From b9ab64afa48e01efa4b5d420f69d82421ebb7df4 Mon Sep 17 00:00:00 2001 From: abdallahyas Date: Thu, 23 Jan 2020 09:42:43 +0000 Subject: [PATCH] Fix the mounting issues for the TLS everywhere deployment This patch adds the CRL directory to the haproxy in case of TLS everywhere deployment. NOTE: The queens backport doesn't contain duplicate mountpoint fixes which only apply to train. Closes-Bug: #1860641 Resolves: rhbz#1698058 Change-Id: I7d18befc51a4afb404b39ebdd8b1ccab4dfdf744 (cherry picked from commit c155ea701efced6fbd3384989bc2bceb3349fc26) --- docker/services/haproxy.yaml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml index 7b7b132272..eb79632c06 100644 --- a/docker/services/haproxy.yaml +++ b/docker/services/haproxy.yaml @@ -82,6 +82,10 @@ parameters: type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. + InternalTLSCRLPEMDir: + default: '/etc/pki/CA/crl/' + type: string + description: The directory of the CRL PEM file to be mounted. ConfigDebug: default: false description: Whether to run config management (e.g. Puppet) in debug mode. @@ -162,6 +166,11 @@ outputs: - - {get_param: InternalTLSCAFile} - {get_param: InternalTLSCAFile} - 'ro' + - list_join: + - ':' + - - {get_param: InternalTLSCRLPEMDir} + - {get_param: InternalTLSCRLPEMDir} + - 'ro' - null kolla_config: /var/lib/kolla/config_files/haproxy.json: @@ -247,8 +256,8 @@ outputs: - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro - list_join: - ':' - - - {get_param: InternalTLSCAFile} - - {get_param: InternalTLSCAFile} + - - {get_param: InternalTLSCRLPEMDir} + - {get_param: InternalTLSCRLPEMDir} - 'ro' - null environment:
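Review bot: The description of the new `InternalTLSCRLPEMDir` parameter does not say how the value is used, which matters because the later hunks pass it as both the host path and the in-container path of a read-only bind mount. I would expand it to something like `description: Host directory containing the CRL PEM file(s); bind-mounted read-only at the same path inside the haproxy container.` Operators also need to know that the directory must exist and be kept populated on every node that runs haproxy. What happens when the source path is missing or empty, and whether revocation checking is then silently skipped, is not visible in this patch and should be confirmed. The parameters block continues outside the hunk.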
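Review bot: In the hunk at `-247,8` the `InternalTLSCAFile` bind mount is replaced by the `InternalTLSCRLPEMDir` mount, whereas the hunk at `-162,6` adds the CRL mount alongside the existing CA file entry. If no other entry in this volume list mounts the CA file, the container started from this section loses the CA bundle it presumably needs to verify internal TLS peers. The rest of the list lies outside the hunk and the commit message mentions duplicate mountpoints, so the CA file may already be covered elsewhere; please confirm. If it is not, keep the `{get_param: InternalTLSCAFile}` entry and add the CRL directory as a sibling `list_join`, as the earlier hunk does.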