From 6e27b4b0f681ee0b1fb61bd03e74d73b26ae0c11 Mon Sep 17 00:00:00 2001 From: Olivier Bourdon Date: Thu, 25 May 2017 08:29:07 +0200 Subject: [PATCH] Fix deployment errors when security options disabled Closes-Bug: #1693208 Change-Id: I3f8a3f9b02e9ce0854c6992ae94a101be372de97 --- .../plugin_zabbix/manifests/ha/haproxy.pp | 50 ++++++++++++------- .../modules/plugin_zabbix/manifests/params.pp | 11 ++-- deployment_tasks.yaml | 8 ++- 3 files changed, 48 insertions(+), 21 deletions(-) diff --git a/deployment_scripts/puppet/modules/plugin_zabbix/manifests/ha/haproxy.pp b/deployment_scripts/puppet/modules/plugin_zabbix/manifests/ha/haproxy.pp index e61b457..8439787 100644 --- a/deployment_scripts/puppet/modules/plugin_zabbix/manifests/ha/haproxy.pp +++ b/deployment_scripts/puppet/modules/plugin_zabbix/manifests/ha/haproxy.pp @@ -70,21 +70,38 @@ class plugin_zabbix::ha::haproxy { if $use_ssl { if $horizon_is_here { - # Update Horizon configuration to be able to use HTTPS port - file_line { 'add binding to Zabbix VIP for horizon and zabbix via ssl': - path => '/etc/haproxy/conf.d/017-horizon-ssl.cfg', - after => 'listen horizon-ssl', - line => " bind ${zabbix_vip}:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem", - notify => Exec['haproxy-restart'] + if $ssl[horizon] { + # Update Horizon configuration to be able to use HTTPS port + file_line { 'add binding to Zabbix VIP for horizon and zabbix via ssl': + path => '/etc/haproxy/conf.d/017-horizon-ssl.cfg', + after => 'listen horizon-ssl', + line => " bind ${zabbix_vip}:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem", + notify => Exec['haproxy-restart'] + } + -> + file_line { 'add binding to management VIP for horizon and zabbix via ssl': + path => '/etc/haproxy/conf.d/017-horizon-ssl.cfg', + after => 'listen horizon-ssl', + line => " bind ${mgmt_vip}:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem", + notify => Exec['haproxy-restart'] + } + } else { + # Update Horizon configuration to be able to use HTTP port + file_line { 'add binding to Zabbix VIP for horizon and zabbix': + path => '/etc/haproxy/conf.d/015-horizon.cfg', + after => 'listen horizon', + line => " bind ${zabbix_vip}:80", + notify => Exec['haproxy-restart'] + } + -> + file_line { 'add binding to management VIP for horizon and zabbix': + path => '/etc/haproxy/conf.d/015-horizon.cfg', + after => 'listen horizon', + line => " bind ${mgmt_vip}:80", + notify => Exec['haproxy-restart'] + } } - -> - file_line { 'add binding to management VIP for horizon and zabbix via ssl': - path => '/etc/haproxy/conf.d/017-horizon-ssl.cfg', - after => 'listen horizon-ssl', - line => " bind ${mgmt_vip}:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem", - notify => Exec['haproxy-restart'] - } - }else{ + } else { openstack::ha::haproxy_service { 'zabbix-ui': order => '211', listen_port => 80, @@ -94,7 +111,6 @@ class plugin_zabbix::ha::haproxy { 'redirect' => 'scheme https if !{ ssl_fc }' }, } - openstack::ha::haproxy_service { 'zabbix-ui-ssl': order => '212', listen_port => 443, @@ -130,7 +146,7 @@ class plugin_zabbix::ha::haproxy { notify => Exec['haproxy-restart'], } } - }else{ + } else { if $horizon_is_here { # Update Horizon configuration to be able to use HTTP port file_line { 'add binding to Zabbix VIP for horizon and zabbix': @@ -139,7 +155,7 @@ class plugin_zabbix::ha::haproxy { line => " bind ${zabbix_vip}:80", notify => Exec['haproxy-restart'] } - }else{ + } else { openstack::ha::haproxy_service { 'zabbix-ui': order => '211', listen_port => 80, diff --git a/deployment_scripts/puppet/modules/plugin_zabbix/manifests/params.pp b/deployment_scripts/puppet/modules/plugin_zabbix/manifests/params.pp index 7876061..c168236 100644 --- a/deployment_scripts/puppet/modules/plugin_zabbix/manifests/params.pp +++ b/deployment_scripts/puppet/modules/plugin_zabbix/manifests/params.pp @@ -125,6 +125,7 @@ class plugin_zabbix::params { #server parameters $vip_name = 'zbx_vip_mgmt' $server_ip = $network_metadata['vips'][$vip_name]['ipaddr'] + $server_public_ip = $network_metadata['vips']['public']['ipaddr'] $mgmt_vip = $network_metadata['vips']['management']['ipaddr'] $server_config = "${zabbix_base_conf_dir}/zabbix_server.conf" $server_config_template = 'plugin_zabbix/zabbix_server.conf.erb' @@ -184,9 +185,13 @@ class plugin_zabbix::params { #api $use_ssl = $ssl[horizon] or $ssl[services] if $use_ssl { - $api_url = "https://${mgmt_vip}${frontend_base}/api_jsonrpc.php" - }else{ - $api_url = "http://${mgmt_vip}${frontend_base}/api_jsonrpc.php" + if $ssl[horizon] { + $api_url = "https://${server_public_ip}${frontend_base}/api_jsonrpc.php" + } else { + $api_url = "http://${server_public_ip}${frontend_base}/api_jsonrpc.php" + } + } else { + $api_url = "http://${server_public_ip}${frontend_base}/api_jsonrpc.php" } $api_hash = { endpoint => $api_url, diff --git a/deployment_tasks.yaml b/deployment_tasks.yaml index 585de79..5754084 100644 --- a/deployment_tasks.yaml +++ b/deployment_tasks.yaml @@ -15,9 +15,15 @@ - id: zbx-primary-services type: puppet version: 2.0.0 - requires: [post_deployment_start, zbx-configure-apt] + requires: [post_deployment_start, zbx-configure-apt, cluster-haproxy] required_for: [post_deployment_end] role: [primary-controller] + # The primary crontroller configuration shouldn't start before haproxy is finished + # hence the cross-depends parameter that is required when running in + # a task-based deployment mode. + cross-depends: + - name: cluster-haproxy + role: [primary-controller] parameters: puppet_manifest: puppet/manifests/primary_controller.pp puppet_modules: puppet/modules:/etc/puppet/modules