haproxy: support single external frontend

Use case: exposing single external https frontend and load balancing services using FQDNs. Support different ports for internal and external endpoints. Introduced kolla_url filter to normalize urls like: - https://magnum.external:443/v1 - http://magnum.external:80/v1 Change-Id: I9fb03fe1cebce5c7198d523e015280c69f139cd0 Co-Authored-By: Jakub Darmach <[email protected]> (cherry picked from commit 4bc410c)
stackhpc · Nov 13, 2023 · f81df98 · f81df98
1 parent dba81b7
commit f81df98
Show file tree

Hide file tree

Showing 57 changed files with 543 additions and 143 deletions.
diff --git a/ansible/filter_plugins/address.py b/ansible/filter_plugins/address.py
@@ -15,6 +15,7 @@
 # limitations under the License.
 
 from kolla_ansible.kolla_address import kolla_address
+from kolla_ansible.kolla_url import kolla_url
 from kolla_ansible.put_address_in_context import put_address_in_context
 
 
@@ -24,5 +25,6 @@ class FilterModule(object):
     def filters(self):
         return {
             'kolla_address': kolla_address,
+            'kolla_url': kolla_url,
             'put_address_in_context': put_address_in_context,
         }
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
diff --git a/ansible/roles/aodh/defaults/main.yml b/ansible/roles/aodh/defaults/main.yml
@@ -19,7 +19,8 @@ aodh_services:
         enabled: "{{ enable_aodh }}"
         mode: "http"
         external: true
-        port: "{{ aodh_api_port }}"
+        external_fqdn: "{{ aodh_external_fqdn }}"
+        port: "{{ aodh_api_public_port }}"
         listen_port: "{{ aodh_api_listen_port }}"
   aodh-evaluator:
     container_name: aodh_evaluator
@@ -207,8 +208,8 @@ aodh_notifier_extra_volumes: "{{ aodh_extra_volumes }}"
 ####################
 # OpenStack
 ####################
-aodh_internal_endpoint: "{{ internal_protocol }}://{{ aodh_internal_fqdn | put_address_in_context('url') }}:{{ aodh_api_port }}"
-aodh_public_endpoint: "{{ public_protocol }}://{{ aodh_external_fqdn | put_address_in_context('url') }}:{{ aodh_api_port }}"
+aodh_internal_endpoint: "{{ aodh_internal_fqdn | kolla_url(internal_protocol, aodh_api_port) }}"
+aodh_public_endpoint: "{{ aodh_external_fqdn | kolla_url(public_protocol, aodh_api_public_port) }}"
 
 aodh_logging_debug: "{{ openstack_logging_debug }}"
 

diff --git a/ansible/roles/barbican/defaults/main.yml b/ansible/roles/barbican/defaults/main.yml
@@ -20,7 +20,8 @@ barbican_services:
         enabled: "{{ enable_barbican }}"
         mode: "http"
         external: true
-        port: "{{ barbican_api_port }}"
+        external_fqdn: "{{ barbican_external_fqdn }}"
+        port: "{{ barbican_api_public_port }}"
         listen_port: "{{ barbican_api_listen_port }}"
         tls_backend: "{{ barbican_enable_tls_backend }}"
   barbican-keystone-listener:

diff --git a/ansible/roles/blazar/defaults/main.yml b/ansible/roles/blazar/defaults/main.yml
@@ -14,11 +14,14 @@ blazar_services:
         mode: "http"
         external: false
         port: "{{ blazar_api_port }}"
+        listen_port: "{{ blazar_api_listen_port }}"
       blazar_api_external:
         enabled: "{{ enable_blazar }}"
         mode: "http"
         external: true
-        port: "{{ blazar_api_port }}"
+        external_fqdn: "{{ blazar_external_fqdn }}"
+        port: "{{ blazar_api_public_port }}"
+        listen_port: "{{ blazar_api_listen_port }}"
   blazar-manager:
     container_name: blazar_manager
     group: blazar-manager
@@ -126,8 +129,8 @@ blazar_manager_extra_volumes: "{{ blazar_extra_volumes }}"
 ####################
 # OpenStack
 ####################
-blazar_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ blazar_api_port }}/v1"
-blazar_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn | put_address_in_context('url') }}:{{ blazar_api_port }}/v1"
+blazar_internal_endpoint: "{{ blazar_internal_fqdn | kolla_url(internal_protocol, blazar_api_port, '/v1') }}"
+blazar_public_endpoint: "{{ blazar_external_fqdn | kolla_url(public_protocol, blazar_api_public_port, '/v1') }}"
 
