Implement Option for Two VIPs to separate API traffic

To improve security, operators have asked for two VIPs for their cloud. VIP 1 is the internal VIP that can reach internal and admin endpoints. In addition, the internal VIP can also reach other internal services, such as the database and message services. VIP 2 is the external VIP that can only reach public endpoints. With one VIP only, all services are reached at the same address. To add a second VIP, this patch adds two new configuration parameters. kolla_external_vip_address: is an IPv4 address to use for created VIP kolla_external_vip_interface: is the network interface to use for VIP In this scenario, the first VIP (the internal VIP), is defined by the original parameters (kolla_internal address and network_interface). When using two VIPs, the existing kolla_external_address parameter should be/point to/resolve to the kolla_external_vip_address. Closes-bug: 1535333 Change-Id: I5bfcefaf7899298455cdade8209c34324aebfecb
2016-02-18 13:50:39 -05:00 · 2016-02-18 13:50:39 -05:00 · 34c2cb8e64
commit 34c2cb8e64
parent 3f8bc07270
4 changed files with 164 additions and 4 deletions
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@ -23,7 +23,8 @@ kolla_base_distro: "centos"
 kolla_install_type: "binary"

 # Value set in the public_url endpoint in Keystone
-kolla_external_address: "{{ kolla_internal_address }}"
+kolla_external_vip_address: "{{ kolla_internal_address }}"
+kolla_external_address: "{{ kolla_external_vip_address }}"

 kolla_enable_sanity_checks: "no"

@ -66,6 +67,7 @@ docker_common_options:
 ####################
 # Networking options
 ####################
+kolla_external_vip_interface: "{{ network_interface }}"
 api_interface: "{{ network_interface }}"
 storage_interface: "{{ network_interface }}"
 tunnel_interface: "{{ network_interface }}"
@ -204,6 +206,7 @@ rabbitmq_user: "openstack"
 # HAProxy options
 ####################
 haproxy_user: "openstack"
+haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_address else 'yes' }}"


 #################################
--- a/ansible/roles/haproxy/templates/haproxy.cfg.j2
+++ b/ansible/roles/haproxy/templates/haproxy.cfg.j2
@ -55,11 +55,19 @@ listen mongodb
 {% endif %}

 {% if enable_keystone | bool %}
-listen keystone_public
+listen keystone_internal
  bind {{ kolla_internal_address }}:{{ keystone_public_port }}
 {% for host in groups['keystone'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen keystone_external
+  bind {{ kolla_external_vip_address }}:{{ keystone_public_port }}
+{% for host in groups['keystone'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}

 listen keystone_admin
  bind {{ kolla_internal_address }}:{{ keystone_admin_port }}
@ -80,6 +88,20 @@ listen glance_api
 {% for host in groups['glance-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen glance_registry_external
+  bind {{ kolla_external_vip_address }}:{{ glance_registry_port }}
+{% for host in groups['glance-registry'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_registry_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen glance_api_external
+  bind {{ kolla_external_vip_address }}:{{ glance_api_port }}
+{% for host in groups['glance-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}

 {% if enable_nova | bool %}
@ -114,6 +136,40 @@ listen nova_spicehtml5proxy
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
 {% endif %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen nova_api_external
+  bind {{ kolla_external_vip_address }}:{{ nova_api_port }}
+{% for host in groups['nova-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen nova_api_ec2_external
+  bind {{ kolla_external_vip_address }}:{{ nova_api_ec2_port }}
+{% for host in groups['nova-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_ec2_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen nova_metadata_external
+  bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }}
+{% for host in groups['nova-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+
+{% if nova_console == 'novnc' %}
+listen nova_novncproxy_external
+  bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }}
+{% for host in groups['nova-novncproxy'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% elif nova_console == 'spice' %}
+listen nova_spicehtml5proxy_external
+  bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }}
+{% for host in groups['nova-spicehtml5proxy'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
+{% endif %}
 {% endif %}

 {% if enable_neutron | bool %}
@ -122,6 +178,14 @@ listen neutron_server
 {% for host in groups['neutron-server'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ neutron_server_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen neutron_server_external
+  bind {{ kolla_external_vip_address }}:{{ neutron_server_port }}
+{% for host in groups['neutron-server'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ neutron_server_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}

 {% if enable_horizon | bool %}
@ -130,6 +194,14 @@ listen horizon
 {% for host in groups['horizon'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen horizon_external
+  bind {{ kolla_external_vip_address }}:80
+{% for host in groups['horizon'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}

 {% if enable_cinder | bool %}
@ -138,6 +210,14 @@ listen cinder_api
 {% for host in groups['cinder-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen cinder_api_external
+  bind {{ kolla_external_vip_address }}:{{ cinder_api_port }}
+{% for host in groups['cinder-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}

