Merge "Redirect keystone admin endpoint to public endpoint"

2019-01-25 18:46:39 +00:00 · 2019-01-25 18:46:39 +00:00 · 641d5e354a
parent 5144018900 5bd82e9ef0
commit 641d5e354a
2 changed files with 33 additions and 12 deletions
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@ -913,7 +913,8 @@ class tripleo::haproxy (
    # same IP.
    ::tripleo::haproxy::endpoint { 'keystone_admin':
      internal_ip     => hiera('keystone_admin_api_vip', $controller_virtual_ip),
-      service_port    => $ports[keystone_admin_api_port],
+      service_port    => $ports[keystone_public_api_port],
+      haproxy_port    => $ports[keystone_admin_api_port],
      ip_addresses    => hiera('keystone_public_api_node_ips', $controller_hosts_real),
      server_names    => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
      mode            => 'http',
--- a/manifests/haproxy/endpoint.pp
+++ b/manifests/haproxy/endpoint.pp
@ -28,6 +28,10 @@
 #  Options for the balancer member, specified after the server declaration.
 #  These should go in the member's configuration block.
 #
+# [*haproxy_port*]
+#  An alternative port, on which haproxy will listen for incoming requests.
+#  Defaults to service_port.
+#
 # [*base_service_name*]
 #  In cases where the service name doesn't match the endpoint name, you can
 #  specify this option in order to get an appropriate value for $ip_addresses
@ -115,6 +119,7 @@ define tripleo::haproxy::endpoint (
  $internal_ip,
  $service_port,
  $member_options,
+  $haproxy_port                = undef,
  $base_service_name           = undef,
  $ip_addresses                = hiera("${name}_node_ips", undef),
  $server_names                = hiera("${name}_node_names", undef),
@ -135,6 +140,14 @@ define tripleo::haproxy::endpoint (
  $session_cookie              = 'STICKYSESSION',
 ) {

+  if $haproxy_port {
+    $haproxy_port_real = $haproxy_port
+    $service_port_real = $service_port
+  } else {
+    $haproxy_port_real = $service_port
+    $service_port_real = $service_port
+  }
+
  if $base_service_name {
    $ip_addresses_real = hiera("${base_service_name}_node_ips", undef)
  } else {
@ -165,7 +178,7 @@ define tripleo::haproxy::endpoint (
                                        union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
    } else {
      $listen_options_precookie = merge($listen_options, $custom_options)
-      $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${service_port}"), $haproxy_listen_bind_param)
+      $public_bind_opts = list_to_hash(suffix(any2array($public_virtual_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
    }
  } else {
    # internal service only
@ -197,14 +210,14 @@ define tripleo::haproxy::endpoint (
      # contain the path that we'll use under 'service_pem'.
      $internal_cert_path = $internal_certificates_specs["haproxy-${service_network}"]['service_pem']
    }
-    $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
+    $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
                                        union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
  } else {
    if $service_network == 'external' and $public_certificate {
-      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
+      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"),
                                          union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
    } else {
-      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
+      $internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${haproxy_port_real}"), $haproxy_listen_bind_param)
    }
  }
  if $authorized_userlist {
@ -236,7 +249,7 @@ define tripleo::haproxy::endpoint (
      $non_colon_ip = regsubst($ip, ':', '-', 'G')
      haproxy::balancermember { "${name}_${non_colon_ip}_${server}":
        listening_service => $name,
-        ports             => $service_port,
+        ports             => $service_port_real,
        ipaddresses       => $ip,
        server_names      => $server,
        options           => union($member_options, ["cookie ${server}"]),
@ -245,7 +258,7 @@ define tripleo::haproxy::endpoint (
  } else {
    haproxy::balancermember { "${name}":
      listening_service => $name,
-      ports             => $service_port,
+      ports             => $service_port_real,
      ipaddresses       => $ip_addresses_real,
      server_names      => $server_names_real,
      options           => $member_options,
@ -258,10 +271,17 @@ define tripleo::haproxy::endpoint (
    # a port for the regular service and also the ssl port for the service.
    # It makes sure we're not trying to create TCP iptables rules where no port
    # is specified.
-    if $service_port {
-      $haproxy_firewall_rules = {
+    if $service_port_real {
+      $service_firewall_rules = {
        "100 ${name}_haproxy"     => {
-          'dport' => $service_port,
+          'dport' => $service_port_real,
+        },
+      }
+    }
+    if $service_port_real != $haproxy_port_real {
+      $haproxy_firewall_rules = {
+        "100 ${name}_haproxy_frontend"     => {
+          'dport' => $haproxy_port_real,
        },
      }
    }
@ -274,8 +294,8 @@ define tripleo::haproxy::endpoint (
    } else {
      $haproxy_ssl_firewall_rules = {}
    }
-    $firewall_rules = merge($haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
-    if $service_port or $public_ssl_port {
+    $firewall_rules = merge($service_firewall_rules, $haproxy_firewall_rules, $haproxy_ssl_firewall_rules)
+    if $service_port_real or $public_ssl_port {
      create_resources('tripleo::firewall::rule', $firewall_rules)
    }
  }