 blazar_logging_debug: "{{ openstack_logging_debug }}"
 

diff --git a/ansible/roles/ceph-rgw/defaults/main.yml b/ansible/roles/ceph-rgw/defaults/main.yml
@@ -16,7 +16,8 @@ ceph_rgw_services:
         enabled: "{{ enable_ceph_rgw_loadbalancer | bool }}"
         mode: "http"
         external: true
-        port: "{{ ceph_rgw_port }}"
+        external_fqdn: "{{ ceph_rgw_external_fqdn }}"
+        port: "{{ ceph_rgw_public_port }}"
         custom_member_list: "{{ ceph_rgw_haproxy_members }}"
 
 ####################
@@ -59,8 +60,8 @@ ceph_rgw_swift_account_in_url: false
 
 ceph_rgw_endpoint_path: "{{ '/' if ceph_rgw_swift_compatibility | bool else '/swift/' }}v1{% if ceph_rgw_swift_account_in_url | bool %}/AUTH_%(project_id)s{% endif %}"
 
-ceph_rgw_internal_endpoint: "{{ internal_protocol }}://{{ ceph_rgw_internal_fqdn | put_address_in_context('url') }}:{{ ceph_rgw_port }}{{ ceph_rgw_endpoint_path }}"
-ceph_rgw_public_endpoint: "{{ public_protocol }}://{{ ceph_rgw_external_fqdn | put_address_in_context('url') }}:{{ ceph_rgw_port }}{{ ceph_rgw_endpoint_path }}"
+ceph_rgw_internal_endpoint: "{{ ceph_rgw_internal_fqdn | kolla_url(internal_protocol, ceph_rgw_port, ceph_rgw_endpoint_path) }}"
+ceph_rgw_public_endpoint: "{{ ceph_rgw_external_fqdn | kolla_url(public_protocol, ceph_rgw_public_port, ceph_rgw_endpoint_path) }}"
 
 ceph_rgw_keystone_user: "ceph_rgw"
 

diff --git a/ansible/roles/cinder/defaults/main.yml b/ansible/roles/cinder/defaults/main.yml
@@ -20,7 +20,8 @@ cinder_services:
         enabled: "{{ enable_cinder }}"
         mode: "http"
         external: true
-        port: "{{ cinder_api_port }}"
+        external_fqdn: "{{ cinder_external_fqdn }}"
+        port: "{{ cinder_api_public_port }}"
         listen_port: "{{ cinder_api_listen_port }}"
         tls_backend: "{{ cinder_enable_tls_backend }}"
   cinder-scheduler:
@@ -209,8 +210,8 @@ cinder_enable_conversion_tmpfs: false
 ####################
 # OpenStack
 ####################
-cinder_internal_base_endpoint: "{{ internal_protocol }}://{{ cinder_internal_fqdn | put_address_in_context('url') }}:{{ cinder_api_port }}"
-cinder_public_base_endpoint: "{{ public_protocol }}://{{ cinder_external_fqdn | put_address_in_context('url') }}:{{ cinder_api_port }}"
+cinder_internal_base_endpoint: "{{ cinder_internal_fqdn | kolla_url(internal_protocol, cinder_api_port) }}"
+cinder_public_base_endpoint: "{{ cinder_external_fqdn | kolla_url(public_protocol, cinder_api_public_port) }}"
 
 cinder_v3_internal_endpoint: "{{ cinder_internal_base_endpoint }}/v3/%(tenant_id)s"
 cinder_v3_public_endpoint: "{{ cinder_public_base_endpoint }}/v3/%(tenant_id)s"

