Enable SSL termination for all services

This change makes it so that all services are expecting SSL termination
at the load balancer by default. This is more indicative of how a real
world deployment will be setup and is being added such that we can test
a more production like deployment system by default.

The AIO will now terminate SSL in HAProxy using a self-signed cert.

Depends-On: I63cfecd6793ba2b28c294d939c9b1c466940cbd1
Depends-On: Iba63636d733fa1eb095564b8bf33a8159d9c2a00
Depends-On: Ib31a48dd480ecb376a6a8c5b35b09dfa5d2e58f6
Depends-On: Ibdeb8b981ca770ce4f56beeae05afd3379964859
Change-Id: Id87fab39c929e0860abbc3755ad386aa6893b151
Co-Authored-By: Logan V <logan2211@gmail.com>
Signed-off-by: Logan V <logan2211@gmail.com>
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>
This commit is contained in:
Kevin Carter 2016-04-14 15:42:13 -05:00 committed by Jean-Philippe Evrard
parent 99a190be9b
commit 92eb98e1d2
8 changed files with 240 additions and 129 deletions

View File

@ -3,10 +3,11 @@
Configuring HAProxy (optional) Configuring HAProxy (optional)
------------------------------ ------------------------------
HAProxy provides load balancing for high availability architectures deployed by HAProxy provides load balancing services and SSL termination when hardware
OpenStack-Ansible. The default HAProxy configuration provides highly-available load balancers are not available for high availability architectures deployed
load balancing services via keepalived if there are more than one hosts in the by OpenStack-Ansible. The default HAProxy configuration provides highly-
``haproxy_hosts`` group. available load balancing services via keepalived if there is more than one
host in the ``haproxy_hosts`` group.
.. note:: .. note::

View File

@ -97,20 +97,9 @@
tags: tags:
- haproxy-service-config - haproxy-service-config
roles: roles:
- { role: "haproxy_server", tags: [ "haproxy-server" ] } - role: "haproxy_server"
- role: haproxy_server tags:
haproxy_service_configs: - "haproxy-server"
- service:
haproxy_service_name: keystone_internal
haproxy_backend_nodes: "{{ groups['keystone_all'] }}"
haproxy_bind: "{{ internal_lb_vip_address }}"
haproxy_port: 5000
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_internaluri_proto == 'https' %}true{% else %}false{% endif %}"
haproxy_balance_type: "{{ (keystone_ssl_internal | bool) | ternary('tcp','http') }}"
haproxy_balance_alg: "{{ (keystone_ssl_internal | bool) | ternary('source', 'leastconn') }}"
haproxy_backend_options: "{{ (keystone_ssl_internal | bool) | ternary(haproxy_backend_options_https, haproxy_backend_options_http) }}"
when: internal_lb_vip_address != external_lb_vip_address
- role: "rsyslog_client" - role: "rsyslog_client"
rsyslog_client_log_rotate_file: haproxy_log_rotate rsyslog_client_log_rotate_file: haproxy_log_rotate
rsyslog_client_log_dir: "/var/log/haproxy" rsyslog_client_log_dir: "/var/log/haproxy"

