Only set ca_bundle for HAProxy if internal TLS enabled & fix mounts

* We don't use this setup if TLS everywhere is not enabled, so let's set it
  up as such. This prevents the HAProxy container managed by pacemaker from
  mounting this file.
* Also fix the docker service to exercise the if with proper syntax.

Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Change-Id: Id8dff81c5af390446507bcef458a135fc2287186
Juan Antonio Osorio Robles 2018-09-18 16:39:06 +03:00 committed by Emilien Macchi
parent 1bcbaf6a38
commit 5ca1aee232
2 changed files with 18 additions and 12 deletions


@ -249,17 +249,16 @@ outputs:
- {get_param: DeployedSSLCertificatePath} - {get_param: DeployedSSLCertificatePath}
- 'ro' - 'ro'
- null - null
- - if:
if: - internal_tls_enabled
- internal_tls_enabled - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro - list_join:
- list_join: - ':'
- ':' - - {get_param: InternalTLSCAFile}
- - {get_param: InternalTLSCAFile} - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile} - 'ro'
- 'ro' - null
- null
environment: environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
upgrade_tasks: upgrade_tasks:
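Review bot: The new `if` contributes either a nested three-entry list or `null` as a single element of the volumes list, so the mounts only take effect if the enclosing volume expression flattens nested lists and drops nulls; that expression starts outside the hunk, and the pre-existing `- null` after the DeployedSSLCertificatePath entry suggests it does, but that is inferred rather than visible here. A short comment above the `if` would spare the next reader from chasing the outer expression, e.g. `# Only with internal TLS: mount the HAProxy cert/key dirs and the internal CA bundle read-only; the null branch is expected to be filtered by the enclosing volume expression`. It is also worth stating in that comment that the `list_join` deliberately produces `<InternalTLSCAFile>:<InternalTLSCAFile>:ro`, i.e. the CA file is bind-mounted at the same path inside the container, and that all three mounts are read-only.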


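--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -77,6 +77,9 @@ parameters:
 description: >
 The filepath of the certificate as it will be stored in the controller.
 type: string
+EnableInternalTLS:
+type: boolean
+default: false
 InternalTLSCAFile:
 default: '/etc/ipa/ca.crt'
 type: string
@@ -101,6 +104,7 @@ conditions:
 - equals:
 - {get_param: PublicSSLCertificateAutogenerated}
 - true
+internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 resources:
@@ -139,7 +143,6 @@ outputs:
 tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
 tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
 tripleo::haproxy::redis_password: {get_param: RedisPassword}
-tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
 tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
 tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
 enable_load_balancer: {get_param: EnableLoadBalancer}
@@ -151,6 +154,10 @@ outputs:
 - public_tls_enabled
 - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
 - {}
+- if:
+- internal_tls_enabled
+- tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
+- null
 - get_attr: [HAProxyPublicTLS, role_data, config_settings]
 - get_attr: [HAProxyInternalTLS, role_data, config_settings]
 step_config: |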
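Review bot: The else branch of the new `internal_tls_enabled` `if` in the last hunk is `- null`, while the sibling `public_tls_enabled` `if` directly above it uses `- {}`; the enclosing merge starts outside the hunk, and if it treats a null entry differently from an empty map the internal-TLS-disabled case would break, so `- {}` is both the safer and the consistent choice. `EnableInternalTLS` is the only parameter in the first hunk without a `description:` (its neighbours all have one); add one, e.g. `description: Whether to enable TLS on the internal network.` The new `internal_tls_enabled` condition is written in flow style whereas the condition above it uses block style; block style would match the file. Unrelated to the commit's intent but worth a look: `tripleo::haproxy::crl_file` on the context line after the removed `ca_bundle` line is still set unconditionally from `InternalTLSCRLPEMFile`, so verify whether the same guard is needed there.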