Fix haproxy stats network binding

a) The haproxy.stats stanza in haproxy config file has pretty much remained the same since newton: listen haproxy.stats bind 192.168.24.8:1993 transparent mode http stats enable stats uri / stats auth admin:tRJre6PnQuN4ZwqKYUygTJArB b) what we do today with the haproxy stats makes little sense: - we bind it to the VIP running on the control-plane network on all controller nodes - de facto we allow to look at the haproxy stat info via web only on the node holding the ctlplane VIP - since haproxy does not share stats across nodes, we're effectively limited at looking at the stats info on a single node. Now imagine ctrl-0 holding the internal_api VIP and ctrl-1 holding the ctlplane VIP. Basically now the only stats you will be able to see are the ones relative to keystone_admin (which for other silly reasons has been moved to ctlplane by default) and very little else. Tested this and am able to bind the haproxy stat to another network and to have it listen to the IP of the node on said network (in addition to the ctrlplane vip which we do not remove as it might break stuff): listen haproxy.stats bind fd00:fd00:fd00:2000::16:1993 transparent bind 192.168.24.15:1993 transparent mode http stats enable stats uri / stats auth admin:password Closes-Bug: #1830334 NB: Cherry-pick not 100% clean as it applies to puppet/services/haproxy.yaml and not docker/services/haproxy.yaml Depends-On: Iab5f11c3065ff34a3543621554e7f05161d069f2 Change-Id: If2ee15f1e0fcf6d077cba524fad75dec7e1144b6 (cherry picked from commit 45f5c283e3) (cherry picked from commit 8b3fceb0be)
2019-05-18 21:18:48 +02:00 · 2019-05-18 21:18:48 +02:00 · b56035e655
parent bb4fb9d3d4
commit b56035e655
2 changed files with 8 additions and 0 deletions
--- a/network/service_net_map.j2.yaml
+++ b/network/service_net_map.j2.yaml
@ -88,6 +88,8 @@ parameters:
      EtcdNetwork: internal_api
      OpenshiftMasterNetwork: internal_api
      OpenshiftInfraNetwork: internal_api
+      # HaproxyNetwork currently only controls the haproxy.stats network binding
+      HaproxyNetwork: ctlplane
 {% for role in roles if role.name != 'CephStorage' %}
      {{role.name}}HostnameResolveNetwork: internal_api
 {% endfor %}
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@ -143,6 +143,12 @@ outputs:
            tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
            tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
            tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
+            tripleo::haproxy::haproxy_stats_bind_address:
+              str_replace:
+                template:
+                  "%{hiera('$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, HaproxyNetwork]}
            tripleo::haproxy::redis_password: {get_param: RedisPassword}
            tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
            tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}