Merge "Only set ca_bundle for HAProxy if internal TLS enabled & fix mounts"

2018-09-20 11:49:06 +00:00 · 2018-09-20 11:49:06 +00:00 · 38368d51dd
commit 38368d51dd
parent fa8b4bb955 5ca1aee232
2 changed files with 18 additions and 12 deletions
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@ -248,17 +248,16 @@ outputs:
                                - {get_param: DeployedSSLCertificatePath}
                          - 'ro'
                    - null
-                  -
-                    if:
-                      - internal_tls_enabled
-                      - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
-                        - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
-                        - list_join:
-                            - ':'
-                            - - {get_param: InternalTLSCAFile}
-                              - {get_param: InternalTLSCAFile}
-                              - 'ro'
-                      - null
+                  - if:
+                    - internal_tls_enabled
+                    - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
+                      - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
+                      - list_join:
+                          - ':'
+                          - - {get_param: InternalTLSCAFile}
+                            - {get_param: InternalTLSCAFile}
+                            - 'ro'
+                    - null
              environment:
                - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      upgrade_tasks:
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
@ -77,6 +77,9 @@ parameters:
    description: >
        The filepath of the certificate as it will be stored in the controller.
    type: string
+  EnableInternalTLS:
+    type: boolean
+    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
@ -101,6 +104,7 @@ conditions:
      - equals:
          - {get_param: PublicSSLCertificateAutogenerated}
          - true
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

 resources:

@ -139,7 +143,6 @@ outputs:
            tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
            tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
            tripleo::haproxy::redis_password: {get_param: RedisPassword}
-            tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
            tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
            tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
            enable_load_balancer: {get_param: EnableLoadBalancer}
@ -151,6 +154,10 @@ outputs:
              - public_tls_enabled
              - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
              - {}
+          - if:
+              - internal_tls_enabled
+              - tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
+              - null
          - get_attr: [HAProxyPublicTLS, role_data, config_settings]
          - get_attr: [HAProxyInternalTLS, role_data, config_settings]
      step_config: |