162 lines
6.3 KiB
Puppet
162 lines
6.3 KiB
Puppet
#
|
|
# Copyright 2015 Mirantis, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
# not use this file except in compliance with the License. You may obtain
|
|
# a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
# License for the specific language governing permissions and limitations
|
|
# under the License.
|
|
#
|
|
class plugin_zabbix::ha::haproxy {
|
|
|
|
include openstack::ha::haproxy_restart
|
|
|
|
Haproxy::Service { use_include => true }
|
|
Haproxy::Balancermember { use_include => true }
|
|
Haproxy::Listen { use_include => true }
|
|
|
|
$public_vip = hiera('public_vip')
|
|
$ssl = hiera('public_ssl')
|
|
$zabbix_vip = $plugin_zabbix::params::server_ip
|
|
$mgmt_vip = $plugin_zabbix::params::mgmt_vip
|
|
$network_metadata = hiera_hash('network_metadata')
|
|
$primary_controller_nodes = get_nodes_hash_by_roles($network_metadata, ['primary-controller'])
|
|
$controllers = get_nodes_hash_by_roles($network_metadata, ['primary-controller', 'controller'])
|
|
$server_names = keys($controllers)
|
|
$ipaddresses = values(get_node_to_ipaddr_map_by_network_role($controllers, 'management'))
|
|
Plugin_zabbix::Ha::Haproxy_service {
|
|
server_names => $server_names,
|
|
ipaddresses => $ipaddresses,
|
|
public_virtual_ip => $public_vip,
|
|
internal_virtual_ip => $zabbix_vip,
|
|
}
|
|
|
|
plugin_zabbix::ha::haproxy_service { 'zabbix-agent':
|
|
order => '210',
|
|
listen_port => $plugin_zabbix::params::zabbix_ports['agent'],
|
|
balancermember_port => $plugin_zabbix::params::zabbix_ports['backend_agent'],
|
|
haproxy_config_options => {
|
|
'option' => ['tcpka'],
|
|
'timeout client' => '48h',
|
|
'timeout server' => '48h',
|
|
'balance' => 'roundrobin',
|
|
'mode' => 'tcp'
|
|
},
|
|
balancermember_options => 'check inter 5000 rise 2 fall 3',
|
|
notify => Exec['haproxy-restart'],
|
|
}
|
|
|
|
$horizon_is_here = defined_in_state(Class['openstack::ha::horizon'])
|
|
|
|
# Always configure HTTPS if a certificate is available
|
|
$use_ssl = $ssl[horizon] or $ssl[services]
|
|
|
|
# Defaults for any haproxy_service within this class
|
|
# This is used only when horizon is not deployed on controllers
|
|
Openstack::Ha::Haproxy_service {
|
|
internal_virtual_ip => $zabbix_vip,
|
|
ipaddresses => $ipaddresses,
|
|
public_virtual_ip => $public_vip,
|
|
server_names => $server_names,
|
|
public => true,
|
|
internal => true,
|
|
}
|
|
|
|
if $use_ssl {
|
|
if $horizon_is_here {
|
|
# Update Horizon configuration to be able to use HTTPS port
|
|
file_line { 'add binding to Zabbix VIP for horizon and zabbix via ssl':
|
|
path => '/etc/haproxy/conf.d/017-horizon-ssl.cfg',
|
|
after => 'listen horizon-ssl',
|
|
line => " bind ${zabbix_vip}:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem",
|
|
notify => Exec['haproxy-restart']
|
|
}
|
|
->
|
|
file_line { 'add binding to management VIP for horizon and zabbix via ssl':
|
|
path => '/etc/haproxy/conf.d/017-horizon-ssl.cfg',
|
|
after => 'listen horizon-ssl',
|
|
line => " bind ${mgmt_vip}:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem",
|
|
notify => Exec['haproxy-restart']
|
|
}
|
|
}else{
|
|
openstack::ha::haproxy_service { 'zabbix-ui':
|
|
order => '211',
|
|
listen_port => 80,
|
|
server_names => undef,
|
|
ipaddresses => undef,
|
|
haproxy_config_options => {
|
|
'redirect' => 'scheme https if !{ ssl_fc }'
|
|
},
|
|
}
|
|
|
|
openstack::ha::haproxy_service { 'zabbix-ui-ssl':
|
|
order => '212',
|
|
listen_port => 443,
|
|
balancermember_port => 80,
|
|
public_ssl => true,
|
|
public_ssl_path => '/var/lib/astute/haproxy/public_haproxy.pem',
|
|
haproxy_config_options => {
|
|
'option' => ['forwardfor', 'httpchk', 'httpclose', 'httplog'],
|
|
'stick-table' => 'type ip size 200k expire 30m',
|
|
'stick' => 'on src',
|
|
'balance' => 'source',
|
|
'timeout' => ['client 3h', 'server 3h'],
|
|
'mode' => 'http',
|
|
'reqadd' => 'X-Forwarded-Proto:\ https',
|
|
},
|
|
balancermember_options => 'weight 1 check',
|
|
# The internal binding is configured below because the certificate
|
|
# is not configured by this resource
|
|
internal => false,
|
|
}
|
|
->
|
|
file_line { 'add binding to Zabbix VIP for zabbix via ssl':
|
|
path => '/etc/haproxy/conf.d/212-zabbix-ui-ssl.cfg',
|
|
after => 'listen zabbix-ui-ssl',
|
|
line => " bind ${zabbix_vip}:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem",
|
|
notify => Exec['haproxy-restart'],
|
|
}
|
|
->
|
|
file_line { 'add binding to management VIP for zabbix via ssl':
|
|
path => '/etc/haproxy/conf.d/212-zabbix-ui-ssl.cfg',
|
|
after => 'listen zabbix-ui-ssl',
|
|
line => " bind ${mgmt_vip}:443 ssl crt /var/lib/astute/haproxy/public_haproxy.pem",
|
|
notify => Exec['haproxy-restart'],
|
|
}
|
|
}
|
|
}else{
|
|
if $horizon_is_here {
|
|
# Update Horizon configuration to be able to use HTTP port
|
|
file_line { 'add binding to Zabbix VIP for horizon and zabbix':
|
|
path => '/etc/haproxy/conf.d/015-horizon.cfg',
|
|
after => 'listen horizon',
|
|
line => " bind ${zabbix_vip}:80",
|
|
notify => Exec['haproxy-restart']
|
|
}
|
|
}else{
|
|
openstack::ha::haproxy_service { 'zabbix-ui':
|
|
order => '211',
|
|
listen_port => 80,
|
|
define_cookies => true,
|
|
internal => true,
|
|
haproxy_config_options => {
|
|
'option' => ['forwardfor', 'httpchk', 'httpclose', 'httplog'],
|
|
'rspidel' => '^Set-cookie:\ IP=',
|
|
'balance' => 'source',
|
|
'mode' => 'http',
|
|
'cookie' => 'SERVERID insert indirect nocache',
|
|
'capture' => 'cookie vgnvisitor= len 32',
|
|
'timeout' => ['client 3h', 'server 3h'],
|
|
},
|
|
balancermember_options => 'check inter 2000 fall 3',
|
|
}
|
|
}
|
|
}
|
|
}
|