starlingx
/
config
Code Issues Proposed changes
config/puppet-manifests/src/modules/platform/manifests/haproxy.pp

165 lines
4.3 KiB
Puppet
Raw Blame History

class platform::haproxy::params (
$private_ip_address,
$public_ip_address,
$enable_https = false,
$global_options = undef,
$tpm_object = undef,
$tpm_engine = '/usr/lib64/openssl/engines/libtpm2.so',
) { }
define platform::haproxy::proxy (
$server_name,
$private_port,
$public_port,
$public_ip_address = undef,
$private_ip_address = undef,
$server_timeout = undef,
$client_timeout = undef,
$x_forwarded_proto = true,
$enable_https = undef,
$public_api = true,
) {
include ::platform::haproxy::params
if $enable_https != undef {
$https_enabled = $enable_https
} else {
$https_enabled = $::platform::haproxy::params::enable_https
}
if $x_forwarded_proto {
if $https_enabled and $public_api {
$ssl_option = 'ssl crt /etc/ssl/private/server-cert.pem'
$proto = 'X-Forwarded-Proto:\ https'
# The value of max-age matches lighttpd.conf, and should be
# maintained for consistency
$hsts_option = 'Strict-Transport-Security:\ max-age=63072000;\ includeSubDomains'
} else {
$ssl_option = ' '
$proto = 'X-Forwarded-Proto:\ http'
$hsts_option = undef
}
} else {
$ssl_option = ' '
$proto = undef
$hsts_option = undef
}
if $public_ip_address {
$public_ip = $public_ip_address
} else {
$public_ip = $::platform::haproxy::params::public_ip_address
}
if $private_ip_address {
$private_ip = $private_ip_address
} else {
$private_ip = $::platform::haproxy::params::private_ip_address
}
if $client_timeout {
$real_client_timeout = "client ${client_timeout}"
} else {
$real_client_timeout = undef
}
haproxy::frontend { $name:
collect_exported => false,
name => $name,
bind => {
"${public_ip}:${public_port}" => $ssl_option,
},
options => {
'default_backend' => "${name}-internal",
'reqadd' => $proto,
'timeout' => $real_client_timeout,
'rspadd' => $hsts_option,
},
}
if $server_timeout {
$timeout_option = "server ${server_timeout}"
} else {
$timeout_option = undef
}
haproxy::backend { $name:
collect_exported => false,
name => "${name}-internal",
options => {
'server' => "${server_name} ${private_ip}:${private_port}",
'timeout' => $timeout_option,
}
}
}
class platform::haproxy::server {
include ::platform::params
include ::platform::haproxy::params
# If TPM mode is enabled then we need to configure
# the TPM object and the TPM OpenSSL engine in HAPROXY
$tpm_object = $::platform::haproxy::params::tpm_object
$tpm_engine = $::platform::haproxy::params::tpm_engine
if $tpm_object != undef {
$tpm_options = {'tpm-object' => $tpm_object, 'tpm-engine' => $tpm_engine}
$global_options = merge($::platform::haproxy::params::global_options, $tpm_options)
} else {
$global_options = $::platform::haproxy::params::global_options
}
class { '::haproxy':
global_options => $global_options,
}
user { 'haproxy':
ensure => 'present',
shell => '/sbin/nologin',
groups => [$::platform::params::protected_group_name],
} -> Class['::haproxy']
}
class platform::haproxy::reload {
platform::sm::restart {'haproxy': }
}
class platform::haproxy::runtime {
include ::platform::haproxy::server
include ::platform::patching::haproxy
include ::platform::sysinv::haproxy
include ::platform::nfv::haproxy
include ::platform::ceph::haproxy
include ::platform::fm::haproxy
if $::platform::params::distributed_cloud_role =='systemcontroller' {
include ::platform::dcmanager::haproxy
include ::platform::dcorch::haproxy
}
include ::openstack::keystone::haproxy
include ::openstack::neutron::haproxy
if $::platform::kubernetes::params::enabled != true {
include ::openstack::nova::haproxy
}
include ::openstack::glance::haproxy
include ::openstack::cinder::haproxy
include ::openstack::aodh::haproxy
include ::openstack::heat::haproxy
include ::openstack::murano::haproxy
include ::openstack::magnum::haproxy
include ::openstack::ironic::haproxy
include ::openstack::panko::haproxy
include ::openstack::gnocchi::haproxy
include ::openstack::swift::haproxy
include ::openstack::barbican::haproxy
class {'::platform::haproxy::reload':
stage => post
}
}
View Git Blame Copy Permalink