Enable SSL termination for all services
This change makes it so that all services are expecting SSL termination at the load balancer by default. This is more indicative of how a real world deployment will be setup and is being added such that we can test a more production like deployment system by default. The AIO will now terminate SSL in HAProxy using a self-signed cert. Depends-On: I63cfecd6793ba2b28c294d939c9b1c466940cbd1 Depends-On: Iba63636d733fa1eb095564b8bf33a8159d9c2a00 Depends-On: Ib31a48dd480ecb376a6a8c5b35b09dfa5d2e58f6 Depends-On: Ibdeb8b981ca770ce4f56beeae05afd3379964859 Change-Id: Id87fab39c929e0860abbc3755ad386aa6893b151 Co-Authored-By: Logan V <logan2211@gmail.com> Signed-off-by: Logan V <logan2211@gmail.com> Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
parent
99a190be9b
commit
92eb98e1d2
@ -3,10 +3,11 @@
|
|||||||
Configuring HAProxy (optional)
|
Configuring HAProxy (optional)
|
||||||
------------------------------
|
------------------------------
|
||||||
|
|
||||||
HAProxy provides load balancing for high availability architectures deployed by
|
HAProxy provides load balancing services and SSL termination when hardware
|
||||||
OpenStack-Ansible. The default HAProxy configuration provides highly-available
|
load balancers are not available for high availability architectures deployed
|
||||||
load balancing services via keepalived if there are more than one hosts in the
|
by OpenStack-Ansible. The default HAProxy configuration provides highly-
|
||||||
``haproxy_hosts`` group.
|
available load balancing services via keepalived if there is more than one
|
||||||
|
host in the ``haproxy_hosts`` group.
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
|
@ -97,20 +97,9 @@
|
|||||||
tags:
|
tags:
|
||||||
- haproxy-service-config
|
- haproxy-service-config
|
||||||
roles:
|
roles:
|
||||||
- { role: "haproxy_server", tags: [ "haproxy-server" ] }
|
- role: "haproxy_server"
|
||||||
- role: haproxy_server
|
tags:
|
||||||
haproxy_service_configs:
|
- "haproxy-server"
|
||||||
- service:
|
|
||||||
haproxy_service_name: keystone_internal
|
|
||||||
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
|
|
||||||
haproxy_bind: "{{ internal_lb_vip_address }}"
|
|
||||||
haproxy_port: 5000
|
|
||||||
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_internaluri_proto == 'https' %}true{% else %}false{% endif %}"
|
|
||||||
haproxy_balance_type: "{{ (keystone_ssl_internal | bool) | ternary('tcp','http') }}"
|
|
||||||
haproxy_balance_alg: "{{ (keystone_ssl_internal | bool) | ternary('source', 'leastconn') }}"
|
|
||||||
haproxy_backend_options: "{{ (keystone_ssl_internal | bool) | ternary(haproxy_backend_options_https, haproxy_backend_options_http) }}"
|
|
||||||
when: internal_lb_vip_address != external_lb_vip_address
|
|
||||||
|
|
||||||
- role: "rsyslog_client"
|
- role: "rsyslog_client"
|
||||||
rsyslog_client_log_rotate_file: haproxy_log_rotate
|
rsyslog_client_log_rotate_file: haproxy_log_rotate
|
||||||
rsyslog_client_log_dir: "/var/log/haproxy"
|
rsyslog_client_log_dir: "/var/log/haproxy"
|
||||||
|
@ -38,6 +38,11 @@ rsyslog_server_storage_directory: /var/log/log-storage
|
|||||||
openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
|
openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
|
||||||
openstack_repo_git_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}/openstackgit"
|
openstack_repo_git_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}/openstackgit"
|
||||||
|
|
||||||
|
## Enable external SSL handling for general OpenStack services
|
||||||
|
openstack_external_ssl: true
|
||||||
|
nova_external_ssl: "{{ openstack_external_ssl }}"
|
||||||
|
keystone_external_ssl: "{{ openstack_external_ssl }}"
|
||||||
|
horizon_external_ssl: "{{ openstack_external_ssl }}"
|
||||||
|
|
||||||
## LXC options
|
## LXC options
|
||||||
lxc_container_domain: "openstack.local"
|
lxc_container_domain: "openstack.local"
|
||||||
@ -97,7 +102,7 @@ ssl_protocol: "ALL -SSLv2 -SSLv3"
|
|||||||
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
|
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
|
||||||
|
|
||||||
## OpenStack global Endpoint Protos
|
## OpenStack global Endpoint Protos
|
||||||
