flatten haproxy service configuration

This change combines the previous puppet and docker files into a single
file that performs the docker service installation and configuration.

With this patch the baremetal version of haproxy services has been removed.

Change-Id: Id55ae44a7b1b5f08b40170f7406e14973fa93639
Related-Blueprint: services-yaml-flattening

ci/environments/multinode-3nodes-registry.yaml

@@ -4,7 +4,7 @@ resource_registry:
   OS::TripleO::Services::Core: multinode-core.yaml
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario000-multinode-containers.yaml

@@ -7,7 +7,7 @@ resource_registry:
 
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario001-multinode-containers.yaml

@@ -10,7 +10,7 @@ resource_registry:
   OS::TripleO::Services::MetricsQdr: ../../docker/services/metrics/qdr.yaml
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario001-standalone.yaml

@@ -22,7 +22,7 @@ resource_registry:
   OS::TripleO::Services::MetricsQdr: ../../docker/services/metrics/qdr.yaml
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario002-multinode-containers.yaml

@@ -8,7 +8,7 @@ resource_registry:
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
   OS::TripleO::Services::Redis: ../../docker/services/pacemaker/database/redis.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario002-standalone.yaml

@@ -20,7 +20,7 @@ resource_registry:
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
   OS::TripleO::Services::Redis: ../../docker/services/pacemaker/database/redis.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario003-multinode-containers.yaml

@@ -9,7 +9,7 @@ resource_registry:
   OS::TripleO::Services::MistralEventEngine: ../../docker/services/mistral-event-engine.yaml
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/messaging/rpc-qdrouterd.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/pacemaker/notify-rabbitmq.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario003-standalone.yaml

@@ -14,7 +14,7 @@ resource_registry:
   OS::TripleO::Services::MistralEventEngine: ../../docker/services/mistral-event-engine.yaml
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/messaging/rpc-qdrouterd.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/pacemaker/notify-rabbitmq.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario004-multinode-containers.yaml

@@ -23,7 +23,7 @@ resource_registry:
   # These enable Pacemaker
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario004-standalone.yaml

@@ -19,7 +19,7 @@ resource_registry:
   OS::TripleO::Services::ManilaBackendCephFs: ../../puppet/services/manila-backend-cephfs.yaml
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario010-multinode-containers.yaml

@@ -5,7 +5,7 @@ resource_registry:
   OS::TripleO::Services::CephMon: ../../docker/services/ceph-ansible/ceph-mon.yaml
   OS::TripleO::Services::CephOSD: ../../docker/services/ceph-ansible/ceph-osd.yaml
   OS::TripleO::Services::CephClient: ../../docker/services/ceph-ansible/ceph-client.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

ci/environments/scenario012-multinode-containers.yaml

@@ -8,7 +8,7 @@ resource_registry:
   # These enable Pacemaker
   OS::TripleO::Services::OsloMessagingRpc: ../../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../../docker/services/messaging/notify-rabbitmq-shared.yaml
-  OS::TripleO::Services::HAproxy: ../../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::Pacemaker: ../../puppet/services/pacemaker.yaml
   OS::TripleO::Services::PacemakerRemote: ../../puppet/services/pacemaker_remote.yaml
   OS::TripleO::Services::Clustercheck: ../../docker/services/pacemaker/clustercheck.yaml

deployment/haproxy/haproxy-container-puppet.yaml

@@ -95,6 +95,19 @@ parameters:
     default: false
     description: Remove package if the service is being disabled during upgrade
     type: boolean
+  EnableLoadBalancer:
+    default: true
+    description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used.
+    type: boolean
+  HAProxyStatsEnabled:
+    default: true
+    description: Whether or not to enable the HAProxy stats interface.
+    type: boolean
+  InternalTLSCRLPEMFile:
+    default: '/etc/pki/CA/crl/overcloud-crl.pem'
+    type: string
+    description: Specifies the default CRL PEM file to use for revocation if
+                 TLS is used for services in the internal network.
 
 conditions:
   puppet_debug_enabled: {get_param: ConfigDebug}
@@ -114,43 +127,75 @@ conditions:
 resources:
 
