('keystone_session_cookie,', 'KEYSTONESESSION'),
  719. $manila_network = hiera('manila_api_network', undef),
  720. $mistral_network = hiera('mistral_api_network', undef),
  721. $neutron_network = hiera('neutron_api_network', undef),
  722. $nova_metadata_network = hiera('nova_metadata_network', undef),
  723. $nova_novncproxy_network = hiera('nova_vnc_proxy_network', undef),
  724. $nova_osapi_network = hiera('nova_api_network', undef),
  725. $placement_network = hiera('placement_network', undef),
  726. $octavia_network = hiera('octavia_api_network', undef),
  727. $opendaylight_network = hiera('opendaylight_api_network', undef),
  728. $openshift_master_network = hiera('openshift_master_network', undef),
  729. $panko_network = hiera('panko_api_network', undef),
  730. $ovn_dbs_network = hiera('ovn_dbs_network', undef),
  731. $ec2_api_network = hiera('ec2_api_network', undef),
  732. $ec2_api_metadata_network = hiera('ec2_api_network', undef),
  733. $etcd_network = hiera('etcd_network', undef),
  734. $sahara_network = hiera('sahara_api_network', undef),
  735. $swift_proxy_server_network = hiera('swift_proxy_network', undef),
  736. $trove_network = hiera('trove_api_network', undef),
  737. $zaqar_api_network = hiera('zaqar_api_network', undef),
  738. $zaqar_ws_timeout_tunnel = hiera('zaqar_ws_timeout_tunnel', '14400'),
  739. $service_ports = {}
  740. ) {
  # Built-in listener/backend ports for every service this class can front.
  # Keys named *_ssl_port are the TLS-terminated (public) ports; a few
  # services (zaqar_ws, ceph_grafana, ceph_dashboard) use the same number
  # for both.  Deployments override entries through the $service_ports
  # parameter, whose keys win in the merge() below.
  $default_service_ports = {
    aodh_api_port => 8042,
    aodh_api_ssl_port => 13042,
    barbican_api_port => 9311,
    barbican_api_ssl_port => 13311,
    cinder_api_port => 8776,
    cinder_api_ssl_port => 13776,
    designate_api_port => 9001,
    designate_api_ssl_port => 13001,
    docker_registry_port => 8787,
    docker_registry_ssl_port => 13787,
    etcd_port => 2379,
    glance_api_port => 9292,
    glance_api_ssl_port => 13292,
    gnocchi_api_port => 8041,
    gnocchi_api_ssl_port => 13041,
    mistral_api_port => 8989,
    mistral_api_ssl_port => 13989,
    heat_api_port => 8004,
    heat_api_ssl_port => 13004,
    heat_cfn_port => 8000,
    heat_cfn_ssl_port => 13005,
    ironic_api_port => 6385,
    ironic_api_ssl_port => 13385,
    ironic_inspector_port => 5050,
    ironic_inspector_ssl_port => 13050,
    kubernetes_master_port => 6443,
    kubernetes_master_ssl_port => 13443,
    keystone_admin_api_port => 35357,
    keystone_public_api_port => 5000,
    keystone_public_api_ssl_port => 13000,
    manila_api_port => 8786,
    manila_api_ssl_port => 13786,
    metrics_qdr_port => 5666,
    neutron_api_port => 9696,
    neutron_api_ssl_port => 13696,
    nova_api_port => 8774,
    nova_api_ssl_port => 13774,
    nova_metadata_port => 8775,
    nova_novnc_port => 6080,
    nova_novnc_ssl_port => 13080,
    octavia_api_port => 9876,
    octavia_api_ssl_port => 13876,
    opendaylight_api_port => 8081,
    opendaylight_ws_port => 8185,
    openshift_master_port => 8443,
    openshift_master_ssl_port => 18443,
    panko_api_port => 8977,
    panko_api_ssl_port => 13977,
    placement_port => 8778,
    placement_ssl_port => 13778,
    ovn_nbdb_port => 6641,
    ovn_nbdb_ssl_port => 13641,
    ovn_sbdb_port => 6642,
    ovn_sbdb_ssl_port => 13642,
    ec2_api_port => 8788,
    ec2_api_ssl_port => 13788,
    ec2_api_metadata_port => 8789,
    sahara_api_port => 8386,
    sahara_api_ssl_port => 13386,
    swift_proxy_port => 8080,
    swift_proxy_ssl_port => 13808,
    trove_api_port => 8779,
    trove_api_ssl_port => 13779,
    ui_port => 3000,
    ui_ssl_port => 443,
    zaqar_api_port => 8888,
    zaqar_api_ssl_port => 13888,
    ceph_rgw_port => 8080,
    ceph_rgw_ssl_port => 13808,
    zaqar_ws_port => 9000,
    zaqar_ws_ssl_port => 9000,
    ceph_grafana_port => 3100,
    ceph_grafana_ssl_port => 3100,
    ceph_dashboard_port => 8444,
    ceph_dashboard_ssl_port => 8444,
  }
  # Effective port map consulted by every endpoint declared below
  # (rightmost hash wins on duplicate keys, so $service_ports overrides).
  $ports = merge($default_service_ports, $service_ports)
  if $enable_internal_tls {
    # Backend members are reached over TLS and the server certificate must
    # chain to $ca_bundle ('verify required'); revocation is only checked
    # when a CRL file is configured.
    $base_internal_tls_member_options = ['ssl', 'verify required', "ca-file ${ca_bundle}"]
    if $crl_file {
      $internal_tls_member_options = concat($base_internal_tls_member_options, "crl-file ${crl_file}")
    } else {
      $internal_tls_member_options = $base_internal_tls_member_options
    }
    # Resource default for every Haproxy::Balancermember declared in this
    # scope; presumably adds the per-server 'verifyhost' check so the
    # backend certificate name is validated too.  Note the metrics_qdr
    # member further down explicitly sets verifyhost => false.
    Haproxy::Balancermember {
      verifyhost => true
    }
  } else {
    # Plaintext to the backends.  Endpoints union() this list into their
    # member_options, so an empty list is a no-op.
    $internal_tls_member_options = []
  }
  # Controller addresses and names arrive as comma-separated strings.
  # Names fall back to the addresses when not given, and are lowercased
  # before being used as HAProxy server names.
  $controller_hosts_real = any2array(split($controller_hosts, ','))
  if ! $controller_hosts_names {
    $controller_hosts_names_real = $controller_hosts_real
  } else {
    $controller_hosts_names_real = downcase(any2array(split($controller_hosts_names, ',')))
