Remove extra keystone admin haproxy listen and allow TLS

The current code exposes an unused public listen directive in HAProxy
for the keystone admin endpoint. This is not ideal and should be
removed, as it exposes the service unnecessarily. We should stick to
just exposing it to the ctlplane network as is the default.

If folks really need to expose it to the public network, they can do so
by modifying the ServiceNetMap through t-h-t and setting the keystone
admin endpoint's network to external.

For "single" or "internal" HAProxy endpoints, this also adds the ability to detect that the endpoint is on the external network and, in that case, serve it over TLS — which is what a deployer would want after exposing the keystone admin endpoint in this way.

Conflicts:
	manifests/haproxy.pp
	manifests/haproxy/endpoint.pp

(cherry picked from commit 5222b8d920)
(cherry picked from commit 673c45e789)

Change-Id: I79563f62fd49a4f7654779157ebda3c239d6dd22
Closes-Bug: #1710909
Closes-Bug: #1639996
This commit is contained in:
Juan Antonio Osorio Robles 2017-08-15 19:02:42 +03:00
parent 6319d560e6
commit 4d6fb86be4
2 changed files with 27 additions and 12 deletions


@ -277,7 +277,6 @@
# 'ironic_inspector_port' (Defaults to 5050)
# 'ironic_inspector_ssl_port' (Defaults to 13050)
# 'keystone_admin_api_port' (Defaults to 35357)
# 'keystone_admin_api_ssl_port' (Defaults to 13357)
# 'keystone_public_api_port' (Defaults to 5000)
# 'keystone_public_api_ssl_port' (Defaults to 13000)
# 'manila_api_port' (Defaults to 8786)
@ -387,7 +386,6 @@ class tripleo::haproxy (
ironic_inspector_port => 5050,
ironic_inspector_ssl_port => 13050,
keystone_admin_api_port => 35357,
keystone_admin_api_ssl_port => 13357,
keystone_public_api_port => 5000,
keystone_public_api_ssl_port => 13000,
manila_api_port => 8786,
@ -537,18 +535,17 @@ class tripleo::haproxy (
if $keystone_admin {
::tripleo::haproxy::endpoint { 'keystone_admin':
public_virtual_ip => $public_virtual_ip,
internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
service_port => $ports[keystone_admin_api_port],
ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
mode => 'http',
listen_options => {
internal_ip => hiera('keystone_admin_api_vip', $controller_virtual_ip),
service_port => $ports[keystone_admin_api_port],
ip_addresses => hiera('keystone_admin_api_node_ips', $controller_hosts_real),
server_names => hiera('keystone_admin_api_node_names', $controller_hosts_names_real),
mode => 'http',
listen_options => {
'http-request' => [
'set-header X-Forwarded-Proto https if { ssl_fc }',
'set-header X-Forwarded-Proto http if !{ ssl_fc }'],
},
public_ssl_port => $ports[keystone_admin_api_ssl_port],
service_network => hiera('keystone_admin_api_network', undef)
}
}
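Review bot: The rewritten keystone_admin resource passes service_network but no certificate, and the endpoint define in the second file only terminates TLS on the internal bind when both `$service_network == 'external'` and `$public_certificate` hold, so unless a Tripleo::Haproxy::Endpoint resource default elsewhere in this class supplies public_certificate (not visible in this hunk), remapping the admin API to the external network via ServiceNetMap yields a plaintext listener on keystone_admin_api_port on the public VIP network. The check is also an exact string match, so a hiera keystone_admin_api_network value other than the literal 'external' silently takes the non-TLS branch. I would add a comment above the service_network line: `# TLS is only applied when this resolves to exactly 'external' and a public_certificate is supplied to the endpoint; verify the resource default covers it.` Confirming that the resource default is in place, or passing the certificate explicitly here, would make the intent robust.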


@ -68,6 +68,11 @@
# Certificate path used to enable TLS for the internal proxy endpoint.
# Defaults to undef.
#
# [*service_network*]
# (optional) Indicates the network that the service is running on. Used for
# fetching the certificate for that specific network.
# Defaults to undef
#
define tripleo::haproxy::endpoint (
$internal_ip,
$service_port,
@ -83,6 +88,7 @@ define tripleo::haproxy::endpoint (
$public_ssl_port = undef,
$public_certificate = undef,
$internal_certificate = undef,
$service_network = undef,
) {
if $public_virtual_ip {
# service exposed to the public network
@ -99,10 +105,22 @@ define tripleo::haproxy::endpoint (
}
if $internal_certificate {
if $service_network == 'external' and $public_certificate {
# NOTE(jaosorior): This service has been configured to use the external
# network. We should use the public certificate in this case.
$internal_cert_path = $public_certificate
} else {
$internal_cert_path = $internal_certificate
}
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
union($haproxy_listen_bind_param, ['ssl', 'crt', $internal_cert_path]))
} else {
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
if $service_network == 'external' and $public_certificate {
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"),
union($haproxy_listen_bind_param, ['ssl', 'crt', $public_certificate]))
} else {
$internal_bind_opts = list_to_hash(suffix(any2array($internal_ip), ":${service_port}"), $haproxy_listen_bind_param)
}
}
$bind_opts = merge($internal_bind_opts, $public_bind_opts)