   ContainersCommon:
-    type: ./containers-common.yaml
-
-  HAProxyBase:
-    type: ../../puppet/services/haproxy.yaml
-    properties:
-      EndpointMap: {get_param: EndpointMap}
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-      HAProxySyslogAddress: {get_param: HAProxySyslogAddress}
-      HAProxySyslogFacility: {get_param: HAProxySyslogFacility}
+    type: ../../docker/services/containers-common.yaml
 
   HAProxyLogging:
     type: OS::TripleO::Services::Logging::HAProxy
 
+  HAProxyPublicTLS:
+    type: OS::TripleO::Services::HAProxyPublicTLS
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
+  HAProxyInternalTLS:
+    type: OS::TripleO::Services::HAProxyInternalTLS
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      RoleName: {get_param: RoleName}
+      RoleParameters: {get_param: RoleParameters}
+
 outputs:
   role_data:
     description: Role data for the HAproxy role.
     value:
-      service_name: {get_attr: [HAProxyBase, role_data, service_name]}
+      service_name: haproxy
+      monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
       config_settings:
         map_merge:
-          - get_attr: [HAProxyBase, role_data, config_settings]
           - get_attr: [HAProxyLogging, config_settings]
           - tripleo::haproxy::haproxy_service_manage: false
             # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
             # when this is updated
             tripleo::haproxy::crl_file: null
-      service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
+          - tripleo::haproxy::firewall_rules:
+              '107 haproxy stats':
+                dport: 1993
+            tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
+            tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
+            tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
+            tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
+            tripleo::haproxy::redis_password: {get_param: RedisPassword}
+            tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
+            tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
+            enable_load_balancer: {get_param: EnableLoadBalancer}
+            tripleo::profile::base::haproxy::certificates_specs:
+              map_merge:
+                - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
+                - get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
+          - if:
+              - public_tls_enabled
+              - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
+              - {}
+          - if:
+              - internal_tls_enabled
+              - tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
+              - null
+          - get_attr: [HAProxyPublicTLS, role_data, config_settings]
+          - get_attr: [HAProxyInternalTLS, role_data, config_settings]
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: haproxy
         puppet_tags: haproxy_config
-        step_config:
-          "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
+        step_config: |
+          class {'::tripleo::profile::base::haproxy': manage_firewall => false}
         config_image: {get_param: DockerHAProxyConfigImage}
         volumes:
           list_concat:
@@ -254,7 +299,7 @@ outputs:
             fi
             exit $rc
           vars:
-            puppet_execute: {get_attr: [HAProxyBase, role_data, step_config]}
+            puppet_execute: include ::tripleo::profile::base::haproxy
             puppet_tags: 'tripleo::firewall::rule'
             puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules'
             puppet_debug:
@@ -286,7 +331,7 @@ outputs:
             containers_to_rm:
               - haproxy
       host_prep_tasks:
-        - {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
+        - {get_attr: [HAProxyPublicTLS, role_data, host_prep_tasks]}
         - name: Check if rsyslog exists
           shell: systemctl is-active rsyslog
           register: rsyslog_config
@@ -324,4 +369,6 @@ outputs:
               /var/log/containers/haproxy.
           ignore_errors: true
       metadata_settings:
-        get_attr: [HAProxyBase, role_data, metadata_settings]
+        list_concat:
+          - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
+          - {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}

deployment/haproxy/haproxy-pacemaker-puppet.yaml

@@ -123,28 +123,31 @@ conditions:
 resources:
 
   ContainersCommon:
-    type: ../containers-common.yaml
+    type: ../../docker/services/containers-common.yaml
 
   HAProxyBase:
-    type: ../../../puppet/services/pacemaker/haproxy.yaml
+    type: ./haproxy-container-puppet.yaml
     properties:
-      EndpointMap: {get_param: EndpointMap}
       ServiceData: {get_param: ServiceData}
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
       RoleName: {get_param: RoleName}
       RoleParameters: {get_param: RoleParameters}
-      HAProxySyslogAddress: {get_param: HAProxySyslogAddress}
-      HAProxySyslogFacility: {get_param: HAProxySyslogFacility}
 
