Adds Support for Broker API High-Availability

danehans · danehans · commit 799b22f71b32 · 2014-05-03T01:56:46.000+04:00
Previously, only a single broker could be deployed.  This patch
adds support for using HAProxy and Keepalived to load-balance
multiple brokers for high-availability and scalability.
diff --git a/Modulefile b/Modulefile
@@ -11,4 +11,6 @@ dependency 'rharrison/lokkit', '>=0.2.0'
 dependency 'puppetlabs/ntp', '>=0.1.0'
 dependency 'puppetlabs/stdlib', '>=2.6.0'
 dependency 'blentz/selinux_types', '>=0.1.0'
+dependency 'puppetlabs/haproxy', '>=0.4.1'
+dependency 'arioch/keepalived', '>=0.0.10'
 dependency 'duritong/sysctl', '>=0.0.1'
diff --git a/README.asciidoc b/README.asciidoc
@@ -108,11 +108,12 @@ $ d.register_application "appname", "namespace", "node_fqdn"
 
 Choose from the following roles to be configured on this node.
 
-* broker     - Installs the broker and console.
-* node       - Installs the node and cartridges.
-* msgserver  - Installs ActiveMQ message broker.
-* datastore  - Installs MongoDB (not sharded/replicated)
-* nameserver - Installs a BIND dns server configured with a TSIG key for updates.
+* broker        - Installs the broker and console.
+* node          - Installs the node and cartridges.
+* msgserver     - Installs ActiveMQ message broker.
+* datastore     - Installs MongoDB (not sharded/replicated)
+* nameserver    - Installs a BIND dns server configured with a TSIG key for updates.
+* load_balancer - Installs HAProxy and Keepalived for Broker API high-availability.
 
 Default: ['broker','node','msgserver','datastore','nameserver']
 
@@ -233,6 +234,40 @@ for the nameserver IP if none is given.
 
 Default: the current IP (at install)
 
