Move HAProxy's public TLS logic from controller to service template
This decouples public TLS from the controller role so that it now runs wherever HAProxy is deployed.

Partially-Implements: blueprint composable-networks
Change-Id: I9e84a25a363899acf103015527787bdd8248949f
This commit is contained in:
parent
5bf7d6582b
commit
74e7e67459
@ -563,7 +563,6 @@ resources:
|
|||||||
extraconfig: {get_param: ExtraConfig}
|
extraconfig: {get_param: ExtraConfig}
|
||||||
controller:
|
controller:
|
||||||
# Misc
|
# Misc
|
||||||
tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
|
|
||||||
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
|
tripleo::packages::enable_upgrade: {get_input: enable_package_upgrade}
|
||||||
fqdn_internal_api: {get_attr: [NetHostMap, value, internal_api, fqdn]}
|
fqdn_internal_api: {get_attr: [NetHostMap, value, internal_api, fqdn]}
|
||||||
fqdn_storage: {get_attr: [NetHostMap, value, storage, fqdn]}
|
fqdn_storage: {get_attr: [NetHostMap, value, storage, fqdn]}
|
||||||
|
@ -7,6 +7,7 @@ description: >
|
|||||||
parameters:
|
parameters:
|
||||||
# Can be overridden via parameter_defaults in the environment
|
# Can be overridden via parameter_defaults in the environment
|
||||||
SSLCertificate:
|
SSLCertificate:
|
||||||
|
default: ''
|
||||||
description: >
|
description: >
|
||||||
The content of the SSL certificate (without Key) in PEM format.
|
The content of the SSL certificate (without Key) in PEM format.
|
||||||
type: string
|
type: string
|
||||||
|
@ -513,9 +513,6 @@ resources:
|
|||||||
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
|
fqdn_management: {get_attr: [NetHostMap, value, management, fqdn]}
|
||||||
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
|
fqdn_ctlplane: {get_attr: [NetHostMap, value, ctlplane, fqdn]}
|
||||||
fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
|
fqdn_external: {get_attr: [NetHostMap, value, external, fqdn]}
|
||||||
{%- if 'primary' in role.tags and 'controller' in role.tags %}
|
|
||||||
tripleo::haproxy::service_certificate: {get_attr: [NodeTLSData, deployed_ssl_certificate_path]}
|
|
||||||
{%- endif -%}
|
|
||||||
|
|
||||||
# Resource for site-specific injection of root certificate
|
# Resource for site-specific injection of root certificate
|
||||||
NodeTLSCAData:
|
NodeTLSCAData:
|
||||||
|
@ -57,6 +57,16 @@ parameters:
|
|||||||
MonitoringSubscriptionHaproxy:
|
MonitoringSubscriptionHaproxy:
|
||||||
default: 'overcloud-haproxy'
|
default: 'overcloud-haproxy'
|
||||||
type: string
|
type: string
|
||||||
|
SSLCertificate:
|
||||||
|
default: ''
|
||||||
|
description: >
|
||||||
|
The content of the SSL certificate (without Key) in PEM format.
|
||||||
|
type: string
|
||||||
|
DeployedSSLCertificatePath:
|
||||||
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
||||||
|
description: >
|
||||||
|
The filepath of the certificate as it will be stored in the controller.
|
||||||
|
type: string
|
||||||
InternalTLSCAFile:
|
InternalTLSCAFile:
|
||||||
default: '/etc/ipa/ca.crt'
|
default: '/etc/ipa/ca.crt'
|
||||||
type: string
|
type: string
|
||||||
@ -68,6 +78,14 @@ parameters:
|
|||||||
description: Specifies the default CRL PEM file to use for revocation if
|
description: Specifies the default CRL PEM file to use for revocation if
|
||||||
TLS is used for services in the internal network.
|
TLS is used for services in the internal network.
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
public_tls_enabled:
|
||||||
|
not:
|
||||||
|
equals:
|
||||||
|
- {get_param: SSLCertificate}
|
||||||
|
- ""
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
HAProxyPublicTLS:
|
HAProxyPublicTLS:
|
||||||
@ -98,8 +116,6 @@ outputs:
|
|||||||
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
|
|
||||||
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
|
|
||||||
- tripleo.haproxy.firewall_rules:
|
- tripleo.haproxy.firewall_rules:
|
||||||
'107 haproxy stats':
|
'107 haproxy stats':
|
||||||
dport: 1993
|
dport: 1993
|
||||||
@ -115,6 +131,12 @@ outputs:
|
|||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
|
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
|
||||||
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
|
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
|
||||||
|
- if:
|
||||||
|
- public_tls_enabled
|
||||||
|
- tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
|
||||||
|
- {}
|
||||||
|
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
|
||||||
|
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::haproxy
|
include ::tripleo::profile::base::haproxy
|
||||||
upgrade_tasks:
|
upgrade_tasks:
|
||||||
|
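Review bot: The description added for `DeployedSSLCertificatePath` (`The filepath of the certificate as it will be stored in the controller.`) is already stale within this hunk, since the point of the change is that HAProxy and therefore this file may now live on any role; it should read `The filepath of the certificate as it will be stored on the node running HAProxy.` A second, more practical concern is that `tripleo::haproxy::service_certificate` is no longer derived from the output of the resource that actually writes the file (the removed `get_attr: [NodeTLSData, deployed_ssl_certificate_path]`) but from a free-standing parameter, so if the deployment that installs the certificate uses a different path, or is not applied on a non-controller role hosting HAProxy, HAProxy is configured to use a file that may not exist and nothing in this template detects that. Where the file is written and whether its path is still bound to the same parameter is outside this hunk, so at minimum I would extend the description with `Must match the path used by the deployment that installs the certificate; when public TLS is enabled HAProxy will reference this file directly.` As a minor style point, the `public_tls_enabled` condition compares against `""` while the new defaults use `''`; both are empty strings, but consistent quoting would avoid a reader wondering whether they differ.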