Make keystone session stickiness optional

As part of Bug 1527717, we added in support of session stickiness for keystone to allow for federation support in keystone. This introduced performance issues with keystone and should not be configured by default. This change disables the stickiness by default but allows for it to be enabled by adding a 'federation' key to the keystone hiera hash. DocImpact: Keystone HAProxy session stickiness can be enabled by adding a 'federation' key to the keystone hiera configuration. By default session stickiness is disabled. Change-Id: Id43446a9f923417b8fa140ffcfddb6797f1b4e48 Related-Bug: #1527717 Closes-Bug: #1582202
2016-05-16 09:54:12 -06:00 · 2016-05-16 09:54:12 -06:00 · 8ebe5f1547
parent 17a0775e0e
commit 8ebe5f1547
4 changed files with 116 additions and 40 deletions
--- a/deployment/puppet/openstack/manifests/ha/keystone.pp
+++ b/deployment/puppet/openstack/manifests/ha/keystone.pp
@ -48,19 +48,41 @@
 # [*server_names*]
 #   (required) Array. This is an array of server names for the haproxy service
 #
+# [*federation_enabled*]
+#   (Optional) If enabled, sticky sessions will be enabled for keystone sessions
+#   to properly support federation.
+#
 class openstack::ha::keystone (
  $internal_virtual_ip,
  $ipaddresses,
  $public_virtual_ip,
  $server_names,
-  $public_ssl        = false,
-  $public_ssl_path   = undef,
-  $internal_ssl      = false,
-  $internal_ssl_path = undef,
-  $admin_ssl         = false,
-  $admin_ssl_path    = undef,
+  $public_ssl         = false,
+  $public_ssl_path    = undef,
+  $internal_ssl       = false,
+  $internal_ssl_path  = undef,
+  $admin_ssl          = false,
+  $admin_ssl_path     = undef,
+  $federation_enabled = false,
 ) {

+  $base_options = {
+    'option'       => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
+    'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
+  }
+
+  if $federation_enabled {
+    # See LP#1527717
+    $session_options = {
+      'stick'       => ['on src'],
+      'stick-table' => ['type ip size 200k expire 2m'],
+    }
+  } else {
+    $session_options = { }
+  }
+
+  $config_options = merge($base_options, $session_options)
+
  # defaults for any haproxy_service within this class
  Openstack::Ha::Haproxy_service {
    internal_virtual_ip    => $internal_virtual_ip,
@ -71,12 +93,7 @@ class openstack::ha::keystone (
    public_ssl_path        => $public_ssl_path,
    internal_ssl           => $internal_ssl,
    internal_ssl_path      => $internal_ssl_path,
-    haproxy_config_options => {
-      option         => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
-      stick          => ['on src'],
-      stick-table    => ['type ip size 200k expire 2m'],
-      'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
-    },
+    haproxy_config_options => $config_options,
    balancermember_options => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
  }

--- a/deployment/puppet/openstack/spec/classes/openstack_ha_keystone_spec.rb
+++ b/deployment/puppet/openstack/spec/classes/openstack_ha_keystone_spec.rb
@ -1,17 +1,23 @@
 require 'spec_helper'

-  describe 'openstack::ha::keystone' do
-    let(:params) { {:internal_virtual_ip => '127.0.0.1',
-                    :ipaddresses         => ['127.0.0.2', '127.0.0.3'],
-                    :public_virtual_ip   => '192.168.0.1',
-                    :server_names        => ['node-1', 'node-2'],
-                    :public_ssl          => true,
-                    :public_ssl_path     => '/var/lib/fuel/haproxy/public_keystone.pem',
-                 } }
-    let(:facts) { {:kernel => 'Linux',
-                   :concat_basedir => '/var/lib/puppet/concat',
-                   :fqdn           => 'some.host.tld'
-                } }
+describe 'openstack::ha::keystone' do
+  let(:facts) do
+    { :kernel         => 'Linux',
+      :concat_basedir => '/var/lib/puppet/concat',
+      :fqdn           => 'some.host.tld',
+    }
+  end
+
+  context 'default parameters' do
+    let(:params) do
+      { :internal_virtual_ip => '127.0.0.1',
+        :ipaddresses         => ['127.0.0.2', '127.0.0.3'],
+        :public_virtual_ip   => '192.168.0.1',
+        :server_names        => ['node-1', 'node-2'],
+        :public_ssl          => true,
+        :public_ssl_path     => '/var/lib/fuel/haproxy/public_keystone.pem',
+      }
+    end