+==== broker_cluster_members
+An array of broker hostnames that will be load-balanced for high-availability.
+
+Default: undef
+
+==== broker_cluster_ip_addresses
+An array of Broker IP addresses within the load-balanced cluster.
+
+Default: undef
+
+==== broker_virtual_ip_address
+The virtual IP address that will front-end the Broker cluster.
+
+Default: undef
+
+==== broker_virtual_hostname
+The hostame that represents the Broker API cluster.  This name is associated
+to broker_virtual_ip_address and added to Named for DNS resolution.
+
+Default: "broker.${domain}"
+
+==== load_balancer_master
+Sets the state of the load-balancer.  Valid options are true or false.
+true sets the load-balancer as the active listener for the Broker cluster
+Virtual IP address. Only 1 load_balancer_master is allowed within a Broker cluster.
+
+Default: false
+
+==== load_balancer_auth_password
+The password used to secure communication between the load-balancers
+within a Broker cluster.
+
+Default: 'changeme'
+
 ==== node_ip_addr
 This is used for the node to give a public IP, if different from the
 one on its NIC.
diff --git a/configure_origin.pp.broker_ha_example b/configure_origin.pp.broker_ha_example
@@ -0,0 +1,39 @@
+class { 'openshift_origin' :
+  # Components to install on this host:
+  roles			        => ['broker','nameserver','msgserver','datastore','load_balancer'],
+
+  # Broker API Load-Balancer Configuration
+  broker_cluster_members        => [<BROKER1_HOSTNAME>,<BROKER2_HOSTNAME>,<BROKER3_HOSTNAME>],
+  broker_cluster_ip_addresses   => [<BROKER1_IP_ADDR>, <BROKER2_IP_ADDR>, <BROKER3_IP_ADDR>], # Array of Broker Servers
+  broker_virtual_ip_address     => '<BROKER_VIRTUAL_IP>',
+  load_balancer_master          => true, # Only 1 master in a cluster
+  
+  # BIND / nameserver config
+  # This is the key for updating the OpenShift BIND server
+  bind_key                      => '<DNSSEC_BIND_KEY>',
+  # The domain under which applications should be created.
+  domain                        => 'example.com',
+  # Apps would be nameserver <app>-<namespace>.example.com
+  # This also creates hostnames for local components under our domain
+  register_host_with_nameserver => true,
+  # Forward requests for other domains (to Google by default)
+  conf_nameserver_upstream_dns  => ['<UPSTREAM_DNS_IP>'],
+
+  # NTP Servers for OpenShift hosts to sync time
+  ntp_servers                   => ['<NTP_SERVER_FQDN> iburst'],
+
+  # The FQDNs of the OpenShift component hosts
+  broker_hostname               => '<BROKER_HOSTNAME>.example.com',
+  nameserver_hostname           => '<BROKER_HOSTNAME>.example.com',
+  datastore_hostname            => '<BROKER_HOSTNAME>.example.com',
+  msgserver_hostname            => '<BROKER_HOSTNAME>.example.com',
+
+  # Auth OpenShift users created with htpasswd tool in /etc/openshift/htpasswd
+  broker_auth_plugin            => 'htpasswd',
+  # Username and password for initial openshift user
+  openshift_user1               => 'openshift',
+  openshift_password1           => 'password',
+
+  #Enable development mode for more verbose logs
+  development_mode              => true,
+}
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -21,13 +21,16 @@
 # === Parameters
 # [*roles*]
 #   Choose from the following roles to be configured on this node.
-#     * broker     - Installs the broker and console.
-#     * node       - Installs the node and cartridges.
-#     * msgserver  - Installs ActiveMQ message broker.
-#     * datastore  - Installs MongoDB (not sharded/replicated)
-#     * nameserver - Installs a BIND dns server configured with a TSIG key for updates.
+#     * broker        - Installs the broker and console.
+#     * node          - Installs the node and cartridges.
+#     * msgserver     - Installs ActiveMQ message broker.
+#     * datastore     - Installs MongoDB (not sharded/replicated)
+#     * nameserver    - Installs a BIND dns server configured with a TSIG key for updates.
+#     * load_balancer - Installs HAProxy and Keepalived for Broker API high-availability.
 #   Default: ['broker','node','msgserver','datastore','nameserver']
 #
+#   Note: Multiple servers are required when using the load_balancer role.
+# 
 # [*install_method*]
 #   Choose from the following ways to provide packages:
 #     none - install sources are already set up when the script executes (default)
@@ -150,6 +153,34 @@
 #   This is used for the node to record its broker. Also is the default
 #   for the nameserver IP if none is given.
 #
+# [*broker_cluster_members*]
+#   Default: undef
+#   An array of broker hostnames that will be load-balanced for high-availability.
+#
+# [*broker_cluster_ip_addresses*]
+#   Default: undef
+#   An array of Broker IP addresses within the load-balanced cluster.
+#
+# [*broker_virtual_ip_address*]
+#   Default: undef
+#   The virtual IP address that will front-end the Broker cluster.
+#
+# [*broker_virtual_hostname*]
+#   Default: "broker.${domain}"
+#   The hostame that represents the Broker API cluster.  This name is associated
+#   to broker_virtual_ip_address and added to Named for DNS resolution.
+#
+# [*load_balancer_master*]
+#   Default: false
+#   Sets the state of the load-balancer.  Valid options are true or false.
+#   true sets load_balancer_master as the active listener for the Broker Cluster
+#   Virtual IP address.
+#
+# [*load_balancer_auth_password*]
+#   Default: 'changeme'
+#   The password used to secure communication between the load-balancers
+#   within a Broker cluster.
+# 
 # [*node_ip_addr*]
 #   Default: the current IP (at install)
 #   This is used for the node to give a public IP, if different from the
@@ -497,6 +528,12 @@
   $aws_secret_key                       = '',
   $aws_zone_id                          = '',
   $broker_ip_addr                       = $ipaddress,
+  $broker_cluster_members               = undef,
+  $broker_cluster_ip_addresses          = undef,
+  $broker_virtual_ip_address            = undef,
+  $broker_virtual_hostname              = "broker.${domain}",
+  $load_balancer_master                 = false,
+  $load_balancer_auth_password          = 'changeme',
   $node_ip_addr                         = $ipaddress,
   $configure_ntp                        = true,
   $ntp_servers                          = ['time.apple.com iburst', 'pool.ntp.org iburst', 'clock.redhat.com iburst'],
@@ -563,6 +600,9 @@
     if member( $roles, 'datastore' ) {
       Class['openshift_origin::role::nameserver'] -> Class['openshift_origin::role::datastore']
     }
+    if member( $roles, 'load_balancer' ) {
+      Class['openshift_origin::role::nameserver'] -> Class['openshift_origin::role::load_balancer']
+    }
   }
 