#openstack_service_publicuri_proto: http
|
openstack_service_publicuri_proto: https
|
||||||
#openstack_service_adminuri_proto: http
|
#openstack_service_adminuri_proto: http
|
||||||
#openstack_service_internaluri_proto: http
|
#openstack_service_internaluri_proto: http
|
||||||
|
|
||||||
@ -114,6 +119,8 @@ aodh_db_ip: localhost
|
|||||||
aodh_db_port: 27017
|
aodh_db_port: 27017
|
||||||
aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_ip }}:{{ aodh_db_port }}/{{ aodh_database_name }}"
|
aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_ip }}:{{ aodh_db_port }}/{{ aodh_database_name }}"
|
||||||
aodh_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
aodh_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||||
|
aodh_service_proto: http
|
||||||
|
aodh_service_publicuri: "{{ openstack_service_publicuri_proto|default(aodh_service_proto) }}://{{ external_lb_vip_address }}:{{ aodh_service_port }}"
|
||||||
|
|
||||||
|
|
||||||
## Ceilometer
|
## Ceilometer
|
||||||
@ -121,6 +128,7 @@ ceilometer_service_port: 8777
|
|||||||
ceilometer_service_proto: http
|
ceilometer_service_proto: http
|
||||||
ceilometer_service_user_name: ceilometer
|
ceilometer_service_user_name: ceilometer
|
||||||
ceilometer_service_tenant_name: service
|
ceilometer_service_tenant_name: service
|
||||||
|
ceilometer_service_publicuri: "{{ openstack_service_publicuri_proto|default(ceilometer_service_proto) }}://{{ external_lb_vip_address }}:{{ ceilometer_service_port }}"
|
||||||
ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
|
ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
|
||||||
ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/"
|
ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/"
|
||||||
ceilometer_service_region: "{{ service_region }}"
|
ceilometer_service_region: "{{ service_region }}"
|
||||||
@ -132,6 +140,7 @@ ceilometer_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
|||||||
## Nova
|
## Nova
|
||||||
nova_service_port: 8774
|
nova_service_port: 8774
|
||||||
nova_service_proto: http
|
nova_service_proto: http
|
||||||
|
nova_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_service_proto) }}"
|
||||||
nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}"
|
nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}"
|
||||||
nova_service_user_name: nova
|
nova_service_user_name: nova
|
||||||
nova_service_project_name: service
|
nova_service_project_name: service
|
||||||
@ -154,6 +163,7 @@ nova_glance_api_servers: "{{ glance_api_servers }}"
|
|||||||
## Neutron
|
## Neutron
|
||||||
neutron_service_port: 9696
|
neutron_service_port: 9696
|
||||||
neutron_service_proto: http
|
neutron_service_proto: http
|
||||||
|
neutron_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(neutron_service_proto) }}"
|
||||||
neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}"
|
neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}"
|
||||||
neutron_service_user_name: neutron
|
neutron_service_user_name: neutron
|
||||||
neutron_service_project_name: service
|
neutron_service_project_name: service
|
||||||
@ -171,6 +181,7 @@ neutron_rabbitmq_vhost: /neutron
|
|||||||
## Glance
|
## Glance
|
||||||
glance_service_port: 9292
|
glance_service_port: 9292
|
||||||
glance_service_proto: http
|
glance_service_proto: http
|
||||||
|
glance_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(glance_service_proto) }}"
|
||||||
glance_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(glance_service_proto) }}"
|
glance_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(glance_service_proto) }}"
|
||||||
glance_service_user_name: glance
|
glance_service_user_name: glance
|
||||||
glance_service_project_name: service
|
glance_service_project_name: service
|
||||||
@ -190,9 +201,9 @@ keystone_admin_tenant_name: admin
|
|||||||
keystone_admin_port: 35357
|
keystone_admin_port: 35357
|
||||||
keystone_service_port: 5000
|
keystone_service_port: 5000
|
||||||
keystone_service_proto: http
|
keystone_service_proto: http
|
||||||
|
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
|
||||||
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
|
||||||
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
|
||||||
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
