Move HTTPS termination in front of haproxy + pacemaker.

2013-02-14 19:44:27 -08:00 · 2013-02-14 19:44:27 -08:00 · 66e07c4634
parent e36d0ada42
commit 66e07c4634
4 changed files with 88 additions and 42 deletions
--- a/hooks/glance-common
+++ b/hooks/glance-common
@ -123,23 +123,32 @@ do_openstack_upgrade() {
 configure_https() {
  # request openstack-common setup reverse proxy mapping for API and registry
  # servers
-  service_ctl all stop
-  if setup_https 9191:9181 9292:9282 ; then
-    juju-log "$CHARM: Configuring glance for HTTPS reverse proxying."
-    # configure servers to listen on new ports accordingly.
-    set_or_update bind_port "9181" "registry"
-    set_or_update bind_port "9282" "api"
-    set_or_update registry_port "9181" "api"
-    juju-log "$CHARM: Reverse proxy in place, updating Keystone catalog via "\
-             "identiy-service relation (if it exists)."
+  service_ctl glance-api stop
+  if [[ -n "$(peer_units)" ]] || is_clustered ; then
+    echo "configure_https clustered."
+    # haproxy may already be configured. need to push it back in the request
+    # pipeline in preparation for a change from:
+    #  from:  haproxy (9292) -> glance_api (9282)
+    #  to:    ssl (9292) -> haproxy (9291) -> glance_api (9272)
+    local next_server=$(determine_haproxy_port 9292)
+    local api_port=$(determine_api_port 9292)
+    echo "configure_haproxy glance_api:$next_server:$api_port"
+    configure_haproxy "glance_api:$next_server:$api_port"
  else
-    set_or_update bind_port "9191" "registry"
-    set_or_update bind_port "9292" "api"
-    set_or_update registry_port "9191" "api"
+    echo "configure_https NOT clustered."
+    # if not clustered, the glance-api is next in the pipeline.
+    local api_port=$(determine_api_port 9292)
+    local next_server=$api_port
  fi
+  echo "CONF PIPELINE: 9292 -> $next_server -> $api_port"
+  setup_https 9292:$next_server
+
+  # configure servers to listen on new ports accordingly.
+  set_or_update bind_port "$api_port" "api"
+  service_ctl all start
+
  # (re)configure ks endpoint accordingly
  for r_id in "$(relation-ids identity-service)" ; do
    keystone_joined "$r_id"
  done
-  service_ctl all start
 }
--- a/hooks/glance-relations
+++ b/hooks/glance-relations
@ -195,15 +195,14 @@ function keystone_joined {
  eligible_leader 'res_glance_vip' || return 0
  local r_id="$1"
  [[ -n "$r_id" ]] && r_id=" -r $r_id"
-  # advertise our API endpoint to keystone
+
+  # determine correct endpoint URL
  https && scheme="https" || scheme="http"
-  port=9292
-  if is_clustered; then
-    port=$(($port + 10000))
-    url="$scheme://$(config-get vip):$port/v1"
-  else
-    url="$scheme://$(unit-get private-address):$port/v1"
-  fi
+  is_clustered && local host=$(config-get vip) ||
+    local host=$(unit-get private-address)
+  url="$scheme://$host:9292/v1"
+
+  # advertise our API endpoint to keystone
  relation-set service="glance" \
    region="$(config-get region)" public_url=$url admin_url=$url internal_url=$url
 }
@ -288,7 +287,15 @@ function config_changed() {
 }

 function cluster_changed() {
-  configure_haproxy "glance_api:9292"
+  echo "CLUSTER CHANGED"
+  local haproxy_port=$(determine_haproxy_port 9292)
+  local backend_port=$(determine_api_port 9292)
+  echo "haproxy_port: $haproxy_port"
+  echo "backend_port: $backend_port"
+  service glance-api stop
+  configure_haproxy "glance_api:$haproxy_port:$backend_port"
+  set_or_update bind_port "$backend_port" "api"
+  service glance-api start
 }

