loadbalancer.pp: Enable HAProxy binding on 80 and 443
Currently, one can enable HA only on plain http or https for horizon, but can't have it enabled for both at the same time. This commit makes the configuration for horizon http and https completely independent: one can decide to enable one and not the other, add specific bind options for one and not the other, etc.
parent
96bed45767
commit
f2e29b1a2c
@ -180,6 +180,7 @@ class cloud::loadbalancer(
|
||||
$keystone_api_admin = true,
|
||||
$trove_api = true,
|
||||
$horizon = true,
|
||||
$horizon_ssl = false,
|
||||
$spice = true,
|
||||
$haproxy_auth = 'admin:changeme',
|
||||
$keepalived_state = 'BACKUP',
|
||||
@ -205,6 +206,7 @@ class cloud::loadbalancer(
|
||||
$swift_bind_options = [],
|
||||
$spice_bind_options = [],
|
||||
$horizon_bind_options = [],
|
||||
$horizon_ssl_bind_options = [],
|
||||
$galera_bind_options = [],
|
||||
$ks_ceilometer_public_port = 8777,
|
||||
$ks_cinder_public_port = 8776,
|
||||
@ -222,6 +224,7 @@ class cloud::loadbalancer(
|
||||
$ks_swift_public_port = 8080,
|
||||
$ks_trove_public_port = 8779,
|
||||
$horizon_port = 80,
|
||||
$horizon_ssl_port = 443,
|
||||
$spice_port = 6082,
|
||||
$vip_public_ip = ['127.0.0.1'],
|
||||
$vip_internal_ip = false,
|
||||
@ -229,8 +232,6 @@ class cloud::loadbalancer(
|
||||
# Deprecated parameters
|
||||
$keepalived_interface = false,
|
||||
$keepalived_ipvs = false,
|
||||
$horizon_ssl = false,
|
||||
$horizon_ssl_port = false,
|
||||
){
|
||||
|
||||
# Manage deprecation when using old parameters
|
||||
@ -246,32 +247,6 @@ class cloud::loadbalancer(
|
||||
} else {
|
||||
$keepalived_public_ipvs_real = $keepalived_public_ipvs
|
||||
}
|
||||
if $horizon_ssl {
|
||||
warning('horizon_ssl parameter is deprecated. Specify ssl in the horizon_bind_options instead.')
|
||||
$horizon_httpchk = 'ssl-hello-chk'
|
||||
$horizon_options = {
|
||||
'mode' => 'tcp',
|
||||
'cookie' => 'sessionid prefix',
|
||||
'balance' => 'leastconn' }
|
||||
} else {
|
||||
$horizon_httpchk = "httpchk GET /${horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\""
|
||||
if 'ssl' in $horizon_bind_options {
|
||||
$horizon_options = {
|
||||
'cookie' => 'sessionid prefix',
|
||||
'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
|
||||
'balance' => 'leastconn' }
|
||||
} else {
|
||||
$horizon_options = {
|
||||
'cookie' => 'sessionid prefix',
|
||||
'balance' => 'leastconn' }
|
||||
}
|
||||
}
|
||||
if $horizon_ssl_port {
|
||||
warning('horizon_ssl_port parameter is deprecated. Specify port with the horizon_port instead.')
|
||||
$horizon_port_real = $horizon_ssl_port
|
||||
} else {
|
||||
$horizon_port_real = $horizon_port
|
||||
}
|
||||
# end of deprecation support
|
||||
|
||||
# Fail if OpenStack and Galera VIP are not in the VIP list
|
||||
@ -459,15 +434,42 @@ class cloud::loadbalancer(
|
||||
} else {
|
||||
$horizon_auth_url = 'horizon'
|
||||
}
|
||||
|
||||
$horizon_ssl_options = {
|
||||
'mode' => 'tcp',
|
||||
'cookie' => 'sessionid prefix',
|
||||
'balance' => 'leastconn'
|
||||
}
|
||||
|
||||
if 'ssl' in $horizon_bind_options {
|
||||
$horizon_options = {
|
||||
'cookie' => 'sessionid prefix',
|
||||
'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }',
|
||||
'balance' => 'leastconn'
|
||||
}
|
||||
} else {
|
||||
$horizon_options = {
|
||||
'cookie' => 'sessionid prefix',
|
||||
'balance' => 'leastconn'
|
||||
}
|
||||
}
|
||||
|
||||
cloud::loadbalancer::binding { 'horizon_cluster':
|
||||
ip => $vip_public_ip,
|
||||
# to maintain backward compatibility
|
||||
port => $horizon_port_real,
|
||||
httpchk => $horizon_httpchk,
|
||||
ip => $horizon,
|
||||
port => $horizon_port,
|
||||
httpchk => "httpchk GET /${horizon_auth_url} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-${::hostname}\"",
|
||||
options => $horizon_options,
|
||||
bind_options => $horizon_bind_options,
|
||||
}
|
||||
|
||||
cloud::loadbalancer::binding { 'horizon_ssl_cluster':
|
||||
ip => $horizon_ssl,
|
||||
port => $horizon_ssl_port,
|
||||
httpchk => 'ssl-hello-chk',
|
||||
options => $horizon_ssl_options,
|
||||
bind_options => $horizon_ssl_bind_options,
|
||||
}
|
||||
|
||||
if ($galera_ip in $keepalived_public_ipvs_real) {
|
||||
warning('Exposing Galera cluster to public network is a security issue.')
|
||||
}
|
||||
|
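Review bot: With `$horizon` defaulting to `true` and `$horizon_port` to `80`, the `horizon_cluster` binding is now declared independently of `$horizon_ssl`, so a deployment that previously set only `horizon_ssl => true` to get a TLS-only dashboard appears to gain a plain-HTTP listener on port 80 on the public VIP after this change, and the removed deprecation block means nothing warns about it. How `cloud::loadbalancer::binding` treats `ip => true` or `ip => false` is not visible on this page, so this is inferred from the parameter defaults and the removed `if $horizon_ssl` branch. I would document the upgrade step next to the parameters, for example `# Set horizon => false together with horizon_ssl => true to expose Horizon over SSL only.`, and mention the changed meaning of `horizon_ssl` and `horizon_ssl_port` in the release notes. Separately, `$horizon_ssl_options` combines `'mode' => 'tcp'` with `'cookie' => 'sessionid prefix'`; HAProxy cannot insert or read cookies in TCP mode, so that key is likely inert and persistence for the SSL listener would need another mechanism.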
@ -338,45 +338,21 @@ describe 'cloud::loadbalancer' do
|
||||
)}
|
||||
end
|
||||
|
||||
context 'configure OpenStack Horizon with backward compatibility' do
|
||||
before do
|
||||
params.merge!(
|
||||
:horizon_ssl_port => '80'
|
||||
)
|
||||
end
|
||||
context 'configure OpenStack Horizon' do
|
||||
it { should contain_haproxy__listen('horizon_cluster').with(
|
||||
:ipaddress => [params[:vip_public_ip]],
|
||||
:ports => '80',
|
||||
:options => {
|
||||
'mode' => 'http',
|
||||
'http-check' => 'expect ! rstatus ^5',
|
||||
'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET / \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
|
||||
'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET /#{platform_params[:auth_url]} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
|
||||
'cookie' => 'sessionid prefix',
|
||||
'balance' => 'leastconn',
|
||||
},
|
||||
}
|
||||
)}
|
||||
end
|
||||
|
||||
context 'configure OpenStack Horizon SSL with backward compatibility' do
|
||||
before do
|
||||
params.merge!(
|
||||
:horizon_ssl => true,
|
||||
:horizon_ssl_port => '443'
|
||||
)
|
||||
end
|
||||
it { should contain_haproxy__listen('horizon_cluster').with(
|
||||
:ipaddress => [params[:vip_public_ip]],
|
||||
:ports => '443',
|
||||
:options => {
|
||||
'mode' => 'tcp',
|
||||
'option' => ['tcpka','forwardfor','tcplog', 'ssl-hello-chk'],
|
||||
'cookie' => 'sessionid prefix',
|
||||
'balance' => 'leastconn',
|
||||
},
|
||||
)}
|
||||
end
|
||||
|
||||
context 'configure OpenStack Horizon SSL binding' do
|
||||
context 'configure OpenStack Horizon with SSL termination on HAProxy' do
|
||||
before do
|
||||
params.merge!(
|
||||
:horizon_port => '443',
|
||||
@ -391,7 +367,7 @@ describe 'cloud::loadbalancer' do
|
||||
:options => {
|
||||
'mode' => 'http',
|
||||
'http-check' => 'expect ! rstatus ^5',
|
||||
'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET / \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
|
||||
'option' => ["tcpka", "forwardfor", "tcplog", "httpchk GET /#{platform_params[:auth_url]} \"HTTP/1.0\\r\\nUser-Agent: HAproxy-myhost\""],
|
||||
'cookie' => 'sessionid prefix',
|
||||
'balance' => 'leastconn',
|
||||
'reqadd' => 'X-Forwarded-Proto:\ https if { ssl_fc }'
|
||||
@ -400,6 +376,25 @@ describe 'cloud::loadbalancer' do
|
||||
)}
|
||||
end
|
||||
|
||||
context 'configure OpenStack Horizon SSL with termination on the webserver' do
|
||||
before do
|
||||
params.merge!(
|
||||
:horizon_ssl => true,
|
||||
:horizon_ssl_port => '443'
|
||||
)
|
||||
end
|
||||
it { should contain_haproxy__listen('horizon_ssl_cluster').with(
|
||||
:ipaddress => [params[:vip_public_ip]],
|
||||
:ports => '443',
|
||||
:options => {
|
||||
'mode' => 'tcp',
|
||||
'option' => ["tcpka", "forwardfor", "tcplog", "ssl-hello-chk"],
|
||||
'cookie' => 'sessionid prefix',
|
||||
'balance' => 'leastconn',
|
||||
}
|
||||
)}
|
||||
end
|
||||
|
||||
context 'configure OpenStack Heat API SSL binding' do
|
||||
before do
|
||||
params.merge!(
|
||||
@ -428,6 +423,10 @@ describe 'cloud::loadbalancer' do
|
||||
:concat_basedir => '/var/lib/puppet/concat' }
|
||||
end
|
||||
|
||||
let :platform_params do
|
||||
{ :auth_url => 'horizon' }
|
||||
end
|
||||
|
||||
it_configures 'openstack loadbalancer'
|
||||
end
|
||||
|
||||
@ -438,6 +437,10 @@ describe 'cloud::loadbalancer' do
|
||||
:concat_basedir => '/var/lib/puppet/concat' }
|
||||
end
|
||||
|
||||
let :platform_params do
|
||||
{ :auth_url => 'dashboard' }
|
||||
end
|
||||
|
||||
it_configures 'openstack loadbalancer'
|
||||
end
|
||||
|
||||
|
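Review bot: The new `horizon_ssl_cluster` context only asserts that the SSL listener exists when `horizon_ssl => true`; nothing checks the independence the commit promises, namely that `horizon_ssl => true` with `horizon => false` leaves no plain-HTTP `horizon_cluster`, or that the default parameters do not create `horizon_ssl_cluster`. I would add a context that merges `:horizon => false, :horizon_ssl => true` and asserts `it { should_not contain_haproxy__listen('horizon_cluster') }`, assuming the binding define skips the listener when `ip` is false (that define is not shown here). With the backward-compatibility contexts removed, the old behaviour of `horizon_ssl_port` overriding the `horizon_cluster` port is no longer pinned by any test, so the change in meaning is worth stating in a comment above the new context.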