From 5b06f3db7444fdbd249f8f13b2539e8e384400d1 Mon Sep 17 00:00:00 2001
From: Guang Yee
Date: Thu, 12 Sep 2019 11:26:28 -0700
Subject: [PATCH] Use source load balancing for OpenID Connect (SOC-10551)

For features such as OpenID Connect and SAML-based federation, where client interaction with Keystone is stateful and the state information is persisted in the Keystone instance's local cache, we must use source load balancing so that the client is talking to the same Keystone instance for the duration of the session.
---
 chef/cookbooks/keystone/recipes/ha.rb | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/chef/cookbooks/keystone/recipes/ha.rb b/chef/cookbooks/keystone/recipes/ha.rb
index e7666e9c81..ab0e6b0c33 100644
--- a/chef/cookbooks/keystone/recipes/ha.rb
+++ b/chef/cookbooks/keystone/recipes/ha.rb
@@ -15,10 +15,24 @@ include_recipe "crowbar-pacemaker::haproxy"
+# NOTE(gyee): for features such as OpenID Connect and SAML-based federation,
+# where client interaction with Keystone is stateful and the state information
+# is persisted in the Keystone instance's local cache, we must use source
+# load balancing so that the client is talking to the same Keystone instance
+# for the duration of the session. By default, the balancing algorithm is an
+# empty string.
+balancing_algorithm =
+ if node[:keystone][:federation][:openidc][:enabled]
+ "source"
+ else
+ ""
+ end
+
 haproxy_loadbalancer "keystone-service" do
 address node[:keystone][:api][:api_host]
 port node[:keystone][:api][:service_port]
 use_ssl (node[:keystone][:api][:protocol] == "https")
+ balance balancing_algorithm
 servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "keystone", "keystone-server", "service_port")
 action :nothing
 end.run_action(:create)
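Review bot: The selector feeding `balancing_algorithm =` only consults `node[:keystone][:federation][:openidc][:enabled]`, while the NOTE above it (and the commit message) says stickiness is needed for "OpenID Connect and SAML-based federation"; if this cookbook carries a separate SAML enable attribute, a SAML-only deployment keeps the default algorithm and its locally cached state is lost whenever the client lands on another Keystone. Either OR the SAML flag into the condition, e.g. `if node[:keystone][:federation][:openidc][:enabled] || node[:keystone][:federation][:saml][:enabled]` (attribute name to be confirmed against the cookbook's attributes file), or narrow the comment to OpenID Connect so it does not promise coverage the code does not give. `balance source` hashes on the TCP peer address, so if a TLS terminator, reverse proxy or NAT sits in front of this HAProxy every client hashes to a single Keystone and the other instances see no federation traffic at all — that caveat belongs in the NOTE, e.g. `# source affinity keys on the TCP peer address; a proxy/NAT in front of haproxy collapses all clients onto one backend`. With HAProxy's default map-based hashing, any backend leaving or rejoining the pool reshuffles all clients and invalidates in-flight OIDC state, so if the `haproxy_loadbalancer` resource exposes it, pair `source` with `hash-type consistent`. The `""` on the `else` branch presumably relies on the resource omitting the `balance` directive for an empty string rather than emitting a bare `balance` into the config — confirm against the provider.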