Merge pull request #2239 from guangyee/SOC-10551

Use source load balancing for OpenID Connect (SOC-10551)
crowbar · Sep 17, 2019 · 940794f · 940794f
2 parents b4ebc08 + 5b06f3d
commit 940794f
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/chef/cookbooks/keystone/recipes/ha.rb b/chef/cookbooks/keystone/recipes/ha.rb
@@ -15,10 +15,24 @@
 
 include_recipe "crowbar-pacemaker::haproxy"
 
+# NOTE(gyee): for features such as OpenID Connect and SAML-based federation,
+# where client interaction with Keystone is stateful and the state information
+# is persisted in the Keystone instance's local cache, we must use source
+# load balancing so that the client is talking to the same Keystone instance
+# for the duration of the session. By default, the balancing algorithm is an
+# empty string.
+balancing_algorithm =
+  if node[:keystone][:federation][:openidc][:enabled]
+    "source"
+  else
+    ""
+  end
+
 haproxy_loadbalancer "keystone-service" do
   address node[:keystone][:api][:api_host]
   port node[:keystone][:api][:service_port]
   use_ssl (node[:keystone][:api][:protocol] == "https")
+  balance balancing_algorithm
   servers CrowbarPacemakerHelper.haproxy_servers_for_service(node, "keystone", "keystone-server", "service_port")
   action :nothing
 end.run_action(:create)