diff --git a/ansible/roles/cloudkitty/defaults/main.yml b/ansible/roles/cloudkitty/defaults/main.yml
@@ -14,11 +14,14 @@ cloudkitty_services:
         mode: "http"
         external: false
         port: "{{ cloudkitty_api_port }}"
+        listen_port: "{{ cloudkitty_api_listen_port }}"
       cloudkitty_api_external:
         enabled: "{{ enable_cloudkitty }}"
         mode: "http"
         external: true
-        port: "{{ cloudkitty_api_port }}"
+        external_fqdn: "{{ cloudkitty_external_fqdn }}"
+        port: "{{ cloudkitty_api_public_port }}"
+        listen_port: "{{ cloudkitty_api_listen_port }}"
   cloudkitty-processor:
     container_name: "cloudkitty_processor"
     group: "cloudkitty-processor"
@@ -118,8 +121,8 @@ cloudkitty_api_extra_volumes: "{{ cloudkitty_extra_volumes }}"
 ####################
 # OpenStack
 ####################
-cloudkitty_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ cloudkitty_api_port }}"
-cloudkitty_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn | put_address_in_context('url') }}:{{ cloudkitty_api_port }}"
+cloudkitty_internal_endpoint: "{{ cloudkitty_internal_fqdn | kolla_url(internal_protocol, cloudkitty_api_port) }}"
+cloudkitty_public_endpoint: "{{ cloudkitty_external_fqdn | kolla_url(public_protocol, cloudkitty_api_public_port) }}"
 
 cloudkitty_logging_debug: "{{ openstack_logging_debug }}"
 

diff --git a/ansible/roles/cyborg/defaults/main.yml b/ansible/roles/cyborg/defaults/main.yml
@@ -141,8 +141,8 @@ cyborg_conductor_extra_volumes: "{{ cyborg_extra_volumes }}"
 ####################
 # OpenStack
 ####################
-cyborg_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ cyborg_api_port }}/v2"
-cyborg_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn | put_address_in_context('url') }}:{{ cyborg_api_port }}/v2"
+cyborg_internal_endpoint: "{{ cyborg_internal_fqdn | kolla_url(internal_protocol, cyborg_api_port) }}"
+cyborg_public_endpoint: "{{ cyborg_external_fqdn | kolla_url(public_protocol, cyborg_api_port) }}"
 
 cyborg_logging_debug: "{{ openstack_logging_debug }}"
 

diff --git a/ansible/roles/designate/defaults/main.yml b/ansible/roles/designate/defaults/main.yml
@@ -19,7 +19,8 @@ designate_services:
         enabled: "{{ enable_designate }}"
         mode: "http"
         external: true
-        port: "{{ designate_api_port }}"
+        external_fqdn: "{{ designate_external_fqdn }}"
+        port: "{{ designate_api_public_port }}"
         listen_port: "{{ designate_api_listen_port }}"
   designate-backend-bind9:
     container_name: designate_backend_bind9

diff --git a/ansible/roles/freezer/defaults/main.yml b/ansible/roles/freezer/defaults/main.yml
@@ -13,11 +13,14 @@ freezer_services:
         mode: "http"
         external: false
         port: "{{ freezer_api_port }}"
+        listen_port: "{{ freezer_api_listen_port }}"
       freezer_api_external:
         enabled: "{{ enable_freezer }}"
         mode: "http"
         external: true
-        port: "{{ freezer_api_port }}"
+        external_fqdn: "{{ freezer_external_fqdn }}"
+        port: "{{ freezer_api_public_port }}"
+        listen_port: "{{ freezer_api_listen_port }}"
   freezer-scheduler:
     container_name: freezer_scheduler
     group: freezer-scheduler
@@ -97,8 +100,8 @@ freezer_scheduler_extra_volumes: "{{ freezer_extra_volumes }}"
 ####################
 # OpenStack
 ####################
-freezer_internal_endpoint: "{{ internal_protocol }}://{{ kolla_internal_fqdn | put_address_in_context('url') }}:{{ freezer_api_port }}"
-freezer_public_endpoint: "{{ public_protocol }}://{{ kolla_external_fqdn | put_address_in_context('url') }}:{{ freezer_api_port }}"
+freezer_internal_endpoint: "{{ freezer_internal_fqdn | kolla_url(internal_protocol, freezer_api_port) }}"
+freezer_public_endpoint: "{{ freezer_external_fqdn | kolla_url(public_protocol, freezer_api_public_port) }}"
 