 outputs:
   role_data:
     description: Role data for the HAproxy role.
     value:
-      service_name: {get_attr: [HAProxyBase, role_data, service_name]}
+      service_name: haproxy
+      monitoring_subscription: {get_attr: [HAProxyBase, role_data, monitoring_subscription]}
       config_settings:
         map_merge:
           - get_attr: [HAProxyBase, role_data, config_settings]
+          - tripleo::haproxy::haproxy_service_manage: false
+            tripleo::haproxy::mysql_clustercheck: true
+            tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
+            tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
           - haproxy_docker: true
             tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage}
             tripleo::profile::pacemaker::haproxy_bundle::container_backend: {get_param: ContainerCli}
@@ -174,7 +177,6 @@ outputs:
                       data: {get_param: DockerHAProxyImage}
                       expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0]
                   - 'pcmklatest'
-      service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS
       puppet_config:
         config_volume: haproxy
@@ -333,7 +335,7 @@ outputs:
               /var/log/containers/haproxy.
           ignore_errors: true
       metadata_settings:
-        get_attr: [HAProxyBase, role_data, metadata_settings]
+        {get_attr: [HAProxyBase, role_data, metadata_settings]}
       deploy_steps_tasks:
         - name: HAproxy tag container image for pacemaker
           when: step|int == 1
@@ -357,7 +359,7 @@ outputs:
             fi
             exit $rc
           vars:
-            puppet_execute: {get_attr: [HAProxyBase, role_data, step_config]}
+            puppet_execute: include ::tripleo::profile::pacemaker::haproxy
             puppet_tags: 'tripleo::firewall::rule'
             puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules'
             puppet_debug:
@@ -485,7 +487,7 @@ outputs:
           block:
             - name: Check cluster resource status
               pacemaker_resource:
-                resource: {get_attr: [HAProxyBase, role_data, service_name]}
+                resource: haproxy
                 state: started
                 check_mode: true
               ignore_errors: true
@@ -494,7 +496,7 @@ outputs:
               block:
                 - name: Disable the haproxy cluster resource.
                   pacemaker_resource:
-                    resource: {get_attr: [HAProxyBase, role_data, service_name]}
+                    resource: haproxy
                     state: disable
                     wait_for_resource: true
                   register: output
@@ -502,7 +504,7 @@ outputs:
                   until: output.rc == 0
                 - name: Delete the stopped haproxy cluster resource.
                   pacemaker_resource:
-                    resource: {get_attr: [HAProxyBase, role_data, service_name]}
+                    resource: haproxy
                     state: delete
                     wait_for_resource: true
                   register: output

environments/baremetal-services.yaml

@@ -20,10 +20,10 @@ resource_registry:
   OS::TripleO::Services::GnocchiApi: ../puppet/services/gnocchi-api.yaml
   OS::TripleO::Services::GnocchiMetricd: ../puppet/services/gnocchi-metricd.yaml
   OS::TripleO::Services::GnocchiStatsd: ../puppet/services/gnocchi-statsd.yaml
-  OS::TripleO::Services::HAproxy: ../puppet/services/haproxy.yaml
   OS::TripleO::Services::HeatApi: ../deployment/heat/heat-api-container-puppet.yaml
   OS::TripleO::Services::HeatApiCfn: ../deployment/heat/heat-api-cfn-container-puppet.yaml
   OS::TripleO::Services::HeatEngine: ../deployment/heat/heat-engine-container-puppet.yaml
+  OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-container-puppet.yaml
   OS::TripleO::Services::Horizon: ../puppet/services/horizon.yaml
   OS::TripleO::Services::Iscsid: ../puppet/services/iscsid.yaml
   OS::TripleO::Services::Keystone: ../deployment/keystone/keystone-container-puppet.yaml

environments/docker-ha.yaml

@@ -16,7 +16,7 @@ resource_registry:
   # HA Containers managed by pacemaker
   OS::TripleO::Services::CinderVolume: ../deployment/cinder/cinder-volume-pacemaker-puppet.yaml
   OS::TripleO::Services::Clustercheck: ../docker/services/pacemaker/clustercheck.yaml
-  OS::TripleO::Services::HAproxy: ../docker/services/pacemaker/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-pacemaker-puppet.yaml
   OS::TripleO::Services::MySQL: ../docker/services/pacemaker/database/mysql.yaml
   OS::TripleO::Services::OsloMessagingRpc: ../docker/services/pacemaker/rpc-rabbitmq.yaml
   OS::TripleO::Services::OsloMessagingNotify: ../docker/services/messaging/notify-rabbitmq-shared.yaml