View File

@ -38,6 +38,11 @@ rsyslog_server_storage_directory: /var/log/log-storage
openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}" openstack_repo_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}"
openstack_repo_git_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}/openstackgit" openstack_repo_git_url: "http://{{ internal_lb_vip_address }}:{{ repo_server_port }}/openstackgit"
## Enable external SSL handling for general OpenStack services
openstack_external_ssl: true
nova_external_ssl: "{{ openstack_external_ssl }}"
keystone_external_ssl: "{{ openstack_external_ssl }}"
horizon_external_ssl: "{{ openstack_external_ssl }}"
## LXC options ## LXC options
lxc_container_domain: "openstack.local" lxc_container_domain: "openstack.local"
@ -97,7 +102,7 @@ ssl_protocol: "ALL -SSLv2 -SSLv3"
ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS" ssl_cipher_suite: "ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS"
## OpenStack global Endpoint Protos ## OpenStack global Endpoint Protos
#openstack_service_publicuri_proto: http openstack_service_publicuri_proto: https
#openstack_service_adminuri_proto: http #openstack_service_adminuri_proto: http
#openstack_service_internaluri_proto: http #openstack_service_internaluri_proto: http
@ -114,6 +119,8 @@ aodh_db_ip: localhost
aodh_db_port: 27017 aodh_db_port: 27017
aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_ip }}:{{ aodh_db_port }}/{{ aodh_database_name }}" aodh_connection_string: "{{ aodh_db_type }}://{{ aodh_database_user }}:{{ aodh_container_db_password }}@{{ aodh_db_ip }}:{{ aodh_db_port }}/{{ aodh_database_name }}"
aodh_service_in_ldap: "{{ service_ldap_backend_enabled }}" aodh_service_in_ldap: "{{ service_ldap_backend_enabled }}"
aodh_service_proto: http
aodh_service_publicuri: "{{ openstack_service_publicuri_proto|default(aodh_service_proto) }}://{{ external_lb_vip_address }}:{{ aodh_service_port }}"
## Ceilometer ## Ceilometer
@ -121,6 +128,7 @@ ceilometer_service_port: 8777
ceilometer_service_proto: http ceilometer_service_proto: http
ceilometer_service_user_name: ceilometer ceilometer_service_user_name: ceilometer
ceilometer_service_tenant_name: service ceilometer_service_tenant_name: service
ceilometer_service_publicuri: "{{ openstack_service_publicuri_proto|default(ceilometer_service_proto) }}://{{ external_lb_vip_address }}:{{ ceilometer_service_port }}"
ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}" ceilometer_service_adminuri: "{{ ceilometer_service_proto }}://{{ internal_lb_vip_address }}:{{ ceilometer_service_port }}"
ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/" ceilometer_service_adminurl: "{{ ceilometer_service_adminuri }}/"
ceilometer_service_region: "{{ service_region }}" ceilometer_service_region: "{{ service_region }}"
@ -132,6 +140,7 @@ ceilometer_service_in_ldap: "{{ service_ldap_backend_enabled }}"
## Nova ## Nova
nova_service_port: 8774 nova_service_port: 8774
nova_service_proto: http nova_service_proto: http
nova_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(nova_service_proto) }}"
nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}" nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}"
nova_service_user_name: nova nova_service_user_name: nova
nova_service_project_name: service nova_service_project_name: service
@ -154,6 +163,7 @@ nova_glance_api_servers: "{{ glance_api_servers }}"
## Neutron ## Neutron
neutron_service_port: 9696 neutron_service_port: 9696
neutron_service_proto: http neutron_service_proto: http
neutron_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(neutron_service_proto) }}"
neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}" neutron_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(neutron_service_proto) }}"
neutron_service_user_name: neutron neutron_service_user_name: neutron
neutron_service_project_name: service neutron_service_project_name: service
@ -171,6 +181,7 @@ neutron_rabbitmq_vhost: /neutron
## Glance ## Glance
glance_service_port: 9292 glance_service_port: 9292
glance_service_proto: http glance_service_proto: http
glance_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(glance_service_proto) }}"
glance_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(glance_service_proto) }}" glance_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(glance_service_proto) }}"
glance_service_user_name: glance glance_service_user_name: glance
glance_service_project_name: service glance_service_project_name: service
@ -190,9 +201,9 @@ keystone_admin_tenant_name: admin
keystone_admin_port: 35357 keystone_admin_port: 35357
keystone_service_port: 5000 keystone_service_port: 5000
keystone_service_proto: http keystone_service_proto: http
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}" keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}" keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_user_name: keystone keystone_service_user_name: keystone
keystone_service_tenant_name: service keystone_service_tenant_name: service
keystone_service_region: "{{ service_region }}" keystone_service_region: "{{ service_region }}"
@ -232,6 +243,7 @@ heat_service_region: "{{ service_region }}"
heat_service_in_ldap: "{{ service_ldap_backend_enabled }}" heat_service_in_ldap: "{{ service_ldap_backend_enabled }}"
heat_rabbitmq_userid: heat heat_rabbitmq_userid: heat
heat_rabbitmq_vhost: /heat heat_rabbitmq_vhost: /heat
heat_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(heat_service_proto) }}"
## Cinder ## Cinder
@ -258,6 +270,7 @@ cinder_rabbitmq_userid: cinder
cinder_rabbitmq_vhost: /cinder cinder_rabbitmq_vhost: /cinder
cinder_glance_api_servers: "{{ glance_api_servers }}" cinder_glance_api_servers: "{{ glance_api_servers }}"
cinder_glance_api_version: "{{ (cinder_backends_rbd_inuse|bool and glance_default_store == 'rbd') | ternary('2','1') }}" cinder_glance_api_version: "{{ (cinder_backends_rbd_inuse|bool and glance_default_store == 'rbd') | ternary('2','1') }}"
cinder_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(cinder_service_proto) }}"
## Swift ## Swift
@ -270,6 +283,7 @@ swift_service_region: "{{ service_region }}"
swift_service_in_ldap: "{{ service_ldap_backend_enabled }}" swift_service_in_ldap: "{{ service_ldap_backend_enabled }}"
swift_rabbitmq_userid: swift swift_rabbitmq_userid: swift
swift_rabbitmq_vhost: /swift swift_rabbitmq_vhost: /swift
swift_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(swift_service_proto) }}"
## Ironic ## Ironic

