diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 90dbc53596..4fd6dd180c 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -1325,6 +1325,7 @@ enable_prometheus_proxysql_exporter: "{{ enable_prometheus | bool and enable_pro
 prometheus_alertmanager_user: "admin"
 prometheus_ceph_exporter_interval: "{{ prometheus_scrape_interval }}"
 prometheus_grafana_user: "grafana"
+prometheus_haproxy_user: "haproxy"
 prometheus_skyline_user: "skyline"
 prometheus_scrape_interval: "60s"
 prometheus_openstack_exporter_interval: "{{ prometheus_scrape_interval }}"
diff --git a/ansible/roles/opensearch/defaults/main.yml b/ansible/roles/opensearch/defaults/main.yml
index 8a0fa366fc..b669a6f269 100644
--- a/ansible/roles/opensearch/defaults/main.yml
+++ b/ansible/roles/opensearch/defaults/main.yml
@@ -39,8 +39,7 @@ opensearch_services:
 auth_user: "{{ opensearch_dashboards_user }}"
 auth_pass: "{{ opensearch_dashboards_password }}"
 backend_http_extra:
- - "option httpchk"
- - "http-check expect status 401"
+ - "option httpchk GET /api/status"
 opensearch_dashboards_external:
 enabled: "{{ enable_opensearch_dashboards_external | bool }}"
 mode: "http"
@@ -51,8 +50,7 @@ opensearch_services:
 auth_user: "{{ opensearch_dashboards_user }}"
 auth_pass: "{{ opensearch_dashboards_password }}"
 backend_http_extra:
- - "option httpchk"
- - "http-check expect status 401"
+ - "option httpchk GET /api/status"
 ####################
diff --git a/ansible/roles/prometheus/defaults/main.yml b/ansible/roles/prometheus/defaults/main.yml
index e96988434b..e5588d3a26 100644
--- a/ansible/roles/prometheus/defaults/main.yml
+++ b/ansible/roles/prometheus/defaults/main.yml
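Review bot: Both `backend_http_extra` lists in the opensearch role now probe `GET /api/status` with no `http-check expect` line and no credentials, so the result depends on HAProxy's default success criteria and on the Dashboards backend answering that path without authentication. The removed `http-check expect status 401` suggests the backend rejected anonymous requests, at least for the default probe; if that also holds for `/api/status`, every server would be marked down. I would state the assumption next to the check, e.g. `# /api/status is expected to answer without credentials; revisit if backend auth is enabled`, and consider pinning the accepted code with `- "http-check expect status 200"`. The same applies to the `opensearch_dashboards_external` entry in the second hunk; `opensearch_services` starts above both hunks.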
@@ -15,7 +15,8 @@ prometheus_services:
 port: "{{ prometheus_port }}"
 active_passive: "{{ prometheus_active_passive | bool }}"
 backend_http_extra:
- - "option httpchk"
+ - "option httpchk GET /-/ready HTTP/1.0"
+ - "http-check send hdr Authorization 'Basic {{ (prometheus_haproxy_user + ':' + prometheus_haproxy_password) | b64encode }}'"
 prometheus_server_external:
 enabled: "{{ enable_prometheus_server_external | bool }}"
 mode: "http"
@@ -25,7 +26,8 @@ prometheus_services:
 listen_port: "{{ prometheus_listen_port }}"
 active_passive: "{{ prometheus_active_passive | bool }}"
 backend_http_extra:
- - "option httpchk"
+ - "option httpchk GET /-/ready HTTP/1.0"
+ - "http-check send hdr Authorization 'Basic {{ (prometheus_haproxy_user + ':' + prometheus_haproxy_password) | b64encode }}'"
 prometheus-node-exporter:
 container_name: prometheus_node_exporter
 group: prometheus-node-exporter
@@ -156,12 +158,14 @@ prometheus_basic_auth_users_default:
 - username: "{{ prometheus_grafana_user }}"
 password: "{{ prometheus_grafana_password }}"
 enabled: "{{ enable_grafana }}"
+ - username: "{{ prometheus_haproxy_user }}"
+ password: "{{ prometheus_haproxy_password }}"
+ enabled: "{{ enable_haproxy | bool }}"
 - username: "{{ prometheus_skyline_user }}"
 password: "{{ prometheus_skyline_password }}"
 enabled: "{{ enable_skyline }}"
 prometheus_basic_auth_users_extra: []
-
 ####################
 # Database
 ####################
diff --git a/etc/kolla/passwords.yml b/etc/kolla/passwords.yml
index 5ce37b5b54..c8330296cb 100644
--- a/etc/kolla/passwords.yml
+++ b/etc/kolla/passwords.yml
@@ -228,6 +228,7 @@ prometheus_mysql_exporter_database_password:
 prometheus_alertmanager_password:
 prometheus_password:
 prometheus_grafana_password:
+prometheus_haproxy_password:
 prometheus_skyline_password:
 prometheus_bcrypt_salt:
diff --git a/releasenotes/notes/haproxy_healthchecks_to_l7-b05e8c7b177d1544.yaml b/releasenotes/notes/haproxy_healthchecks_to_l7-b05e8c7b177d1544.yaml
index e9308c6d47..e7189b4f40 100644
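Review bot: The added `http-check send hdr Authorization 'Basic …'` line puts the `haproxy` user's password, merely base64-encoded, into the rendered HAProxy configuration for `prometheus_server`, and the second hunk does the same for `prometheus_server_external`. Nothing in this change limits that account to `/-/ready`, so anyone who can read the rendered file can presumably use the credential against the rest of the Prometheus API. I would add a comment above the line, e.g. `# health-check credential: base64 is encoding, not protection; keep the rendered haproxy config readable by the haproxy service user only`. It is also worth confirming that the probe does not carry this header in cleartext across the network when backend TLS is off. `prometheus_services` begins above both hunks.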
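Review bot: `prometheus_haproxy_password` is added to etc/kolla/passwords.yml as an empty key, but the health-check header in ansible/roles/prometheus/defaults/main.yml concatenates it unconditionally. A deployment whose existing passwords file lacks the key, or leaves it empty, will presumably fail to render or send an unusable credential after upgrade. The release note mentions the new user but not that operators must generate and merge this password before reconfiguring. I would add an `upgrade:` entry to the release note stating that `prometheus_haproxy_password` must be present in passwords.yml before deploying.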
--- a/releasenotes/notes/haproxy_healthchecks_to_l7-b05e8c7b177d1544.yaml +++ b/releasenotes/notes/haproxy_healthchecks_to_l7-b05e8c7b177d1544.yaml @@ -3,3 +3,5 @@ features: - | Implement Layer 7 Healthchecks for HA Proxy. This should fix traffic being sent to unhealthy servers in some scenarios. + Adds Prometheus ``haproxy`` user for handling authenticated l7 + healthchecks.