  }
  # Bind maps for the two non-HTTP listeners (mysql, rabbitmq); each VIP
  # defaults to the controller VIP and carries $haproxy_listen_bind_param
  # (e.g. 'transparent', see the class documentation).
  $mysql_vip = hiera('mysql_vip', $controller_virtual_ip)
  $mysql_bind_opts = {
    "${mysql_vip}:3306" => $haproxy_listen_bind_param,
  }
  $rabbitmq_vip = hiera('rabbitmq_vip', $controller_virtual_ip)
  $rabbitmq_bind_opts = {
    "${rabbitmq_vip}:5672" => $haproxy_listen_bind_param,
  }
  # 'global' section.  The runtime stats socket is mode 600 (readable by
  # the haproxy user only) and what a socket client may do is governed by
  # the HAProxy 'level' taken from $haproxy_socket_access_level.  The
  # ssl-default-bind-* entries apply the configured cipher suite and TLS
  # options to every TLS listener that does not override them.
  $haproxy_global_options = {
    'log' => "${haproxy_log_address} ${haproxy_log_facility}",
    'pidfile' => '/var/run/haproxy.pid',
    'user' => 'haproxy',
    'group' => 'haproxy',
    'maxconn' => $haproxy_global_maxconn,
    'ssl-default-bind-ciphers' => $ssl_cipher_suite,
    'ssl-default-bind-options' => $ssl_options,
    'stats' => [
      "socket /var/lib/haproxy/stats mode 600 level ${haproxy_socket_access_level}",
      'timeout 2m'
    ],
  }
  # Only emit the bare 'daemon' keyword when asked to; the empty hash
  # merges into the global options as a no-op.
  if $haproxy_daemon == true {
    $haproxy_daemonize = {
      'daemon' => '',
    }
  } else {
    $haproxy_daemonize = {}
  }
  # 'defaults' section: tcp mode unless a listener says otherwise; timeouts
  # and per-listener maxconn come from the class parameters.  'option
  # httplog' is added globally only when $activate_httplog is set.
  $haproxy_defaults_options = {
    'mode' => 'tcp',
    'log' => 'global',
    'retries' => '3',
    'timeout' => $haproxy_default_timeout,
    'maxconn' => $haproxy_default_maxconn,
  }
  if $activate_httplog {
    $httplog = {'option' => 'httplog'}
  } else {
    $httplog = {}
  }
  # Upstream haproxy module.  The *_override hashes are merged last, so
  # operator overrides take precedence over everything built above.
  class { '::haproxy':
    service_manage => $haproxy_service_manage,
    global_options => merge($haproxy_global_options, $haproxy_daemonize, $haproxy_globals_override),
    defaults_options => merge($haproxy_defaults_options, $httplog, $haproxy_defaults_override),
  }
  # Listen options shared by the HTTP endpoints.  'http-request set-header'
  # replaces any existing header of that name, so a client-supplied
  # X-Forwarded-Proto / X-Forwarded-Port never reaches the backends; the
  # values reflect whether the frontend connection was TLS and which port
  # it hit.
  $default_listen_options = {
    'option' => [ 'httpchk', 'httplog', ],
    'http-request' => [
      'set-header X-Forwarded-Proto https if { ssl_fc }',
      'set-header X-Forwarded-Proto http if !{ ssl_fc }',
      'set-header X-Forwarded-Port %[dst_port]'],
  }
  # Resource defaults for every tripleo::haproxy::endpoint below.  Note
  # that member_options defaults to $haproxy_member_options alone; an
  # endpoint only gets the internal-TLS member options when it passes
  # member_options => union(..., $internal_tls_member_options) itself.
  Tripleo::Haproxy::Endpoint {
    haproxy_listen_bind_param => $haproxy_listen_bind_param,
    member_options => $haproxy_member_options,
    public_certificate => $service_certificate,
    use_internal_certificates => $use_internal_certificates,
    internal_certificates_specs => $internal_certificates_specs,
    listen_options => $default_listen_options,
    manage_firewall => $manage_firewall,
  }
  # Per-service endpoint definitions driven by the deployment's enabled
  # service list (one service_endpoints resource per entry).
  $service_names = hiera('enabled_services', [])
  tripleo::haproxy::service_endpoints { $service_names: }
  # Stats web interface.  It is bound on the controller VIP plus the
  # optional $haproxy_stats_bind_address (undef entries dropped), protected
  # by $haproxy_stats_user / $haproxy_stats_password, and served over TLS
  # with the explicit stats certificate, else with the internal ctlplane
  # certificate when internal certificates are in use, else plaintext.
  if $haproxy_stats {
    if $haproxy_stats_certificate {
      $haproxy_stats_certificate_real = $haproxy_stats_certificate
    } elsif $use_internal_certificates {
      # NOTE(jaosorior): Right now it's hardcoded to use the ctlplane network
      $haproxy_stats_certificate_real = $internal_certificates_specs["haproxy-ctlplane"]['service_pem']
    } else {
      $haproxy_stats_certificate_real = undef
    }
    $haproxy_stats_ips_raw = union(any2array($controller_virtual_ip), any2array($haproxy_stats_bind_address))
    $haproxy_stats_ips = delete_undef_values($haproxy_stats_ips_raw)
    class { '::tripleo::haproxy::stats':
      haproxy_listen_bind_param => $haproxy_listen_bind_param,
      ip => $haproxy_stats_ips,
      password => $haproxy_stats_password,
      certificate => $haproxy_stats_certificate_real,
      user => $haproxy_stats_user,
    }
  }
  # Keystone admin listener: a separate frontend port (keystone_admin_api_port)
  # that load-balances to the same backend port and nodes as the public API.
  # No public_virtual_ip is passed, so it is internal-only; the health check
  # overrides the default 'httpchk' with a GET of /v3.
  if $keystone_admin {
    # NOTE(jaosorior): Given that the admin endpoint is in the same vhost
    # nowadays as the public/internal one. We can just loadbalance towards the
    # same IP.
    ::tripleo::haproxy::endpoint { 'keystone_admin':
      internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
      service_port => $ports[keystone_public_api_port],
      haproxy_port => $ports[keystone_admin_api_port],
      ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
      server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
      service_network => $keystone_admin_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Keystone public/internal API, optionally with cookie-based sticky
