82875a4933
a) The haproxy.stats stanza in haproxy config file has pretty much remained the same since newton: listen haproxy.stats bind 192.168.24.8:1993 transparent mode http stats enable stats uri / stats auth admin:tRJre6PnQuN4ZwqKYUygTJArB b) what we do today with the haproxy stats makes little sense: - we bind it to the VIP running on the control-plane network on all controller nodes - de facto we allow to look at the haproxy stat info via web only on the node holding the ctlplane VIP - since haproxy does not share stats across nodes, we're effectively limited at looking at the stats info on a single node. Now imagine ctrl-0 holding the internal_api VIP and ctrl-1 holding the ctlplane VIP. Basically now the only stats you will be able to see are the ones relative to keystone_admin (which for other silly reasons has been moved to ctlplane by default) and very little else. Tested this and am able to bind the haproxy stat to another network and to have it listen to the IP of the node on said network (in addition to the ctrlplane vip which we do not remove as it might break stuff): listen haproxy.stats bind fd00:fd00:fd00:2000::16:1993 transparent bind 192.168.24.15:1993 transparent mode http stats enable stats uri / stats auth admin:password Closes-Bug: #1830334 NB: Cherry-pick not 100% clean as it applies to puppet/services/haproxy.yaml and not docker/services/haproxy.yaml NB: Tiny conflict due to context for the queens backport Depends-On: Iab5f11c3065ff34a3543621554e7f05161d069f2 Change-Id: If2ee15f1e0fcf6d077cba524fad75dec7e1144b6 (cherry picked from commit45f5c283e3
) (cherry picked from commit8b3fceb0be
) (cherry picked from commitb56035e655
)
188 lines
6.5 KiB
YAML
188 lines
6.5 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
HAproxy service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableLoadBalancer:
|
|
default: true
|
|
description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used.
|
|
type: boolean
|
|
HAProxyStatsPassword:
|
|
description: Password for HAProxy stats endpoint
|
|
hidden: true
|
|
type: string
|
|
HAProxyStatsUser:
|
|
description: User for HAProxy stats endpoint
|
|
default: admin
|
|
type: string
|
|
HAProxySyslogAddress:
|
|
default: /dev/log
|
|
description: Syslog address where HAproxy will send its log
|
|
type: string
|
|
HAProxySyslogFacility:
|
|
default: local0
|
|
description: Syslog facility HAProxy will use for its logs
|
|
type: string
|
|
HAProxyStatsEnabled:
|
|
default: true
|
|
description: Whether or not to enable the HAProxy stats interface.
|
|
type: boolean
|
|
RedisPassword:
|
|
description: The password for the redis service account.
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionHaproxy:
|
|
default: 'overcloud-haproxy'
|
|
type: string
|
|
SSLCertificate:
|
|
default: ''
|
|
description: >
|
|
The content of the SSL certificate (without Key) in PEM format.
|
|
type: string
|
|
PublicSSLCertificateAutogenerated:
|
|
default: false
|
|
description: >
|
|
Whether the public SSL certificate was autogenerated or not.
|
|
type: boolean
|
|
DeployedSSLCertificatePath:
|
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
|
description: >
|
|
The filepath of the certificate as it will be stored in the controller.
|
|
type: string
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
InternalTLSCRLPEMFile:
|
|
default: '/etc/pki/CA/crl/overcloud-crl.pem'
|
|
type: string
|
|
description: Specifies the default CRL PEM file to use for revocation if
|
|
TLS is used for services in the internal network.
|
|
|
|
conditions:
|
|
|
|
public_tls_enabled:
|
|
or:
|
|
- not:
|
|
equals:
|
|
- {get_param: SSLCertificate}
|
|
- ""
|
|
- equals:
|
|
- {get_param: PublicSSLCertificateAutogenerated}
|
|
- true
|
|
|
|
resources:
|
|
|
|
HAProxyPublicTLS:
|
|
type: OS::TripleO::Services::HAProxyPublicTLS
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
HAProxyInternalTLS:
|
|
type: OS::TripleO::Services::HAProxyInternalTLS
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the HAproxy role.
|
|
value:
|
|
service_name: haproxy
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
|
config_settings:
|
|
map_merge:
|
|
- tripleo.haproxy.firewall_rules:
|
|
'107 haproxy stats':
|
|
dport: 1993
|
|
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
|
|
tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
|
|
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
|
|
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
|
|
tripleo::haproxy::haproxy_stats_bind_address:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, HaproxyNetwork]}
|
|
tripleo::haproxy::redis_password: {get_param: RedisPassword}
|
|
tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
|
|
tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
|
|
tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
|
|
enable_load_balancer: {get_param: EnableLoadBalancer}
|
|
tripleo::profile::base::haproxy::certificates_specs:
|
|
map_merge:
|
|
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
|
|
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
|
|
- if:
|
|
- public_tls_enabled
|
|
- tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
|
|
- {}
|
|
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
|
|
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
|
|
step_config: |
|
|
include ::tripleo::profile::base::haproxy
|
|
upgrade_tasks:
|
|
- name: Check if haproxy is deployed
|
|
command: systemctl is-enabled haproxy
|
|
tags: common
|
|
ignore_errors: True
|
|
register: haproxy_enabled
|
|
- name: "PreUpgrade step0,validation: Check service haproxy is running"
|
|
shell: /usr/bin/systemctl show 'haproxy' --property ActiveState | grep '\bactive\b'
|
|
when:
|
|
- step|int == 0
|
|
- haproxy_enabled.rc == 0
|
|
tags: validation
|
|
- name: Stop haproxy service
|
|
when:
|
|
- step|int == 2
|
|
- haproxy_enabled.rc == 0
|
|
service: name=haproxy state=stopped
|
|
- name: Start haproxy service
|
|
when:
|
|
- step|int == 4
|
|
- haproxy_enabled.rc == 0
|
|
service: name=haproxy state=started
|
|
metadata_settings:
|
|
list_concat:
|
|
- {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
|
|
- {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}
|