environments/nonha-arch.yaml

@@ -3,7 +3,7 @@
 resource_registry:
   OS::TripleO::Services::CinderVolume: ../deployment/cinder/cinder-volume-container-puppet.yaml
   OS::TripleO::Services::RabbitMQ: ../docker/services/rabbitmq.yaml
-  OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-container-puppet.yaml
   OS::TripleO::Services::Redis: ../docker/services/database/redis.yaml
   OS::TripleO::Services::MySQL: ../docker/services/database/mysql.yaml
   OS::TripleO::Services::Keepalived: ../docker/services/keepalived.yaml

environments/openshift.yaml

@@ -1,6 +1,6 @@
 resource_registry:
   OS::TripleO::Services::Docker: ../deployment/docker/docker-baremetal-ansible.yaml
-  OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../deployment/haproxy/haproxy-container-puppet.yaml
   OS::TripleO::Services::Keepalived: ../deployment/keepalived/keepalived-container-puppet.yaml
   OS::TripleO::Services::OpenShift::Infra: ../extraconfig/services/openshift-infra.yaml
   OS::TripleO::Services::OpenShift::Master: ../extraconfig/services/openshift-master.yaml

environments/public-tls-undercloud.yaml

@@ -3,4 +3,4 @@ parameter_defaults:
   PublicSSLCertificateAutogenerated: true
 
 resource_registry:
-  OS::TripleO::Services::HAProxyPublicTLS: ../puppet/services/haproxy-public-tls-certmonger.yaml
+  OS::TripleO::Services::HAProxyPublicTLS: ../deployment/haproxy/haproxy-public-tls-certmonger.yaml

environments/services-baremetal/undercloud-haproxy.yaml

@@ -1,2 +1,2 @@
 resource_registry:
-  OS::TripleO::Services::UndercloudHAProxy: ../../puppet/services/haproxy.yaml
+  OS::TripleO::Services::UndercloudHAProxy: ../../deployment/haproxy/haproxy-container-puppet.yaml

environments/services/haproxy-public-tls-certmonger.yaml

@@ -1,7 +1,7 @@
 # A Heat environment file which can be used to enable a
 # a TLS for HAProxy via certmonger
 resource_registry:
-  OS::TripleO::Services::HAProxyPublicTLS: ../../puppet/services/haproxy-public-tls-certmonger.yaml
+  OS::TripleO::Services::HAProxyPublicTLS: ../../deployment/haproxy/haproxy-public-tls-certmonger.yaml
 
 parameter_defaults:
   PublicSSLCertificateAutogenerated: true

environments/services/undercloud-haproxy.yaml

@@ -1,4 +1,4 @@
 # DEPRECATED. This file will be removed in the Stein release as it is no longer
 # needed
 resource_registry:
-  OS::TripleO::Services::HAproxy: ../../docker/services/haproxy.yaml
+  OS::TripleO::Services::HAproxy: ../../deployment/haproxy/haproxy-container-puppet.yaml

environments/ssl/enable-internal-tls.yaml

@@ -36,5 +36,5 @@ parameter_defaults:
 resource_registry:
   OS::TripleO::ServiceServerMetadataHook: ../../extraconfig/nova_metadata/krb-service-principals.yaml
   OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml
-  OS::TripleO::Services::HAProxyInternalTLS: ../../puppet/services/haproxy-internal-tls-certmonger.yaml
+  OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
   OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml

overcloud-resource-registry-puppet.j2.yaml

@@ -176,8 +176,8 @@ resource_registry:
   OS::TripleO::Services::OsloMessagingNotify: docker/services/messaging/notify-rabbitmq-shared.yaml
   OS::TripleO::Services::RabbitMQ: OS::Heat::None
   OS::TripleO::Services::Qdr: OS::Heat::None
-  OS::TripleO::Services::HAproxy: docker/services/haproxy.yaml
-  OS::TripleO::Services::HAProxyPublicTLS: puppet/services/haproxy-public-tls-inject.yaml
+  OS::TripleO::Services::HAproxy: deployment/haproxy/haproxy-container-puppet.yaml
+  OS::TripleO::Services::HAProxyPublicTLS: deployment/haproxy/haproxy-public-tls-inject.yaml
   OS::TripleO::Services::HAProxyInternalTLS: OS::Heat::None
   OS::TripleO::Services::Iscsid: docker/services/iscsid.yaml
   OS::TripleO::Services::Keepalived: deployment/keepalived/keepalived-container-puppet.yaml