   # Anchors for containing the implementation class
@@ -594,6 +634,11 @@
       require => Class['openshift_origin::update_conf_files']
     }
   }
+  if member( $roles, 'load_balancer' ) {
+    class{ 'openshift_origin::role::load_balancer':
+      require => Class['openshift_origin::update_conf_files']
+    }
+  }
 
   class{ 'openshift_origin::update_conf_files': }
 
diff --git a/manifests/load_balancer.pp b/manifests/load_balancer.pp
@@ -0,0 +1,122 @@
+# Introduction
+# Class used to load-balance brokers in a
+# high-availability OpenShift deployment.
+#
+# Module Dependencies
+#  duritong/sysctl
+#  arioch/keepalived
+#  puppetlabs/haproxy
+#
+# Example Usage
+# class { 'openshift_origin' :
+#   broker_cluster_members      => ['broker01.example.com','broker02.example.com','broker03.example.com'],
+#   broker_cluster_ip_addresses => ['10.10.10.11','10.10.10.12','10.10.10.13'],
+#   broker_virtual_ip_address   => '10.10.10.10',
+#   broker_virtual_hostname     => 'broker.example.com',
+#   load_balancer_master        => true,
+# }
+#
+class openshift_origin::load_balancer(
+  $enable               = true,
+  $manage_service       = true,
+  $state_master         = $::openshift_origin::load_balancer_master,
+  $virtual_ipaddress    = $::openshift_origin::broker_virtual_ip_address,
+  $server_names         = $::openshift_origin::broker_cluster_members,
+  $ipaddresses          = $::openshift_origin::broker_cluster_ip_addresses,
+  $interface            = $::openshift_origin::conf_node_external_eth_dev,
+  $http_port            = '80',
+  $ssl_port             = '443',
+  $virtual_router_id    = '50',
+  $auth_pass            = $::openshift_origin::load_balancer_auth_password,
+
+) {
+
+  include keepalived
+
+  if 'broker' and 'load_balancer' in $::openshift_origin::roles {
+    Class[openshift_origin::plugins::frontend::apache] -> Class['haproxy']
+  }
+
+  if ($state_master == true) {
+    $priority = '101'
+  } else {
+    $priority = '100'
+  }
+
+  # Required by sysctl module
+  Exec { path => '/usr/bin:/usr/sbin:/bin:/sbin' }
+
+  sysctl::value { 'net.ipv4.ip_nonlocal_bind': 
+    value => '1',
+  }
+
+  keepalived::vrrp::instance { $virtual_router_id:
+    interface         => $interface,
+    priority          => $priority,
+    state             => $state_master,
+    virtual_ipaddress => [$virtual_ipaddress],
+    virtual_router_id => $virtual_router_id,
+    auth_type         => 'PASS',
+    auth_pass         => $auth_pass,
+    track_script      => ['haproxy'],
+  }
+
+  keepalived::vrrp::script { 'haproxy':
+    script => '/usr/bin/killall -0 haproxy',
+  }
+
+  class { 'haproxy':
+    manage_service   => $manage_service,
+    enable           => $enable,
+    defaults_options => {
+                         'log'     => 'global',
+                         'option'  => 'redispatch',
+                         'retries' => '3',
+                         'timeout' => [
+                                       'http-request 10s',
+                                       'queue 1m',
+                                       'connect 10s',
+                                       'client 1m',
+                                       'server 1m',
+                                       'check 10s',
+                                      ],
+                         'maxconn' => '8000',
+                        }
+  }
+
+  haproxy::listen { 'broker_http_cluster':
+    ipaddress => $virtual_ipaddress,
+    ports     => $http_port,
+    options   => {
+                  'option'  => ['tcpka', 'tcplog'],
+                  'mode'    => 'tcp',
+                  'balance' => 'source',
+                 },
+  }
+
+  haproxy::balancermember { 'http_brokers':
+    listening_service => 'broker_http_cluster',
+    server_names      => $server_names,
+    ipaddresses       => $ipaddresses,
+    ports             => $http_port,
+    options           => 'check inter 2000 rise 2 fall 5',
+  }
+
+  haproxy::listen { 'broker_ssl_cluster':
+    ipaddress => $virtual_ipaddress,
+    ports     => $ssl_port,
+    options   => {
+                  'option'  => ['tcpka', 'tcplog'],
+                  'mode'    => 'tcp',
+                  'balance' => 'source',
+                 },
+  }
+
+  haproxy::balancermember { 'ssl_brokers':
+    listening_service => 'broker_ssl_cluster',
+    server_names      => $server_names,
+    ipaddresses       => $ipaddresses,
+    ports             => $ssl_port,
+    options           => 'check inter 2000 rise 2 fall 5',
+  }
+}
diff --git a/manifests/plugins/frontend/apache.pp b/manifests/plugins/frontend/apache.pp
@@ -27,6 +27,23 @@
     $servername_conf_template = 'openshift_origin/plugins/frontend/apache/node_servername.conf.erb'
   }
 
