Implement Option for Two VIPs to separate API traffic

To improve security, operators have asked for two VIPs for
their cloud.

VIP 1 is the internal VIP that can reach internal and admin endpoints.
In addition, the internal VIP can also reach other internal services,
such as the database and message services.
VIP 2 is the external VIP that can only reach public endpoints.

With one VIP only, all services are reached at the same address.

To add a second VIP, this patch adds two new configuration parameters.

kolla_external_vip_address: is an IPv4 address to use for created VIP
kolla_external_vip_interface: is the network interface to use for VIP
In this scenario, the first VIP (the internal VIP), is defined by
the original parameters (kolla_internal address and network_interface).

When using two VIPs, the existing kolla_external_address parameter
should be set to the kolla_external_vip_address, or to a DNS name that resolves to it.

Closes-bug: 1535333

Change-Id: I5bfcefaf7899298455cdade8209c34324aebfecb
Dave McCowan 2016-02-18 13:50:39 -05:00
parent 3f8bc07270
commit 34c2cb8e64
4 changed files with 164 additions and 4 deletions


@ -23,7 +23,8 @@ kolla_base_distro: "centos"
kolla_install_type: "binary"
# Value set in the public_url endpoint in Keystone
kolla_external_address: "{{ kolla_internal_address }}"
kolla_external_vip_address: "{{ kolla_internal_address }}"
kolla_external_address: "{{ kolla_external_vip_address }}"
kolla_enable_sanity_checks: "no"
@ -66,6 +67,7 @@ docker_common_options:
####################
# Networking options
####################
kolla_external_vip_interface: "{{ network_interface }}"
api_interface: "{{ network_interface }}"
storage_interface: "{{ network_interface }}"
tunnel_interface: "{{ network_interface }}"
@ -204,6 +206,7 @@ rabbitmq_user: "openstack"
# HAProxy options
####################
haproxy_user: "openstack"
haproxy_enable_external_vip: "{{ 'no' if kolla_external_vip_address == kolla_internal_address else 'yes' }}"
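Review bot: The comment `# Value set in the public_url endpoint in Keystone` now sits directly above the new kolla_external_vip_address line, but it describes kolla_external_address, which the hunk moves below it. Give the VIP its own comment, `# External VIP managed by keepalived; defaults to the internal VIP, which disables the second VIP`, and keep the public_url comment immediately above kolla_external_address. It would also help to note next to haproxy_enable_external_vip that the flag is derived by plain string comparison of the two addresses, so the single-VIP case is only detected when kolla_external_vip_address is spelled identically to kolla_internal_address.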
#################################


@ -55,11 +55,19 @@ listen mongodb
{% endif %}
{% if enable_keystone | bool %}
listen keystone_public
listen keystone_internal
bind {{ kolla_internal_address }}:{{ keystone_public_port }}
{% for host in groups['keystone'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen keystone_external
bind {{ kolla_external_vip_address }}:{{ keystone_public_port }}
{% for host in groups['keystone'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ keystone_public_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
listen keystone_admin
bind {{ kolla_internal_address }}:{{ keystone_admin_port }}
@ -80,6 +88,20 @@ listen glance_api
{% for host in groups['glance-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen glance_registry_external
bind {{ kolla_external_vip_address }}:{{ glance_registry_port }}
{% for host in groups['glance-registry'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_registry_port }} check inter 2000 rise 2 fall 5
{% endfor %}
listen glance_api_external
bind {{ kolla_external_vip_address }}:{{ glance_api_port }}
{% for host in groups['glance-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ glance_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% if enable_nova | bool %}
@ -114,6 +136,40 @@ listen nova_spicehtml5proxy
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% if haproxy_enable_external_vip | bool %}
listen nova_api_external
bind {{ kolla_external_vip_address }}:{{ nova_api_port }}
{% for host in groups['nova-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
listen nova_api_ec2_external
bind {{ kolla_external_vip_address }}:{{ nova_api_ec2_port }}
{% for host in groups['nova-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_api_ec2_port }} check inter 2000 rise 2 fall 5
{% endfor %}
listen nova_metadata_external
bind {{ kolla_external_vip_address }}:{{ nova_metadata_port }}
{% for host in groups['nova-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_metadata_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if nova_console == 'novnc' %}
listen nova_novncproxy_external
bind {{ kolla_external_vip_address }}:{{ nova_novncproxy_port }}
{% for host in groups['nova-novncproxy'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_novncproxy_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% elif nova_console == 'spice' %}
listen nova_spicehtml5proxy_external
bind {{ kolla_external_vip_address }}:{{ nova_spicehtml5proxy_port }}
{% for host in groups['nova-spicehtml5proxy'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ nova_spicehtml5proxy_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% endif %}
{% if enable_neutron | bool %}
@ -122,6 +178,14 @@ listen neutron_server
{% for host in groups['neutron-server'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ neutron_server_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen neutron_server_external
bind {{ kolla_external_vip_address }}:{{ neutron_server_port }}
{% for host in groups['neutron-server'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ neutron_server_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% if enable_horizon | bool %}
@ -130,6 +194,14 @@ listen horizon
{% for host in groups['horizon'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen horizon_external
bind {{ kolla_external_vip_address }}:80
{% for host in groups['horizon'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:80 check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% if enable_cinder | bool %}
@ -138,6 +210,14 @@ listen cinder_api
{% for host in groups['cinder-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen cinder_api_external
bind {{ kolla_external_vip_address }}:{{ cinder_api_port }}
{% for host in groups['cinder-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ cinder_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% if enable_heat | bool %}
@ -152,6 +232,20 @@ listen heat_api_cfn
{% for host in groups['heat-api-cfn'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen heat_api_external
bind {{ kolla_external_vip_address }}:{{ heat_api_port }}
{% for host in groups['heat-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
listen heat_api_cfn_external
bind {{ kolla_external_vip_address }}:{{ heat_api_cfn_port }}
{% for host in groups['heat-api-cfn'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ heat_api_cfn_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% if enable_ironic | bool %}
@ -160,6 +254,14 @@ listen ironic_api
{% for host in groups['ironic-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen ironic_api_external
bind {{ kolla_external_vip_address}}:{{ ironic_api_port }}
{% for host in groups['ironic-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ ironic_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% if enable_swift | bool %}
@ -168,6 +270,14 @@ listen swift_api
{% for host in groups['swift-proxy-server'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen swift_api_external
bind {{ kolla_external_vip_address}}:{{ swift_proxy_server_port }}
{% for host in groups['swift-proxy-server'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ swift_proxy_server_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% if enable_murano | bool %}
@ -176,6 +286,14 @@ listen murano_api
{% for host in groups['murano-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen murano_api_external
bind {{ kolla_external_vip_address }}:{{ murano_api_port }}
{% for host in groups['murano-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ murano_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% if enable_magnum | bool %}
@ -184,6 +302,14 @@ listen magnum_api
{% for host in groups['magnum-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen magnum_api_external
bind {{ kolla_external_vip_address }}:{{ magnum_api_port }}
{% for host in groups['magnum-api'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ magnum_api_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
{% if enable_ceph | bool and enable_ceph_rgw | bool %}
@ -192,4 +318,12 @@ listen radosgw
{% for host in groups['ceph-rgw'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rgw_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% if haproxy_enable_external_vip | bool %}
listen radosgw_external
bind {{ kolla_external_vip_address}}:{{ rgw_port }}
{% for host in groups['ceph-rgw'] %}
server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['ansible_' + hostvars[host]['api_interface']]['ipv4']['address'] }}:{{ rgw_port }} check inter 2000 rise 2 fall 5
{% endfor %}
{% endif %}
{% endif %}
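Review bot: The glance_registry_external block (bind on kolla_external_vip_address:glance_registry_port) and the nova_metadata_external block (nova_metadata_port) publish on the external VIP two services that, as far as this template shows, are not public API endpoints, while the commit description says the external VIP should reach only public endpoints. If the registry and the metadata API are internal-only in this deployment (presumably consumed by glance-api and by the neutron metadata proxy respectively; to be confirmed), drop those two listen blocks so the external VIP does not widen the attack surface, and otherwise add a comment stating why they must be public. As a point of style, `{{ kolla_external_vip_address}}` in the ironic, swift and radosgw external blocks is missing the space before `}}` that every other bind line has.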


@ -5,7 +5,7 @@ vrrp_script check_alive {
rise 10
}
vrrp_instance Floating {
vrrp_instance kolla_internal_vip {
state MASTER
interface {{ api_interface }}
virtual_router_id 51
@ -18,3 +18,19 @@ vrrp_instance Floating {
check_alive
}
}
{% if haproxy_enable_external_vip | bool %}
vrrp_instance kolla_external_vip {
state MASTER
interface {{ kolla_external_vip_interface }}
virtual_router_id 52
priority {{ groups['haproxy'].index(inventory_hostname) + 1 }}
advert_int 1
virtual_ipaddress {
{{ kolla_external_vip_address }}
}
track_script {
check_alive
}
}
{% endif %}
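Review bot: The new kolla_external_vip instance hard-codes `virtual_router_id 52` and sends its VRRP advertisements on kolla_external_vip_interface, which by design may face a network shared with other equipment, where VRID 52 could already be in use and two routers would then contend for the address. Consider making it configurable, `virtual_router_id {{ keepalived_external_virtual_router_id }}` with `keepalived_external_virtual_router_id: "52"` in group_vars, and add a comment that the VRID must be unique on that L2 segment. The internal instance's existing `virtual_router_id 51` has the same limitation but is not changed by this commit.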


@ -15,7 +15,7 @@
#kolla_install_type: "binary"
# This should be a VIP, an unused IP on your network that will float between
# the hosts running keepalived for high-availibility. When running an All-In-One
# the hosts running keepalived for high-availability. When running an All-In-One
# without haproxy and keepalived, this should be the first IP on your
# 'network_interface' as set in the Networking section below.
kolla_internal_address: "10.10.10.254"
@ -27,6 +27,12 @@ kolla_internal_address: "10.10.10.254"
# It is recommended to use a DNS name as well, but not required.
#kolla_external_address: "{{ kolla_internal_address }}"
# This should be a VIP, an unused IP on your network that will float between
# the hosts running keepalived for high-availability. It defaults to the
# kolla_internal_address, allowing internal and external communication to
# share the same address. Specify a kolla_external_vip_address to
# separate internal and external requests between two VIPs.
#kolla_external_vip_address: "{{ kolla_internal_address }}"
####################
# Docker options
@ -49,6 +55,7 @@ network_interface: "eth0"
# These can be adjusted for even more customization. The default is the same as
# the 'network_interface'. These interfaces must container an IPv4 address.
#kolla_external_vip_interface: "{{ network_interface }}"
#api_interface: "{{ network_interface }}"
#storage_interface: "{{ network_interface }}"
#tunnel_interface: "{{ network_interface }}"
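Review bot: The new `#kolla_external_vip_interface` line is appended to the shared comment block for api/storage/tunnel interfaces without saying that the separation this commit aims for only exists when it is a different interface on the external network; left at the default, keepalived configures the "external" VIP on network_interface alongside the internal one, so the only change is a second address on the same network. Add above it: `# Interface on which keepalived configures kolla_external_vip_address. To actually separate public from internal traffic, set this to an interface on the external network; the default places both VIPs on 'network_interface'.` The kolla_external_vip_address comment could likewise state that leaving it equal to kolla_internal_address disables the second VIP entirely, since that is how haproxy_enable_external_vip is derived in group_vars.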