puppet/services/haproxy.yaml

@@ -1,175 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  HAproxy service configured with Puppet
-
-parameters:
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  EnableLoadBalancer:
-    default: true
-    description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used.
-    type: boolean
-  HAProxyStatsPassword:
-    description: Password for HAProxy stats endpoint
-    hidden: true
-    type: string
-  HAProxyStatsUser:
-    description: User for HAProxy stats endpoint
-    default: admin
-    type: string
-  HAProxySyslogAddress:
-    default: /dev/log
-    description: Syslog address where HAproxy will send its log
-    type: string
-  HAProxySyslogFacility:
-    default: local0
-    description: Syslog facility HAProxy will use for its logs
-    type: string
-  HAProxyStatsEnabled:
-    default: true
-    description: Whether or not to enable the HAProxy stats interface.
-    type: boolean
-  RedisPassword:
-    description: The password for the redis service account.
-    type: string
-    hidden: true
-  MonitoringSubscriptionHaproxy:
-    default: 'overcloud-haproxy'
-    type: string
-  SSLCertificate:
-    default: ''
-    description: >
-      The content of the SSL certificate (without Key) in PEM format.
-    type: string
-  PublicSSLCertificateAutogenerated:
-    default: false
-    description: >
-      Whether the public SSL certificate was autogenerated or not.
-    type: boolean
-  EnablePublicTLS:
-    default: true
-    description: >
-      Whether to enable TLS on the public interface or not.
-    type: boolean
-  DeployedSSLCertificatePath:
-    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
-    description: >
-        The filepath of the certificate as it will be stored in the controller.
-    type: string
-  EnableInternalTLS:
-    type: boolean
-    default: false
-  InternalTLSCAFile:
-    default: '/etc/ipa/ca.crt'
-    type: string
-    description: Specifies the default CA cert to use if TLS is used for
-                 services in the internal network.
-  InternalTLSCRLPEMFile:
-    default: '/etc/pki/CA/crl/overcloud-crl.pem'
-    type: string
-    description: Specifies the default CRL PEM file to use for revocation if
-                 TLS is used for services in the internal network.
-
-conditions:
-
-  public_tls_enabled:
-    and:
-    - {get_param: EnablePublicTLS}
-    - or:
-      - not:
-          equals:
-          - {get_param: SSLCertificate}
-          - ""
-      - equals:
-          - {get_param: PublicSSLCertificateAutogenerated}
-          - true
-  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
-
-resources:
-
-  HAProxyPublicTLS:
-    type: OS::TripleO::Services::HAProxyPublicTLS
-    properties:
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
-  HAProxyInternalTLS:
-    type: OS::TripleO::Services::HAProxyInternalTLS
-    properties:
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
-outputs:
-  role_data:
-    description: Role data for the HAproxy role.
-    value:
-      service_name: haproxy
-      monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
-      config_settings:
-        map_merge:
-          - tripleo::haproxy::firewall_rules:
-              '107 haproxy stats':
-                dport: 1993
-            tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
-            tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
-            tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
-            tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
-            tripleo::haproxy::redis_password: {get_param: RedisPassword}
-            tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
-            tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
-            enable_load_balancer: {get_param: EnableLoadBalancer}
-            tripleo::profile::base::haproxy::certificates_specs:
-              map_merge:
-                - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
-                - get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
-          - if:
-              - public_tls_enabled
-              - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
-              - {}
-          - if:
-              - internal_tls_enabled
-              - tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
-              - null
-          - get_attr: [HAProxyPublicTLS, role_data, config_settings]
-          - get_attr: [HAProxyInternalTLS, role_data, config_settings]
-      step_config: |
-        include ::tripleo::profile::base::haproxy
-      upgrade_tasks: []
-      host_prep_tasks: {get_attr: [HAProxyPublicTLS, role_data, host_prep_tasks]}
-      metadata_settings:
-        list_concat:
-          - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
-          - {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}