  # sessions.
  # NOTE(review): the $keystone_session_cookie parameter default (in the
  # class signature above) looks up the hiera key 'keystone_session_cookie,'
  # with a trailing comma inside the quotes, so a hiera-provided cookie name
  # is apparently never read and 'KEYSTONESESSION' always applies — confirm
  # and correct the key.
  if $keystone_public {
    $keystone_listen_opts = {
      'option' => [ 'httpchk GET /v3', ],
    }
    ::tripleo::haproxy::endpoint { 'keystone_public':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('keystone_public_api_vip', $controller_virtual_ip),
      service_port => $ports[keystone_public_api_port],
      ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
      server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      listen_options => merge($default_listen_options, $keystone_listen_opts),
      public_ssl_port => $ports[keystone_public_api_ssl_port],
      service_network => $keystone_public_network,
      sticky_sessions => $keystone_sticky_sessions,
      session_cookie => $keystone_session_cookie,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Neutron API: public (TLS-terminated) and internal frontends; backends
  # get the internal-TLS member options when enabled.
  if $neutron {
    ::tripleo::haproxy::endpoint { 'neutron':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('neutron_api_vip', $controller_virtual_ip),
      service_port => $ports[neutron_api_port],
      ip_addresses => hiera('neutron_api_node_ips', $controller_hosts_real),
      server_names => hiera('neutron_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[neutron_api_ssl_port],
      service_network => $neutron_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Cinder API: public and internal frontends, internal-TLS member options
  # applied when enabled.
  if $cinder {
    ::tripleo::haproxy::endpoint { 'cinder':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('cinder_api_vip', $controller_virtual_ip),
      service_port => $ports[cinder_api_port],
      ip_addresses => hiera('cinder_api_node_ips', $controller_hosts_real),
      server_names => hiera('cinder_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[cinder_api_ssl_port],
      service_network => $cinder_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Manila API: public and internal frontends, internal-TLS member options
  # applied when enabled.
  if $manila {
    ::tripleo::haproxy::endpoint { 'manila':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('manila_api_vip', $controller_virtual_ip),
      service_port => $ports[manila_api_port],
      ip_addresses => hiera('manila_api_node_ips', $controller_hosts_real),
      server_names => hiera('manila_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[manila_api_ssl_port],
      service_network => $manila_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Sahara API.
  # NOTE(review): no member_options here, so the Tripleo::Haproxy::Endpoint
  # default ($haproxy_member_options without $internal_tls_member_options)
  # applies; with $enable_internal_tls this backend is presumably reached
  # without the ssl/verify options — confirm whether that is intended.
  if $sahara {
    ::tripleo::haproxy::endpoint { 'sahara':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('sahara_api_vip', $controller_virtual_ip),
      service_port => $ports[sahara_api_port],
      ip_addresses => hiera('sahara_api_node_ips', $controller_hosts_real),
      server_names => hiera('sahara_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[sahara_api_ssl_port],
      service_network => $sahara_network,
    }
  }
  # Trove API.
  # NOTE(review): member_options is not passed, so the endpoint default
  # (without $internal_tls_member_options) applies and the backend is
  # presumably plaintext even under $enable_internal_tls — confirm.
  if $trove {
    ::tripleo::haproxy::endpoint { 'trove':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('trove_api_vip', $controller_virtual_ip),
      service_port => $ports[trove_api_port],
      ip_addresses => hiera('trove_api_node_ips', $controller_hosts_real),
      server_names => hiera('trove_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[trove_api_ssl_port],
      service_network => $trove_network,
    }
  }
  # Glance API; health check is a GET of /healthcheck instead of the
  # default 'httpchk'.
  if $glance_api {
    ::tripleo::haproxy::endpoint { 'glance_api':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('glance_api_vip', $controller_virtual_ip),
      service_port => $ports[glance_api_port],
      ip_addresses => hiera('glance_api_node_ips', $controller_hosts_real),
      server_names => hiera('glance_api_node_names', $controller_hosts_names_real),
      public_ssl_port => $ports[glance_api_ssl_port],
      mode => 'http',
      listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /healthcheck', ]}),
      service_network => $glance_api_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Ceph Grafana, internal-only (no public_virtual_ip).  The VIP is shared
  # with the Ceph dashboard ('ceph_dashboard_vip'); source-IP balancing keeps
  # a client on one node, and the check is a HEAD of /.
  if $ceph_grafana {
    ::tripleo::haproxy::endpoint { 'ceph_grafana':
      internal_ip => hiera('ceph_dashboard_vip', $controller_virtual_ip),
      service_port => $ports[ceph_grafana_port],
      ip_addresses => hiera('ceph_grafana_node_ips', $controller_hosts_real),
      server_names => hiera('ceph_grafana_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[ceph_grafana_ssl_port],
      listen_options => merge($default_listen_options, {
        'option' => [ 'httpchk HEAD /' ],
        'balance' => 'source',
      }),
      service_network => $ceph_grafana_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Ceph dashboard, internal-only.  Members are looked up with the
  # ceph_grafana_* hiera keys, i.e. dashboard and grafana are taken to run
  # on the same nodes; the health check accepts any 2xx on HEAD /.
  if $ceph_dashboard {
    ::tripleo::haproxy::endpoint { 'ceph_dashboard':
      internal_ip => hiera('ceph_dashboard_vip', $controller_virtual_ip),
      service_port => $ports[ceph_dashboard_port],
      ip_addresses => hiera('ceph_grafana_node_ips', $controller_hosts_real),
      server_names => hiera('ceph_grafana_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[ceph_dashboard_ssl_port],
      listen_options => merge($default_listen_options, {
        'option' => [ 'httpchk HEAD /' ],
        'balance' => 'source',
        'http-check' => 'expect rstatus 2[0-9][0-9]',
      }),
      service_network => $ceph_dashboard_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Nova compute API (osapi): public and internal frontends, internal-TLS
  # member options applied when enabled.
  $nova_api_vip = hiera('nova_api_vip', $controller_virtual_ip)
  if $nova_osapi {
    ::tripleo::haproxy::endpoint { 'nova_osapi':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => $nova_api_vip,
      service_port => $ports[nova_api_port],
      ip_addresses => hiera('nova_api_node_ips', $controller_hosts_real),
      server_names => hiera('nova_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[nova_api_ssl_port],
      service_network => $nova_osapi_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Placement API: public and internal frontends, internal-TLS member
