Enable TLS for containerized haproxy
This bind mounts the certificates if TLS is enabled in the internal network. It also disables the CRL usage since we can't restart haproxy at the rate that the CRL is updated. This will be addressed later and is a known limitation of using containerized haproxy (there's the same issue in the HA scenario). To address the different UID that the certs and keys will have, I added an extra step that changes the ownership of these files; though this only gets included if TLS in the internal network is enabled. bp tls-via-certmonger-containers Depends-On: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec Change-Id: Ic6ca88ee7b6b256ae6182e60e07498a8a793d66a
parent
5144634d9b
commit
1b119110c0
@ -60,6 +60,18 @@ parameters:
default: {}
default: {}
description: Parameters specific to the role
description: Parameters specific to the role
type: json
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
resources:
@ -86,6 +98,9 @@ outputs:
- get_attr: [HAProxyBase, role_data, config_settings]
- get_attr: [HAProxyBase, role_data, config_settings]
- tripleo::haproxy::haproxy_daemon: false
- tripleo::haproxy::haproxy_daemon: false
tripleo::haproxy::haproxy_service_manage: false
tripleo::haproxy::haproxy_service_manage: false
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
# when this is updated
tripleo::haproxy::crl_file: null
step_config: &step_config
step_config: &step_config
get_attr: [HAProxyBase, role_data, step_config]
get_attr: [HAProxyBase, role_data, step_config]
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
@ -96,12 +111,23 @@ outputs:
step_config:
step_config:
"class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
"class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
config_image: {get_param: DockerHAProxyConfigImage}
config_image: {get_param: DockerHAProxyConfigImage}
volumes: &deployed_cert_mount
volumes:
- list_join:
list_concat:
- - list_join:
- ':'
- ':'
- - {get_param: DeployedSSLCertificatePath}
- - {get_param: DeployedSSLCertificatePath}
- {get_param: DeployedSSLCertificatePath}
- {get_param: DeployedSSLCertificatePath}
- 'ro'
- 'ro'
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
- /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- null
kolla_config:
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
/var/lib/kolla/config_files/haproxy.json:
command: haproxy -f /etc/haproxy/haproxy.cfg
command: haproxy -f /etc/haproxy/haproxy.cfg
@ -110,6 +136,16 @@ outputs:
dest: "/"
dest: "/"
merge: true
merge: true
preserve_properties: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /etc/pki/tls/certs/haproxy
owner: haproxy:haproxy
recurse: true
optional: true
docker_config:
docker_config:
step_1:
step_1:
haproxy_firewall:
haproxy_firewall:
@ -133,7 +169,6 @@ outputs:
volumes:
volumes:
list_concat:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [ContainersCommon, volumes]}
- *deployed_cert_mount
-
-
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
@ -154,10 +189,24 @@ outputs:
volumes:
volumes:
list_concat:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [ContainersCommon, volumes]}
- *deployed_cert_mount
-
-
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
- list_join:
- ':'
- - {get_param: DeployedSSLCertificatePath}
- {get_param: DeployedSSLCertificatePath}
- 'ro'
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
- ''
environment:
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
metadata_settings:
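Review bot: The new `permissions` stanza in the kolla_config hunk chowns only `/etc/pki/tls/certs/haproxy`, while the same `src-tls` copy also lands the keys under `/etc/pki/tls/private/haproxy`, which keeps whatever ownership the copy carried over (`preserve_properties: true`); the commit message says both certs and keys get their ownership fixed, so the private directory looks like it is missing a parallel entry. If haproxy in the container reads the key as root before dropping privileges this may be harmless, but then the certs entry is equally unnecessary, so it is worth confirming which case applies rather than leaving the two paths inconsistent. In the config_settings hunk, the `# NOTE(jaosorior)` comment above `tripleo::haproxy::crl_file: null` explains the restart problem but not its effect; I would extend it with `# Until this is solved, revocations published in the CRL are not enforced by haproxy.` so the trade-off is visible where it is configured. The enclosing `outputs:` mapping starts and ends outside the shown hunks.

```yaml
permissions:
  # … unchanged: entry for /etc/pki/tls/certs/haproxy …
  - path: /etc/pki/tls/private/haproxy
    owner: haproxy:haproxy
    recurse: true
    optional: true
```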
@ -41,3 +41,4 @@ resource_registry:
OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml
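Review bot: Pointing `OS::TripleO::Services::HAproxy` at the containerized template also switches on that template's `tripleo::haproxy::crl_file: null`, so anyone selecting this environment loses CRL-based revocation checking for the internal network without any hint in this file. A one-line comment above the new mapping would make that visible at the point of choice, e.g. `# NOTE: the containerized haproxy currently runs without a CRL (see ../docker/services/haproxy.yaml).` The rest of the `resource_registry` mapping lies outside the hunk.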