View File

@ -75,12 +75,12 @@ galera_monitoring_user: monitoring
haproxy_bind_on_non_local: False haproxy_bind_on_non_local: False
## haproxy SSL ## haproxy SSL
haproxy_ssl: no haproxy_ssl: true
haproxy_ssl_dh_param: 2048 haproxy_ssl_dh_param: 2048
haproxy_ssl_self_signed_regen: no haproxy_ssl_self_signed_regen: no
haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert haproxy_ssl_cert: /etc/ssl/certs/haproxy.cert
haproxy_ssl_key: /etc/ssl/private/haproxy.key haproxy_ssl_key: /etc/ssl/private/haproxy.key
haproxy_ssl_pem: /etc/ssl/private/haproxy.pem haproxy_ssl_pem: /etc/ssl/private/haproxy.pem
haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem haproxy_ssl_ca_cert: /etc/ssl/certs/haproxy-ca.pem
haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ internal_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}" haproxy_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ external_lb_vip_address }}/subjectAltName=IP.1={{ external_lb_vip_address }}"
haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}" haproxy_ssl_cipher_suite: "{{ ssl_cipher_suite }}"

View File

@ -18,6 +18,11 @@
src: service.j2 src: service.j2
dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}" dest: "/etc/haproxy/conf.d/{{ item.service.haproxy_service_name }}"
with_items: haproxy_service_configs with_items: haproxy_service_configs
when: >
(item.service.haproxy_backend_nodes is defined and
item.service.haproxy_backend_nodes | length > 0) or
(item.service.haproxy_backup_nodes is defined and
item.service.haproxy_backup_nodes | length > 0)
notify: Restart haproxy notify: Restart haproxy
tags: tags:
- haproxy-service-config - haproxy-service-config

