From 7de34bf57d2ba18f1d5cbc5e12800f61458de778 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Wed, 23 Jan 2019 07:41:52 +0200
Subject: [PATCH] Loadbalance keystone's admin endpoints towards the internal backends

Instead of trying to loadbalance keystone's admin endpoint frontends towards the backends of the same network. We instead forward them towards the IP's where the public/internal endpoints are listening on. This way we definitely don't use the admin endpoint (a step towards getting rid of it), and we won't get SSL host failures when trying to access the one single endpoint.

Change-Id: I577373b5ff110c47bc4dc350ca753b7a1957554f
---
 manifests/haproxy.pp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 355c06283..a90187940 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -908,11 +908,14 @@ class tripleo::haproxy (
 }

 if $keystone_admin {
+ # NOTE(jaosorior): Given that the admin endpoint is in the same vhost
+ # nowadays as the public/internal one. We can just loadbalance towards the
+ # same IP.
 ::tripleo::haproxy::endpoint { 'keystone_admin':
 internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
 service_port => $ports[keystone_admin_api_port],
- ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
- server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
+ ip_addresses => hiera('keystone_public_api_node_ips', $controller_hosts_real),
+ server_names => hiera('keystone_public_api_node_names', $controller_hosts_names_real),
 mode => 'http',
 listen_options => merge($default_listen_options, { 'option' => [ 'httpchk GET /v3' ] }),
 service_network => $keystone_admin_network,
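Review bot: The `keystone_admin` listener still binds `keystone_admin_api_vip` on `$ports[keystone_admin_api_port]` with `service_network => $keystone_admin_network`, but its members now come from `keystone_public_api_node_ips`, so the admin network no longer separates admin traffic from the public/internal API at the backend. The added NOTE should state that consequence explicitly, for example `# Members are the public/internal keystone backends; the admin network is no longer an isolation boundary for this listener.` It is also worth confirming that the members accept connections on the admin port at the public-API addresses (the `tripleo::haproxy::endpoint` define is not visible in this hunk), because otherwise `httpchk GET /v3` would presumably mark every server down. The resource declaration continues past the end of the hunk.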