+  if 'broker' and 'load_balancer' in $::openshift_origin::roles {
+    exec { 'httpd_conf':
+      path    => ['/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/'],
+      command => "sed -ri \'s/Listen 80/Listen ${openshift_origin::broker_ip_addr}:80/\' /etc/httpd/conf/httpd.conf",
+      unless  => "grep \"Listen ${openshift_origin::broker_ip_addr}:80\" /etc/httpd/conf/httpd.conf",
+      require => Package['httpd'],
+      notify  => Service['httpd'],
+    }
+    exec { 'ssl_conf':
+      path    => ['/bin/', '/sbin/', '/usr/bin/', '/usr/sbin/'],
+      command => "sed -ri \'s/Listen 443/Listen ${openshift_origin::broker_ip_addr}:443/\' /etc/httpd/conf.d/ssl.conf",
+      unless  => "grep \"Listen ${openshift_origin::broker_ip_addr}:443\" /etc/httpd/conf.d/ssl.conf",
+      require => Package['httpd'],
+      notify  => Service['httpd'],
+    }
+  }
+
   service { 'httpd':
     ensure     => true,
     enable     => true,
diff --git a/manifests/role/load_balancer.pp b/manifests/role/load_balancer.pp
@@ -0,0 +1,8 @@
+class openshift_origin::role::load_balancer inherits openshift_origin::role {
+  include openshift_origin::load_balancer
+
+  openshift_origin::register_dns{ 'register virtual broker dns':
+    fqdn    => $::openshift_origin::broker_virtual_hostname,
+    require => Class['openshift_origin::load_balancer'],
+  }
+}
diff --git a/templates/register_dns.erb b/templates/register_dns.erb
@@ -4,3 +4,11 @@
   echo update add <%= scope.lookupvar('fqdn') %> 180 A <%= scope.lookupvar('::openshift_origin::node_ip_addr') %>
   echo send
 ) | nsupdate -y <%= scope.lookupvar('::openshift_origin::domain') %>:<%= scope.lookupvar('::openshift_origin::bind_key') %>
+<% if scope.lookupvar('::openshift_origin::load_balancer_master') and scope.lookupvar('::openshift_origin::broker_virtual_ip_address')%>
+(
+  echo server <%= scope.lookupvar('::openshift_origin::nameserver_ip_addr') %>
+  echo update delete <%= scope.lookupvar('::openshift_origin::broker_virtual_hostname') %> A
+  echo update add <%= scope.lookupvar('::openshift_origin::broker_virtual_hostname') %> 180 A <%= scope.lookupvar('::openshift_origin::broker_virtual_ip_address') %>
+  echo send
+) | nsupdate -y <%= scope.lookupvar('::openshift_origin::domain') %>:<%= scope.lookupvar('::openshift_origin::bind_key') %>
+<% end-%>