  # options applied when enabled.
  $placement_vip = hiera('placement_vip', $controller_virtual_ip)
  if $placement {
    ::tripleo::haproxy::endpoint { 'placement':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => $placement_vip,
      service_port => $ports[placement_port],
      ip_addresses => hiera('placement_node_ips', $controller_hosts_real),
      server_names => hiera('placement_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[placement_ssl_port],
      service_network => $placement_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Nova metadata API, internal-only (no public frontend).  In an
  # additional-cell deployment the server names come from the cell-specific
  # hiera key.
  if $nova_metadata {
    if hiera('nova_is_additional_cell', undef) {
      $nova_metadata_server_names_real = hiera('nova_metadata_cell_node_names', $controller_hosts_names_real)
    } else {
      $nova_metadata_server_names_real = hiera('nova_metadata_node_names', $controller_hosts_names_real)
    }
    ::tripleo::haproxy::endpoint { 'nova_metadata':
      internal_ip => hiera('nova_metadata_vip', $controller_virtual_ip),
      service_port => $ports[nova_metadata_port],
      ip_addresses => hiera('nova_metadata_node_ips', $controller_hosts_real),
      server_names => $nova_metadata_server_names_real,
      mode => 'http',
      service_network => $nova_metadata_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # noVNC proxy.  Long-lived websocket tunnels: tcp keepalive, 1h tunnel
  # timeout and source-IP stickiness.  Under internal TLS the plain 'check'
  # is removed from the member options and replaced with 'check-ssl' so the
  # health check itself speaks TLS to the backend.
  $nova_vnc_proxy_vip = hiera('nova_vnc_proxy_vip', $controller_virtual_ip)
  if $nova_novncproxy {
    if $enable_internal_tls {
      # we need to make sure we use ssl for checks.
      $haproxy_member_options_real = delete($haproxy_member_options, 'check')
      $novncproxy_ssl_member_options = ['check-ssl']
    } else {
      $haproxy_member_options_real = $haproxy_member_options
      $novncproxy_ssl_member_options = []
    }
    if hiera('nova_is_additional_cell', undef) {
      $novncproxy_server_names_real = hiera('nova_vnc_proxy_cell_node_names', $controller_hosts_names_real)
    } else {
      $novncproxy_server_names_real = hiera('nova_vnc_proxy_node_names', $controller_hosts_names_real)
    }
    ::tripleo::haproxy::endpoint { 'nova_novncproxy':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => $nova_vnc_proxy_vip,
      service_port => $ports[nova_novnc_port],
      ip_addresses => hiera('nova_vnc_proxy_node_ips', $controller_hosts_real),
      server_names => $novncproxy_server_names_real,
      listen_options => merge($default_listen_options, {
        'option' => [ 'tcpka', 'tcplog' ],
        'balance' => 'source',
        'timeout' => [ 'tunnel 1h' ],
      }),
      public_ssl_port => $ports[nova_novnc_ssl_port],
      service_network => $nova_novncproxy_network,
      member_options => union($haproxy_member_options_real, $internal_tls_member_options, $novncproxy_ssl_member_options),
    }
  }
  # EC2 API: public and internal frontends with tcp keepalive; internal-TLS
  # member options applied when enabled.
  if $ec2_api {
    ::tripleo::haproxy::endpoint { 'ec2_api':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('ec2_api_vip', $controller_virtual_ip),
      service_port => $ports[ec2_api_port],
      ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real),
      server_names => hiera('ec2_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[ec2_api_ssl_port],
      listen_options => merge($default_listen_options, {
        'option' => [ 'tcpka' ]
      }),
      service_network => $ec2_api_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # EC2 metadata API, internal-only; shares the ec2_api VIP and nodes.
  if $ec2_api_metadata {
    ::tripleo::haproxy::endpoint { 'ec2_api_metadata':
      internal_ip => hiera('ec2_api_vip', $controller_virtual_ip),
      service_port => $ports[ec2_api_metadata_port],
      ip_addresses => hiera('ec2_api_node_ips', $controller_hosts_real),
      server_names => hiera('ec2_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      service_network => $ec2_api_metadata_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Aodh API: public and internal frontends, internal-TLS member options
  # applied when enabled.
  if $aodh {
    ::tripleo::haproxy::endpoint { 'aodh':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('aodh_api_vip', $controller_virtual_ip),
      service_port => $ports[aodh_api_port],
      ip_addresses => hiera('aodh_api_node_ips', $controller_hosts_real),
      server_names => hiera('aodh_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[aodh_api_ssl_port],
      service_network => $aodh_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Panko API: public and internal frontends, internal-TLS member options
  # applied when enabled.
  if $panko {
    ::tripleo::haproxy::endpoint { 'panko':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('panko_api_vip', $controller_virtual_ip),
      service_port => $ports[panko_api_port],
      ip_addresses => hiera('panko_api_node_ips', $controller_hosts_real),
      server_names => hiera('panko_api_node_names', $controller_hosts_names_real),
      public_ssl_port => $ports[panko_api_ssl_port],
      mode => 'http',
      service_network => $panko_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Barbican (key manager) API: public and internal frontends, internal-TLS
  # member options applied when enabled.
  if $barbican {
    ::tripleo::haproxy::endpoint { 'barbican':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('barbican_api_vip', $controller_virtual_ip),
      service_port => $ports[barbican_api_port],
      ip_addresses => hiera('barbican_api_node_ips', $controller_hosts_real),
      server_names => hiera('barbican_api_node_names', $controller_hosts_names_real),
      public_ssl_port => $ports[barbican_api_ssl_port],
      service_network => $barbican_network,
      mode => 'http',
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Gnocchi API: public and internal frontends, internal-TLS member options
  # applied when enabled.
  if $gnocchi {
    ::tripleo::haproxy::endpoint { 'gnocchi':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('gnocchi_api_vip', $controller_virtual_ip),
      service_port => $ports[gnocchi_api_port],
      ip_addresses => hiera('gnocchi_api_node_ips', $controller_hosts_real),
      server_names => hiera('gnocchi_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[gnocchi_api_ssl_port],
      service_network => $gnocchi_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Mistral API.