|
|
||||||
keystone_service_user_name: keystone
|
keystone_service_user_name: keystone
|
||||||
keystone_service_tenant_name: service
|
keystone_service_tenant_name: service
|
||||||
keystone_service_region: "{{ service_region }}"
|
keystone_service_region: "{{ service_region }}"
|
||||||
@ -232,6 +243,7 @@ heat_service_region: "{{ service_region }}"
|
|||||||
heat_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
heat_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||||
heat_rabbitmq_userid: heat
|
heat_rabbitmq_userid: heat
|
||||||
heat_rabbitmq_vhost: /heat
|
heat_rabbitmq_vhost: /heat
|
||||||
|
heat_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(heat_service_proto) }}"
|
||||||
|
|
||||||
|
|
||||||
## Cinder
|
## Cinder
|
||||||
@ -258,6 +270,7 @@ cinder_rabbitmq_userid: cinder
|
|||||||
cinder_rabbitmq_vhost: /cinder
|
cinder_rabbitmq_vhost: /cinder
|
||||||
cinder_glance_api_servers: "{{ glance_api_servers }}"
|
cinder_glance_api_servers: "{{ glance_api_servers }}"
|
||||||
cinder_glance_api_version: "{{ (cinder_backends_rbd_inuse|bool and glance_default_store == 'rbd') | ternary('2','1') }}"
|
cinder_glance_api_version: "{{ (cinder_backends_rbd_inuse|bool and glance_default_store == 'rbd') | ternary('2','1') }}"
|
||||||
|
cinder_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(cinder_service_proto) }}"
|
||||||
|
|
||||||
|
|
||||||
## Swift
|
## Swift
|
||||||
@ -270,6 +283,7 @@ swift_service_region: "{{ service_region }}"
|
|||||||
swift_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
swift_service_in_ldap: "{{ service_ldap_backend_enabled }}"
|
||||||
swift_rabbitmq_userid: swift
|
swift_rabbitmq_userid: swift
|
||||||
swift_rabbitmq_vhost: /swift
|
swift_rabbitmq_vhost: /swift
|
||||||
|
swift_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(swift_service_proto) }}"
|
||||||
|
|
||||||
|
|
||||||
## Ironic
|
## Ironic
|
||||||
|
@ -75,12 +75,12 @@ galera_monitoring_user: monitoring
|
|||||||
haproxy_bind_on_non_local: False
|
haproxy_bind_on_non_local: False
|
||||||
|
|
||||||
## haproxy SSL
|
## haproxy SSL
|
||||||
haproxy_ssl: no
|
haproxy_ssl: true
|
||||||
haproxy_ssl_dh_param: 2048
|
haproxy_ssl_dh_param: 2048
|
||||||
haproxy_ssl_self_signed_regen: no
|
haproxy_ssl_self_signed_regen: no
|
||||||
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
|
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
|
||||||
haproxy_ssl_key: /etc/ssl/private/haproxy.key
|
haproxy_ssl_key: /etc/ssl/private/haproxy.key
|
||||||
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
|
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
|
||||||
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
|
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
|
||||||
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
|
||||||
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
|
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"
|
||||||
|
@ -18,6 +18,11 @@
|
|||||||
src: service.j2
|
src: service.j2
|
||||||
dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
|
dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
|
||||||
with_items: haproxy_service_configs
|
with_items: haproxy_service_configs
|
||||||
|
when: >
|
||||||
|
(item.service.haproxy_backend_nodes is defined and
|
||||||
|
item.service.haproxy_backend_nodes | length > 0) or
|
||||||
|
(item.service.haproxy_backup_nodes is defined and
|
||||||
|
item.service.haproxy_backup_nodes | length > 0)
|
||||||
notify: Restart haproxy
|
notify: Restart haproxy
|
||||||
tags:
|
tags:
|
||||||
- haproxy-service-config
|
- haproxy-service-config
|
||||||
|
@ -1,56 +1,116 @@
|
|||||||
# {{ ansible_managed }}
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
frontend {{ item.service.haproxy_service_name }}-front
|
{% set request_option = item.service.haproxy_balance_type | default("http") -%}
|
||||||
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
|
|
||||||
|
|
||||||
{% if item.service.haproxy_balance_type == "http" %}
|
|
||||||
option httplog
|
|
||||||
option forwardfor except 127.0.0.0/8
|
|
||||||
option http-server-close
|
|
||||||
|
|
||||||
{%- set request_option = "http" %}
|
|
||||||
{% else %}
|
|
||||||
option tcplog
