This change adds the haproxy options if defined by the
charm class to enable HTTP checks to the HAProxy
configuration, instead of the default TCP connection
checks.
options.ssl checks if the environment is using http or
https mode. We disable certificate verification because
we are only interested in the health of the service.
Fix for tox4 compatibility
Closes-Bug: #1880610
Change-Id: Ie091fdfe560b6a060f0c29c6b92a99f5e564eddf
The previous config didn't actually log anything, and it has been fixed
for classic OpenStack API charms through charm-helpers. We need to
update layer-openstack as well to reflect those changes to reactive
OpenStack API charms.
Closes-Bug: #1697002
Related-Bug: #1940037
Change-Id: I523369673471f63346428f7f739a2429aa5084b3
Apache2's default value for KeepAliveTimeout is 5 seconds, which is okay
for general web-page serving use cases. However, sessions and connection
pools created by keystoneauth1.session.Session can be terminated
unnecessarily during multiple API calls in a session due to the short
KeepAliveTimeout.
Let's ease KeepAliveTimeout to 75 seconds, which is fairly standard for
API services behind a reverse proxy since it's the default value of
nginx.
Closes-Bug: #1947010
Change-Id: I752a836676d895ef783362810ed6764980e8574b
Currently the template hardcodes the `project_name` to `services`
which is not necessarily correct. Instead the template should use the
`identity_service.service_tenant`.
Closes-Bug: #1908945
Signed-off-by: Nicolas Bock <nicolas.bock@canonical.com>
Change-Id: Idd2a7c436f5448505bdfe5a53738a8e2071ed272
The last update was 2016, and it's time to drop TLSv1 and TLSv1.1 as the
base configuration recommended by Mozilla.
https://wiki.mozilla.org/Security/Server_Side_TLS
This is equivalent to a charm-helper's change:
27d6ceb385
Change-Id: Ic7c3751d5cfce33517072bfca865e03f6f84f423
Closes-Bug: #1886630
The placement config may be useful among more than one charm as
more services start to use the placement service. This patch adds
a single source of placement sectional config.
Change-Id: Id99e750f7b43dd0c893790eaa6fb79f7ce064f12
Related-Bug: 1850691
Move workdir to avoid charm build error in gate test. Move built
artifact back so CI can inspect it. (The layer build-only job in
CI should get an update to cope with this itself)
Change-Id: Icee40b83e6924a6adc9ee1f97eff04522121d5fa
Closes-Bug: #1823729
Current versions of OpenStack use the transport url rather than
rabbit_hosts and various other configuration settings.
Adding a new template for transport url and current
oslo-messaging-rabbit settings.
Allow setting ssl_ca at the OpenStack principal layer.
Depends-On: Ie17b481bce3e3bfdf71b15ca7667f8688739d608
Change-Id: I6bb56a59cd65310d644aa25ae203996b22ec4b4e
Partial-Bug: #1807233
Ensure that oslo.middleware parses any proxy information
forwarded from haproxy/apache with regards to protocol;
this ensures that https connections are correctly detected.
Change-Id: I16a9e8a74cdf6c56ad64902343f79b0ed51ccb6f
Closes-Bug: 1758675
Hard-coded default domain causes problems sometimes.
Adding code for supporting service_domain.
Please note that each charm using
layer openstack charm also needs to be fixed
if you want to use service_domain instead of default
Change-Id: I1d56359a64c23019151c9c9186ca0c7374735536
The default HAProxy timeout values are fairly strict. On a busy cloud
it is common to exceed one or more of these timeouts. The only
indication that HAProxy has exceeded a timeout and dropped the
connection is errors such as "BadStatusLine" or "EOF." These can be
very difficult to diagnose when intermittent.
This change updates the default timeout values to more real-world
settings. These values have been extensively tested in ServerStack.
Configured values will not be overridden.
Change-Id: I1f0167002fdc1e9e14eaa9ed9a6a365173a3406e
This patchset implements necessary actions which are required to
properly set headers when using SSL.
Change-Id: I8cf4c048835b85c0845083768ec2d66e940cb15f
Closes-Bug: #1736417
Enable dual stack IPv4 and IPv6 VIPs on the same interface.
HAProxy always listens on both IPv4 and IPv6 allowing connectivity
on either protocol.
Change-Id: I3079b25ba5ad51a61288519e4c78e0ae729d3dfa
Add template for memcache config and amend keystone auth token
config fragment to point at memcache server if one is available
Add metadata.yaml to satisfy charm proof
Change-Id: I2c50fcb261e70648f5985c9e927ff58741877470
The section-keystone-authtoken template is not using the adapter
namespaces nor does it support keystone v3
Change-Id: Ic6f66feb123c131334245f499904dbd23937ce94
The value of the kombu_ssl_ca_certs configuration option should be
the CA file rather than the cert itself
Change-Id: I39c323112fc65583242d22c0b6061fe825b9be50
Remove old template for apache pre-2.4 and update
openstack_https_frontend.conf to match adapter parameters
Add tox targets to placate CI
Change-Id: I03acf7e3e524b2a15756a07e0a2d13ed88eaefac