 freezer_logging_debug: "{{ openstack_logging_debug }}"
 

diff --git a/ansible/roles/glance/defaults/main.yml b/ansible/roles/glance/defaults/main.yml
@@ -26,7 +26,8 @@ glance_services:
         enabled: "{{ enable_glance | bool and not glance_enable_tls_backend | bool }}"
         mode: "http"
         external: true
-        port: "{{ glance_api_port }}"
+        external_fqdn: "{{ glance_external_fqdn }}"
+        port: "{{ glance_api_public_port }}"
         frontend_http_extra:
           - "timeout client {{ haproxy_glance_api_client_timeout }}"
         backend_http_extra:
@@ -57,7 +58,8 @@ glance_services:
         enabled: "{{ enable_glance | bool and glance_enable_tls_backend | bool }}"
         mode: "http"
         external: true
-        port: "{{ glance_api_port }}"
+        external_fqdn: "{{ glance_external_fqdn }}"
+        port: "{{ glance_api_public_port }}"
         frontend_http_extra:
           - "timeout client {{ haproxy_glance_api_client_timeout }}"
         backend_http_extra:

diff --git a/ansible/roles/gnocchi/defaults/main.yml b/ansible/roles/gnocchi/defaults/main.yml
@@ -13,12 +13,15 @@ gnocchi_services:
         enabled: "{{ enable_gnocchi }}"
         mode: "http"
         external: false
-        port: "{{ gnocchi_api_listen_port }}"
+        port: "{{ gnocchi_api_port }}"
+        listen_port: "{{ gnocchi_api_listen_port }}"
       gnocchi_api_external:
         enabled: "{{ enable_gnocchi }}"
         mode: "http"
         external: true
-        port: "{{ gnocchi_api_listen_port }}"
+        external_fqdn: "{{ gnocchi_external_fqdn }}"
+        port: "{{ gnocchi_api_public_port }}"
+        listen_port: "{{ gnocchi_api_listen_port }}"
   gnocchi-metricd:
     container_name: gnocchi_metricd
     group: gnocchi-metricd
@@ -160,8 +163,8 @@ gnocchi_statsd_extra_volumes: "{{ gnocchi_extra_volumes }}"
 ####################
 # OpenStack
 ####################
-gnocchi_internal_endpoint: "{{ internal_protocol }}://{{ gnocchi_internal_fqdn | put_address_in_context('url') }}:{{ gnocchi_api_port }}"
-gnocchi_public_endpoint: "{{ public_protocol }}://{{ gnocchi_external_fqdn | put_address_in_context('url') }}:{{ gnocchi_api_port }}"
+gnocchi_internal_endpoint: "{{ gnocchi_internal_fqdn | kolla_url(internal_protocol, gnocchi_api_port) }}"
+gnocchi_public_endpoint: "{{ gnocchi_external_fqdn | kolla_url(public_protocol, gnocchi_api_public_port) }}"
 
 gnocchi_logging_debug: "{{ openstack_logging_debug }}"
 

diff --git a/ansible/roles/grafana/defaults/main.yml b/ansible/roles/grafana/defaults/main.yml
@@ -13,11 +13,14 @@ grafana_services:
         mode: "http"
         external: false
         port: "{{ grafana_server_port }}"
+        listen_port: "{{ grafana_server_listen_port }}"
       grafana_server_external:
         enabled: "{{ enable_grafana_external | bool }}"
         mode: "http"
         external: true
-        port: "{{ grafana_server_port }}"
+        external_fqdn: "{{ grafana_external_fqdn }}"
+        port: "{{ grafana_server_public_port }}"
+        listen_port: "{{ grafana_server_listen_port }}"
 