|
|
||||||
{%- set request_option = "tcp" %}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}
|
|
||||||
reqadd X-Forwarded-Proto:\ https
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if item.service.haproxy_timeout_client is defined %}
|
|
||||||
timeout client {{ item.service.haproxy_timeout_client }}
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
{% if item.service.haproxy_whitelist_hosts is defined and item.service.haproxy_whitelist_hosts == true %}
|
|
||||||
acl white_list src 127.0.0.1/8 10.0.3.0/24 {{ container_cidr }}
|
|
||||||
|
|
||||||
{{ request_option }}-request content accept if white_list
|
|
||||||
{{ request_option }}-request content reject
|
|
||||||
{% endif %}
|
|
||||||
|
|
||||||
mode {{ item.service.haproxy_balance_type }}
|
|
||||||
default_backend {{ item.service.haproxy_service_name }}-back
|
|
||||||
|
|
||||||
|
|
||||||
{% if item.service.haproxy_backend_port is not defined %}
|
{% if item.service.haproxy_backend_port is not defined %}
|
||||||
{% set haproxy_backend_port = item.service.haproxy_port %}
|
{% set haproxy_backend_port = item.service.haproxy_port %}
|
||||||
{% else %}
|
{% else %}
|
||||||
{% set haproxy_backend_port = item.service.haproxy_backend_port %}
|
{% set haproxy_backend_port = item.service.haproxy_backend_port %}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% set vip_binds = [external_lb_vip_address] -%}
|
||||||
|
{%- if internal_lb_vip_address not in vip_binds %}
|
||||||
|
{% set _ = vip_binds.append(internal_lb_vip_address) %}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{%- if extra_lb_vip_addresses is defined %}
|
||||||
|
{% for vip_address in extra_lb_vip_addresses %}
|
||||||
|
{% set _ = vip_binds.append(vip_address) %}
|
||||||
|
{% endfor %}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{%- if item.service.haproxy_bind is defined %}
|
||||||
|
{% if item.service.haproxy_bind not in vip_binds %}
|
||||||
|
{% set _ = vip_binds.append(item.service.haproxy_bind) %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
{% endif -%}
|
||||||
|
|
||||||
|
{% for vip_bind in vip_binds %}
|
||||||
|
{% if item.service.haproxy_redirect_http_port is defined %}
|
||||||
|
{% if (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
|
||||||
|
|
||||||
|
frontend {{ item.service.haproxy_service_name }}-redirect-front-{{ loop.index }}
|
||||||
|
bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
|
||||||
|
mode http
|
||||||
|
redirect scheme https if !{ ssl_fc }
|
||||||
|
{% endif %}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
|
||||||
|
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
|
||||||
|
|
||||||
|
{% if request_option == "http" %}
|
||||||
|
option httplog
|
||||||
|
option forwardfor except 127.0.0.0/8
|
||||||
|
option http-server-close
|
||||||
|
{% elif request_option == "tcp" %}
|
||||||
|
option tcplog
|
||||||
|
{% endif %}
|
||||||
|
{% if item.service.haproxy_timeout_client is defined %}
|
||||||
|
timeout client {{ item.service.haproxy_timeout_client }}
|
||||||
|
{% endif %}
|
||||||
|
{% if item.service.haproxy_whitelist_networks is defined %}
|
||||||
|
acl white_list src 127.0.0.1/8 {{ item.service.haproxy_whitelist_networks | join(' ') }}
|
||||||
|
tcp-request content accept if white_list
|
||||||
|
tcp-request content reject
|
||||||
|
{% endif %}
|
||||||
|
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
|
||||||
|
reqadd X-Forwarded-Proto:\ https
|
||||||
|
{% endif %}
|
||||||
|
mode {{ item.service.haproxy_balance_type }}
|
||||||
|
default_backend {{ item.service.haproxy_service_name }}-back
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% set backend_options = item.service.haproxy_backend_options|default([]) %}
|
||||||
|
|
||||||
backend {{ item.service.haproxy_service_name }}-back
|
backend {{ item.service.haproxy_service_name }}-back
|
||||||
mode {{ item.service.haproxy_balance_type }}
|
mode {{ item.service.haproxy_balance_type }}
|
||||||
balance {{ item.service.haproxy_balance_alg|default("leastconn") }}
|
balance {{ item.service.haproxy_balance_alg|default("leastconn") }}
|
||||||
{% for option in item.service.haproxy_backend_options|default([]) %}
|
|
||||||
option {{ option }}
|
|
||||||