View File

@ -1,56 +1,116 @@
# {{ ansible_managed }} # {{ ansible_managed }}
frontend {{ item.service.haproxy_service_name }}-front {% set request_option = item.service.haproxy_balance_type | default("http") -%}
bind {{ item.service.haproxy_bind|default('*') }}:{{ item.service.haproxy_port }} {% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
{% if item.service.haproxy_balance_type == "http" %}
option httplog
option forwardfor except 127.0.0.0/8
option http-server-close
{%- set request_option = "http" %}
{% else %}
option tcplog
{%- set request_option = "tcp" %}
{% endif %}
{% if item.service.haproxy_ssl is defined and item.service.haproxy_ssl | bool %}
reqadd X-Forwarded-Proto:\ https
{% endif %}
{% if item.service.haproxy_timeout_client is defined %}
timeout client {{ item.service.haproxy_timeout_client }}
{% endif %}
{% if item.service.haproxy_whitelist_hosts is defined and item.service.haproxy_whitelist_hosts == true %}
acl white_list src 127.0.0.1/8 10.0.3.0/24 {{ container_cidr }}
{{ request_option }}-request content accept if white_list
{{ request_option }}-request content reject
{% endif %}
mode {{ item.service.haproxy_balance_type }}
default_backend {{ item.service.haproxy_service_name }}-back
{% if item.service.haproxy_backend_port is not defined %} {% if item.service.haproxy_backend_port is not defined %}
{% set haproxy_backend_port = item.service.haproxy_port %} {% set haproxy_backend_port = item.service.haproxy_port %}
{% else %} {% else %}
{% set haproxy_backend_port = item.service.haproxy_backend_port %} {% set haproxy_backend_port = item.service.haproxy_backend_port %}
{% endif -%}
{% set vip_binds = [external_lb_vip_address] -%}
{%- if internal_lb_vip_address not in vip_binds %}
{% set _ = vip_binds.append(internal_lb_vip_address) %}
{% endif -%}
{%- if extra_lb_vip_addresses is defined %}
{% for vip_address in extra_lb_vip_addresses %}
{% set _ = vip_binds.append(vip_address) %}
{% endfor %}
{% endif -%}
{%- if item.service.haproxy_bind is defined %}
{% if item.service.haproxy_bind not in vip_binds %}
{% set _ = vip_binds.append(item.service.haproxy_bind) %}
{% endif %} {% endif %}
{% endif -%}
{% for vip_bind in vip_binds %}
{% if item.service.haproxy_redirect_http_port is defined %}
{% if (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
frontend {{ item.service.haproxy_service_name }}-redirect-front-{{ loop.index }}
bind {{ vip_bind }}:{{ item.service.haproxy_redirect_http_port }}
mode http
redirect scheme https if !{ ssl_fc }
{% endif %}
{% endif %}
frontend {{ item.service.haproxy_service_name }}-front-{{ loop.index }}
bind {{ vip_bind }}:{{ item.service.haproxy_port }} {% if (item.service.haproxy_ssl | default(false) | bool) and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}ssl crt {{ haproxy_ssl_pem }} ciphers {{ haproxy_ssl_cipher_suite }}{% endif %}
{% if request_option == "http" %}
option httplog
option forwardfor except 127.0.0.0/8
option http-server-close
{% elif request_option == "tcp" %}
option tcplog
{% endif %}
{% if item.service.haproxy_timeout_client is defined %}
timeout client {{ item.service.haproxy_timeout_client }}
{% endif %}
{% if item.service.haproxy_whitelist_networks is defined %}
acl white_list src 127.0.0.1/8 {{ item.service.haproxy_whitelist_networks | join(' ') }}
tcp-request content accept if white_list
tcp-request content reject
{% endif %}
{% if (item.service.haproxy_ssl | default(false) | bool) and request_option == 'http' and (loop.index == 1 or item.service.haproxy_ssl_all_vips | default(false) | bool) %}
