Merge pull request #598 from enovance/haproxy_horizon_allow_ssl_and_80

loadbalancer.pp: Enable HAProxy binding on 80 and 443
Emilien Macchi 2014-09-08 17:45:14 -04:00
commit 89341d6003
2 changed files with 66 additions and 61 deletions


@ -180,6 +180,7 @@ class cloud::loadbalancer(
$keystone_api_admin = true, $keystone_api_admin = true,
$trove_api = true, $trove_api = true,
$horizon = true, $horizon = true,
$horizon_ssl = false,
$spice = true, $spice = true,
$haproxy_auth = 'admin:changeme', $haproxy_auth = 'admin:changeme',
$keepalived_state = 'BACKUP', $keepalived_state = 'BACKUP',
@ -205,6 +206,7 @@ class cloud::loadbalancer(
$swift_bind_options = [], $swift_bind_options = [],
$spice_bind_options = [], $spice_bind_options = [],
$horizon_bind_options = [], $horizon_bind_options = [],
$horizon_ssl_bind_options = [],
$galera_bind_options = [], $galera_bind_options = [],
$ks_ceilometer_public_port = 8777, $ks_ceilometer_public_port = 8777,
$ks_cinder_public_port = 8776, $ks_cinder_public_port = 8776,
@ -222,6 +224,7 @@ class cloud::loadbalancer(
$ks_swift_public_port = 8080, $ks_swift_public_port = 8080,
$ks_trove_public_port = 8779, $ks_trove_public_port = 8779,
$horizon_port = 80, $horizon_port = 80,
$horizon_ssl_port = 443,
$spice_port = 6082, $spice_port = 6082,
$vip_public_ip = ['127.0.0.1'], $vip_public_ip = ['127.0.0.1'],
$vip_internal_ip = false, $vip_internal_ip = false,
@ -229,8 +232,6 @@ class cloud::loadbalancer(
# Deprecated parameters # Deprecated parameters
$keepalived_interface = false, $keepalived_interface = false,
$keepalived_ipvs = false, $keepalived_ipvs = false,
$horizon_ssl = false,
$horizon_ssl_port = false,
){ ){
# Manage deprecation when using old parameters # Manage deprecation when using old parameters
@ -246,32 +247,6 @@ class cloud::loadbalancer(
} else { } else {
$keepalived_public_ipvs_real = $keepalived_public_ipvs $keepalived_public_ipvs_real = $keepalived_public_ipvs
} }
if $horizon_ssl {
warning('horizon_ssl parameter is deprecated. Specify ssl in the horizon_bind_options instead.')
$horizon_httpchk = 'ssl-hello-chk'
$horizon_options = {
'mode' => 'tcp',
'cookie' => 'sessionid prefix',
'balance' => 'leastconn' }
} else {
$horizon_httpchk = "httpchk GET /${horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\""
if 'ssl' in $horizon_bind_options {
$horizon_options = {
'cookie' => 'sessionid prefix',
'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
'balance' => 'leastconn' }
} else {
$horizon_options = {
'cookie' => 'sessionid prefix',
'balance' => 'leastconn' }
}
}
if $horizon_ssl_port {
warning('horizon_ssl_port parameter is deprecated. Specify port with the horizon_port instead.')
$horizon_port_real = $horizon_ssl_port
} else {
$horizon_port_real = $horizon_port
}
# end of deprecation support # end of deprecation support
# Fail if OpenStack and Galera VIP are not in the VIP list # Fail if OpenStack and Galera VIP are not in the VIP list
@ -459,15 +434,42 @@ class cloud::loadbalancer(
} else { } else {
$horizon_auth_url = 'horizon' $horizon_auth_url = 'horizon'
} }
$horizon_ssl_options = {
'mode' => 'tcp',
'cookie' => 'sessionid prefix',
'balance' => 'leastconn'
}
if 'ssl' in $horizon_bind_options {
$horizon_options = {
'cookie' => 'sessionid prefix',
'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
'balance' => 'leastconn'
}
} else {
$horizon_options = {
'cookie' => 'sessionid prefix',
'balance' => 'leastconn'
}
}
cloud::loadbalancer::binding { 'horizon_cluster': cloud::loadbalancer::binding { 'horizon_cluster':
ip => $vip_public_ip, ip => $horizon,
# to maintain backward compatibility port => $horizon_port,
port => $horizon_port_real, httpchk => "httpchk GET /${horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\"",
httpchk => $horizon_httpchk,
options => $horizon_options, options => $horizon_options,
bind_options => $horizon_bind_options, bind_options => $horizon_bind_options,
} }
cloud::loadbalancer::binding { 'horizon_ssl_cluster':
ip => $horizon_ssl,
port => $horizon_ssl_port,
httpchk => 'ssl-hello-chk',
options => $horizon_ssl_options,
bind_options => $horizon_ssl_bind_options,
}
if ($galera_ip in $keepalived_public_ipvs_real) { if ($galera_ip in $keepalived_public_ipvs_real) {
warning('Exposing Galera cluster to public network is a security issue.') warning('Exposing Galera cluster to public network is a security issue.')
} }
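Review bot: The new `horizon_ssl_cluster` binding at the end of the hunk is added alongside `horizon_cluster`, which still listens on `$horizon_port` (80) whenever `$horizon` is true, so an operator who previously set `horizon_ssl => true` now gets the dashboard on plain HTTP as well as SSL pass-through on 443 unless they also set `horizon => false`. The former deprecation branches and their `warning()` calls are dropped in the same change, so nothing tells such users that `horizon_ssl` and `horizon_ssl_port` have changed meaning from "switch the existing listener to TCP/SSL" to "add a second listener". The parameter documentation lives in the class header outside the hunk; I would state there that `horizon_ssl` enables an additional TCP-mode listener checked with `ssl-hello-chk` (no HTTP inspection, no `X-Forwarded-Proto` header) and that `horizon` must be set to false to stop serving the dashboard on the plaintext port. `ip => $horizon` also replaces `ip => $vip_public_ip` on `horizon_cluster`; the spec still expects `params[:vip_public_ip]`, which suggests the `binding` define maps a boolean `ip` to the public VIP, but that is inferred rather than visible here, so it is worth confirming.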


@ -338,45 +338,21 @@ describe 'cloud::loadbalancer' do
)} )}
end end
context 'configure OpenStack Horizon with backward compatibility' do context 'configure OpenStack Horizon' do
before do
params.merge!(
:horizon_ssl_port => '80'
)
end
it { should contain_haproxy__listen('horizon_cluster').with( it { should contain_haproxy__listen('horizon_cluster').with(
:ipaddress => [params[:vip_public_ip]], :ipaddress => [params[:vip_public_ip]],
:ports => '80', :ports => '80',
:options => { :options => {
'mode' => 'http', 'mode' => 'http',
'http-check' => 'expect ! rstatus ^5', 'http-check' => 'expect ! rstatus ^5',
'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET / \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""], 'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET /#{platform_params[:auth_url]} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
'cookie' => 'sessionid prefix', 'cookie' => 'sessionid prefix',
'balance' => 'leastconn', 'balance' => 'leastconn',
}, }
)} )}
end end
context 'configure OpenStack Horizon SSL with backward compatibility' do context 'configure OpenStack Horizon with SSL termination on HAProxy' do
before do
params.merge!(
:horizon_ssl => true,
:horizon_ssl_port => '443'
)
end
it { should contain_haproxy__listen('horizon_cluster').with(
:ipaddress => [params[:vip_public_ip]],
:ports => '443',
:options => {
'mode' => 'tcp',
'option' => ['tcpka','forwardfor','tcplog', 'ssl-hello-chk'],
'cookie' => 'sessionid prefix',
'balance' => 'leastconn',
},
)}
end
context 'configure OpenStack Horizon SSL binding' do
before do before do
params.merge!( params.merge!(
:horizon_port => '443', :horizon_port => '443',
@ -391,7 +367,7 @@ describe 'cloud::loadbalancer' do
:options => { :options => {
'mode' => 'http', 'mode' => 'http',
'http-check' => 'expect ! rstatus ^5', 'http-check' => 'expect ! rstatus ^5',
'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET / \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""], 'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET /#{platform_params[:auth_url]} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
'cookie' => 'sessionid prefix', 'cookie' => 'sessionid prefix',
'balance' => 'leastconn', 'balance' => 'leastconn',
'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }' 'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }'
@ -400,6 +376,25 @@ describe 'cloud::loadbalancer' do
)} )}
end end
context 'configure OpenStack Horizon SSL with termination on the webserver' do
before do
params.merge!(
:horizon_ssl => true,
:horizon_ssl_port => '443'
)
end
it { should contain_haproxy__listen('horizon_ssl_cluster').with(
:ipaddress => [params[:vip_public_ip]],
:ports => '443',
:options => {
'mode' => 'tcp',
'option' => ["tcpka", "forwardfor", "tcplog", "ssl-hello-chk"],
'cookie' => 'sessionid prefix',
'balance' => 'leastconn',
}
)}
end
context 'configure OpenStack Heat API SSL binding' do context 'configure OpenStack Heat API SSL binding' do
before do before do
params.merge!( params.merge!(
@ -428,6 +423,10 @@ describe 'cloud::loadbalancer' do
:concat_basedir => '/var/lib/puppet/concat' } :concat_basedir => '/var/lib/puppet/concat' }
end end
let :platform_params do
{ :auth_url => 'horizon' }
end
it_configures 'openstack loadbalancer' it_configures 'openstack loadbalancer'
end end
@ -438,6 +437,10 @@ describe 'cloud::loadbalancer' do
:concat_basedir => '/var/lib/puppet/concat' } :concat_basedir => '/var/lib/puppet/concat' }
end end
let :platform_params do
{ :auth_url => 'dashboard' }
end
it_configures 'openstack loadbalancer' it_configures 'openstack loadbalancer'
end end