 {% if enable_heat | bool %}
@ -152,6 +232,20 @@ listen heat_api_cfn
 {% for host in groups['heat-api-cfn'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen heat_api_external
+  bind {{ kolla_external_vip_address }}:{{ heat_api_port }}
+{% for host in groups['heat-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+
+listen heat_api_cfn_external
+  bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }}
+{% for host in groups['heat-api-cfn'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}

 {% if enable_ironic | bool %}
@ -160,6 +254,14 @@ listen ironic_api
 {% for host in groups['ironic-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen ironic_api_external
+  bind {{ kolla_external_vip_address}}:{{ ironic_api_port }}
+{% for host in groups['ironic-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_api_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}

 {% if enable_swift | bool %}
@ -168,6 +270,14 @@ listen swift_api
 {% for host in groups['swift-proxy-server'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen swift_api_external
+  bind {{ kolla_external_vip_address}}:{{ swift_proxy_server_port }}
+{% for host in groups['swift-proxy-server'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}

 {% if enable_murano | bool %}
@ -176,6 +286,14 @@ listen murano_api
 {% for host in groups['murano-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen murano_api_external
+  bind {{ kolla_external_vip_address }}:{{ murano_api_port }}
+{% for host in groups['murano-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}

 {% if enable_magnum | bool %}
@ -184,6 +302,14 @@ listen magnum_api
 {% for host in groups['magnum-api'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen magnum_api_external
+  bind {{ kolla_external_vip_address }}:{{ magnum_api_port }}
+{% for host in groups['magnum-api'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}

 {% if enable_ceph | bool and enable_ceph_rgw | bool %}
@ -192,4 +318,12 @@ listen radosgw
 {% for host in groups['ceph-rgw'] %}
  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rgw_port }} check inter 2000 rise 2 fall 5
 {% endfor %}
+{% if haproxy_enable_external_vip | bool %}
+
+listen radosgw_external
+  bind {{ kolla_external_vip_address}}:{{ rgw_port }}
+{% for host in groups['ceph-rgw'] %}
+  server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rgw_port }} check inter 2000 rise 2 fall 5
+{% endfor %}
+{% endif %}
 {% endif %}
--- a/ansible/roles/haproxy/templates/keepalived.conf.j2
+++ b/ansible/roles/haproxy/templates/keepalived.conf.j2
@ -5,7 +5,7 @@ vrrp_script check_alive {
    rise 10
 }

-vrrp_instance Floating {
+vrrp_instance kolla_internal_vip {
    state MASTER
    interface {{ api_interface }}
    virtual_router_id 51
@ -18,3 +18,19 @@ vrrp_instance Floating {
        check_alive
    }
 }
+
+{% if haproxy_enable_external_vip | bool %}
+vrrp_instance kolla_external_vip {
+    state MASTER
+    interface {{ kolla_external_vip_interface }}
+    virtual_router_id 52
+    priority {{ groups['haproxy'].index(inventory_hostname) + 1 }}
+    advert_int 1
+    virtual_ipaddress {
+        {{ kolla_external_vip_address }}
+    }
+    track_script {
+        check_alive
+    }
+}
+{% endif %}
--- a/etc/kolla/globals.yml
+++ b/etc/kolla/globals.yml
@ -15,7 +15,7 @@
 #kolla_install_type: "binary"

 # This should be a VIP, an unused IP on your network that will float between
-# the hosts running keepalived for high-availibility. When running an All-In-One
+# the hosts running keepalived for high-availability. When running an All-In-One
 # without haproxy and keepalived, this should be the first IP on your
 # 'network_interface' as set in the Networking section below.
 kolla_internal_address: "10.10.10.254"
@ -27,6 +27,12 @@ kolla_internal_address: "10.10.10.254"
 # It is recommended to use a DNS name as well, but not required.
 #kolla_external_address: "{{ kolla_internal_address }}"

+# This should be a VIP, an unused IP on your network that will float between
+# the hosts running keepalived for high-availability. It defaults to the
+# kolla_internal_address, allowing internal and external communication to
+# share the same address.  Specify a kolla_external_vip_address to
+# separate internal and external requests between two VIPs.
+#kolla_external_vip_address: "{{ kolla_internal_address }}"

 ####################
 # Docker options
@ -49,6 +55,7 @@ network_interface: "eth0"

 # These can be adjusted for even more customization. The default is the same as
 # the 'network_interface'. These interfaces must container an IPv4 address.
+#kolla_external_vip_interface: "{{ network_interface }}"
 #api_interface: "{{ network_interface }}"
 #storage_interface: "{{ network_interface }}"
 #tunnel_interface: "{{ network_interface }}"