From f64c86de1ddec947b7c5cf9d262346d7f0d8fce4 Mon Sep 17 00:00:00 2001
From: Dincer Celik
Date: Tue, 5 Nov 2019 11:29:24 +0300
Subject: [PATCH] [haproxy] Adds http/2 support to HAProxy

This change introduces haproxy_enable_http2 to let operators enable http/2 on HAProxy frontends when kolla_enable_tls_external is enabled.

Change-Id: I2e00d3e9193a3052d43a228915ea249794490afe
Closes-Bug: #1850924
---
 ansible/group_vars/all.yml | 2 ++
 .../templates/haproxy_single_service_split.cfg.j2 | 2 ++
 .../reference/high-availability/haproxy-guide.rst | 10 ++++++++++
 .../add-haproxy-http2-support-3a8575889cabe064.yaml | 4 ++++
 4 files changed, 18 insertions(+)
 create mode 100644 releasenotes/notes/add-haproxy-http2-support-3a8575889cabe064.yaml
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index c9a2085a3b..60c6e87e72 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -939,6 +939,8 @@ rabbitmq_datadir_volume: "rabbitmq"
 ####################
 haproxy_user: "openstack"
 haproxy_enable_external_vip: "{{ 'no' if kolla_same_external_internal_vip | bool else 'yes' }}"
+haproxy_enable_http2: "yes"
+haproxy_http2_protocol: "alpn h2,http/1.1"
 kolla_enable_tls_internal: "no"
 kolla_enable_tls_external: "{{ kolla_enable_tls_internal if kolla_same_external_internal_vip | bool else 'no' }}"
 kolla_certificates_dir: "{{ node_config }}/certificates"
diff --git a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2 b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
index c795ce267d..96b18f8e5a 100644
--- a/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
+++ b/ansible/roles/haproxy-config/templates/haproxy_single_service_split.cfg.j2
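Review bot: In ansible/group_vars/all.yml the new `haproxy_enable_http2: "yes"` default turns on HTTP/2 negotiation for every TLS frontend at upgrade without the operator opting in, and nothing next to the variable says so. The commit message ties the feature to kolla_enable_tls_external, but the template change in this same patch also appends `haproxy_http2_protocol` to the internal bind options, so the scope is wider than described. I would either default to `haproxy_enable_http2: "no"`, or keep the default and add a comment such as `# Appended verbatim to each TLS bind line when haproxy_enable_http2 is true; affects internal and external frontends`. Whether the HAProxy build shipped in the images accepts `alpn h2` is not visible from this hunk and is worth confirming.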
@@ -1,6 +1,8 @@
 #jinja2: lstrip_blocks: True
 {%- set external_tls_bind_info = 'ssl crt /etc/haproxy/haproxy.pem' if kolla_enable_tls_external|bool else '' %}
+{%- set external_tls_bind_info = "%s %s" % (external_tls_bind_info, haproxy_http2_protocol) if kolla_enable_tls_external|bool and haproxy_enable_http2|bool else external_tls_bind_info %}
 {%- set internal_tls_bind_info = 'ssl crt /etc/haproxy/haproxy-internal.pem' if kolla_enable_tls_internal|bool else '' %}
+{%- set internal_tls_bind_info = "%s %s" % (internal_tls_bind_info, haproxy_http2_protocol) if kolla_enable_tls_internal|bool and haproxy_enable_http2|bool else external_tls_bind_info %}
 {%- macro userlist_macro(service_name, auth_user, auth_pass) %}
 userlist {{ service_name }}-user
diff --git a/doc/source/reference/high-availability/haproxy-guide.rst b/doc/source/reference/high-availability/haproxy-guide.rst
index 973391d6d1..418ad534fb 100644
--- a/doc/source/reference/high-availability/haproxy-guide.rst
+++ b/doc/source/reference/high-availability/haproxy-guide.rst
@@ -82,3 +82,13 @@ To set weight of backend per service, modify inventory file as below:
 server1 haproxy_nova_api_weight=10
 server2 haproxy_nova_api_weight=2 haproxy_keystone_internal_weight=10
 server3 haproxy_keystone_admin_weight=50
+
+HTTP/2 Support
+---------------
+
+HAProxy with HTTP/2 frontend support is enabled by default. It may be
+disabled by setting the following in ``/etc/kolla/globals.yml``:
+
+.. code-block:: yaml
+
+ haproxy_enable_http2: "no"
diff --git a/releasenotes/notes/add-haproxy-http2-support-3a8575889cabe064.yaml b/releasenotes/notes/add-haproxy-http2-support-3a8575889cabe064.yaml
new file mode 100644
index 0000000000..c188f3eaec
--- /dev/null
+++ b/releasenotes/notes/add-haproxy-http2-support-3a8575889cabe064.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - |
+ Adds http/2 support to HAProxy frontends.
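Review bot: The second added `set` in haproxy_single_service_split.cfg.j2 falls back to the wrong variable, because its `else` branch assigns `external_tls_bind_info` to `internal_tls_bind_info`. Whenever internal TLS or `haproxy_enable_http2` is off, the internal bind options are overwritten with the external ones. With internal TLS on, external TLS off and HTTP/2 disabled, that value is an empty string, so the internal frontends would lose `ssl crt /etc/haproxy/haproxy-internal.pem` and serve plaintext; with both TLS options on they would present haproxy.pem instead of the internal certificate. The branch should end `... and haproxy_enable_http2|bool else internal_tls_bind_info %}`. Rendering the template for each TLS/HTTP2 combination would catch this; how the two variables are used further down the template is outside the hunk.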