Simplify haproxy service templates
Change-Id: I9992a4d2b0e2d3efe4e1622cb8ae3023be30624b
parent
d0842812c8
commit
15ce9b6a25
|
@ -111,7 +111,6 @@ parameters:
|
|||
description: The tunnel timeout in seconds for the Zaqar API.
|
||||
|
||||
conditions:
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
public_tls_enabled:
|
||||
and:
|
||||
- {get_param: EnablePublicTLS}
|
||||
|
@ -120,12 +119,9 @@ conditions:
|
|||
equals:
|
||||
- {get_param: SSLCertificate}
|
||||
- ""
|
||||
- equals:
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
- true
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
|
||||
resources:
|
||||
|
||||
ContainersCommon:
|
||||
type: ../containers-common.yaml
|
||||
|
||||
|
@ -182,14 +178,14 @@ outputs:
|
|||
map_merge:
|
||||
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
|
||||
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
|
||||
- if:
|
||||
- public_tls_enabled
|
||||
- tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
|
||||
- {}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
|
||||
- null
|
||||
tripleo::haproxy::service_certificate:
|
||||
if:
|
||||
- public_tls_enabled
|
||||
- {get_param: DeployedSSLCertificatePath}
|
||||
tripleo::haproxy::ca_bundle:
|
||||
if:
|
||||
- {get_param: EnableInternalTLS}
|
||||
- {get_param: InternalTLSCAFile}
|
||||
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
|
||||
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
@ -208,9 +204,8 @@ outputs:
|
|||
- - {get_param: DeployedSSLCertificatePath}
|
||||
- {get_param: DeployedSSLCertificatePath}
|
||||
- 'ro,shared'
|
||||
- null
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- {get_param: EnableInternalTLS}
|
||||
- - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro,shared
|
||||
- /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro,shared
|
||||
- list_join:
|
||||
|
@ -223,7 +218,6 @@ outputs:
|
|||
- - {get_param: InternalTLSCRLPEMDir}
|
||||
- {get_param: InternalTLSCRLPEMDir}
|
||||
- 'ro,shared'
|
||||
- null
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/haproxy.json:
|
||||
# HAProxy 1.8 doesn't ship haproxy-systemd-wrapper, we have
|
||||
|
@ -263,8 +257,7 @@ outputs:
|
|||
list_concat:
|
||||
- {get_attr: [ContainersCommon, volumes]}
|
||||
- {get_attr: [HAProxyLogging, volumes]}
|
||||
-
|
||||
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/haproxy:/var/lib/kolla/config_files/src:ro
|
||||
- /var/lib/haproxy:/var/lib/haproxy:rw,z
|
||||
- if:
|
||||
|
@ -277,9 +270,8 @@ outputs:
|
|||
- - /var/lib/kolla/config_files/src-tls/
|
||||
- {get_param: DeployedSSLCertificatePath}
|
||||
- 'ro,shared'
|
||||
- null
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- {get_param: EnableInternalTLS}
|
||||
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro,shared
|
||||
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro,shared
|
||||
- list_join:
|
||||
|
@ -287,7 +279,6 @@ outputs:
|
|||
- - {get_param: InternalTLSCRLPEMDir}
|
||||
- {get_param: InternalTLSCRLPEMDir}
|
||||
- 'ro'
|
||||
- null
|
||||
environment:
|
||||
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
|
||||
deploy_steps_tasks:
|
||||
|
@ -341,11 +332,9 @@ outputs:
|
|||
- if:
|
||||
- public_tls_enabled
|
||||
- get_attr: [HAProxyPublicTLS, role_data, deploy_steps_tasks]
|
||||
- []
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- {get_param: EnableInternalTLS}
|
||||
- get_attr: [HAProxyInternalTLS, role_data, deploy_steps_tasks]
|
||||
- []
|
||||
upgrade_tasks:
|
||||
- name: ensure we have haproxy log dir with the correct setype
|
||||
file:
|
||||
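Review bot: The rewritten `tripleo::haproxy::service_certificate` and `tripleo::haproxy::ca_bundle` entries in the `-182,14 +178,14` hunk use the two-argument `if`, so the result is only correct if Heat omits the key when the condition is false rather than emitting it with a null value. That behaviour depends on the template's `heat_template_version`, which is outside the visible hunks; a key emitted as null would presumably override the Puppet-side default for the certificate or CA bundle path. The same two-argument form appears to be used for the TLS volume lists and `deploy_steps_tasks` in the `-208,9`, `-277,9` and `-341,11` hunks. I would confirm the declared template version supports it and add a comment above the first occurrence, e.g. `# two-argument if: the key is dropped entirely when the condition is false`.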
|
|
|
@ -36,13 +36,7 @@ parameters:
|
|||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
|
||||
glance_api_proxy_enabled: {equals: [{get_param: EnableGlanceApiProxy}, true]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
HAProxyBase:
|
||||
type: ./haproxy-container-puppet.yaml
|
||||
properties:
|
||||
|
@ -53,12 +47,11 @@ resources:
|
|||
RoleParameters: {get_param: RoleParameters}
|
||||
|
||||
outputs:
|
||||
|
||||
glance_api_edge_uri:
|
||||
description: URI of the glance-api service runing at the edge site.
|
||||
value: &glance_api_edge_uri
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- {get_param: EnableInternalTLS}
|
||||
- str_replace:
|
||||
template:
|
||||
"https://%{hiera('fqdn_NETWORK')}:9292"
|
||||
|
@ -91,7 +84,7 @@ outputs:
|
|||
tripleo::haproxy::ec2_api_metadata: false
|
||||
tripleo::haproxy::etcd: false
|
||||
- if:
|
||||
- glance_api_proxy_enabled
|
||||
- {get_param: EnableGlanceApiProxy}
|
||||
- tripleo::haproxy::glance_api: true
|
||||
glance_api_vip:
|
||||
str_replace:
|
||||
|
@ -130,9 +123,8 @@ outputs:
|
|||
map_merge:
|
||||
- get_attr: [HAProxyBase, role_data, service_config_settings]
|
||||
- if:
|
||||
- glance_api_proxy_enabled
|
||||
- {get_param: EnableGlanceApiProxy}
|
||||
- cinder_volume:
|
||||
cinder::glance::glance_api_servers: *glance_api_edge_uri
|
||||
nova_compute:
|
||||
nova::glance::endpoint_override: *glance_api_edge_uri
|
||||
- {}
|
||||
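Review bot: Using `{get_param: EnableInternalTLS}` and `{get_param: EnableGlanceApiProxy}` directly as `if` conditions is only equivalent to the old `equals: [..., true]` conditions when both parameters are declared `type: boolean`, and the declaration of `EnableInternalTLS` is not in the visible hunks. In the `-53,12 +47,11` hunk that condition selects the `https://` template for `glance_api_edge_uri` (the alternative branch is outside the hunk), so a value that is not a strict boolean could change which scheme the edge URI gets. It is worth confirming the parameter type and noting it beside the `if`, e.g. `# EnableInternalTLS is a boolean parameter, used directly as the condition`.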
|
|
|
@ -45,11 +45,10 @@ parameters:
|
|||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
key_size_override_set:
|
||||
not: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
HAProxyNetworks:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
|
@ -157,9 +156,9 @@ outputs:
|
|||
KEYSDIR: {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- key_size_override_set
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
- {get_param: CertificateKeySize}
|
||||
ca: ipa
|
||||
for_each:
|
||||
NETWORK: {get_attr: [HAProxyNetworks, value]}
|
||||
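Review bot: Nothing visible in the `-157,9 +156,9` hunk bounds `HAProxyCertificateKeySize`, which `key_size` uses whenever it is non-empty, so an override smaller than `CertificateKeySize` would be taken as the requested key size for this certificate. The parameter definition is outside the hunk, so a constraint may already exist; if not, a `constraints:` entry on the parameter, or at least a note in its description on the minimum acceptable size, would help. The renamed `key_size_override_set` condition with swapped branches otherwise reads as equivalent to the old `key_size_override_unset` form. The same pattern appears in the `-189,7 +189,7` hunk of the last file section.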
|
|
|
@ -107,7 +107,6 @@ parameters:
|
|||
perform configuration on a Heat stack-update.
|
||||
|
||||
conditions:
|
||||
puppet_debug_enabled: {get_param: ConfigDebug}
|
||||
public_tls_enabled:
|
||||
and:
|
||||
- {get_param: EnablePublicTLS}
|
||||
|
@ -116,16 +115,9 @@ conditions:
|
|||
equals:
|
||||
- {get_param: SSLCertificate}
|
||||
- ""
|
||||
- equals:
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
- true
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
|
||||
common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]}
|
||||
common_tag_full: {equals: [{get_param: ClusterFullTag}, true]}
|
||||
- {get_param: PublicSSLCertificateAutogenerated}
|
||||
|
||||
resources:
|
||||
|
||||
ContainersCommon:
|
||||
type: ../containers-common.yaml
|
||||
|
||||
|
@ -179,13 +171,11 @@ outputs:
|
|||
- if:
|
||||
- public_tls_enabled
|
||||
- - get_param: DeployedSSLCertificatePath
|
||||
- null
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- {get_param: EnableInternalTLS}
|
||||
- - get_param: InternalTLSCAFile
|
||||
- get_param: HAProxyInternalTLSKeysDirectory
|
||||
- get_param: HAProxyInternalTLSCertsDirectory
|
||||
- null
|
||||
# The init bundle users the container_puppet_apply_volumes list. That already contains InternalTLSCAFile
|
||||
# and newer podmans refuse to start with duplicated mountpoints. That is why we cannot use tls_mapping
|
||||
# but need a new mapping
|
||||
|
@ -194,24 +184,22 @@ outputs:
|
|||
- if:
|
||||
- public_tls_enabled
|
||||
- - get_param: DeployedSSLCertificatePath
|
||||
- null
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- {get_param: EnableInternalTLS}
|
||||
- - get_param: HAProxyInternalTLSKeysDirectory
|
||||
- get_param: HAProxyInternalTLSCertsDirectory
|
||||
- null
|
||||
tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
# disable the use CRL file until we can restart the container when the file expires
|
||||
tripleo::haproxy::crl_file: null
|
||||
tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image_pcmklatest
|
||||
if:
|
||||
- common_tag_full
|
||||
- {get_param: ClusterFullTag}
|
||||
- "cluster.common.tag/haproxy:pcmklatest"
|
||||
- yaql:
|
||||
data:
|
||||
if:
|
||||
- common_tag_enabled
|
||||
- {get_param: ClusterCommonTag}
|
||||
- yaql:
|
||||
data: {get_param: ContainerHAProxyImage}
|
||||
expression: concat("cluster.common.tag/", $.data.rightSplit(separator => "/", maxSplits => 1)[1])
|
||||
|
@ -350,9 +338,8 @@ outputs:
|
|||
- get_attr: [HAProxyPublicTLS, role_data, deploy_steps_tasks]
|
||||
- []
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- {get_param: EnableInternalTLS}
|
||||
- get_attr: [HAProxyInternalTLS, role_data, deploy_steps_tasks]
|
||||
- []
|
||||
update_tasks:
|
||||
- name: Tear-down non-HA haproxy container
|
||||
when:
|
||||
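Review bot: The conditions hunks (`-107,7 +107,6` and `-116,16 +115,9`) appear to drop `puppet_debug_enabled` and `docker_enabled` along with the TLS and common-tag conditions, but no visible hunk in this section changes an `if` that uses those two names. If either is still referenced elsewhere in the template, Heat should reject it as an undefined condition, so it is worth searching the file for both names before merging. In the image selection of the `-194,24 +184,22` hunk, `ClusterFullTag` and `ClusterCommonTag` are now used directly as conditions; that matches the old `equals: [..., true]` only if both are declared `type: boolean`, which is outside the hunk.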
|
|
|
@ -62,8 +62,8 @@ parameters:
|
|||
description: Override the default HAProxy Certificate Principal
|
||||
|
||||
conditions:
|
||||
|
||||
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
key_size_override_set:
|
||||
not: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
|
||||
principal_override_set: {not: {equals: [{get_param: HAProxyCertificatePrincipal}, '']}}
|
||||
dnsnames_override_set: {not: {equals: [{get_param: HAProxyCertificateDNSNames}, []]}}
|
||||
|
||||
|
@ -189,7 +189,7 @@ outputs:
|
|||
PEMPATH: {get_param: DeployedSSLCertificatePath}
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- key_size_override_set
|
||||
- {get_param: HAProxyCertificateKeySize}
|
||||
- {get_param: CertificateKeySize}
|
||||
ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"
|
||||
|
|