The default connection limits for backends is 2000
however, mariadb defaults to a max of 10000 conections,
therefore changing this limit to match the mariadb limit.

'haproxy_max_connections' also needs to be bumped
for this to work.

Change-Id: I5ded328485855f3f3d4390282040b0d89d08d997

Having all services in one giant haproxy file makes altering
configuration for a service both painful and dangerous. Each service
should be configured with a simple set of variables and rendered with a
single unified template.

Available are two new templates:

* haproxy_single_service_listen.cfg.j2: close to the original style, but
only one service per file
* haproxy_single_service_split.cfg.j2: using the newer haproxy syntax
for separated frontend and backend

For now the default will be the single listen block, for ease of
transition.

Change-Id: I6e237438fbc0aa3c89a3c8bd706a53b74e71904b

Since glance_api only start one container when using file
backend, the haproxy should follow this rule.

See: https://review.openstack.org/#/c/448654

Closes-Bug: #1722422

Change-Id: Id3519581e0f54509dacd24d0dd542c630342c771

While it is possible to implement countermeasures against some attacks
on TLS, migrating to a later version of TLS (TLS 1.2 is strongly
encouraged) is the only reliable method to protect against
the current protocol vulnerabilities.[1]

[1] https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Change-Id: I44f67e3a49bb00fea069d29c46b3e86404c7df0b

This patch extends the prometheus role for being able
to deploy the prometheus-alertmanager[0] container.

The variable enable_prometheus_alertmanager
decides if the container should be deployed and enabled.

If enabled, the following configuration and actions are performed:

- The alerting section on the prometheus-server configuration
is added pointing the prometheus-alertmanager host group as targets.

- HAProxy is configured to load-balance over the prometheus-alertmanager
host group. (external/internal).

Please note that a default (dummy) configuration is provided, that
allows the service to start, the operator should extend it via a node custom config

[0] https://github.com/openstack/kolla/tree/master/docker/prometheus/prometheus-alertmanager



Change-Id: I3a13342c67744a278cc8d52900a913c3ccc452ae
Closes-Bug: 1774725
Signed-off-by: Jorge Niedbalski <jorge.niedbalski@linaro.org>

the zun-wsproxy image is exists in kolla[0], but kolla-ansible
missing, this ps to add it.

[0]: https://github.com/openstack/kolla/tree/master/docker/zun/zun-wsproxy


Co-Authored-By: ZhijunWei <wzj334965317@outlook.com>

Change-Id: I89ef3463dfa5df8cf2d963ff0f0c7ddc382fc79b
Closes-Bug: #1765728

Some Murano applications require much longer time than default
1 hour to be deployed.

Change-Id: I395e9e3e8cccf70f316f313847648841822e639a
Closes-Bug: #1777670

Introduce new option "haproxy_defaults_balance" to set balance in
defaults section.

Change-Id: Iaf12717ffac94ac2308758bd8ec87f088af26b69
Closes-Bug: #1773178

Deploys the Monasca Log API with mod_wsgi + Apache.

Change-Id: I28f0aa31c59b0b6917be2b125b5f8a0d7a7035af
Partially-Implements: blueprint monasca-roles

Deploys the Monasca API with mod_wsgi + Apache.

Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Partially-Implements: blueprint monasca-roles
Change-Id: I3e03762217fbef1fb0cbff6239abb109cbec226b

Depends-On: https://review.openstack.org/568529
Change-Id: I8084e4c8406c818589ca984afe5b5364c00b08ca

This patch enables 3 new configuration options for haproxy.cfg
global section.

  - haproxy_processes: number of haproxy processes (default:1).
  - haproxy_max_connections: number of concurrent connections (default:4000)
  - haproxy_process_cpu_map: enforces 1:1 mapping/affinity between
process and core. (default: no).

Closes-Bug: #1770060
Change-Id: I33fc499b083c7bcc548133498e44406a479389f1
Signed-off-by: Jorge Niedbalski <jorge.niedbalski@linaro.org>

This patch adds the ansible role to deploy the prometheus service which
can be used to collect performance metrics accross the environment

Partially-Implements: blueprint prometheus
Change-Id: I908b9c9dad63ab5c9b80be1e3a80a4fc8191cb9e

If SSL is enabled, api of multiple services returns
wrong external URL without https prefix.

Removal of condition for deletion of http  header.

Change-Id: I4264e04d0d6b9a3e11ef7dd7add6c5e166cf9fb4
Closes-Bug: #1749155
Closes-Bug: #1717491

This change allows access to InfluxDB via HAProxy on the internal
network.