 ####################
 # Database

diff --git a/ansible/roles/haproxy-config/tasks/main.yml b/ansible/roles/haproxy-config/tasks/main.yml
@@ -22,6 +22,36 @@
   notify:
     - Restart haproxy container
 
+- name: "Add configuration for {{ project_name }} when using single external frontend"
+  vars:
+    service: "{{ item.value }}"
+  blockinfile:
+    create: yes
+    path: "{{ node_config_directory }}/haproxy/external-frontend-map"
+    insertafter: EOF
+    marker: "# {mark} {{ item.key }}"
+    mode: "0660"
+    block: |
+      {%- set haproxy = service.haproxy | default({}) %}
+      {%- for haproxy_name, haproxy_service in haproxy.items() %}
+      {% set external = haproxy_service.external | default(false) | bool %}
+      {% set enabled = haproxy_service.enabled | default(false) | bool %}
+      {% set with_frontend = haproxy_service.with_frontend | default(true) | bool %}
+      {% set mode = haproxy_service.mode | default('http') %}
+      {%- if external and with_frontend and enabled and mode == 'http' %}
+      {{ haproxy_service.external_fqdn }} {{ haproxy_name }}_back
+      {% endif -%}
+      {%- endfor -%}
+  become: true
+  with_dict: "{{ project_services }}"
+  when:
+    - haproxy_single_external_frontend | bool
+    - service.enabled | bool
+    - service.haproxy is defined
+    - enable_haproxy | bool
+  notify:
+    - Restart haproxy container
+
 - name: "Configuring firewall for {{ project_name }}"
   firewalld:
     offline: "yes"

diff --git a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
@@ -140,8 +140,10 @@ backend {{ service_name }}_back
 {{ userlist_macro(haproxy_name, auth_user, auth_pass) }}
         {% endif %}
         {% if with_frontend %}
+            {% if not (external|bool and haproxy_single_external_frontend|bool and mode == 'http') %}
 {{ frontend_macro(haproxy_name, haproxy_service.port, mode, external,
                   frontend_http_extra, frontend_tcp_extra) }}
+            {% endif %}
         {% endif %}
         {# Redirect (to https) is a special case, as it does not include a backend #}
         {% if with_backend and mode != 'redirect' %}

diff --git a/ansible/roles/heat/defaults/main.yml b/ansible/roles/heat/defaults/main.yml
@@ -20,7 +20,8 @@ heat_services:
         enabled: "{{ enable_heat }}"
         mode: "http"
         external: true
-        port: "{{ heat_api_port }}"
+        external_fqdn: "{{ heat_external_fqdn }}"
+        port: "{{ heat_api_public_port }}"
         listen_port: "{{ heat_api_listen_port }}"
         tls_backend: "{{ heat_enable_tls_backend }}"
   heat-api-cfn:
@@ -43,7 +44,8 @@ heat_services:
         enabled: "{{ enable_heat }}"
         mode: "http"
         external: true
-        port: "{{ heat_api_cfn_port }}"
+        external_fqdn: "{{ heat_cfn_external_fqdn }}"
+        port: "{{ heat_api_cfn_public_port }}"
         listen_port: "{{ heat_api_cfn_listen_port }}"
         tls_backend: "{{ heat_enable_tls_backend }}"
   heat-engine:
@@ -170,12 +172,12 @@ heat_engine_extra_volumes: "{{ heat_extra_volumes }}"
 ####################
 # OpenStack
 ####################
-heat_internal_endpoint: "{{ internal_protocol }}://{{ heat_internal_fqdn | put_address_in_context('url') }}:{{ heat_api_port }}/v1/%(tenant_id)s"
-heat_public_endpoint: "{{ public_protocol }}://{{ heat_external_fqdn | put_address_in_context('url') }}:{{ heat_api_port }}/v1/%(tenant_id)s"
+heat_internal_endpoint: "{{ heat_internal_fqdn | kolla_url(internal_protocol, heat_api_port, '/v1/%(tenant_id)s') }}"
+heat_public_endpoint: "{{ heat_external_fqdn | kolla_url(public_protocol, heat_api_public_port, '/v1/%(tenant_id)s') }}"
 
