From f2e29b1a2cdcf34e75eb632a134a6315f79cb387 Mon Sep 17 00:00:00 2001 From: Yanis Guenane Date: Thu, 4 Sep 2014 11:02:09 -0400 Subject: [PATCH] loadbalancer.pp: Enable HAProxy binding on 80 and 443 Currently, one can enable HA only on plain http or https for horizon, but can't have it enabled for both at the same time. This commit makes configuration for horizon http and https completly independent, one can decide to enable one and not the other, add specific bind options for one and not the other, etc... --- manifests/loadbalancer.pp | 66 +++++++++++++------------ spec/classes/cloud_loadbalancer_spec.rb | 61 ++++++++++++----------- 2 files changed, 66 insertions(+), 61 deletions(-) diff --git a/manifests/loadbalancer.pp b/manifests/loadbalancer.pp index dea27a03..c15ca4e5 100644 --- a/manifests/loadbalancer.pp +++ b/manifests/loadbalancer.pp @@ -180,6 +180,7 @@ class cloud::loadbalancer( $keystone_api_admin = true, $trove_api = true, $horizon = true, + $horizon_ssl = false, $spice = true, $haproxy_auth = 'admin:changeme', $keepalived_state = 'BACKUP', @@ -205,6 +206,7 @@ class cloud::loadbalancer( $swift_bind_options = [], $spice_bind_options = [], $horizon_bind_options = [], + $horizon_ssl_bind_options = [], $galera_bind_options = [], $ks_ceilometer_public_port = 8777, $ks_cinder_public_port = 8776, @@ -222,6 +224,7 @@ class cloud::loadbalancer( $ks_swift_public_port = 8080, $ks_trove_public_port = 8779, $horizon_port = 80, + $horizon_ssl_port = 443, $spice_port = 6082, $vip_public_ip = ['127.0.0.1'], $vip_internal_ip = false, @@ -229,8 +232,6 @@ class cloud::loadbalancer( # Deprecated parameters $keepalived_interface = false, $keepalived_ipvs = false, - $horizon_ssl = false, - $horizon_ssl_port = false, ){ # Manage deprecation when using old parameters 
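Review bot: `$horizon_ssl` and `$horizon_ssl_port` are lifted out of the "Deprecated parameters" list and given a new meaning (an independent TCP pass-through listener, default port 443) with no doc-block change visible in the diff and no transition path — a manifest that still passes `horizon_ssl => true` under the old API now gets an HTTP listener on `$horizon_port` plus a pass-through on 443 instead of the single TLS listener it had, and the warning that pointed users at `horizon_bind_options` is gone. The class header (outside the hunk; `class cloud::loadbalancer` continues past it) should state the new contract, e.g. `# [*horizon_ssl*] (optional) Enable a separate TCP pass-through listener for Horizon, TLS terminated on the web servers; independent of $horizon. Defaults to false.`, `# [*horizon_ssl_port*] (optional) Port of that listener. Defaults to 443.` and `# [*horizon_ssl_bind_options*] (optional) Extra HAProxy bind options for that listener. Defaults to [].`. Because `$horizon` defaults to `true`, the doc should also say that an HTTPS-only deployment must set `horizon => false` explicitly, otherwise clear-text Horizon stays exposed on 80.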
@@ -246,32 +247,6 @@ class cloud::loadbalancer( } else { $keepalived_public_ipvs_real = $keepalived_public_ipvs } - if $horizon_ssl { - warning('horizon_ssl parameter is deprecated. Specify ssl in the horizon_bind_options instead.') - $horizon_httpchk = 'ssl-hello-chk' - $horizon_options = { - 'mode' => 'tcp', - 'cookie' => 'sessionid prefix', - 'balance' => 'leastconn' } - } else { - $horizon_httpchk = "httpchk GET /${horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\"" - if 'ssl' in $horizon_bind_options { - $horizon_options = { - 'cookie' => 'sessionid prefix', - 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }', - 'balance' => 'leastconn' } - } else { - $horizon_options = { - 'cookie' => 'sessionid prefix', - 'balance' => 'leastconn' } - } - } - if $horizon_ssl_port { - warning('horizon_ssl_port parameter is deprecated. Specify port with the horizon_port instead.') - $horizon_port_real = $horizon_ssl_port - } else { - $horizon_port_real = $horizon_port - } # end of deprecation support # Fail if OpenStack and Galera VIP are not in the VIP list 
@@ -459,15 +434,42 @@ class cloud::loadbalancer( } else { $horizon_auth_url = 'horizon' } + + $horizon_ssl_options = { + 'mode' => 'tcp', + 'cookie' => 'sessionid prefix', + 'balance' => 'leastconn' + } + + if 'ssl' in $horizon_bind_options { + $horizon_options = { + 'cookie' => 'sessionid prefix', + 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }', + 'balance' => 'leastconn' + } + } else { + $horizon_options = { + 'cookie' => 'sessionid prefix', + 'balance' => 'leastconn' + } + } + cloud::loadbalancer::binding { 'horizon_cluster': - ip => $vip_public_ip, - # to maintain backward compatibility - port => $horizon_port_real, - httpchk => $horizon_httpchk, + ip => $horizon, + port => $horizon_port, + httpchk => "httpchk GET /${horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\"", options => $horizon_options, bind_options => $horizon_bind_options, } + cloud::loadbalancer::binding { 'horizon_ssl_cluster': + ip => $horizon_ssl, + port => $horizon_ssl_port, + httpchk => 'ssl-hello-chk', + options => $horizon_ssl_options, + bind_options => $horizon_ssl_bind_options, + } + if ($galera_ip in $keepalived_public_ipvs_real) { warning('Exposing Galera cluster to public network is a security issue.') } diff --git a/spec/classes/cloud_loadbalancer_spec.rb b/spec/classes/cloud_loadbalancer_spec.rb index 92247507..f4c1ff40 100644 --- a/spec/classes/cloud_loadbalancer_spec.rb +++ b/spec/classes/cloud_loadbalancer_spec.rb 
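Review bot: `$horizon_ssl_options` puts `'cookie' => 'sessionid prefix'` on a `'mode' => 'tcp'` listener, but HAProxy cannot read cookies inside a TLS stream it does not terminate, so it warns at config check and ignores the directive — the 443 pass-through gets no session stickiness despite the option suggesting it does (the spec on the Ruby side pins that ignored entry too). If stickiness matters there, replace the cookie entry with `'balance' => 'source'` (or a `stick-table` on `src`); otherwise drop it so the generated config stops warning. `httpchk => 'ssl-hello-chk'` sends an SSLv3 ClientHello, so backends that disable SSLv3 will be marked down; on HAProxy 1.5+ `check-ssl` on the server line is the more robust probe. Finally, with `$horizon` and `$horizon_ssl` both true, port 80 keeps serving Horizon in clear text with nothing redirecting to 443 — consider adding `'redirect' => 'scheme https if !{ ssl_fc }'` to `$horizon_options` when `$horizon_ssl` is set, or at least documenting that the redirect is expected from the web servers.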
@@ -338,45 +338,21 @@ describe 'cloud::loadbalancer' do )} end - context 'configure OpenStack Horizon with backward compatibility' do - before do - params.merge!( - :horizon_ssl_port => '80' - ) - end + context 'configure OpenStack Horizon' do it { should contain_haproxy__listen('horizon_cluster').with( :ipaddress => [params[:vip_public_ip]], :ports => '80', :options => { 'mode' => 'http', 'http-check' => 'expect ! rstatus ^5', - 'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET / \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""], + 'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET /#{platform_params[:auth_url]} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""], 'cookie' => 'sessionid prefix', 'balance' => 'leastconn', - }, + } )} end - context 'configure OpenStack Horizon SSL with backward compatibility' do - before do - params.merge!( - :horizon_ssl => true, - :horizon_ssl_port => '443' - ) - end - it { should contain_haproxy__listen('horizon_cluster').with( - :ipaddress => [params[:vip_public_ip]], - :ports => '443', - :options => { - 'mode' => 'tcp', - 'option' => ['tcpka','forwardfor','tcplog', 'ssl-hello-chk'], - 'cookie' => 'sessionid prefix', - 'balance' => 'leastconn', - }, - )} - end - - context 'configure OpenStack Horizon SSL binding' do + context 'configure OpenStack Horizon with SSL termination on HAProxy' do before do params.merge!( :horizon_port => '443', @@ -391,7 +367,7 @@ describe 'cloud::loadbalancer' do :options => { 'mode' => 'http', 'http-check' => 'expect ! rstatus ^5', - 'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET / \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""], + 'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET /#{platform_params[:auth_url]} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""], 'cookie' => 'sessionid prefix', 'balance' => 'leastconn', 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }' 
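Review bot: The reworked `configure OpenStack Horizon` context only checks the HTTP listener; now that the class can emit a second `horizon_ssl_cluster` listener, the default case should also prove it is absent, so that `horizon_ssl => false` really means no extra port is opened on the VIP. Add `it { should_not contain_haproxy__listen('horizon_ssl_cluster') }` to this context (assuming, as the Heat/Horizon SSL contexts suggest, that the binding define skips the listen when `ip` is false).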
@@ -400,6 +376,25 @@ describe 'cloud::loadbalancer' do )} end + context 'configure OpenStack Horizon SSL with termination on the webserver' do + before do + params.merge!( + :horizon_ssl => true, + :horizon_ssl_port => '443' + ) + end + it { should contain_haproxy__listen('horizon_ssl_cluster').with( + :ipaddress => [params[:vip_public_ip]], + :ports => '443', + :options => { + 'mode' => 'tcp', + 'option' => ["tcpka", "forwardfor", "tcplog", "ssl-hello-chk"], + 'cookie' => 'sessionid prefix', + 'balance' => 'leastconn', + } + )} + end + context 'configure OpenStack Heat API SSL binding' do before do params.merge!( @@ -428,6 +423,10 @@ describe 'cloud::loadbalancer' do :concat_basedir => '/var/lib/puppet/concat' } end + let :platform_params do + { :auth_url => 'horizon' } + end + it_configures 'openstack loadbalancer' end @@ -438,6 +437,10 @@ describe 'cloud::loadbalancer' do :concat_basedir => '/var/lib/puppet/concat' } end + let :platform_params do + { :auth_url => 'dashboard' } + end + it_configures 'openstack loadbalancer' end
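Review bot: The new `SSL with termination on the webserver` context merges `:horizon_ssl_port => '443'`, which is the parameter's default, so the expectation `:ports => '443'` passes even if the port were never wired to the listener; use a non-default value such as `:horizon_ssl_port => '8443'` and expect `:ports => '8443'`. It also leaves the commit's stated goal unasserted: `horizon` appears to keep its default `true` here (the params block is outside the hunk), so adding `it { should contain_haproxy__listen('horizon_cluster').with(:ports => '80') }` to the same context would pin that both listeners coexist. The expected `'cookie' => 'sessionid prefix'` under `'mode' => 'tcp'` mirrors an HAProxy directive that is ignored in TCP mode, so keep the spec in step if that option is dropped from the manifest.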