    it "should properly configure keystone haproxy based on ssl" do
      should contain_openstack__ha__haproxy_service('keystone-1').with(
@ -22,8 +28,6 @@ require 'spec_helper'
        'public_ssl_path'        => '/var/lib/fuel/haproxy/public_keystone.pem',
        'haproxy_config_options' => {
          'option'       => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
-          'stick'          => ['on src'],
-          'stick-table'    => ['type ip size 200k expire 2m'],
          'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
        },
        'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
@ -37,11 +41,56 @@ require 'spec_helper'
        'public'                 => false,
        'haproxy_config_options' => {
          'option'       => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
-          'stick'          => ['on src'],
-          'stick-table'    => ['type ip size 200k expire 2m'],
          'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
        },
        'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
      )
    end
  end
+
+  context 'with keystone federation' do
+    let(:params) do
+      { :internal_virtual_ip => '127.0.0.1',
+        :ipaddresses         => ['127.0.0.2', '127.0.0.3'],
+        :public_virtual_ip   => '192.168.0.1',
+        :server_names        => ['node-1', 'node-2'],
+        :public_ssl          => true,
+        :public_ssl_path     => '/var/lib/fuel/haproxy/public_keystone.pem',
+        :federation_enabled  => true,
+      }
+    end
+
+    it "should properly configure keystone haproxy based on ssl" do
+      should contain_openstack__ha__haproxy_service('keystone-1').with(
+        'order'                  => '020',
+        'listen_port'            => 5000,
+        'public'                 => true,
+        'public_ssl'             => true,
+        'public_ssl_path'        => '/var/lib/fuel/haproxy/public_keystone.pem',
+        'haproxy_config_options' => {
+          'option'       => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
+          'stick'        => ['on src'],
+          'stick-table'  => ['type ip size 200k expire 2m'],
+          'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
+        },
+        'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
+      )
+    end
+
+    it "should properly configure keystone admin haproxy without ssl" do
+      should contain_openstack__ha__haproxy_service('keystone-2').with(
+        'order'                  => '030',
+        'listen_port'            => 35357,
+        'public'                 => false,
+        'haproxy_config_options' => {
+          'option'       => ['httpchk GET /v3', 'httplog','httpclose', 'forwardfor'],
+          'stick'        => ['on src'],
+          'stick-table'  => ['type ip size 200k expire 2m'],
+          'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
+        },
+        'balancermember_options' => 'check inter 10s fastinter 2s downinter 2s rise 30 fall 3',
+      )
+    end
+
+  end
+end
--- a/deployment/puppet/osnailyfacter/manifests/openstack_haproxy/openstack_haproxy_keystone.pp
+++ b/deployment/puppet/osnailyfacter/manifests/openstack_haproxy/openstack_haproxy_keystone.pp
@ -25,6 +25,7 @@ class osnailyfacter::openstack_haproxy::openstack_haproxy_keystone {
    $ipaddresses          = hiera_array('keystone_ipaddresses', values($keystone_address_map))
    $public_virtual_ip    = pick(hiera('public_service_endpoint', undef), hiera('public_vip'))
    $internal_virtual_ip  = pick(hiera('service_endpoint', undef), hiera('management_vip'))
+    $keystone_federation  = pick($keystone_hash['federation'], false)

    # configure keystone ha proxy
    class { '::openstack::ha::keystone':
@ -38,6 +39,7 @@ class osnailyfacter::openstack_haproxy::openstack_haproxy_keystone {
      internal_ssl_path   => $internal_ssl_path,
      admin_ssl           => $admin_ssl,
      admin_ssl_path      => $admin_ssl_path,
+      federation_enabled  => $keystone_federation,
    }
  }

--- a/tests/noop/spec/hosts/openstack-haproxy/openstack-haproxy-keystone_spec.rb
+++ b/tests/noop/spec/hosts/openstack-haproxy/openstack-haproxy-keystone_spec.rb
@ -22,6 +22,24 @@ describe manifest do
      keystone_address_map.keys
    end

+    let(:keystone_hash) { Noop.hiera_hash('keystone') }
+
+    let(:config_options) do
+      options = {
+        'option' => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
+        'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
+      }
+      session_options = {
+        'stick' => ['on src'],
+        'stick-table' => ['type ip size 200k expire 2m'],
+      }
+
+      if keystone_hash['federation']
+        options.merge!(session_options)
+      end
+      options
+    end
+
    use_keystone = Noop.hiera_structure('keystone/enabled', true)

    if use_keystone and !Noop.hiera('external_lb', false)
@ -34,12 +52,7 @@ describe manifest do
          'listen_port'            => 5000,
          'public'                 => true,
          'public_ssl'             => public_ssl_keystone,
-          'haproxy_config_options' => {
-            'option'       => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
-            'stick'          => ['on src'],
-            'stick-table'    => ['type ip size 200k expire 2m'],
-            'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
-          },
+          'haproxy_config_options' => config_options,
        )
      end
      it "should properly configure keystone haproxy admin without public" do
@ -50,12 +63,7 @@ describe manifest do
          'server_names'           => server_names,
          'listen_port'            => 35357,
          'public'                 => false,
-          'haproxy_config_options' => {
-            'option'       => ['httpchk GET /v3', 'httplog', 'httpclose', 'forwardfor'],
-            'stick'          => ['on src'],
-            'stick-table'    => ['type ip size 200k expire 2m'],
-            'http-request' => 'set-header X-Forwarded-Proto https if { ssl_fc }',
-          },
+          'haproxy_config_options' => config_options,
        )
      end
    end