  # NOTE(review): member_options is not passed, so the endpoint default
  # (without $internal_tls_member_options) applies and the backend is
  # presumably plaintext even under $enable_internal_tls — confirm.
  if $mistral {
    ::tripleo::haproxy::endpoint { 'mistral':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('mistral_api_vip', $controller_virtual_ip),
      service_port => $ports[mistral_api_port],
      ip_addresses => hiera('mistral_api_node_ips', $controller_hosts_real),
      server_names => hiera('mistral_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[mistral_api_ssl_port],
      service_network => $mistral_network,
    }
  }
  # Swift proxy: health check on /healthcheck and explicit 2m client/server
  # timeouts layered over the defaults.
  if $swift_proxy_server {
    $swift_proxy_server_listen_options = {
      'option' => [ 'httpchk GET /healthcheck', ],
      'timeout client' => '2m',
      'timeout server' => '2m',
    }
    ::tripleo::haproxy::endpoint { 'swift_proxy_server':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('swift_proxy_vip', $controller_virtual_ip),
      service_port => $ports[swift_proxy_port],
      ip_addresses => hiera('swift_proxy_node_ips', $controller_hosts_real),
      server_names => hiera('swift_proxy_node_names', $controller_hosts_names_real),
      mode => 'http',
      listen_options => merge($default_listen_options, $swift_proxy_server_listen_options),
      public_ssl_port => $ports[swift_proxy_ssl_port],
      service_network => $swift_proxy_server_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Shared settings for the heat_api and heat_cfn endpoints: 10m timeouts
  # and, when a public certificate is configured, an 'rsprep' rule that
  # rewrites http:// Location headers for the public VIP to https://.
  # NOTE(review): $public_virtual_ip is interpolated into the rsprep regex
  # unescaped — '.' in an IPv4 address matches any character (harmless but
  # loose), and a bracketed IPv6 literal would change the regex meaning;
  # confirm the accepted VIP formats.
  $heat_api_vip = hiera('heat_api_vip', $controller_virtual_ip)
  $heat_ip_addresses = hiera('heat_api_node_ips', $controller_hosts_real)
  $heat_timeout_options = {
    'timeout client' => '10m',
    'timeout server' => '10m',
  }
  if $service_certificate {
    $heat_ssl_options = {
      'rsprep' => "^Location:\\ http://${public_virtual_ip}(.*) Location:\\ https://${public_virtual_ip}\\1",
    }
    $heat_options = merge($default_listen_options, $heat_ssl_options, $heat_timeout_options)
  } else {
    $heat_options = merge($default_listen_options, $heat_timeout_options)
  }
  # Heat API: uses the shared $heat_options (timeouts and Location
  # rewrite); internal-TLS member options applied when enabled.
  if $heat_api {
    ::tripleo::haproxy::endpoint { 'heat_api':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => $heat_api_vip,
      service_port => $ports[heat_api_port],
      ip_addresses => $heat_ip_addresses,
      server_names => hiera('heat_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      listen_options => $heat_options,
      public_ssl_port => $ports[heat_api_ssl_port],
      service_network => $heat_api_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Heat CloudFormation API: same VIP, nodes and $heat_options as heat_api,
  # different ports.
  if $heat_cfn {
    ::tripleo::haproxy::endpoint { 'heat_cfn':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => $heat_api_vip,
      service_port => $ports[heat_cfn_port],
      ip_addresses => $heat_ip_addresses,
      server_names => hiera('heat_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      listen_options => $heat_options,
      public_ssl_port => $ports[heat_cfn_ssl_port],
      service_network => $heat_cfn_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Horizon is handled by a dedicated class rather than the generic
  # endpoint; it receives the same certificate/TLS plumbing explicitly,
  # since the Tripleo::Haproxy::Endpoint resource defaults do not apply.
  if $horizon {
    class { '::tripleo::haproxy::horizon_endpoint':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('horizon_vip', $controller_virtual_ip),
      haproxy_listen_bind_param => $haproxy_listen_bind_param,
      ip_addresses => hiera('horizon_node_ips', $controller_hosts_real),
      server_names => hiera('horizon_node_names', $controller_hosts_names_real),
      member_options => union($haproxy_member_options, $internal_tls_member_options),
      public_certificate => $service_certificate,
      use_internal_certificates => $use_internal_certificates,
      internal_certificates_specs => $internal_certificates_specs,
      service_network => $horizon_network,
      manage_firewall => $manage_firewall,
    }
  }
  # Ironic API: public and internal frontends, internal-TLS member options
  # applied when enabled.
  if $ironic {
    ::tripleo::haproxy::endpoint { 'ironic':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('ironic_api_vip', $controller_virtual_ip),
      service_port => $ports[ironic_api_port],
      ip_addresses => hiera('ironic_api_node_ips', $controller_hosts_real),
      server_names => hiera('ironic_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[ironic_api_ssl_port],
      service_network => $ironic_network,
      member_options => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  # Ironic inspector.  listen_options is assigned a literal hash rather than
  # merged with $default_listen_options, so this listener carries neither
  # the default 'httpchk'/'httplog' options nor the X-Forwarded-Proto/Port
  # headers; member_options is also left at the endpoint default (no
  # internal-TLS options).
  # NOTE(review): confirm both omissions are intentional.
  if $ironic_inspector {
    ::tripleo::haproxy::endpoint { 'ironic-inspector':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('ironic_inspector_vip', $controller_virtual_ip),
      service_port => $ports[ironic_inspector_port],
      ip_addresses => hiera('ironic_inspector_node_ips', $controller_hosts_real),
      server_names => hiera('ironic_inspector_node_names', $controller_hosts_names_real),
      public_ssl_port => $ports[ironic_inspector_ssl_port],
      service_network => $ironic_inspector_network,
      mode => 'http',
      listen_options => { 'http-check' => ['expect rstring .*200.*'], },
    }
  }
  # Designate API.
  # NOTE(review): member_options is not passed, so the endpoint default
  # (without $internal_tls_member_options) applies and the backend is
  # presumably plaintext even under $enable_internal_tls — confirm.
  if $designate {
    ::tripleo::haproxy::endpoint { 'designate':
      public_virtual_ip => $public_virtual_ip,
      internal_ip => hiera('designate_api_vip', $controller_virtual_ip),
      service_port => $ports[designate_api_port],
      ip_addresses => hiera('designate_api_node_ips', $controller_hosts_real),
      server_names => hiera('designate_api_node_names', $controller_hosts_names_real),
      mode => 'http',
      public_ssl_port => $ports[designate_api_ssl_port],
      service_network => $designate_network,
    }
  }
  # MetricsQdr (AMQP router) listener.  Bound on the *public* VIP as plain
  # TCP with a tcp-check health probe; members are the pacemaker
  # (controller) nodes.  The member options do not include
  # $internal_tls_member_options and verifyhost is forced to false, so this
  # backend is plaintext regardless of $enable_internal_tls.
  if $metrics_qdr {
    $metrics_bind_opts = {
      "${public_virtual_ip}:${ports[metrics_qdr_port]}" => $haproxy_listen_bind_param,
    }
    haproxy::listen { 'metrics_qdr':
