Move HTTPS termination in front of haproxy + pacemaker.
parent
e36d0ada42
commit
66e07c4634
|
@ -123,23 +123,32 @@ do_openstack_upgrade() {
|
|||
configure_https() {
|
||||
# request openstack-common setup reverse proxy mapping for API and registry
|
||||
# servers
|
||||
service_ctl all stop
|
||||
if setup_https 9191:9181 9292:9282 ; then
|
||||
juju-log "$CHARM: Configuring glance for HTTPS reverse proxying."
|
||||
# configure servers to listen on new ports accordingly.
|
||||
set_or_update bind_port "9181" "registry"
|
||||
set_or_update bind_port "9282" "api"
|
||||
set_or_update registry_port "9181" "api"
|
||||
juju-log "$CHARM: Reverse proxy in place, updating Keystone catalog via "\
|
||||
"identiy-service relation (if it exists)."
|
||||
service_ctl glance-api stop
|
||||
if [[ -n "$(peer_units)" ]] || is_clustered ; then
|
||||
echo "configure_https clustered."
|
||||
# haproxy may already be configured. need to push it back in the request
|
||||
# pipeline in preparation for a change from:
|
||||
# from: haproxy (9292) -> glance_api (9282)
|
||||
# to: ssl (9292) -> haproxy (9291) -> glance_api (9272)
|
||||
local next_server=$(determine_haproxy_port 9292)
|
||||
local api_port=$(determine_api_port 9292)
|
||||
echo "configure_haproxy glance_api:$next_server:$api_port"
|
||||
configure_haproxy "glance_api:$next_server:$api_port"
|
||||
else
|
||||
set_or_update bind_port "9191" "registry"
|
||||
set_or_update bind_port "9292" "api"
|
||||
set_or_update registry_port "9191" "api"
|
||||
echo "configure_https NOT clustered."
|
||||
# if not clustered, the glance-api is next in the pipeline.
|
||||
local api_port=$(determine_api_port 9292)
|
||||
local next_server=$api_port
|
||||
fi
|
||||
echo "CONF PIPELINE: 9292 -> $next_server -> $api_port"
|
||||
setup_https 9292:$next_server
|
||||
|
||||
# configure servers to listen on new ports accordingly.
|
||||
set_or_update bind_port "$api_port" "api"
|
||||
service_ctl all start
|
||||
|
||||
# (re)configure ks endpoint accordingly
|
||||
for r_id in "$(relation-ids identity-service)" ; do
|
||||
keystone_joined "$r_id"
|
||||
done
|
||||
service_ctl all start
|
||||
}
|
||||
|
|
|
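Review bot: `for r_id in "$(relation-ids identity-service)" ; do` quotes the substitution, so the loop runs once with every relation id joined into a single word and `keystone_joined` receives that whole string as its `$1`; drop the quotes (`for r_id in $(relation-ids identity-service); do`) or collect the ids with `mapfile -t`. The result of `setup_https 9292:$next_server` is no longer examined (the previous code branched on it), so a failed enable/disable still proceeds to rewrite `bind_port` and start the services; `setup_https 9292:$next_server || error_out "$CHARM: setup_https failed"` keeps the pipeline consistent. `local next_server=$(determine_haproxy_port 9292)` and the two `local api_port=$(determine_api_port 9292)` lines mask the helper's exit status, and the `echo "configure_https ..."` diagnostics differ from the `juju-log` calls around them. configure_https starts inside the hunk; the `do_openstack_upgrade` named in the header lies outside it.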
@ -195,15 +195,14 @@ function keystone_joined {
|
|||
eligible_leader 'res_glance_vip' || return 0
|
||||
local r_id="$1"
|
||||
[[ -n "$r_id" ]] && r_id=" -r $r_id"
|
||||
# advertise our API endpoint to keystone
|
||||
|
||||
# determine correct endpoint URL
|
||||
https && scheme="https" || scheme="http"
|
||||
port=9292
|
||||
if is_clustered; then
|
||||
port=$(($port + 10000))
|
||||
url="$scheme://$(config-get vip):$port/v1"
|
||||
else
|
||||
url="$scheme://$(unit-get private-address):$port/v1"
|
||||
fi
|
||||
is_clustered && local host=$(config-get vip) ||
|
||||
local host=$(unit-get private-address)
|
||||
url="$scheme://$host:9292/v1"
|
||||
|
||||
# advertise our API endpoint to keystone
|
||||
relation-set service="glance" \
|
||||
region="$(config-get region)" public_url=$url admin_url=$url internal_url=$url
|
||||
}
|
||||
|
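Review bot: `is_clustered && local host=$(config-get vip) || local host=$(unit-get private-address)` uses `&& … ||` as an if/else, and because `local` always returns 0 a failing or empty `config-get vip` is never noticed — `url` becomes `https://:9292/v1` and is advertised to Keystone as the public, admin and internal endpoint; write it as `if is_clustered; then … else … fi` with declaration split from assignment (`local host; host=$(config-get vip) || return 1`). The same idiom is used for `scheme` on the line above and again in ha_relation_changed further down. `scheme` and `url` are not declared `local`, and `public_url=$url admin_url=$url internal_url=$url` should be quoted. As far as the hunk shows, `r_id` is rewritten to ` -r $r_id` but never passed to `relation-set`; if that line is unchanged context the omission predates this commit, but the new configure_https loop now calls `keystone_joined "$r_id"` from outside the relation hook and depends on it.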
@ -288,7 +287,15 @@ function config_changed() {
|
|||
}
|
||||
|
||||
function cluster_changed() {
|
||||
configure_haproxy "glance_api:9292"
|
||||
echo "CLUSTER CHANGED"
|
||||
local haproxy_port=$(determine_haproxy_port 9292)
|
||||
local backend_port=$(determine_api_port 9292)
|
||||
echo "haproxy_port: $haproxy_port"
|
||||
echo "backend_port: $backend_port"
|
||||
service glance-api stop
|
||||
configure_haproxy "glance_api:$haproxy_port:$backend_port"
|
||||
set_or_update bind_port "$backend_port" "api"
|
||||
service glance-api start
|
||||
}
|
||||
|
||||
function upgrade_charm() {
|
||||
|
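Review bot: `local haproxy_port=$(determine_haproxy_port 9292)` and `local backend_port=$(determine_api_port 9292)` hide the helpers' exit status, so an empty result is fed straight into `configure_haproxy "glance_api:$haproxy_port:$backend_port"` and `set_or_update bind_port "$backend_port" "api"`, yielding a `listen glance_api 0.0.0.0:` entry instead of an error; split the declarations (`local haproxy_port; haproxy_port=$(determine_haproxy_port 9292) || return 1`) and check both values are non-empty before stopping glance-api. `echo "CLUSTER CHANGED"`, `echo "haproxy_port: $haproxy_port"` and `echo "backend_port: $backend_port"` look like leftover debugging; the rest of the file reports through `juju-log`. `service glance-api stop`/`start` bypass the `service_ctl` wrapper that configure_https uses for the same daemon.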
@ -333,9 +340,10 @@ function ha_relation_joined() {
|
|||
function ha_relation_changed() {
|
||||
local clustered=`relation-get clustered`
|
||||
if [ -n "$clustered" ] && is_leader 'res_glance_vip'; then
|
||||
local port=$((9292 + 10000))
|
||||
local host=$(config-get vip)
|
||||
local url="http://$host:$port/v1"
|
||||
https && local scheme="https" || local scheme="http"
|
||||
local url="$scheme://$host:9292/v1"
|
||||
|
||||
for r_id in `relation-ids identity-service`; do
|
||||
relation-set -r $r_id service="glance" \
|
||||
region="$(config-get region)" \
|
||||
|
@ -343,7 +351,7 @@ function ha_relation_changed() {
|
|||
done
|
||||
for r_id in `relation-ids image-service`; do
|
||||
relation-set -r $r_id \
|
||||
glance-api-server="$host:$port"
|
||||
glance-api-server="$host:9292"
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
|
|
@ -317,18 +317,16 @@ function get_block_device() {
|
|||
|
||||
HAPROXY_CFG=/etc/haproxy/haproxy.cfg
|
||||
HAPROXY_DEFAULT=/etc/default/haproxy
|
||||
|
||||
##########################################################################
|
||||
# Description: Configures HAProxy services for Openstack API's
|
||||
# Parameters:
|
||||
# Space delimited list of service:port combinations for which
|
||||
# Parameters:
|
||||
# Space delimited list of service:ext_port:int_port combinations for which
|
||||
# haproxy service configuration should be generated for. The function
|
||||
# assumes the name of the peer relation is 'cluster' and that every
|
||||
# service unit in the peer relation is running the same services.
|
||||
#
|
||||
# The HAProxy service will listen on port + 10000.
|
||||
# Example:
|
||||
# configure_haproxy cinder_api:12345 nova_api:9999
|
||||
# Example
|
||||
# configure_haproxy cinder_api:8776:8756i nova_api:8774:8764
|
||||
##########################################################################
|
||||
configure_haproxy() {
|
||||
local address=`unit-get private-address`
|
||||
|
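Review bot: The new example `configure_haproxy cinder_api:8776:8756i nova_api:8774:8764` carries a stray `i` in the first internal port; it should read `cinder_api:8776:8756`. If `# The HAProxy service will listen on port + 10000.` survives on the new side it is now stale, since the listen port is taken from the second field of each argument rather than computed; replace it with `# The HAProxy service listens on ext_port and forwards to int_port.`. `# haproxy service configuration should be generated for.` doubles the preposition; `for which haproxy service configuration should be generated.` reads cleanly.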
@ -364,8 +362,10 @@ listen stats :8888
|
|||
EOF
|
||||
for service in $@; do
|
||||
local service_name=$(echo $service | cut -d : -f 1)
|
||||
local api_listen_port=$(echo $service | cut -d : -f 2)
|
||||
local haproxy_listen_port=$(($api_listen_port + 10000))
|
||||
local haproxy_listen_port=$(echo $service | cut -d : -f 2)
|
||||
local api_listen_port=$(echo $service | cut -d : -f 3)
|
||||
juju-log "Adding haproxy configuration entry for $service "\
|
||||
"($haproxy_listen_port -> $api_listen_port)"
|
||||
cat >> $HAPROXY_CFG << EOF
|
||||
listen $service_name 0.0.0.0:$haproxy_listen_port
|
||||
balance roundrobin
|
||||
|
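Review bot: The new `cut -d : -f 2` / `-f 3` split never checks that a third field exists, so a caller still using the old `service:port` form (the removed `configure_haproxy "glance_api:9292"` in cluster_changed is exactly that) gets an empty `api_listen_port` and a backend `server` line with no port; add `[[ -n "$api_listen_port" ]] || error_out "configure_haproxy: expected service:ext_port:int_port, got $service"` after the split. The three `echo $service | cut` pipelines can be one builtin, `IFS=: read -r service_name haproxy_listen_port api_listen_port <<<"$service"`. With TLS now terminated in front of haproxy, `listen $service_name 0.0.0.0:$haproxy_listen_port` still accepts plaintext on every interface, so the proxied port and the API port behind it stay reachable without TLS from the network; nothing in this commit restricts them, which deserves a comment here and a host firewall rule elsewhere. `for service in $@; do` should iterate over `"$@"`. The loop body continues past the hunk.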
@ -384,6 +384,13 @@ EOF
|
|||
done
|
||||
done
|
||||
echo "ENABLED=1" > $HAPROXY_DEFAULT
|
||||
if is_clustered ;
|
||||
if is_leader ; then
|
||||
service haproxy restart
|
||||
fi
|
||||
else
|
||||
service haproxy restart
|
||||
fi
|
||||
}
|
||||
|
||||
##########################################################################
|
||||
|
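Review bot: `if is_clustered ;` has no `then`, so as rendered the outer `if … else … fi` is a syntax error that would break the whole sourced file; unless the page dropped a token, the line should be `if is_clustered ; then`. `is_leader` is invoked here with no resource name, whereas the charm calls `is_leader 'res_glance_vip'` in ha_relation_changed; unless the common helper defaults the resource, the clustered branch may never restart haproxy — confirm the helper's signature. `echo "ENABLED=1" > $HAPROXY_DEFAULT` should quote the path.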
@ -649,13 +656,35 @@ setup_https() {
|
|||
[[ -z "$CHARM" ]] &&
|
||||
error_out "setup_https(): CHARM not set."
|
||||
if ! https ; then
|
||||
juju-log "ENSURE NO HTTPS"
|
||||
if disable_https $@ ; then
|
||||
return 1
|
||||
else
|
||||
error_out "Could not ensure HTTPS disabled for $@"
|
||||
fi
|
||||
disable_https $@
|
||||
else
|
||||
enable_https $@
|
||||
fi
|
||||
juju-log "ENSURE HTTPS"
|
||||
enable_https $@
|
||||
}
|
||||
|
||||
##########################################################################
|
||||
# Description: Determine correct API server listening port based on
|
||||
# existence of HTTPS reverse proxy and/or haproxy.
|
||||
# Paremeters: The standard public port for given service.
|
||||
# Returns: The correct listening port for API service.
|
||||
##########################################################################
|
||||
determine_api_port() {
|
||||
local public_port="$1"
|
||||
local i=0
|
||||
( [[ -n "$(peer_units)" ]] || is_clustered >/dev/null 2>&1 ) && i=$[$i + 1]
|
||||
https >/dev/null 2>&1 && i=$[$i + 1]
|
||||
echo $[$public_port - $[$i * 10]]
|
||||
}
|
||||
|
||||
##########################################################################
|
||||
# Description: Determine correct proxy listening port based on public IP +
|
||||
# existence of HTTPS reverse proxy.
|
||||
# Paremeters: The standard public port for given service.
|
||||
# Returns: The correct listening port for haproxy service public address.
|
||||
##########################################################################
|
||||
determine_haproxy_port() {
|
||||
local public_port="$1"
|
||||
local i=0
|
||||
https >/dev/null 2>&1 && i=$[$i + 1]
|
||||
echo $[$public_port - $[$i * 10]]
|
||||
}
|
||||
|
|
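Review bot: `determine_api_port` and `determine_haproxy_port` use the obsolete `$[ … ]` arithmetic form (`i=$[$i + 1]`, `echo $[$public_port - $[$i * 10]]`); the standard form is `i=$((i + 1))` and `echo $((public_port - i * 10))`, which ShellCheck (SC2007) also expects. The clustered test `( [[ -n "$(peer_units)" ]] || is_clustered >/dev/null 2>&1 )` duplicates the one in configure_https; if the two ever disagree the API bind port and the haproxy backend port diverge, so both should call one shared predicate. `disable_https $@` and `enable_https $@` pass the port list unquoted (`"$@"`), and the rewritten `setup_https` now returns whatever enable/disable returns instead of the old explicit 0/1, so any remaining `if setup_https … ; then` caller must be re-checked and the new contract documented in the header. `# Paremeters:` is misspelled in both new function headers.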