reqadd X-Forwarded-Proto:\ https
{% endif %}
mode {{ item.service.haproxy_balance_type }}
default_backend {{ item.service.haproxy_service_name }}-back
{% endfor %}
{% set backend_options = item.service.haproxy_backend_options|default([]) %}
backend {{ item.service.haproxy_service_name }}-back backend {{ item.service.haproxy_service_name }}-back
mode {{ item.service.haproxy_balance_type }} mode {{ item.service.haproxy_balance_type }}
balance {{ item.service.haproxy_balance_alg|default("leastconn") }} balance {{ item.service.haproxy_balance_alg|default("leastconn") }}
{% for option in item.service.haproxy_backend_options|default([]) %}
option {{ option }}
{% endfor %}
{% if item.service.haproxy_timeout_server is defined %} {% if item.service.haproxy_timeout_server is defined %}
timeout server {{ item.service.haproxy_timeout_server }} timeout server {{ item.service.haproxy_timeout_server }}
{% endif %} {% endif %}
stick store-request src
stick-table type ip size 256k expire 30m
{% if request_option == "http" %}
option forwardfor
option httplog
{% elif request_option == "tcp" %}
option tcplog
{% endif %}
{% for option in backend_options %}
option {{ option }}
{% endfor %}
{% for host_name in item.service.haproxy_backend_nodes %} {% for host_name in item.service.haproxy_backend_nodes %}
server {{ host_name }} {{ hostvars[host_name]['ansible_ssh_host'] }}:{{ haproxy_backend_port }} check port {{ haproxy_backend_port }} inter {{ haproxy_interval }} rise {{ item.service.haproxy_backend_nodes|count }} fall {{ item.service.haproxy_backend_nodes|count }} {% set entry = [] %}
{% set _ = entry.append("server") %}
{% set _ = entry.append(host_name | string) %}
{% set _ = entry.append(hostvars[host_name]['ansible_ssh_host'] + ":" + haproxy_backend_port | string) %}
{% set _ = entry.append("check") %}
{% set _ = entry.append("port") %}
{% set _ = entry.append(haproxy_backend_port | string) %}
{% set _ = entry.append("inter") %}
{% set _ = entry.append(haproxy_interval | string) %}
{% set _ = entry.append("rise") %}
{% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
{% set _ = entry.append("fall") %}
{% set _ = entry.append(item.service.haproxy_backend_nodes | count | string) %}
{{ entry | join(' ') }}
{% endfor %} {% endfor %}
{% for host_name in item.service.haproxy_backup_nodes|default([]) %} {% for host_name in item.service.haproxy_backup_nodes|default([]) %}
server {{ host_name }} {{ hostvars[host_name]['ansible_ssh_host'] }}:{{ haproxy_backend_port }} check port {{ haproxy_backend_port }} inter {{ haproxy_interval }} rise {{ item.service.haproxy_backend_nodes|count }} fall {{ item.service.haproxy_backend_nodes|count }} backup {% set entry = [] %}
{% set _ = entry.append("server") %}
{% set _ = entry.append(host_name | string) %}
{% set _ = entry.append(hostvars[host_name]['ansible_ssh_host'] + ":" + haproxy_backend_port | string) %}
{% set _ = entry.append("check") %}
{% set _ = entry.append("port") %}
{% set _ = entry.append(haproxy_backend_port | string) %}
{% set _ = entry.append("inter") %}
{% set _ = entry.append(haproxy_interval | string) %}
{% set _ = entry.append("rise") %}
{% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %}
{% set _ = entry.append("fall") %}
{% set _ = entry.append(item.service.haproxy_backup_nodes | count | string) %}
{% set _ = entry.append("backup") %}
{{ entry | join(' ') }}
{% endfor %} {% endfor %}

