Enable haproxy for keystone on controller if SSL enabled

There is only 1 DNS entry created on the public network, so the public VIP must serve keystone for SSL enabled deployment. (Recommit with fix of Change-Id: Iaaba02f55e2501b3e8b45b3b330d05f7b007af03 ) Change-Id: I37cbe436a6f0c19014259f4c9fb8b75efcf18450 Closes-Bug: #1484465
2015-08-18 13:05:23 +03:00 · 2015-08-18 13:05:23 +03:00 · 55f6321e42
parent 989683f1f3
commit 55f6321e42
1 changed files with 28 additions and 0 deletions
--- a/deployment_scripts/keystone-controller.pp
+++ b/deployment_scripts/keystone-controller.pp
@ -1,5 +1,6 @@
 notice('MODULAR: detach-keystone/controller-keystone.pp')

+$network_metadata = hiera('network_metadata')
 $access_hash      = hiera_hash('access',{})
 $service_endpoint = hiera('service_endpoint')

@ -9,6 +10,12 @@ $admin_user       = $access_hash['user']
 $admin_password   = $access_hash['password']
 $region           = hiera('region', 'RegionOne')

+$keystone_hash    = hiera_hash('keystone', {})
+# enabled by default
+$public_ssl_hash = hiera('public_ssl')
+#todo(sv): change to 'keystone' as soon as keystone as node-role was ready
+$keystones_address_map = get_node_to_ipaddr_map_by_network_role(get_nodes_hash_by_roles($network_metadata, ['primary-standalone-keystone', 'standalone-keystone']), 'keystone/api')
+
 $murano_settings_hash = hiera('murano_settings', {})
 if has_key($murano_settings_hash, 'murano_repo_url') {
  $murano_repo_url = $murano_settings_hash['murano_repo_url']
@ -25,3 +32,24 @@ class { 'openstack::auth_file':
  murano_repo_url => $murano_repo_url,
 }

+# Enable keystone on public VIP only if SSL for services is enabled
+if ($public_ssl_hash['services']) {
+  $server_names        = pick(hiera_array('keystone_names', undef),
+                              keys($keystones_address_map))
+  $ipaddresses         = pick(hiera_array('keystone_ipaddresses', undef),
+                              values($keystones_address_map))
+  $public_virtual_ip   = hiera('public_vip')
+  $internal_virtual_ip = hiera('management_vip')
+  # configure keystone ha proxy
+  class { '::openstack::ha::keystone':
+    internal_virtual_ip => $internal_virtual_ip,
+    ipaddresses         => $ipaddresses,
+    public_virtual_ip   => $public_virtual_ip,
+    server_names        => $server_names,
+    public_ssl          => $public_ssl_hash['services'],
+  }
+  Package['socat'] -> Class['openstack::ha::keystone']
+  package { 'socat':
+    ensure => 'present',
+  }
+}