{% endfor %}
|
|
||||||
{% if item.service.haproxy_timeout_server is defined %}
|
{% if item.service.haproxy_timeout_server is defined %}
|
||||||
timeout server {{ item.service.haproxy_timeout_server }}
|
timeout server {{ item.service.haproxy_timeout_server }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
stick store-request src
|
||||||
|
stick-table type ip size 256k expire 30m
|
||||||
|
{% if request_option == "http" %}
|
||||||
|
option forwardfor
|
||||||
|
option httplog
|
||||||
|
{% elif request_option == "tcp" %}
|
||||||
|
option tcplog
|
||||||
|
{% endif %}
|
||||||
|
{% for option in backend_options %}
|
||||||
|
option {{ option }}
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
{% for host_name in item.service.haproxy_backend_nodes %}
|
{% for host_name in item.service.haproxy_backend_nodes %}
|
||||||
server {{ host_name }} {{ hostvars[host_name]['ansible_ssh_host'] }}:{{ haproxy_backend_port }} check port {{ haproxy_backend_port }} inter {{ haproxy_interval }} rise {{ item.service.haproxy_backend_nodes|count }} fall {{ item.service.haproxy_backend_nodes|count }}
|
{% set entry = [] %}
|
||||||
|
{% set _ = entry.append("server") %}
|
||||||
|
{% set _ = entry.append(host_name | string) %}
|
||||||
|
{% set _ = entry.append(hostvars[host_name]['ansible_ssh_host'] + ":" + haproxy_backend_port | string) %}
|
||||||
|
{% set _ = entry.append("check") %}
|
||||||
|
{% set _ = entry.append("port") %}
|
||||||
|
{% set _ = entry.append(haproxy_backend_port | string) %}
|
||||||
|
{% set _ = entry.append("inter") %}
|
||||||
|
{% set _ = entry.append(haproxy_interval | string) %}
|
||||||
|
{% set _ = entry.append("rise") %}
|
||||||
|
{% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
|
||||||
|
{% set _ = entry.append("fall") %}
|
||||||
|
{% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
|
||||||
|
{{ entry | join(' ') }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
|
||||||
{% for host_name in item.service.haproxy_backup_nodes|default([]) %}
|
{% for host_name in item.service.haproxy_backup_nodes|default([]) %}
|
||||||
server {{ host_name }} {{ hostvars[host_name]['ansible_ssh_host'] }}:{{ haproxy_backend_port }} check port {{ haproxy_backend_port }} inter {{ haproxy_interval }} rise {{ item.service.haproxy_backend_nodes|count }} fall {{ item.service.haproxy_backend_nodes|count }} backup
|
{% set entry = [] %}
|
||||||
|
{% set _ = entry.append("server") %}
|
||||||
|
{% set _ = entry.append(host_name | string) %}
|
||||||
|
{% set _ = entry.append(hostvars[host_name]['ansible_ssh_host'] + ":" + haproxy_backend_port | string) %}
|
||||||
|
{% set _ = entry.append("check") %}
|
||||||
|
{% set _ = entry.append("port") %}
|
||||||
|
{% set _ = entry.append(haproxy_backend_port | string) %}
|
||||||
|
{% set _ = entry.append("inter") %}
|
||||||
|
{% set _ = entry.append(haproxy_interval | string) %}
|
||||||
|
{% set _ = entry.append("rise") %}
|
||||||
|
{% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %}
|
||||||
|
{% set _ = entry.append("fall") %}
|
||||||
|
{% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %}
|
||||||
|
{% set _ = entry.append("backup") %}
|
||||||
|
{{ entry | join(' ') }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
@ -12,18 +12,6 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
haproxy_backend_options_http:
|
|
||||||
- "forwardfor"
|
|
||||||
- "httpchk"
|
|
||||||
- "httplog"
|
|
||||||
|
|
||||||
haproxy_backend_options_https:
|
|
||||||
- "ssl-hello-chk"
|
|
||||||
|
|
||||||
keystone_ssl_admin: "{% if keystone_ssl is defined and keystone_ssl | bool and keystone_service_adminuri_proto == 'https' %}true{% else %}false{% endif %}"
|
|
||||||
keystone_ssl_internal: "{% if keystone_ssl is defined and keystone_ssl | bool and keystone_service_internaluri_proto == 'https' %}true{% else %}false{% endif %}"
|
|
||||||
keystone_ssl_public: "{% if keystone_ssl is defined and keystone_ssl | bool and keystone_service_publicuri_proto == 'https' %}true{% else %}false{% endif %}"
|
|
||||||
|
|
||||||
haproxy_service_configs:
|
haproxy_service_configs:
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: galera
|
haproxy_service_name: galera
|
||||||
@ -35,158 +23,181 @@ haproxy_service_configs:
|
|||||||
haproxy_timeout_server: 5000s
|
haproxy_timeout_server: 5000s
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "mysql-check user {{ galera_monitoring_user }}"
|
- "mysql-check user {{ galera_monitoring_user }}"
|
||||||
|
haproxy_whitelist_networks:
|
||||||
|
- 192.168.0.0/16
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 10.0.0.0/8
|
||||||
|
- service:
|
||||||
|
haproxy_service_name: repo_all
|
||||||
|
haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
|
haproxy_port: 8181
|
||||||
|
haproxy_balance_type: http
|
||||||
|
haproxy_backend_options:
|
||||||
|
- "httpchk HEAD /"
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: glance_api
|
haproxy_service_name: glance_api
|
||||||
haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_port: 9292
|
haproxy_port: 9292
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "forwardfor"
|
- "httpchk /healthcheck"
|
||||||
- "httpchk /versions"
|
|
||||||
- "httplog"
|
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: glance_registry
|
haproxy_service_name: glance_registry
|
||||||
haproxy_backend_nodes: "{{ groups['glance_registry'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['glance_registry'] | default([]) }}"
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_port: 9191
|
haproxy_port: 9191
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
|
haproxy_backend_options:
|
||||||
|
- "httpchk /healthcheck"
|
||||||
|
haproxy_whitelist_networks:
|
||||||
|
- 192.168.0.0/16
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 10.0.0.0/8
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: heat_api_cfn
|
haproxy_service_name: heat_api_cfn
|
||||||
haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}"
|
||||||
haproxy_port: 8000
|
haproxy_port: 8000
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "forwardfor"
|
- "httpchk HEAD /"
|
||||||
- "httpchk"
|
|
||||||
- "httplog"
|
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: heat_api_cloudwatch
|
haproxy_service_name: heat_api_cloudwatch
|
||||||
haproxy_backend_nodes: "{{ groups['heat_api_cloudwatch'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['heat_api_cloudwatch'] | default([]) }}"
|
||||||
haproxy_port: 8003
|
haproxy_port: 8003
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "forwardfor"
|
- "httpchk HEAD /"
|
||||||
- "httpchk"
|
|
||||||
- "httplog"
|
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: heat_api
|
haproxy_service_name: heat_api
|
||||||
haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}"
|
||||||
haproxy_port: 8004
|
haproxy_port: 8004
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "forwardfor"
|
- "httpchk HEAD /"
|
||||||
- "httpchk"
|
- service:
|
||||||
- "httplog"
|
haproxy_service_name: keystone_service
|
||||||
|
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
|
||||||
|
haproxy_port: 5000
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
|
haproxy_balance_type: "http"
|
||||||
|
haproxy_backend_options:
|
||||||
|
- "httpchk HEAD /"
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: keystone_admin
|
haproxy_service_name: keystone_admin
|
||||||
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
|
||||||
haproxy_port: 35357
|
haproxy_port: 35357
|
||||||
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_adminuri_proto == 'https' %}true{% else %}false{% endif %}"
|
haproxy_balance_type: "http"
|
||||||
haproxy_balance_type: "{{ (keystone_ssl_admin | bool) | ternary('tcp', 'http') }}"
|
haproxy_backend_options:
|
||||||
haproxy_balance_alg: "{{ (keystone_ssl_admin | bool) | ternary('source', 'leastconn') }}"
|
- "httpchk HEAD /"
|
||||||
haproxy_backend_options: "{{ (keystone_ssl_admin | bool) | ternary(haproxy_backend_options_https, haproxy_backend_options_http) }}"
|
haproxy_whitelist_networks:
|
||||||
- service:
|
- 192.168.0.0/16
|
||||||
haproxy_service_name: keystone_service
|
- 172.16.0.0/12
|
||||||
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
|
- 10.0.0.0/8
|
||||||
haproxy_bind: "{% if internal_lb_vip_address == external_lb_vip_address %}*{% else %}{{ external_lb_vip_address }}{% endif %}"
|
|
||||||
haproxy_port: 5000
|
|
||||||