View File

@ -12,18 +12,6 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
haproxy_backend_options_http:
- "forwardfor"
- "httpchk"
- "httplog"
haproxy_backend_options_https:
- "ssl-hello-chk"
keystone_ssl_admin: "{% if keystone_ssl is defined and keystone_ssl | bool and keystone_service_adminuri_proto == 'https' %}true{% else %}false{% endif %}"
keystone_ssl_internal: "{% if keystone_ssl is defined and keystone_ssl | bool and keystone_service_internaluri_proto == 'https' %}true{% else %}false{% endif %}"
keystone_ssl_public: "{% if keystone_ssl is defined and keystone_ssl | bool and keystone_service_publicuri_proto == 'https' %}true{% else %}false{% endif %}"
haproxy_service_configs: haproxy_service_configs:
- service: - service:
haproxy_service_name: galera haproxy_service_name: galera
@ -35,158 +23,181 @@ haproxy_service_configs:
haproxy_timeout_server: 5000s haproxy_timeout_server: 5000s
haproxy_backend_options: haproxy_backend_options:
- "mysql-check user {{ galera_monitoring_user }}" - "mysql-check user {{ galera_monitoring_user }}"
haproxy_whitelist_networks:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
- service:
haproxy_service_name: repo_all
haproxy_backend_nodes: "{{ groups['repo_all'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 8181
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /"
- service: - service:
haproxy_service_name: glance_api haproxy_service_name: glance_api
haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}" haproxy_backend_nodes: "{{ groups['glance_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 9292 haproxy_port: 9292
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options: haproxy_backend_options:
- "forwardfor" - "httpchk /healthcheck"
- "httpchk /versions"
- "httplog"
- service: - service:
haproxy_service_name: glance_registry haproxy_service_name: glance_registry
haproxy_backend_nodes: "{{ groups['glance_registry'] | default([]) }}" haproxy_backend_nodes: "{{ groups['glance_registry'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 9191 haproxy_port: 9191
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options:
- "httpchk /healthcheck"
haproxy_whitelist_networks:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
- service: - service:
haproxy_service_name: heat_api_cfn haproxy_service_name: heat_api_cfn
haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}" haproxy_backend_nodes: "{{ groups['heat_api_cfn'] | default([]) }}"
haproxy_port: 8000 haproxy_port: 8000
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options: haproxy_backend_options:
- "forwardfor" - "httpchk HEAD /"
- "httpchk"
- "httplog"
- service: - service:
haproxy_service_name: heat_api_cloudwatch haproxy_service_name: heat_api_cloudwatch
haproxy_backend_nodes: "{{ groups['heat_api_cloudwatch'] | default([]) }}" haproxy_backend_nodes: "{{ groups['heat_api_cloudwatch'] | default([]) }}"
haproxy_port: 8003 haproxy_port: 8003
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options: haproxy_backend_options:
- "forwardfor" - "httpchk HEAD /"
- "httpchk"
- "httplog"
- service: - service:
haproxy_service_name: heat_api haproxy_service_name: heat_api
haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}" haproxy_backend_nodes: "{{ groups['heat_api'] | default([]) }}"
haproxy_port: 8004 haproxy_port: 8004
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options: haproxy_backend_options:
- "forwardfor" - "httpchk HEAD /"
- "httpchk" - service:
- "httplog" haproxy_service_name: keystone_service
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
haproxy_port: 5000
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_balance_type: "http"
haproxy_backend_options:
- "httpchk HEAD /"
- service: - service:
haproxy_service_name: keystone_admin haproxy_service_name: keystone_admin
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}" haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}"
haproxy_port: 35357 haproxy_port: 35357
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_adminuri_proto == 'https' %}true{% else %}false{% endif %}" haproxy_balance_type: "http"
haproxy_balance_type: "{{ (keystone_ssl_admin | bool) | ternary('tcp', 'http') }}" haproxy_backend_options:
haproxy_balance_alg: "{{ (keystone_ssl_admin | bool) | ternary('source', 'leastconn') }}" - "httpchk HEAD /"
haproxy_backend_options: "{{ (keystone_ssl_admin | bool) | ternary(haproxy_backend_options_https, haproxy_backend_options_http) }}" haproxy_whitelist_networks:
- service: - 192.168.0.0/16
haproxy_service_name: keystone_service - 172.16.0.0/12
haproxy_backend_nodes: "{{ groups['keystone_all'] | default([]) }}" - 10.0.0.0/8
haproxy_bind: "{% if internal_lb_vip_address == external_lb_vip_address %}*{% else %}{{ external_lb_vip_address }}{% endif %}"
haproxy_port: 5000
haproxy_ssl: "{% if haproxy_ssl | bool and keystone_service_publicuri_proto == 'https' %}true{% else %}false{% endif %}"
haproxy_balance_type: "{{ (keystone_ssl_public | bool) | ternary('tcp','http') }}"
haproxy_balance_alg: "{{ (keystone_ssl_public | bool) | ternary('source', 'leastconn') }}"
haproxy_backend_options: "{{ (keystone_ssl_public | bool) | ternary(haproxy_backend_options_https, haproxy_backend_options_http) }}"
- service: - service:
haproxy_service_name: neutron_server haproxy_service_name: neutron_server
haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}" haproxy_backend_nodes: "{{ groups['neutron_server'] | default([]) }}"