      bind => $metrics_bind_opts,
      options => {
        'option' => [ 'tcp-check', 'tcplog' ],
        'tcp-check' => ["connect port ${ports[metrics_qdr_port]}"],
      },
      collect_exported => false,
    }
    # Note(mmagr): while MetricsQdr service runs on all overcloud nodes, we need load balancing
    # only on controllers as those are only QDRs forming mesh (listening on connection
    # from QDRs running other nodes [storage, compute, etc.]). Sadly we don't have another
    # reasonable way to get list of internal_api interfaces of controllers than using list
    # of other services running only on controllers and also using internal_api network.
    # MetricsQdr will be refactored (split to QDR running on controller or on other node)
    # to better integrate, but for now we need this hack to enable the feature
    haproxy::balancermember { 'metrics_qdr':
      listening_service => 'metrics_qdr',
      ports => $ports[metrics_qdr_port],
      ipaddresses => hiera('pacemaker_node_ips', $controller_hosts_real),
      server_names => hiera('pacemaker_node_names', $controller_hosts_names_real),
      options => union($haproxy_member_options, ['on-marked-down shutdown-sessions']),
      verifyhost => false,
    }
  }
  # MySQL listener/member options.  With clustercheck the health check is an
  # HTTP probe answered on port 9200 ('httpchk' + 'port 9200'), and
  # 'stick on dst' pins connections to one backend.  All default members are
  # 'backup' so that, absent 'option allbackups', traffic stays on a single
  # node.  Explicit $mysql_member_options replace these defaults entirely.
  if $mysql_clustercheck {
    $mysql_listen_options = {
      'option' => [ 'tcpka', 'httpchk', 'tcplog' ],
      'timeout client' => '90m',
      'timeout server' => '90m',
      'stick-table' => 'type ip size 1000',
      'stick' => 'on dst',
      'maxconn' => $mysql_max_conn
    }
    if $mysql_member_options {
      $mysql_member_options_real = $mysql_member_options
    } else {
      $mysql_member_options_real = ['backup', 'port 9200', 'on-marked-down shutdown-sessions', 'check', 'inter 1s']
    }
  } else {
    $mysql_listen_options = {
      'timeout client' => '90m',
      'timeout server' => '90m',
      'maxconn' => $mysql_max_conn
    }
    if $mysql_member_options {
      $mysql_member_options_real = $mysql_member_options
    } else {
      $mysql_member_options_real = union($haproxy_member_options, ['backup'])
    }
  }
  # MySQL listener on ${mysql_vip}:3306 (tcp mode from the defaults).
  # Operator tweaks come in via deep_merge of $mysql_custom_listen_options.
  # When this class manages the firewall it opens 3306 on the host; the
  # listener is bound to the VIP, so keep the VIP's reachability in mind.
  if $mysql {
    if hiera('nova_is_additional_cell', undef) {
      $mysql_server_names_real = hiera('mysql_cell_node_names', $controller_hosts_names_real)
    } else {
      $mysql_server_names_real = hiera('mysql_node_names', $controller_hosts_names_real)
    }
    haproxy::listen { 'mysql':
      bind => $mysql_bind_opts,
      options => deep_merge($mysql_listen_options, $mysql_custom_listen_options),
      collect_exported => false,
    }
    haproxy::balancermember { 'mysql-backup':
      listening_service => 'mysql',
      ports => '3306',
      ipaddresses => hiera('mysql_node_ips', $controller_hosts_real),
      server_names => $mysql_server_names_real,
      options => $mysql_member_options_real,
    }
    if $manage_firewall {
      include ::tripleo::firewall
      $mysql_firewall_rules = {
        '100 mysql_haproxy' => {
          'dport' => 3306,
        }
      }
      create_resources('tripleo::firewall::rule', $mysql_firewall_rules)
    }
  }
  # RabbitMQ listener on ${rabbitmq_vip}:5672, tcp mode with keepalive and
  # unlimited (0) client/server timeouts for long-lived AMQP connections.
  # Members use $haproxy_member_options only (no internal-TLS options).
  if $rabbitmq {
    haproxy::listen { 'rabbitmq':
      bind => $rabbitmq_bind_opts,
      options => {
        'option' => [ 'tcpka', 'tcplog' ],
        'timeout' => [ 'client 0', 'server 0' ],
      },
      collect_exported => false,
    }
    haproxy::balancermember { 'rabbitmq':
      listening_service => 'rabbitmq',
      ports => '5672',
      ipaddresses => hiera('rabbitmq_node_ips', $controller_hosts_real),
      server_names => hiera('rabbitmq_node_names', $controller_hosts_names_real),
      options => $haproxy_member_options,
    }
  }
  if $etcd {
    # etcd is internal-only (no public_virtual_ip). 'balance source' pins each
    # client to one member so a client keeps talking to the same etcd node.
    ::tripleo::haproxy::endpoint { 'etcd':
      service_network => $etcd_network,
      internal_ip     => hiera('etcd_vip', $controller_virtual_ip),
      service_port    => $ports[etcd_port],
      server_names    => hiera('etcd_node_names', $controller_hosts_names_real),
      ip_addresses    => hiera('etcd_node_ips', $controller_hosts_real),
      member_options  => union($haproxy_member_options, $internal_tls_member_options),
      listen_options  => {
        'balance' => 'source',
      }
    }
  }
  if $docker_registry {
    # NOTE(review): the registry is bound on public_virtual_ip as well as the
    # internal VIP, so it is reachable from the external network on
    # docker_registry_ssl_port; confirm that exposure is intended and that the
    # registry itself enforces authentication.
    ::tripleo::haproxy::endpoint { 'docker-registry':
      service_network   => $docker_registry_network,
      public_virtual_ip => $public_virtual_ip,
      public_ssl_port   => $ports[docker_registry_ssl_port],
      internal_ip       => hiera('docker_registry_vip', $controller_virtual_ip),
      service_port      => $ports[docker_registry_port],
      server_names      => hiera('docker_registry_node_names', $controller_hosts_names_real),
      ip_addresses      => hiera('docker_registry_node_ips', $controller_hosts_real),
    }
  }
  if $redis {
    $redis_vip = hiera('redis_vip', $controller_virtual_ip)
    $redis_bind_opts = {
      "${redis_vip}:6379" => $haproxy_listen_bind_param,
    }

    # Health-check transport. With internal TLS the check itself speaks TLS
    # (check-ssl) against the CA bundle; the proxied client traffic is passed
    # through as TCP either way.
    # NOTE(review): 'ca-file' is set but no 'verify required' appears in the
    # member options, so whether the check actually validates the server
    # certificate depends on the global ssl-server-verify setting, which is
    # not visible here - confirm.
    if !$enable_internal_tls {
      $redis_tcp_check_ssl_options = ['connect port 6379']
      $redis_ssl_member_options = []
    } else {
      $redis_tcp_check_ssl_options = ['connect port 6379 ssl']
      $redis_ssl_member_options = ['check-ssl', "ca-file ${ca_bundle}"]
    }