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_publicuri_proto == 'https' %}true{% else %}false{% endif %}"
|
|
||||||
haproxy_balance_type: "{{ (keystone_ssl_public | bool) | ternary('tcp','http') }}"
|
|
||||||
haproxy_balance_alg: "{{ (keystone_ssl_public | bool) | ternary('source', 'leastconn') }}"
|
|
||||||
haproxy_backend_options: "{{ (keystone_ssl_public | bool) | ternary(haproxy_backend_options_https, haproxy_backend_options_http) }}"
|
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: neutron_server
|
haproxy_service_name: neutron_server
|
||||||
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
|
||||||
haproxy_port: 9696
|
haproxy_port: 9696
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "forwardfor"
|
- "httpchk HEAD /"
|
||||||
- "httpchk"
|
|
||||||
- "httplog"
|
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: nova_api_metadata
|
haproxy_service_name: nova_api_metadata
|
||||||
haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
|
||||||
haproxy_port: 8775
|
haproxy_port: 8775
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "httpchk"
|
- "httpchk HEAD /"
|
||||||
- "httplog"
|
haproxy_whitelist_networks:
|
||||||
|
- 192.168.0.0/16
|
||||||
|
- 172.16.0.0/12
|
||||||
|
- 10.0.0.0/8
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: nova_api_os_compute
|
haproxy_service_name: nova_api_os_compute
|
||||||
haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_port: 8774
|
haproxy_port: 8774
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "forwardfor"
|
- "httpchk HEAD /"
|
||||||
- "httpchk"
|
|
||||||
- "httplog"
|
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: nova_console
|
haproxy_service_name: nova_console
|
||||||
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
|
||||||
haproxy_ssl: "{% if haproxy_ssl | bool and nova_spice_html5proxy_base_proto == 'https' %}true{% else %}false{% endif %}"
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_port: 6082
|
haproxy_port: 6082
|
||||||
haproxy_balance_type: tcp
|
haproxy_balance_type: tcp
|
||||||
haproxy_timeout_client: 60m
|
haproxy_timeout_client: 60m
|
||||||
haproxy_timeout_server: 60m
|
haproxy_timeout_server: 60m
|
||||||
haproxy_balance_alg: source
|
haproxy_balance_alg: source
|
||||||
|
haproxy_backend_options:
|
||||||
|
- tcp-check
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: nova_console_novnc
|
haproxy_service_name: nova_console_novnc
|
||||||
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
|
||||||
haproxy_ssl: "{% if haproxy_ssl | bool and nova_novncproxy_proto == 'https' %}true{% else %}false{% endif %}"
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_port: 6080
|
haproxy_port: 6080
|
||||||
haproxy_balance_type: tcp
|
haproxy_balance_type: tcp
|
||||||
haproxy_timeout_client: 60m
|
haproxy_timeout_client: 60m
|
||||||
haproxy_timeout_server: 60m
|
haproxy_timeout_server: 60m
|
||||||
haproxy_balance_alg: source
|
haproxy_balance_alg: source
|
||||||
|
haproxy_backend_options:
|
||||||
|
- tcp-check
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: cinder_api
|
haproxy_service_name: cinder_api
|
||||||
haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}"
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_port: 8776
|
haproxy_port: 8776
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "forwardfor"
|
- "httpchk HEAD /"
|
||||||
- "httpchk"
|
|
||||||
- "httplog"
|
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: horizon
|
haproxy_service_name: horizon
|
||||||
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
|
||||||
haproxy_port: 80
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_balance_type: http
|
haproxy_ssl_all_vips: true
|
||||||
haproxy_backend_options:
|
|
||||||
- "forwardfor"
|
|
||||||
- "httpchk"
|
|
||||||
- "httplog"
|
|
||||||
- service:
|
|
||||||
haproxy_service_name: horizon_ssl
|
|
||||||
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
|
|
||||||
haproxy_port: 443
|
haproxy_port: 443
|
||||||
haproxy_balance_type: tcp
|
haproxy_backend_port: 80
|
||||||
|
haproxy_redirect_http_port: 80
|
||||||
|
haproxy_balance_type: http
|
||||||
haproxy_balance_alg: source
|
haproxy_balance_alg: source
|
||||||
haproxy_backend_options:
|
haproxy_backend_options:
|
||||||
- "ssl-hello-chk"
|
