diff --git a/ci/environments/multinode-3nodes-registry.yaml b/ci/environments/multinode-3nodes-registry.yaml index 751e01eca5..c5f5c6f1f3 100644 --- a/ci/environments/multinode-3nodes-registry.yaml +++ b/ci/environments/multinode-3nodes-registry.yaml @@ -4,7 +4,7 @@ resource_registry: OS::TripleO::Services::Core: multinode-core.yaml OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml - OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml + OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml diff --git a/ci/environments/scenario000-multinode-containers.yaml b/ci/environments/scenario000-multinode-containers.yaml index cf5812152b..93d4f25774 100644 --- a/ci/environments/scenario000-multinode-containers.yaml +++ b/ci/environments/scenario000-multinode-containers.yaml @@ -7,7 +7,7 @@ resource_registry: OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml - OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml + OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml 
diff --git a/ci/environments/scenario001-multinode-containers.yaml b/ci/environments/scenario001-multinode-containers.yaml
index c8426fd1e8..b9ac04c279 100644
--- a/ci/environments/scenario001-multinode-containers.yaml
+++ b/ci/environments/scenario001-multinode-containers.yaml
@@ -10,7 +10,7 @@ resource_registry:
 OS::TripleO::Services::MetricsQdr: ../../docker/services/metrics/qdr.yaml
 OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/ci/environments/scenario001-standalone.yaml b/ci/environments/scenario001-standalone.yaml
index a61605b545..0cf034ca2c 100644
--- a/ci/environments/scenario001-standalone.yaml
+++ b/ci/environments/scenario001-standalone.yaml
@@ -22,7 +22,7 @@ resource_registry:
 OS::TripleO::Services::MetricsQdr: ../../docker/services/metrics/qdr.yaml
 OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/ci/environments/scenario002-multinode-containers.yaml b/ci/environments/scenario002-multinode-containers.yaml
index 2d7cce88af..ca42c4b569 100644
--- a/ci/environments/scenario002-multinode-containers.yaml
+++ b/ci/environments/scenario002-multinode-containers.yaml
@@ -8,7 +8,7 @@ resource_registry:
 OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
 OS::TripleO::Services::Redis: ../../docker/services/pacemaker/database/redis.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/ci/environments/scenario002-standalone.yaml b/ci/environments/scenario002-standalone.yaml
index 347ac3661d..cea5463538 100644
--- a/ci/environments/scenario002-standalone.yaml
+++ b/ci/environments/scenario002-standalone.yaml
@@ -20,7 +20,7 @@ resource_registry:
 OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
 OS::TripleO::Services::Redis: ../../docker/services/pacemaker/database/redis.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/ci/environments/scenario003-multinode-containers.yaml b/ci/environments/scenario003-multinode-containers.yaml
index 4bc41e1c3c..211da2f804 100644
--- a/ci/environments/scenario003-multinode-containers.yaml
+++ b/ci/environments/scenario003-multinode-containers.yaml
@@ -9,7 +9,7 @@ resource_registry:
 OS::TripleO::Services::MistralEventEngine: ../../docker/services/mistral-event-engine.yaml
 OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/messaging/rpc-qdrouterd.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/pacemaker/notify-rabbitmq.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/ci/environments/scenario003-standalone.yaml b/ci/environments/scenario003-standalone.yaml
index 30ae5b6522..32accc7413 100644
--- a/ci/environments/scenario003-standalone.yaml
+++ b/ci/environments/scenario003-standalone.yaml
@@ -14,7 +14,7 @@ resource_registry:
 OS::TripleO::Services::MistralEventEngine: ../../docker/services/mistral-event-engine.yaml
 OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/messaging/rpc-qdrouterd.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/pacemaker/notify-rabbitmq.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/ci/environments/scenario004-multinode-containers.yaml b/ci/environments/scenario004-multinode-containers.yaml
index fead63ab53..92fff64f3f 100644
--- a/ci/environments/scenario004-multinode-containers.yaml
+++ b/ci/environments/scenario004-multinode-containers.yaml
@@ -23,7 +23,7 @@ resource_registry:
 # These enable Pacemaker
 OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/ci/environments/scenario004-standalone.yaml b/ci/environments/scenario004-standalone.yaml
index 7100f40782..26745ebde4 100644
--- a/ci/environments/scenario004-standalone.yaml
+++ b/ci/environments/scenario004-standalone.yaml
@@ -19,7 +19,7 @@ resource_registry:
 OS::TripleO::Services::ManilaBackendCephFs: ../../puppet/services/manila-backend-cephfs.yaml
 OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/ci/environments/scenario010-multinode-containers.yaml b/ci/environments/scenario010-multinode-containers.yaml
index 8256031526..0c49ddf599 100644
--- a/ci/environments/scenario010-multinode-containers.yaml
+++ b/ci/environments/scenario010-multinode-containers.yaml
@@ -5,7 +5,7 @@ resource_registry:
 OS::TripleO::Services::CephMon: ../../docker/services/ceph-ansible/ceph-mon.yaml
 OS::TripleO::Services::CephOSD: ../../docker/services/ceph-ansible/ceph-osd.yaml
 OS::TripleO::Services::CephClient: ../../docker/services/ceph-ansible/ceph-client.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/ci/environments/scenario012-multinode-containers.yaml b/ci/environments/scenario012-multinode-containers.yaml
index 09ebf06d4c..d635e36431 100644
--- a/ci/environments/scenario012-multinode-containers.yaml
+++ b/ci/environments/scenario012-multinode-containers.yaml
@@ -8,7 +8,7 @@ resource_registry:
 # These enable Pacemaker
 OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
- OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
 OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
 OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml
diff --git a/docker/services/haproxy.yaml b/deployment/haproxy/haproxy-container-puppet.yaml similarity index 79% rename from docker/services/haproxy.yaml rename to deployment/haproxy/haproxy-container-puppet.yaml index a05399f51f..702fe618ed 100644 --- a/docker/services/haproxy.yaml +++ b/deployment/haproxy/haproxy-container-puppet.yaml @@ -95,6 +95,19 @@ parameters: default: false description: Remove package if the service is being disabled during upgrade type: boolean + EnableLoadBalancer: + default: true + description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used. + type: boolean + HAProxyStatsEnabled: + default: true + description: Whether or not to enable the HAProxy stats interface. + type: boolean + InternalTLSCRLPEMFile: + default: '/etc/pki/CA/crl/overcloud-crl.pem' + type: string + description: Specifies the default CRL PEM file to use for revocation if + TLS is used for services in the internal network. conditions: puppet_debug_enabled: {get_param: ConfigDebug} 
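Review bot: The parameters added here are only part of what the new `config_settings` block in this file reads: `HAProxyStatsPassword`, `RedisPassword`, `HAProxyStatsUser`, `InternalTLSCAFile` and `DeployedSSLCertificatePath` are referenced there but declared in no visible hunk, so they presumably already exist elsewhere in this template. The deleted puppet/services/haproxy.yaml declared `HAProxyStatsPassword` and `RedisPassword` with `hidden: true`; confirm the declarations in this file carry the same flag, since the values now reach hiera from here. The `parameters` block starts and ends outside the hunk.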
@@ -114,43 +127,75 @@ conditions: resources: ContainersCommon: - type: ./containers-common.yaml - - HAProxyBase: - type: ../../puppet/services/haproxy.yaml - properties: - EndpointMap: {get_param: EndpointMap} - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - HAProxySyslogAddress: {get_param: HAProxySyslogAddress} - HAProxySyslogFacility: {get_param: HAProxySyslogFacility} + type: ../../docker/services/containers-common.yaml HAProxyLogging: type: OS::TripleO::Services::Logging::HAProxy + HAProxyPublicTLS: + type: OS::TripleO::Services::HAProxyPublicTLS + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + + HAProxyInternalTLS: + type: OS::TripleO::Services::HAProxyInternalTLS + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + RoleName: {get_param: RoleName} + RoleParameters: {get_param: RoleParameters} + outputs: role_data: description: Role data for the HAproxy role. 
value: - service_name: {get_attr: [HAProxyBase, role_data, service_name]} + service_name: haproxy + monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: map_merge: - - get_attr: [HAProxyBase, role_data, config_settings] - get_attr: [HAProxyLogging, config_settings] - tripleo::haproxy::haproxy_service_manage: false # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy # when this is updated tripleo::haproxy::crl_file: null - service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]} + - tripleo::haproxy::firewall_rules: + '107 haproxy stats': + dport: 1993 + tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} + tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility} + tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} + tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} + tripleo::haproxy::redis_password: {get_param: RedisPassword} + tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile} + tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled} + enable_load_balancer: {get_param: EnableLoadBalancer} + tripleo::profile::base::haproxy::certificates_specs: + map_merge: + - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] + - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] + - if: + - public_tls_enabled + - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath} + - {} + - if: + - internal_tls_enabled + - tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile} + - null + - get_attr: [HAProxyPublicTLS, role_data, config_settings] + - get_attr: [HAProxyInternalTLS, role_data, config_settings] # BEGIN DOCKER SETTINGS puppet_config: config_volume: haproxy puppet_tags: haproxy_config - step_config: - "class {'::tripleo::profile::base::haproxy': manage_firewall => false}" + step_config: | + class {'::tripleo::profile::base::haproxy': 
manage_firewall => false} config_image: {get_param: DockerHAProxyConfigImage} volumes: list_concat: @@ -254,7 +299,7 @@ outputs: fi exit $rc vars: - puppet_execute: {get_attr: [HAProxyBase, role_data, step_config]} + puppet_execute: include ::tripleo::profile::base::haproxy puppet_tags: 'tripleo::firewall::rule' puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules' puppet_debug: @@ -286,7 +331,7 @@ outputs: containers_to_rm: - haproxy host_prep_tasks: - - {get_attr: [HAProxyBase, role_data, host_prep_tasks]} + - {get_attr: [HAProxyPublicTLS, role_data, host_prep_tasks]} - name: Check if rsyslog exists shell: systemctl is-active rsyslog register: rsyslog_config @@ -324,4 +369,6 @@ outputs: /var/log/containers/haproxy. ignore_errors: true metadata_settings: - get_attr: [HAProxyBase, role_data, metadata_settings] + list_concat: + - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} + - {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]} diff --git a/puppet/services/haproxy-internal-tls-certmonger.j2.yaml b/deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml similarity index 100% rename from puppet/services/haproxy-internal-tls-certmonger.j2.yaml rename to deployment/haproxy/haproxy-internal-tls-certmonger.j2.yaml diff --git a/docker/services/pacemaker/haproxy.yaml b/deployment/haproxy/haproxy-pacemaker-puppet.yaml similarity index 96% rename from docker/services/pacemaker/haproxy.yaml rename to deployment/haproxy/haproxy-pacemaker-puppet.yaml index f7d9ea926c..47b7a7c951 100644 --- a/docker/services/pacemaker/haproxy.yaml +++ b/deployment/haproxy/haproxy-pacemaker-puppet.yaml 
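Review bot: In the `-114,43 +127,75` hunk, the `map_merge` under `config_settings` now lists the map with `tripleo::haproxy::crl_file: null` before the inlined map that sets `tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}`, and Heat's `map_merge` gives later maps precedence, so the CRL that the NOTE says is deliberately disabled ends up configured again. Before this change the HAProxyBase settings were merged first and the overrides last; the same reordering also lets the inlined `haproxy_log_address` and `haproxy_log_facility` win over any keys of the same name supplied by `HAProxyLogging`. To keep the old result, move `- get_attr: [HAProxyLogging, config_settings]` and the `haproxy_service_manage`/`crl_file: null` map to the end of the list, or drop the `crl_file` get_param line from the inlined map. The pacemaker template in this commit consumes these settings through `get_attr: [HAProxyBase, role_data, config_settings]`, so it inherits whichever value wins.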
@@ -123,28 +123,31 @@ conditions: resources: ContainersCommon: - type: ../containers-common.yaml + type: ../../docker/services/containers-common.yaml HAProxyBase: - type: ../../../puppet/services/pacemaker/haproxy.yaml + type: ./haproxy-container-puppet.yaml properties: - EndpointMap: {get_param: EndpointMap} ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} - HAProxySyslogAddress: {get_param: HAProxySyslogAddress} - HAProxySyslogFacility: {get_param: HAProxySyslogFacility} outputs: role_data: description: Role data for the HAproxy role. value: - service_name: {get_attr: [HAProxyBase, role_data, service_name]} + service_name: haproxy + monitoring_subscription: {get_attr: [HAProxyBase, role_data, monitoring_subscription]} config_settings: map_merge: - get_attr: [HAProxyBase, role_data, config_settings] + - tripleo::haproxy::haproxy_service_manage: false + tripleo::haproxy::mysql_clustercheck: true + tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} + tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility} - haproxy_docker: true tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage} tripleo::profile::pacemaker::haproxy_bundle::container_backend: {get_param: ContainerCli} @@ -174,7 +177,6 @@ outputs: data: {get_param: DockerHAProxyImage} expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0] - 'pcmklatest' - service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS puppet_config: config_volume: haproxy 
@@ -333,7 +335,7 @@ outputs: /var/log/containers/haproxy. ignore_errors: true metadata_settings: - get_attr: [HAProxyBase, role_data, metadata_settings] + {get_attr: [HAProxyBase, role_data, metadata_settings]} deploy_steps_tasks: - name: HAproxy tag container image for pacemaker when: step|int == 1 @@ -357,7 +359,7 @@ outputs: fi exit $rc vars: - puppet_execute: {get_attr: [HAProxyBase, role_data, step_config]} + puppet_execute: include ::tripleo::profile::pacemaker::haproxy puppet_tags: 'tripleo::firewall::rule' puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules' puppet_debug: @@ -485,7 +487,7 @@ outputs: block: - name: Check cluster resource status pacemaker_resource: - resource: {get_attr: [HAProxyBase, role_data, service_name]} + resource: haproxy state: started check_mode: true ignore_errors: true @@ -494,7 +496,7 @@ outputs: block: - name: Disable the haproxy cluster resource. pacemaker_resource: - resource: {get_attr: [HAProxyBase, role_data, service_name]} + resource: haproxy state: disable wait_for_resource: true register: output @@ -502,7 +504,7 @@ outputs: until: output.rc == 0 - name: Delete the stopped haproxy cluster resource. pacemaker_resource: - resource: {get_attr: [HAProxyBase, role_data, service_name]} + resource: haproxy state: delete wait_for_resource: true register: output diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/deployment/haproxy/haproxy-public-tls-certmonger.yaml similarity index 100% rename from puppet/services/haproxy-public-tls-certmonger.yaml rename to deployment/haproxy/haproxy-public-tls-certmonger.yaml diff --git a/puppet/services/haproxy-public-tls-inject.yaml b/deployment/haproxy/haproxy-public-tls-inject.yaml similarity index 100% rename from puppet/services/haproxy-public-tls-inject.yaml rename to deployment/haproxy/haproxy-public-tls-inject.yaml 
diff --git a/environments/baremetal-services.yaml b/environments/baremetal-services.yaml
index a5eb6ab40a..2ca0a20836 100644
--- a/environments/baremetal-services.yaml
+++ b/environments/baremetal-services.yaml
@@ -20,10 +20,10 @@ resource_registry:
 OS::TripleO::Services::GnocchiApi: ../puppet/services/gnocchi-api.yaml
 OS::TripleO::Services::GnocchiMetricd: ../puppet/services/gnocchi-metricd.yaml
 OS::TripleO::Services::GnocchiStatsd: ../puppet/services/gnocchi-statsd.yaml
- OS::TripleO::Services::HAproxy: ../puppet/services/haproxy.yaml
 OS::TripleO::Services::HeatApi: ../deployment/heat/heat-api-container-puppet.yaml
 OS::TripleO::Services::HeatApiCfn: ../deployment/heat/heat-api-cfn-container-puppet.yaml
 OS::TripleO::Services::HeatEngine: ../deployment/heat/heat-engine-container-puppet.yaml
+ OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-container-puppet.yaml
 OS::TripleO::Services::Horizon: ../puppet/services/horizon.yaml
 OS::TripleO::Services::Iscsid: ../puppet/services/iscsid.yaml
 OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container-puppet.yaml
diff --git a/environments/docker-ha.yaml b/environments/docker-ha.yaml
index 95096971ea..c1a4a23d5b 100644
--- a/environments/docker-ha.yaml
+++ b/environments/docker-ha.yaml
@@ -16,7 +16,7 @@ resource_registry:
 # HA Containers managed by pacemaker
 OS::TripleO::Services::CinderVolume: ../deployment/cinder/cinder-volume-pacemaker-puppet.yaml
 OS::TripleO::Services::Clustercheck: ../docker/services/pacemaker/clustercheck.yaml
- OS::TripleO::Services::HAproxy: ../docker/services/pacemaker/haproxy.yaml
+ OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-pacemaker-puppet.yaml
 OS::TripleO::Services::MySQL: ../docker/services/pacemaker/database/mysql.yaml
 OS::TripleO::Services::OsloMessagingRpc: ../docker/services/pacemaker/rpc-rabbitmq.yaml
 OS::TripleO::Services::OsloMessagingNotify: ../docker/services/messaging/notify-rabbitmq-shared.yaml
diff --git a/environments/nonha-arch.yaml b/environments/nonha-arch.yaml index c10f2ea067..1568274eb8 100644 --- a/environments/nonha-arch.yaml +++ b/environments/nonha-arch.yaml @@ -3,7 +3,7 @@ resource_registry: OS::TripleO::Services::CinderVolume: ../deployment/cinder/cinder-volume-container-puppet.yaml OS::TripleO::Services::RabbitMQ: ../docker/services/rabbitmq.yaml - OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml + OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-container-puppet.yaml OS::TripleO::Services::Redis: ../docker/services/database/redis.yaml OS::TripleO::Services::MySQL: ../docker/services/database/mysql.yaml OS::TripleO::Services::Keepalived: ../docker/services/keepalived.yaml diff --git a/environments/openshift.yaml b/environments/openshift.yaml index c654ecce85..b4b509b63f 100644 --- a/environments/openshift.yaml +++ b/environments/openshift.yaml @@ -1,6 +1,6 @@ resource_registry: OS::TripleO::Services::Docker: ../deployment/docker/docker-baremetal-ansible.yaml - OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml + OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-container-puppet.yaml OS::TripleO::Services::Keepalived: ../deployment/keepalived/keepalived-container-puppet.yaml OS::TripleO::Services::OpenShift::Infra: ../extraconfig/services/openshift-infra.yaml OS::TripleO::Services::OpenShift::Master: ../extraconfig/services/openshift-master.yaml diff --git a/environments/public-tls-undercloud.yaml b/environments/public-tls-undercloud.yaml index cb8c174734..1851b79543 100644 --- a/environments/public-tls-undercloud.yaml +++ b/environments/public-tls-undercloud.yaml @@ -3,4 +3,4 @@ parameter_defaults: PublicSSLCertificateAutogenerated: true resource_registry: - OS::TripleO::Services::HAProxyPublicTLS: ../puppet/services/haproxy-public-tls-certmonger.yaml + OS::TripleO::Services::HAProxyPublicTLS: ../deployment/haproxy/haproxy-public-tls-certmonger.yaml 
diff --git a/environments/services-baremetal/undercloud-haproxy.yaml b/environments/services-baremetal/undercloud-haproxy.yaml index 84d447a766..407aa66a50 100644 --- a/environments/services-baremetal/undercloud-haproxy.yaml +++ b/environments/services-baremetal/undercloud-haproxy.yaml @@ -1,2 +1,2 @@ resource_registry: - OS::TripleO::Services::UndercloudHAProxy: ../../puppet/services/haproxy.yaml + OS::TripleO::Services::UndercloudHAProxy: ../../deployment/haproxy/haproxy-container-puppet.yaml diff --git a/environments/services/haproxy-public-tls-certmonger.yaml b/environments/services/haproxy-public-tls-certmonger.yaml index f87615e11c..53ce380b1c 100644 --- a/environments/services/haproxy-public-tls-certmonger.yaml +++ b/environments/services/haproxy-public-tls-certmonger.yaml @@ -1,7 +1,7 @@ # A Heat environment file which can be used to enable a # a TLS for HAProxy via certmonger resource_registry: - OS::TripleO::Services::HAProxyPublicTLS: ../../puppet/services/haproxy-public-tls-certmonger.yaml + OS::TripleO::Services::HAProxyPublicTLS: ../../deployment/haproxy/haproxy-public-tls-certmonger.yaml parameter_defaults: PublicSSLCertificateAutogenerated: true diff --git a/environments/services/undercloud-haproxy.yaml b/environments/services/undercloud-haproxy.yaml index a2cb5b7582..9eb72fc655 100644 --- a/environments/services/undercloud-haproxy.yaml +++ b/environments/services/undercloud-haproxy.yaml @@ -1,4 +1,4 @@ # DEPRECATED. This file will be removed in the Stein release as it is no longer # needed resource_registry: - OS::TripleO::Services::HAproxy: ../../docker/services/haproxy.yaml + OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-container-puppet.yaml diff --git a/environments/ssl/enable-internal-tls.yaml b/environments/ssl/enable-internal-tls.yaml index 6591be5190..df7dc00f41 100644 --- a/environments/ssl/enable-internal-tls.yaml +++ b/environments/ssl/enable-internal-tls.yaml 
@@ -36,5 +36,5 @@ parameter_defaults:
 resource_registry:
 OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
 OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml
- OS::TripleO::Services::HAProxyInternalTLS: ../../puppet/services/haproxy-internal-tls-certmonger.yaml
+ OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
 OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 51085105f6..b296cd14cb 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -176,8 +176,8 @@ resource_registry:
 OS::TripleO::Services::OsloMessagingNotify: docker/services/messaging/notify-rabbitmq-shared.yaml
 OS::TripleO::Services::RabbitMQ: OS::Heat::None
 OS::TripleO::Services::Qdr: OS::Heat::None
- OS::TripleO::Services::HAproxy: docker/services/haproxy.yaml
- OS::TripleO::Services::HAProxyPublicTLS: puppet/services/haproxy-public-tls-inject.yaml
+ OS::TripleO::Services::HAproxy: deployment/haproxy/haproxy-container-puppet.yaml
+ OS::TripleO::Services::HAProxyPublicTLS: deployment/haproxy/haproxy-public-tls-inject.yaml
 OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None
 OS::TripleO::Services::Iscsid: docker/services/iscsid.yaml
 OS::TripleO::Services::Keepalived: deployment/keepalived/keepalived-container-puppet.yaml
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
deleted file mode 100644
index caa41cd6c2..0000000000
--- a/puppet/services/haproxy.yaml
+++ /dev/null
@@ -1,175 +0,0 @@ -heat_template_version: rocky - -description: > - HAproxy service configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - EnableLoadBalancer: - default: true - description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used. - type: boolean - HAProxyStatsPassword: - description: Password for HAProxy stats endpoint - hidden: true - type: string - HAProxyStatsUser: - description: User for HAProxy stats endpoint - default: admin - type: string - HAProxySyslogAddress: - default: /dev/log - description: Syslog address where HAproxy will send its log - type: string - HAProxySyslogFacility: - default: local0 - description: Syslog facility HAProxy will use for its logs - type: string - HAProxyStatsEnabled: - default: true - description: Whether or not to enable the HAProxy stats interface. - type: boolean - RedisPassword: - description: The password for the redis service account. - type: string - hidden: true - MonitoringSubscriptionHaproxy: - default: 'overcloud-haproxy' - type: string - SSLCertificate: - default: '' - description: > - The content of the SSL certificate (without Key) in PEM format. 
- type: string - PublicSSLCertificateAutogenerated: - default: false - description: > - Whether the public SSL certificate was autogenerated or not. - type: boolean - EnablePublicTLS: - default: true - description: > - Whether to enable TLS on the public interface or not. - type: boolean - DeployedSSLCertificatePath: - default: '/etc/pki/tls/private/overcloud_endpoint.pem' - description: > - The filepath of the certificate as it will be stored in the controller. - type: string - EnableInternalTLS: - type: boolean - default: false - InternalTLSCAFile: - default: '/etc/ipa/ca.crt' - type: string - description: Specifies the default CA cert to use if TLS is used for - services in the internal network. - InternalTLSCRLPEMFile: - default: '/etc/pki/CA/crl/overcloud-crl.pem' - type: string - description: Specifies the default CRL PEM file to use for revocation if - TLS is used for services in the internal network. - -conditions: - - public_tls_enabled: - and: - - {get_param: EnablePublicTLS} - - or: - - not: - equals: - - {get_param: SSLCertificate} - - "" - - equals: - - {get_param: PublicSSLCertificateAutogenerated} - - true - internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} - -resources: - - HAProxyPublicTLS: - type: OS::TripleO::Services::HAProxyPublicTLS - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - - HAProxyInternalTLS: - type: OS::TripleO::Services::HAProxyInternalTLS - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - -outputs: - role_data: - description: Role data for the HAproxy role. 
- value: - service_name: haproxy - monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} - config_settings: - map_merge: - - tripleo::haproxy::firewall_rules: - '107 haproxy stats': - dport: 1993 - tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} - tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility} - tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} - tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} - tripleo::haproxy::redis_password: {get_param: RedisPassword} - tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile} - tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled} - enable_load_balancer: {get_param: EnableLoadBalancer} - tripleo::profile::base::haproxy::certificates_specs: - map_merge: - - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] - - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] - - if: - - public_tls_enabled - - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath} - - {} - - if: - - internal_tls_enabled - - tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile} - - null - - get_attr: [HAProxyPublicTLS, role_data, config_settings] - - get_attr: [HAProxyInternalTLS, role_data, config_settings] - step_config: | - include ::tripleo::profile::base::haproxy - upgrade_tasks: [] - host_prep_tasks: {get_attr: [HAProxyPublicTLS, role_data, host_prep_tasks]} - metadata_settings: - list_concat: - - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} - - {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]} diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml deleted file mode 100644 index 9c65179e8f..0000000000 --- a/puppet/services/pacemaker/haproxy.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -heat_template_version: rocky - -description: > - HAproxy service with Pacemaker configured with Puppet - -parameters: - ServiceData: - default: {} - description: Dictionary packing service data - type: json - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - RoleName: - default: '' - description: Role name on which the service is applied - type: string - RoleParameters: - default: {} - description: Parameters specific to the role - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - HAProxySyslogFacility: - default: local0 - description: Syslog facility HAProxy will use for its logs - type: string - HAProxySyslogAddress: - default: /dev/log - description: Syslog address where HAproxy will send its log - type: string - -resources: - LoadbalancerServiceBase: - type: ../haproxy.yaml - properties: - ServiceData: {get_param: ServiceData} - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - RoleName: {get_param: RoleName} - RoleParameters: {get_param: RoleParameters} - -outputs: - role_data: - description: Role data for the HAproxy with pacemaker role. 
- value: - service_name: haproxy - monitoring_subscription: {get_attr: [LoadbalancerServiceBase, role_data, monitoring_subscription]} - config_settings: - map_merge: - - get_attr: [LoadbalancerServiceBase, role_data, config_settings] - - tripleo::haproxy::haproxy_service_manage: false - tripleo::haproxy::mysql_clustercheck: true - tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} - tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility} - step_config: | - include ::tripleo::profile::pacemaker::haproxy - host_prep_tasks: {get_attr: [LoadbalancerServiceBase, role_data, host_prep_tasks]} - metadata_settings: - get_attr: [LoadbalancerServiceBase, role_data, metadata_settings] diff --git a/releasenotes/notes/drop-baremetal-haproxy-5e2f0f3c9b8da664.yaml b/releasenotes/notes/drop-baremetal-haproxy-5e2f0f3c9b8da664.yaml new file mode 100644 index 0000000000..4c7444af75 --- /dev/null +++ b/releasenotes/notes/drop-baremetal-haproxy-5e2f0f3c9b8da664.yaml @@ -0,0 +1,4 @@ +--- +upgrade: + - | + Installing haproxy services on baremetal is no longer supported. diff --git a/sample-env-generator/ssl.yaml b/sample-env-generator/ssl.yaml index 1adb50b723..e07e999b52 100644 --- a/sample-env-generator/ssl.yaml +++ b/sample-env-generator/ssl.yaml @@ -7,7 +7,7 @@ environments: For these values to take effect, one of the tls-endpoints-*.yaml environments must also be used. files: - puppet/services/haproxy-public-tls-inject.yaml: + deployment/haproxy/haproxy-public-tls-inject.yaml: parameters: all puppet/services/horizon.yaml: parameters: 
@@ -58,7 +58,7 @@ environments: resource_registry: # FIXME(bogdando): switch it, once it is containerized OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml - OS::TripleO::Services::HAProxyInternalTLS: ../../puppet/services/haproxy-internal-tls-certmonger.yaml + OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml # We use apache as a TLS proxy # FIXME(bogdando): switch it, once it is containerized OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml @@ -465,13 +465,13 @@ environments: network/endpoints/endpoint_map.yaml: parameters: - EndpointMap - docker/services/haproxy.yaml: + deployment/haproxy/haproxy-container-puppet.yaml: parameters: - EnablePublicTLS - docker/services/pacemaker/haproxy.yaml: + deployment/haproxy/haproxy-pacemaker-puppet.yaml: parameters: - EnablePublicTLS - puppet/services/haproxy.yaml: + deployment/haproxy/haproxy-container-puppet.yaml: parameters: - EnablePublicTLS sample_values:
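Review bot: In the `@@ -465,13 +465,13 @@` hunk the key `deployment/haproxy/haproxy-container-puppet.yaml:` now appears twice, because both `docker/services/haproxy.yaml:` and `puppet/services/haproxy.yaml:` were rewritten to the same path. If these entries are siblings in one mapping (the parent key starts outside the hunk, so this is inferred), that is a duplicate YAML key: many loaders silently keep the last occurrence, while strict loaders and yamllint's `key-duplicates` rule reject the file. Both copies carry the same `parameters: - EnablePublicTLS` list, so the entry that replaced `puppet/services/haproxy.yaml:` can simply be deleted, leaving a single `deployment/haproxy/haproxy-container-puppet.yaml:` block. After removing it, regenerate the sample environment and confirm `EnablePublicTLS` is still emitted for the TLS environment.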