If HA is required the Enterprise version of InfluxDB will need to
be installed. This could be implemented by customising the InfluxDB
Docker file.

There are other alternatives to HA, such as the InfluxDB Relay [1].
Support for this is considered to be outside of the scope of this
bugfix.

[1] https://docs.openstack.org/developer/performance-docs/
    methodologies/monitoring/influxha.html

Closes-Bug: #1751283
Change-Id: I4624efbd99c0cddd1361f2438866ad3a82e5557b

This commit provides operators with the ability to specify additional
options per HTTP or TCP listener stanza.

Change-Id: I66cc5372f2a686213b6748a8260cfe84f789ad8e
Implements: blueprint haproxy-listener-extra-options

timeout tunnel is use for WebSocket and CONNECT protocol. Need use a
larger number for it. Otherwise, novnc will be auto disconnected if no
action happend in a short time on browser.

Change-Id: If37623e8fda5260ab0b38d2203f5266777dba063
Closes-Bug: #1759774

Clients usually have sophisticated logic for handling
key redistribution on node failure; so going under the
covers and messing with that is bad (because then the
clients and their sophisticated logic is unaware of
what is going on).

Change-Id: Ica12240440d28f930b917d5d6202f4f9e6675b2a

In some data centers multicast traffic is prohibited. Additionally
VRRP id needs to be unique within broadcast domain when keepalived
operates in multicast mode, otherwise it fails to start.

However keepalived can be configured to use unicast traffic [1].
In unicast mode VRRP id doesn't make sense, but needs to be
the same among peers.

[1] http://manpages.ubuntu.com/manpages/zesty/man5/keepalived.conf.5.html



Change-Id: I692ecbb0aa750baf20c013b53b57f88b474b63cc
Signed-off-by: Pavel Glushchak <pglushchak@virtuozzo.com>

This PS does:
1) Let haproxy to be ODL websocket's frontend and listen on port 8185.
2) Add 10-rest-connector.xml config file template for ODL container.
3) ODL websocket backend listen only on api interface, port is also
8185.

Closes-Bug: #1745323

Change-Id: Id330d610c7cd8a239b0f77c8f5f47422d48b9977
Signed-off-by: Zhijiang Hu <hu.zhijiang@zte.com.cn>

Change-Id: I43db3048f92207da5ec3a2b9ed52b4c4083c3881
Closes-Bug: #1745128

otherwise, if the jinja2 blocks at the end of the line, it will remove
the last newline character and join two lines into one.

Change-Id: Ie710342fb034e477ff854eba3915dd845bddd257

This change allows the following use cases:

1. Using an already-configured MariaDB / MySQL server / Cluster
2. Using already-created DB users, without requiring root DB access.

Update: added external mariadb precheck

Change-Id: I78b0d178306d7c5293b0bf53e445f19f18b4b824
Implements: blueprint external-mariadb-support.
Closes-Bug: #1603121

Haproxy keeps restarting due memcached servers
are writen in a single line. adds a empty line
in the for so each server is in its line

Change-Id: I763a23de7f70e9ebe543b935b175e675ec774f9a

Memcached do not support cluster. Then make it work in active-standby
mode. This will be helpful to implement high available when using memcached
as tooz backend.

Change-Id: I13722111d8b8d5b066e9a85d4c8d1679704c8caa

Change-Id: I329307b226757144a493ff21c76125cae8468e91

So it turns out that without 'mode http' redirects and rewrites
will not happen, and we're relying on it for multiple things.

Switch neutron to use http-tunnel mode instead which seems to work,
we've had no errors in our setup.

See:
https://www.haproxy.org/download/1.5/doc/configuration.txt

Quoute:
" - tunnel        : only the first request and response are processed,
                      everything else is forwarded with no analysis."

Fixes: bba80acc
Change-Id: I0d9abe9731fba1e4deb64932e859f991648bb1ec

Add ansible role to deploy blazar
Add nova filters to allow use of blazar

Change-Id: I6742ddc9a4736f256491dd0cfd31904fa8eb5652
Implements: blueprint blazar-ansible-role

Co-Authored-By: caoyuan <cao.yuan@99cloud.net>
Co-Authored-By: Eduardo Gonzalez <dabarren@gmail.com>

Depends-on I7ffb991adbd05275e331401cd73fc84362084ebd
Change-Id: I85afeb5dfce0bf6350a444000bdb885c6fe079c9
Partially-implements: blueprint vitrage-roles

In some cases the http mode in haproxy causes issues with api calls
(We exeperienced this in production between horizon and neutron)

See:
https://ask.openstack.org/en/question/57958/keystone-through-haproxy/

Change-Id: Id2079c5a491ef8691e7ad8846a5fec99e49ec4ba

Close-Bug: 1734047

For ODL clustering, one should explicitly points switches to each
of the ODL instances. The openflowplugin logic will figure out
which controller should be the master, and which should be the
slave.