    # Authenticate the health check when Redis requires a password.
    # NOTE(review): the password is rendered verbatim into haproxy.cfg; the
    # file's permissions are therefore part of the secret's protection, and
    # without internal TLS the AUTH line crosses the wire in clear text.
    if !$redis_password {
      $redis_tcp_check_password_options = []
    } else {
      $redis_tcp_check_password_options = ["send AUTH\\ ${redis_password}\\r\\n",
                                           'expect string +OK']
    }

    # Order matters: connect, (AUTH), PING, then role check, then QUIT. Only
    # the member reporting 'role:master' passes, and 'balance first' always
    # routes to the first healthy member, i.e. the current master.
    $redis_tcp_check_options = union($redis_tcp_check_ssl_options, $redis_tcp_check_password_options)
    haproxy::listen { 'redis':
      collect_exported => false,
      bind             => $redis_bind_opts,
      options          => {
        'balance'   => 'first',
        'option'    => [ 'tcp-check', 'tcplog', ],
        'tcp-check' => union($redis_tcp_check_options, ['send PING\r\n',
                                                       'expect string +PONG',
                                                       'send info\ replication\r\n',
                                                       'expect string role:master',
                                                       'send QUIT\r\n',
                                                       'expect string +OK']),
      },
    }
    haproxy::balancermember { 'redis':
      listening_service => 'redis',
      server_names      => hiera('redis_node_names', $controller_hosts_names_real),
      ipaddresses       => hiera('redis_node_ips', $controller_hosts_real),
      ports             => '6379',
      # shutdown-sessions drops existing client connections on failover so
      # nobody keeps writing to a demoted master.
      options           => union($haproxy_member_options, ['on-marked-down shutdown-sessions'], $redis_ssl_member_options),
      verifyhost        => false,
    }
    if $manage_firewall {
      include ::tripleo::firewall
      $redis_firewall_rules = {
        '100 redis_haproxy' => {
          'dport' => 6379,
        }
      }
      create_resources('tripleo::firewall::rule', $redis_firewall_rules)
    }
  }
  if $zaqar_api {
    # Zaqar REST API: HTTP mode, served on both the public and internal VIPs;
    # members pick up the internal TLS options when enabled.
    ::tripleo::haproxy::endpoint { 'zaqar_api':
      mode              => 'http',
      service_network   => $zaqar_api_network,
      public_virtual_ip => $public_virtual_ip,
      public_ssl_port   => $ports[zaqar_api_ssl_port],
      internal_ip       => hiera('zaqar_api_vip', $controller_virtual_ip),
      service_port      => $ports[zaqar_api_port],
      server_names      => hiera('zaqar_api_node_names', $controller_hosts_names_real),
      ip_addresses      => hiera('zaqar_api_node_ips', $controller_hosts_real),
      member_options    => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  if $ceph_rgw {
    # Ceph RadosGW (Swift-compatible object API). The health check hits the
    # unauthenticated /swift/healthcheck path rather than the bucket API.
    ::tripleo::haproxy::endpoint { 'ceph_rgw':
      mode              => 'http',
      service_network   => $ceph_rgw_network,
      public_virtual_ip => $public_virtual_ip,
      public_ssl_port   => $ports[ceph_rgw_ssl_port],
      internal_ip       => hiera('ceph_rgw_vip', $controller_virtual_ip),
      service_port      => $ports[ceph_rgw_port],
      server_names      => hiera('ceph_rgw_node_names', $controller_hosts_names_real),
      ip_addresses      => hiera('ceph_rgw_node_ips', $controller_hosts_real),
      listen_options    => merge($default_listen_options, { 'option' => [ 'httpchk GET /swift/healthcheck' ] }),
      member_options    => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  if $opendaylight {
    # Both ODL endpoints are internal-only. The REST API and the websocket
    # endpoint share the same VIP and backend members; unique() collapses the
    # VIP list when opendaylight_api_vip equals the controller VIP.
    ::tripleo::haproxy::endpoint { 'opendaylight':
      mode            => 'http',
      service_network => $opendaylight_network,
      internal_ip     => unique([hiera('opendaylight_api_vip', $controller_virtual_ip), $controller_virtual_ip]),
      service_port    => $ports[opendaylight_api_port],
      server_names    => hiera('opendaylight_api_node_names', $controller_hosts_names_real),
      ip_addresses    => hiera('opendaylight_api_node_ips', $controller_hosts_real),
      member_options  => union($haproxy_member_options, $internal_tls_member_options),
      listen_options  => merge($default_listen_options,
        { 'option' => [ 'httpchk GET /diagstatus', 'httplog' ] }),
    }
    # NOTE(review): unlike the REST endpoint above, no member_options are
    # passed here, so $internal_tls_member_options does not apply to the
    # websocket members - confirm that is intended when internal TLS is on.
    ::tripleo::haproxy::endpoint { 'opendaylight_ws':
      mode            => 'http',
      service_network => $opendaylight_network,
      internal_ip     => unique([hiera('opendaylight_api_vip', $controller_virtual_ip), $controller_virtual_ip]),
      service_port    => $ports[opendaylight_ws_port],
      server_names    => hiera('opendaylight_api_node_names', $controller_hosts_names_real),
      ip_addresses    => hiera('opendaylight_api_node_ips', $controller_hosts_real),
      listen_options  => {
        # Websocket connections start as HTTP and are then upgraded to a
        # long-lived tunnel, so the tunnel timeout (one hour) is what governs
        # the established connection while connect/client/server stay short.
        # Values follow:
        # http://blog.haproxy.com/2012/11/07/websockets-load-balancing-with-haproxy/
        'timeout' => ['connect 5s', 'client 25s', 'server 25s', 'tunnel 3600s'],
      },
    }
  }
  if $octavia {
    # Octavia API on public and internal VIPs.
    # NOTE(review): the node-name and node-IP lookups have no controller
    # fallback, unlike the sibling endpoints, so catalog compilation fails if
    # those hiera keys are absent - presumably deliberate, verify.
    ::tripleo::haproxy::endpoint { 'octavia':
      mode              => 'http',
      service_network   => $octavia_network,
      public_virtual_ip => $public_virtual_ip,
      public_ssl_port   => $ports[octavia_api_ssl_port],
      internal_ip       => hiera('octavia_api_vip', $controller_virtual_ip),
      service_port      => $ports[octavia_api_port],
      server_names      => hiera('octavia_api_node_names'),
      ip_addresses      => hiera('octavia_api_node_ips'),
      member_options    => union($haproxy_member_options, $internal_tls_member_options),