haproxy_port: 9696 haproxy_port: 9696
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options: haproxy_backend_options:
- "forwardfor" - "httpchk HEAD /"
- "httpchk"
- "httplog"
- service: - service:
haproxy_service_name: nova_api_metadata haproxy_service_name: nova_api_metadata
haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}" haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
haproxy_port: 8775 haproxy_port: 8775
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options: haproxy_backend_options:
- "httpchk" - "httpchk HEAD /"
- "httplog" haproxy_whitelist_networks:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8
- service: - service:
haproxy_service_name: nova_api_os_compute haproxy_service_name: nova_api_os_compute
haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}" haproxy_backend_nodes: "{{ groups['nova_api_os_compute'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 8774 haproxy_port: 8774
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options: haproxy_backend_options:
- "forwardfor" - "httpchk HEAD /"
- "httpchk"
- "httplog"
- service: - service:
haproxy_service_name: nova_console haproxy_service_name: nova_console
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}" haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
haproxy_ssl: "{% if haproxy_ssl | bool and nova_spice_html5proxy_base_proto == 'https' %}true{% else %}false{% endif %}" haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 6082 haproxy_port: 6082
haproxy_balance_type: tcp haproxy_balance_type: tcp
haproxy_timeout_client: 60m haproxy_timeout_client: 60m
haproxy_timeout_server: 60m haproxy_timeout_server: 60m
haproxy_balance_alg: source haproxy_balance_alg: source
haproxy_backend_options:
- tcp-check
- service: - service:
haproxy_service_name: nova_console_novnc haproxy_service_name: nova_console_novnc
haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}" haproxy_backend_nodes: "{{ groups['nova_console'] | default([]) }}"
haproxy_ssl: "{% if haproxy_ssl | bool and nova_novncproxy_proto == 'https' %}true{% else %}false{% endif %}" haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 6080 haproxy_port: 6080
haproxy_balance_type: tcp haproxy_balance_type: tcp
haproxy_timeout_client: 60m haproxy_timeout_client: 60m
haproxy_timeout_server: 60m haproxy_timeout_server: 60m
haproxy_balance_alg: source haproxy_balance_alg: source
haproxy_backend_options:
- tcp-check
- service: - service:
haproxy_service_name: cinder_api haproxy_service_name: cinder_api
haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}" haproxy_backend_nodes: "{{ groups['cinder_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 8776 haproxy_port: 8776
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options: haproxy_backend_options:
- "forwardfor" - "httpchk HEAD /"
- "httpchk"
- "httplog"
- service: - service:
haproxy_service_name: horizon haproxy_service_name: horizon
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}" haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
haproxy_port: 80 haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_balance_type: http haproxy_ssl_all_vips: true
haproxy_backend_options:
- "forwardfor"
- "httpchk"
- "httplog"
- service:
haproxy_service_name: horizon_ssl
haproxy_backend_nodes: "{{ groups['horizon_all'] | default([]) }}"
haproxy_port: 443 haproxy_port: 443
haproxy_balance_type: tcp haproxy_backend_port: 80
haproxy_redirect_http_port: 80
haproxy_balance_type: http
haproxy_balance_alg: source haproxy_balance_alg: source
haproxy_backend_options: haproxy_backend_options:
- "ssl-hello-chk" - "httpchk HEAD /"
- service: - service:
haproxy_service_name: swift_proxy haproxy_service_name: swift_proxy
haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}" haproxy_backend_nodes: "{{ groups['swift_proxy'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_balance_alg: source haproxy_balance_alg: source
haproxy_port: 8080 haproxy_port: 8080
haproxy_balance_type: http haproxy_balance_type: http
- service: haproxy_backend_options:
haproxy_service_name: repo_all - "httpchk /healthcheck"
haproxy_backend_nodes: "{{ groups['pkg_repo'] | default([]) }}"
haproxy_port: 8181
haproxy_backend_port: 8181
haproxy_balance_type: http
- service: - service:
haproxy_service_name: ceilometer_api haproxy_service_name: ceilometer_api
haproxy_backend_nodes: "{{ groups['ceilometer_api_container'] | default([]) }}" haproxy_backend_nodes: "{{ groups['ceilometer_api_container'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 8777 haproxy_port: 8777
haproxy_balance_type: http haproxy_balance_type: tcp
haproxy_backend_options:
- tcp-check
- service: - service:
haproxy_service_name: aodh_api haproxy_service_name: aodh_api
haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}" haproxy_backend_nodes: "{{ groups['aodh_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 8042 haproxy_port: 8042
haproxy_balance_type: http haproxy_balance_type: tcp
haproxy_backend_options:
- tcp-check
- service: - service:
haproxy_service_name: ironic_api haproxy_service_name: ironic_api
haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}" haproxy_backend_nodes: "{{ groups['ironic_api'] | default([]) }}"
haproxy_ssl: "{{ haproxy_ssl }}"
haproxy_port: 6385 haproxy_port: 6385
haproxy_balance_type: http haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD /"