 function upgrade_charm() {
@ -333,9 +340,10 @@ function ha_relation_joined() {
 function ha_relation_changed() {
  local clustered=`relation-get clustered`
  if [ -n "$clustered" ] && is_leader 'res_glance_vip'; then
-    local port=$((9292 + 10000))
    local host=$(config-get vip)
-    local url="http://$host:$port/v1"
+    https && local scheme="https" || local scheme="http"
+    local url="$scheme://$host:9292/v1"
+
    for r_id in `relation-ids identity-service`; do
      relation-set -r $r_id service="glance" \
        region="$(config-get region)" \
@ -343,7 +351,7 @@ function ha_relation_changed() {
    done
    for r_id in `relation-ids image-service`; do
      relation-set -r $r_id \
-        glance-api-server="$host:$port"         
+        glance-api-server="$host:9292"
    done
  fi
 }
--- a/hooks/lib/openstack-common
+++ b/hooks/lib/openstack-common
@ -317,18 +317,16 @@ function get_block_device() {

 HAPROXY_CFG=/etc/haproxy/haproxy.cfg
 HAPROXY_DEFAULT=/etc/default/haproxy
-
 ##########################################################################
 # Description: Configures HAProxy services for Openstack API's
-# Parameters: 
-#   Space delimited list of service:port combinations for which
+# Parameters:
+#   Space delimited list of service:ext_port:int_port combinations for which
 #   haproxy service configuration should be generated for.  The function
 #   assumes the name of the peer relation is 'cluster' and that every
 #   service unit in the peer relation is running the same services.
 #
-#   The HAProxy service will listen on port + 10000.
-# Example:
-#   configure_haproxy cinder_api:12345 nova_api:9999 
+# Example
+#   configure_haproxy cinder_api:8776:8756i nova_api:8774:8764
 ##########################################################################
 configure_haproxy() {
  local address=`unit-get private-address`
@ -364,8 +362,10 @@ listen stats :8888
 EOF
  for service in $@; do
    local service_name=$(echo $service | cut -d : -f 1)
-    local api_listen_port=$(echo $service | cut -d : -f 2)
-    local haproxy_listen_port=$(($api_listen_port + 10000))
+    local haproxy_listen_port=$(echo $service | cut -d : -f 2)
+    local api_listen_port=$(echo $service | cut -d : -f 3)
+    juju-log "Adding haproxy configuration entry for $service "\
+             "($haproxy_listen_port -> $api_listen_port)"
    cat >> $HAPROXY_CFG << EOF
 listen $service_name 0.0.0.0:$haproxy_listen_port
  balance roundrobin
@ -384,6 +384,13 @@ EOF
    done
  done
  echo "ENABLED=1" > $HAPROXY_DEFAULT
+  if is_clustered ;
+    if is_leader ; then
+      service haproxy restart
+    fi
+  else
+    service haproxy restart
+  fi
 }

 ##########################################################################
@ -649,13 +656,35 @@ setup_https() {
  [[ -z "$CHARM" ]] &&
    error_out "setup_https(): CHARM not set."
  if ! https ; then
-    juju-log "ENSURE NO HTTPS"
-    if disable_https $@ ; then
-      return 1
-    else
-      error_out "Could not ensure HTTPS disabled for $@"
-    fi
+    disable_https $@
+  else
+    enable_https $@
  fi
-  juju-log "ENSURE HTTPS"
-  enable_https $@
+}
+
+##########################################################################
+# Description: Determine correct API server listening port based on
+# existence of HTTPS reverse proxy and/or haproxy.
+# Paremeters: The standard public port for given service.
+# Returns: The correct listening port for API service.
+##########################################################################
+determine_api_port() {
+  local public_port="$1"
+  local i=0
+  ( [[ -n "$(peer_units)" ]] || is_clustered >/dev/null 2>&1 ) && i=$[$i + 1]
+  https >/dev/null 2>&1 && i=$[$i + 1]
+  echo $[$public_port - $[$i * 10]]
+}
+
+##########################################################################
+# Description: Determine correct proxy listening port based on public IP +
+# existence of HTTPS reverse proxy.
+# Paremeters: The standard public port for given service.
+# Returns: The correct listening port for haproxy service public address.
+##########################################################################
+determine_haproxy_port() {
+  local public_port="$1"
+  local i=0
+  https >/dev/null 2>&1 && i=$[$i + 1]
+  echo $[$public_port - $[$i * 10]]
 }
--- a/2
+++ b/2
@ -1 +1 @@
-106
+119