    }
  }
  if $ovn_dbs and $ovn_dbs_manage_lb {
    # OVN DBs are only load-balanced here when HA for the OVN DB servers is
    # disabled; with HA enabled pacemaker owns ovn_dbs_vip instead.
    # FIXME: is this config enough to ensure we only hit the first node in
    # ovn_northd_node_ips ?
    # The stick table keyed on destination keeps all clients pinned to the same
    # backend once chosen.
    $ovn_db_listen_options = {
      'option'         => [ 'tcpka', 'tcplog' ],
      'timeout client' => '90m',
      'timeout server' => '90m',
      'stick-table'    => 'type ip size 1000',
      'stick'          => 'on dst',
    }
    # NOTE(review): both databases are also bound on public_virtual_ip, which
    # exposes the OVN control plane on the external network; confirm that is
    # intended and that the DBs enforce TLS/ACLs on those ports.
    ::tripleo::haproxy::endpoint { 'ovn_nbdb':
      mode              => 'tcp',
      service_network   => $ovn_dbs_network,
      public_virtual_ip => $public_virtual_ip,
      public_ssl_port   => $ports[ovn_nbdb_ssl_port],
      internal_ip       => hiera('ovn_dbs_vip', $controller_virtual_ip),
      service_port      => $ports[ovn_nbdb_port],
      server_names      => hiera('ovn_dbs_node_names', $controller_hosts_names_real),
      ip_addresses      => hiera('ovn_dbs_node_ips', $controller_hosts_real),
      listen_options    => $ovn_db_listen_options,
    }
    ::tripleo::haproxy::endpoint { 'ovn_sbdb':
      mode              => 'tcp',
      service_network   => $ovn_dbs_network,
      public_virtual_ip => $public_virtual_ip,
      public_ssl_port   => $ports[ovn_sbdb_ssl_port],
      internal_ip       => hiera('ovn_dbs_vip', $controller_virtual_ip),
      service_port      => $ports[ovn_sbdb_port],
      server_names      => hiera('ovn_dbs_node_names', $controller_hosts_names_real),
      ip_addresses      => hiera('ovn_dbs_node_ips', $controller_hosts_real),
      listen_options    => $ovn_db_listen_options,
    }
  }
  if $zaqar_ws {
    # Zaqar websocket endpoint. Bound without the 'transparent' bind param
    # (empty haproxy_listen_bind_param) because transparent proxying is not
    # used for websockets here.
    # NOTE(review): no member_options are passed, so $internal_tls_member_options
    # does not apply to these members; confirm the backend is plain HTTP.
    ::tripleo::haproxy::endpoint { 'zaqar_ws':
      mode                      => 'http',
      service_network           => $zaqar_api_network,
      haproxy_listen_bind_param => [],
      public_virtual_ip         => $public_virtual_ip,
      public_ssl_port           => $ports[zaqar_ws_ssl_port],
      internal_ip               => hiera('zaqar_ws_vip', $controller_virtual_ip),
      service_port              => $ports[zaqar_ws_port],
      server_names              => hiera('zaqar_ws_node_names', $controller_hosts_names_real),
      ip_addresses              => hiera('zaqar_ws_node_ips', $controller_hosts_real),
      listen_options            => {
        # Websocket connections start as HTTP and are upgraded to a tunnel, so
        # the tunnel timeout governs the established connection. Its length is
        # operator-configurable via $zaqar_ws_timeout_tunnel; the other values
        # follow:
        # http://blog.haproxy.com/2012/11/07/websockets-load-balancing-with-haproxy/
        'timeout' => ['connect 5s', 'client 25s', 'server 25s', regsubst('tunnel Xs', 'X', $zaqar_ws_timeout_tunnel)],
      },
    }
  }
  if $ui {
    # TripleO UI, served publicly. The UI opens long-lived (websocket) sessions
    # through the same HTTPS endpoint, so it needs the same one-hour tunnel
    # timeout as zaqar_ws.
    # NOTE(review): server_names is taken straight from the controller list
    # while ip_addresses can be overridden via 'ui_ips'; if an operator sets
    # ui_ips to a different set of hosts the two lists no longer line up.
    ::tripleo::haproxy::endpoint { 'ui':
      mode              => 'http',
      public_virtual_ip => $public_virtual_ip,
      public_ssl_port   => $ports[ui_ssl_port],
      internal_ip       => hiera('ui_vip', $controller_virtual_ip),
      service_port      => $ports[ui_port],
      server_names      => $controller_hosts_names_real,
      ip_addresses      => hiera('ui_ips', $controller_hosts_real),
      listen_options    => {
        'timeout' => ['tunnel 3600s'],
      },
    }
  }
  if $kubernetes_master {
    # Kubernetes API server, internal VIP only (no public_virtual_ip).
    # NOTE(review): public_ssl_port is still passed although no public VIP is
    # set; presumably ignored by tripleo::haproxy::endpoint in that case -
    # verify, since an unintended public bind here would expose the API.
    ::tripleo::haproxy::endpoint { 'kubernetes-master':
      service_network => $kubernetes_master_network,
      public_ssl_port => $ports[kubernetes_master_ssl_port],
      internal_ip     => hiera('kubernetes_master_vip', $controller_virtual_ip),
      service_port    => $ports[kubernetes_master_port],
      server_names    => hiera('kubernetes_master_node_names', $controller_hosts_names_real),
      ip_addresses    => hiera('kubernetes_master_node_ips', $controller_hosts_real),
      listen_options  => {
        'balance' => 'roundrobin',
      }
    }
  }
  if $openshift_master {
    # OpenShift master API on both VIPs. 'balance source' keeps a client on
    # the same master across requests.
    # NOTE(review): no member_options are passed, so $internal_tls_member_options
    # is not applied to these members; confirm that matches how the masters
    # terminate TLS.
    ::tripleo::haproxy::endpoint { 'openshift-master':
      service_network   => $openshift_master_network,
      public_virtual_ip => $public_virtual_ip,
      public_ssl_port   => $ports[openshift_master_ssl_port],
      internal_ip       => hiera('openshift_master_vip', $controller_virtual_ip),
      service_port      => $ports[openshift_master_port],
      server_names      => hiera('openshift_master_node_names', $controller_hosts_names_real),
      ip_addresses      => hiera('openshift_master_node_ips', $controller_hosts_real),
      listen_options    => {
        'balance' => 'source',
      }
    }
  }
  1692. }