Kolla currently sets the manager to one of the specific ODL over
ptcp and another one through the VIP. The VIP is probably
forwarding the traffic to that same ODL so from ODL's perspective
it's getting two duplicated connection requests from the same OVS
which will cause re-connection problem.

This PS does:
1) Let OVS to connect to the individual IPs of each ODL node in
a ODL cluster instead of only connect to the representative over
VIP. Devstack is doing the same thing[1]. Further more, there is no
need for HAProxy to be frontend for ODL southbound.

2) Delete the unusd ptcp connection option.

[1] https://review.openstack.org/#/c/249484/



Change-Id: Ib57e6fbb5ce64a48be0506904d3c8397ed6f70d9
Signed-off-by: Zhijiang Hu <hu.zhijiang@zte.com.cn>

outward_rabbitmq is determined  using enable_outward_rabbitmq
property rather than current haproxy_enable_external_vip

Change-Id: Iee096ab50fd4d9f5f3fe05880d0e0a7842c59d0a
Closes-Bug: 1722854

This change adds enable_fluentd option and enables some other log shippers
to be integrated. When enable_fluentd is "no", syslog server is also disabled.
Then, this change also adds syslog parameters to use a syslog server
prepared by users.

Change-Id: I7c83ef7fe30a6b9ab7385bcee953ad07e96b0a83
Implements: blueprint fluentd-enable-option

Console access for HyperV VMs is now done via Kolla VIP.
The VIP will point to each HyperV compute node IP on which
FreeRDP-WebConnect is installed.

Closes-Bug: #1714249
Change-Id: I3a5d23425996a5c347ff21df3f99c3f63dd35173

This reverts commit 91321ac8.

The reasoning given in this commit is incorrect. Keystone/oslo.cache
uses memcached hosts based on a hashing of the key to determine which
memcached host to check. If you have different configured memcached
servers per keystone deployment you have a mis-configured deployment.

Any RESTapi should be capable of roundrobin load-balancing. I am not
familiar with the Murano case with uploading a package, but this change
also does not address Murano at all.

As far as Horizon goes, that hasn't had a problem with shared backends
since the beginning because we use memcached servers with a shared
secret key [1].

All this change has done is lowered the efficiency of loadbalancing
keystone.

[1] https://github.com/openstack/kolla-ansible/blob/master/ansible/roles/horizon/templates/local_settings.j2#L149

Change-Id: Ic0b550e7c96d67c39153933b527ab3edf7d90f27

Adds role for OpenDaylight deploy.

Change-Id: I1e697ea4d3f33aab4b0f55863a377b39eda8f609
Co-Authored-By: Mauricio Lima <mauriciolimab@gmail.com>
Co-Authored-By: Jiri Prokes <jirix.x.prokes@intel.com>
Co-Authored-By: Eduardo Gonzalez <dabarren@gmail.com>
Partially-Implements: blueprint opendaylight-support

kolla-kubernetes is using its own configuration generation[0], so it is
time for kolla-ansible to remove the related code to simplify the
logical.

[0] https://github.com/openstack/kolla-kubernetes/tree/master/ansible

Change-Id: I7bb0b7fe3b8eea906613e936d5e9d19f4f2e80bb
Implements: blueprint clean-k8s-config

* remove ceilometer-api and ceilometer-collector service
* use ceilometer-notification to publish message to proper backend
* remove useless ceilometer_database_type and ceilometer_event_type
  variables
* sync event_definitions.yaml, event_pipeline.yaml and pipeline.yaml
  file with upstream

Change-Id: Ib39053cb5f70bd11ee61d3f26d5b28accecd7190

timeout options are added to glance-api but not for glance_api_external,
it should be added there also.

Change-Id: Idbd3dabbe24a5c71e70154dfde96c5c70eeefc10
Partial-bug: 1675637

Haproxy fails to deploy if outward group is not
in inventory.
This change adds an optional outward setting for
haproxy

Change-Id: I351578582b1057bb48ac69859583a5db13f0bfb8