- "httpchk HEAD /"
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: swift_proxy
|
haproxy_service_name: swift_proxy
|
||||||
haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}"
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_balance_alg: source
|
haproxy_balance_alg: source
|
||||||
haproxy_port: 8080
|
haproxy_port: 8080
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
- service:
|
haproxy_backend_options:
|
||||||
haproxy_service_name: repo_all
|
- "httpchk /healthcheck"
|
||||||
haproxy_backend_nodes: "{{ groups['pkg_repo'] | default([]) }}"
|
|
||||||
haproxy_port: 8181
|
|
||||||
haproxy_backend_port: 8181
|
|
||||||
haproxy_balance_type: http
|
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: ceilometer_api
|
haproxy_service_name: ceilometer_api
|
||||||
haproxy_backend_nodes: "{{ groups['ceilometer_api_container'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['ceilometer_api_container'] | default([]) }}"
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_port: 8777
|
haproxy_port: 8777
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: tcp
|
||||||
|
haproxy_backend_options:
|
||||||
|
- tcp-check
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: aodh_api
|
haproxy_service_name: aodh_api
|
||||||
haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}"
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_port: 8042
|
haproxy_port: 8042
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: tcp
|
||||||
|
haproxy_backend_options:
|
||||||
|
- tcp-check
|
||||||
- service:
|
- service:
|
||||||
haproxy_service_name: ironic_api
|
haproxy_service_name: ironic_api
|
||||||
haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}"
|
haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}"
|
||||||
|
haproxy_ssl: "{{ haproxy_ssl }}"
|
||||||
haproxy_port: 6385
|
haproxy_port: 6385
|
||||||
haproxy_balance_type: http
|
haproxy_balance_type: http
|
||||||
|
haproxy_backend_options:
|
||||||
|
- "httpchk HEAD /"
|
||||||
|
@ -0,0 +1,31 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- The HAProxy role provided by OpenStack-Ansible now terminates SSL
|
||||||
|
using a self-signed certificate by default. While this can be
|
||||||
|
disabled the inclusion of SSL services on all public endpoints as
|
||||||
|
a default will help make deployments more secure without any
|
||||||
|
additional user interaction. More information on SSL and certificate
|
||||||
|
generation can be `found here <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates>`_.
|
||||||
|
upgrade:
|
||||||
|
- SSL termination is assumed enabled for all public endpoints by default.
|
||||||
|
If this is not needed it can be disabled by setting
|
||||||
|
the ``openstack_external_ssl`` option to **false** and the
|
||||||
|
``openstack_service_publicuri_proto`` to **http**.
|
||||||
|
- If HAProxy is used as the loadbalancer for a deployment it will generate
|
||||||
|
a self-signed certificate by default. If HAProxy is NOT used, an SSL
|
||||||
|
certificate should be installed on the external loadbalancer. The
|
||||||
|
installation of an SSL certificate on an external load balancer is not
|
||||||
|
covered by the deployment tooling.
|
||||||
|
- In previous releases connections to Horizon originally terminated SSL
|
||||||
|
at the Horizon container. While that is still an option, SSL is now
|
||||||
|
assumed to be terminated at the load balancer. If you wish to terminate
|
||||||
|
SSL at the horizon node change the ``horizon_external_ssl`` option to
|
||||||
|
**false**.
|
||||||
|
- Public endpoints will need to be updated using the Keystone admin API to
|
||||||
|
support secure endpoints. The Keystone ansible module will not recreate
|
||||||
|
the endpoints automatically. Documentation on the `Keystone service
|
||||||
|
catalog can be found here <http://docs.openstack.org/developer/keystone/configuration.html#service-catalog>`_.
|
||||||
|
security:
|
||||||
|
- A self-signed certificate will now be generated by default when HAproxy
|
||||||
|
is used as a load balancer. This certificate is used to terminate the
|
||||||
|
public endpoint for Horizon and all OpenStack API services.
|
Loading…
Reference in New Issue
Block a user