-heat_cfn_public_base_endpoint: "{{ public_protocol }}://{{ heat_cfn_external_fqdn | put_address_in_context('url') }}:{{ heat_api_cfn_port }}"
+heat_cfn_public_base_endpoint: "{{ heat_cfn_external_fqdn | kolla_url(public_protocol, heat_api_cfn_public_port) }}"
 
-heat_cfn_internal_endpoint: "{{ internal_protocol }}://{{ heat_cfn_internal_fqdn | put_address_in_context('url') }}:{{ heat_api_cfn_port }}/v1"
+heat_cfn_internal_endpoint: "{{ heat_cfn_internal_fqdn | kolla_url(internal_protocol, heat_api_cfn_port, '/v1') }}"
 heat_cfn_public_endpoint: "{{ heat_cfn_public_base_endpoint }}/v1"
 
 heat_logging_debug: "{{ openstack_logging_debug }}"

diff --git a/ansible/roles/horizon/defaults/main.yml b/ansible/roles/horizon/defaults/main.yml
@@ -53,6 +53,7 @@ horizon_services:
         enabled: "{{ enable_horizon }}"
         mode: "http"
         external: true
+        external_fqdn: "{{ horizon_external_fqdn }}"
         port: "{% if kolla_enable_tls_external | bool %}{{ horizon_tls_port }}{% else %}{{ horizon_port }}{% endif %}"
         listen_port: "{{ horizon_listen_port }}"
         frontend_http_extra:
@@ -64,6 +65,7 @@ horizon_services:
         enabled: "{{ enable_horizon | bool and kolla_enable_tls_external | bool }}"
         mode: "redirect"
         external: true
+        external_fqdn: "{{ horizon_external_fqdn }}"
         port: "{{ horizon_port }}"
         listen_port: "{{ horizon_listen_port }}"
       acme_client:

diff --git a/ansible/roles/ironic/defaults/main.yml b/ansible/roles/ironic/defaults/main.yml
@@ -20,7 +20,8 @@ ironic_services:
         enabled: "{{ enable_ironic }}"
         mode: "http"
         external: true
-        port: "{{ ironic_api_port }}"
+        external_fqdn: "{{ ironic_external_fqdn }}"
+        port: "{{ ironic_api_public_port }}"
         listen_port: "{{ ironic_api_listen_port }}"
         tls_backend: "{{ ironic_enable_tls_backend }}"
   ironic-conductor:
@@ -52,7 +53,8 @@ ironic_services:
         enabled: "{{ enable_ironic }}"
         mode: "http"
         external: true
-        port: "{{ ironic_inspector_port }}"
+        external_fqdn: "{{ ironic_inspector_external_fqdn }}"
+        port: "{{ ironic_inspector_public_port }}"
         listen_port: "{{ ironic_inspector_listen_port }}"
   ironic-tftp:
     container_name: ironic_tftp
@@ -259,8 +261,8 @@ ironic_dnsmasq_extra_volumes: "{{ ironic_extra_volumes }}"
 ####################
 ironic_inspector_keystone_user: "ironic-inspector"
 
-ironic_inspector_internal_endpoint: "{{ internal_protocol }}://{{ ironic_inspector_internal_fqdn | put_address_in_context('url') }}:{{ ironic_inspector_port }}"
-ironic_inspector_public_endpoint: "{{ public_protocol }}://{{ ironic_inspector_external_fqdn | put_address_in_context('url') }}:{{ ironic_inspector_port }}"
+ironic_inspector_internal_endpoint: "{{ ironic_inspector_internal_fqdn | kolla_url(internal_protocol, ironic_inspector_port) }}"
+ironic_inspector_public_endpoint: "{{ ironic_inspector_external_fqdn | kolla_url(public_protocol, ironic_inspector_public_port) }}"
 
 ironic_logging_debug: "{{ openstack_logging_debug }}"