View File

@ -0,0 +1,31 @@
---
features:
- The HAProxy role provided by OpenStack-Ansible now terminates SSL
using a self-signed certificate by default. While this can be
disabled the inclusion of SSL services on all public endpoints as
a default will help make deployments more secure without any
additional user interaction. More information on SSL and certificate
generation can be `found here <http://docs.openstack.org/developer/openstack-ansible/install-guide/configure-haproxy.html#securing-haproxy-communication-with-ssl-certificates>`_.
upgrade:
- SSL termination is assumed enabled for all public endpoints by default.
If this is not needed it can be disabled by setting
the ``openstack_external_ssl`` option to **false** and the
``openstack_service_publicuri_proto`` to **http**.
- If HAProxy is used as the loadbalancer for a deployment it will generate
a self-signed certificate by default. If HAProxy is NOT used, an SSL
certificate should be installed on the external loadbalancer. The
installation of an SSL certificate on an external load balancer is not
covered by the deployment tooling.
- In previous releases connections to Horizon originally terminated SSL
at the Horizon container. While that is still an option, SSL is now
assumed to be terminated at the load balancer. If you wish to terminate
SSL at the horizon node change the ``horizon_external_ssl`` option to
**false**.
- Public endpoints will need to be updated using the Keystone admin API to
support secure endpoints. The Keystone ansible module will not recreate
the endpoints automatically. Documentation on the `Keystone service
catalog can be found here <http://docs.openstack.org/developer/keystone/configuration.html#service-catalog>`_.
security:
- A self-signed certificate will now be generated by default when HAproxy
is used as a load balancer. This certificate is used to terminate the
public endpoint for Horizon and all OpenStack API services.