puppet/services/pacemaker/haproxy.yaml

@@ -1,70 +0,0 @@
-heat_template_version: rocky
-
-description: >
-  HAproxy service with Pacemaker configured with Puppet
-
-parameters:
-  ServiceData:
-    default: {}
-    description: Dictionary packing service data
-    type: json
-  ServiceNetMap:
-    default: {}
-    description: Mapping of service_name -> network name. Typically set
-                 via parameter_defaults in the resource registry.  This
-                 mapping overrides those in ServiceNetMapDefaults.
-    type: json
-  DefaultPasswords:
-    default: {}
-    type: json
-  RoleName:
-    default: ''
-    description: Role name on which the service is applied
-    type: string
-  RoleParameters:
-    default: {}
-    description: Parameters specific to the role
-    type: json
-  EndpointMap:
-    default: {}
-    description: Mapping of service endpoint -> protocol. Typically set
-                 via parameter_defaults in the resource registry.
-    type: json
-  HAProxySyslogFacility:
-    default: local0
-    description: Syslog facility HAProxy will use for its logs
-    type: string
-  HAProxySyslogAddress:
-    default: /dev/log
-    description: Syslog address where HAproxy will send its log
-    type: string
-
-resources:
-  LoadbalancerServiceBase:
-    type: ../haproxy.yaml
-    properties:
-      ServiceData: {get_param: ServiceData}
-      ServiceNetMap: {get_param: ServiceNetMap}
-      DefaultPasswords: {get_param: DefaultPasswords}
-      EndpointMap: {get_param: EndpointMap}
-      RoleName: {get_param: RoleName}
-      RoleParameters: {get_param: RoleParameters}
-
-outputs:
-  role_data:
-    description: Role data for the HAproxy with pacemaker role.
-    value:
-      service_name: haproxy
-      monitoring_subscription: {get_attr: [LoadbalancerServiceBase, role_data, monitoring_subscription]}
-      config_settings:
-        map_merge:
-          - get_attr: [LoadbalancerServiceBase, role_data, config_settings]
-          - tripleo::haproxy::haproxy_service_manage: false
-            tripleo::haproxy::mysql_clustercheck: true
-            tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
-            tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
-      step_config: |
-        include ::tripleo::profile::pacemaker::haproxy
-      host_prep_tasks: {get_attr: [LoadbalancerServiceBase, role_data, host_prep_tasks]}
-      metadata_settings:
-        get_attr: [LoadbalancerServiceBase, role_data, metadata_settings]

releasenotes/notes/drop-baremetal-haproxy-5e2f0f3c9b8da664.yaml

@@ -0,0 +1,4 @@
+---
+upgrade:
+  - |
+      Installing haproxy services on baremetal is no longer supported.

sample-env-generator/ssl.yaml

@@ -7,7 +7,7 @@ environments:
       For these values to take effect, one of the tls-endpoints-*.yaml
       environments must also be used.
     files:
-      puppet/services/haproxy-public-tls-inject.yaml:
+      deployment/haproxy/haproxy-public-tls-inject.yaml:
         parameters: all
       puppet/services/horizon.yaml:
         parameters:
@@ -58,7 +58,7 @@ environments:
     resource_registry:
       # FIXME(bogdando): switch it, once it is containerized
       OS::TripleO::Services::CertmongerUser: ../../puppet/services/certmonger-user.yaml
-      OS::TripleO::Services::HAProxyInternalTLS: ../../puppet/services/haproxy-internal-tls-certmonger.yaml
+      OS::TripleO::Services::HAProxyInternalTLS: ../../deployment/haproxy/haproxy-internal-tls-certmonger.yaml
       # We use apache as a TLS proxy
       # FIXME(bogdando): switch it, once it is containerized
       OS::TripleO::Services::TLSProxyBase: ../../puppet/services/apache.yaml
@@ -465,13 +465,13 @@ environments:
       network/endpoints/endpoint_map.yaml:
         parameters:
           - EndpointMap
-      docker/services/haproxy.yaml:
+      deployment/haproxy/haproxy-container-puppet.yaml:
         parameters:
           - EnablePublicTLS
-      docker/services/pacemaker/haproxy.yaml:
+      deployment/haproxy/haproxy-pacemaker-puppet.yaml:
         parameters:
           - EnablePublicTLS
-      puppet/services/haproxy.yaml:
+      deployment/haproxy/haproxy-container-puppet.yaml:
         parameters:
           - EnablePublicTLS
     sample_values: