openstack/tripleo-heat-templates
Code Issues Proposed changes

Merge "Mount the public TLS certificate for HAProxy on up(date|grade) on pacemaker"

Browse Source
This commit is contained in:
Zuul 2018-04-11 08:58:18 +00:00 committed by Gerrit Code Review
commit e9418e171c
2 changed files with 137 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

140
docker/services/pacemaker/haproxy.yaml
View File

@ -28,6 +28,16 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry. via parameter_defaults in the resource registry.
type: json type: json
SSLCertificate:
default: ''
description: >
The content of the SSL certificate (without Key) in PEM format.
type: string
PublicSSLCertificateAutogenerated:
default: false
description: >
Whether the public SSL certificate was autogenerated or not.
type: boolean
DeployedSSLCertificatePath: DeployedSSLCertificatePath:
default: '/etc/pki/tls/private/overcloud_endpoint.pem' default: '/etc/pki/tls/private/overcloud_endpoint.pem'
description: > description: >
@ -64,6 +74,15 @@ parameters:
conditions: conditions:
puppet_debug_enabled: {get_param: ConfigDebug} puppet_debug_enabled: {get_param: ConfigDebug}
public_tls_enabled:
or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
resources: resources:
@ -229,6 +248,58 @@ outputs:
metadata_settings: metadata_settings:
get_attr: [HAProxyBase, role_data, metadata_settings] get_attr: [HAProxyBase, role_data, metadata_settings]
update_tasks: update_tasks:
- name: Set HAProxy upgrade facts
block: &haproxy_update_upgrade_facts
- name: Check for haproxy Kolla configuration
stat:
path: /var/lib/config-data/puppet-generated/haproxy
register: haproxy_kolla_config
- name: Check if haproxy is already containerized
set_fact:
haproxy_containerized: "{{haproxy_kolla_config.stat.isdir | default(false)}}"
- name: get bootstrap nodeid
tags: common
command: hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid
register: bootstrap_node
- name: set is_bootstrap_node fact
tags: common
set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}}
- name: Mount TLS cert if needed
when:
- step|int == 1
- haproxy_containerized|bool
- is_bootstrap_node
block:
- name: Check haproxy public certificate configuration in pacemaker
command: cibadmin --query --xpath "//storage-mapping[@id='haproxy-cert']"
ignore_errors: true
register: haproxy_cert_mounted
- name: Disable the haproxy cluster resource
pacemaker_resource:
resource: haproxy-bundle
state: disable
wait_for_resource: true
register: output
retries: 5
until: output.rc == 0
# rc == 6 means the configuration doesn't exist in the CIB
when: haproxy_cert_mounted.rc == 6
- name: Set HAProxy public cert volume mount fact
set_fact:
haproxy_public_cert_path: {get_param: DeployedSSLCertificatePath}
haproxy_public_tls_enabled: {if: [public_tls_enabled, true, false]}
- name: Add a bind mount for public certificate in the haproxy bundle
command: pcs resource bundle update haproxy-bundle storage-map add id=haproxy-cert source-dir={{ haproxy_public_cert_path }} target-dir=/var/lib/kolla/config_files/src-tls/{{ haproxy_public_cert_path }} options=ro
when: haproxy_cert_mounted.rc == 6 and haproxy_public_tls_enabled|bool
- name: Enable the haproxy cluster resource
pacemaker_resource:
resource: haproxy-bundle
state: enable
wait_for_resource: true
register: output
retries: 5
until: output.rc == 0
when: haproxy_cert_mounted.rc == 6
- name: Haproxy fetch and retag container image for pacemaker - name: Haproxy fetch and retag container image for pacemaker
when: step|int == 2 when: step|int == 2
block: &haproxy_fetch_retag_container_tasks block: &haproxy_fetch_retag_container_tasks
@ -261,20 +332,8 @@ outputs:
- name: Get docker haproxy image - name: Get docker haproxy image
set_fact: set_fact:
docker_image_latest: *haproxy_image_pcmklatest docker_image_latest: *haproxy_image_pcmklatest
- name: Check for haproxy Kolla configuration - name: Set HAProxy upgrade facts
stat: block: *haproxy_update_upgrade_facts
path: /var/lib/config-data/puppet-generated/haproxy
register: haproxy_kolla_config
- name: Check if haproxy is already containerized
set_fact:
haproxy_containerized: "{{haproxy_kolla_config.stat.isdir | default(false)}}"
- name: get bootstrap nodeid
tags: common
command: hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid
register: bootstrap_node
- name: set is_bootstrap_node fact
tags: common
set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}}
- name: haproxy baremetal to container upgrade tasks - name: haproxy baremetal to container upgrade tasks
when: when:
- step|int == 1 - step|int == 1
@ -305,7 +364,7 @@ outputs:
register: output register: output
retries: 5 retries: 5
until: output.rc == 0 until: output.rc == 0
- name: Expose HAProxy stats socket on the host - name: Expose HAProxy stats socket on the host and mount TLS cert if needed
when: when:
- step|int == 1 - step|int == 1
- haproxy_containerized|bool - haproxy_containerized|bool
@ -315,28 +374,39 @@ outputs:
command: cibadmin --query --xpath "//storage-mapping[@id='haproxy-var-lib']" command: cibadmin --query --xpath "//storage-mapping[@id='haproxy-var-lib']"
ignore_errors: true ignore_errors: true
register: haproxy_stats_exposed register: haproxy_stats_exposed
- name: Change haproxy stats socket configuration in pacemaker - name: Check haproxy public certificate configuration in pacemaker
command: cibadmin --query --xpath "//storage-mapping[@id='haproxy-cert']"
ignore_errors: true
register: haproxy_cert_mounted
- name: Disable the haproxy cluster resource
pacemaker_resource:
resource: haproxy-bundle
state: disable
wait_for_resource: true
register: output
retries: 5
until: output.rc == 0
# rc == 6 means the configuration doesn't exist in the CIB # rc == 6 means the configuration doesn't exist in the CIB
when: haproxy_stats_exposed.rc == 6 or haproxy_cert_mounted.rc == 6
- name: Add a bind mount for stats socket in the haproxy bundle
command: pcs resource bundle update haproxy-bundle storage-map add id=haproxy-var-lib source-dir=/var/lib/haproxy target-dir=/var/lib/haproxy options=rw
when: haproxy_stats_exposed.rc == 6 when: haproxy_stats_exposed.rc == 6
block: - name: Set HAProxy public cert volume mount fact
- name: Disable the haproxy cluster resource set_fact:
pacemaker_resource: haproxy_public_cert_path: {get_param: DeployedSSLCertificatePath}
resource: haproxy-bundle haproxy_public_tls_enabled: {if: [public_tls_enabled, true, false]}
state: disable - name: Add a bind mount for public certificate in the haproxy bundle
wait_for_resource: true command: pcs resource bundle update haproxy-bundle storage-map add id=haproxy-cert source-dir={{ haproxy_public_cert_path }} target-dir=/var/lib/kolla/config_files/src-tls/{{ haproxy_public_cert_path }} options=ro
register: output when: haproxy_cert_mounted.rc == 6 and haproxy_public_tls_enabled|bool
retries: 5 - name: Enable the haproxy cluster resource
until: output.rc == 0 pacemaker_resource:
- name: Add a bind mount for stats socket in the haproxy bundle resource: haproxy-bundle
command: pcs resource bundle update haproxy-bundle storage-map add id=haproxy-var-lib source-dir=/var/lib/haproxy target-dir=/var/lib/haproxy options=rw state: enable
- name: Enable the haproxy cluster resource wait_for_resource: true
pacemaker_resource: register: output
resource: haproxy-bundle retries: 5
state: enable until: output.rc == 0
wait_for_resource: true when: haproxy_stats_exposed.rc == 6 or haproxy_cert_mounted.rc == 6
register: output
retries: 5
until: output.rc == 0
- name: Retag the pacemaker image if containerized - name: Retag the pacemaker image if containerized
when: when:
- step|int == 3 - step|int == 3

33
puppet/extraconfig/tls/tls-cert-inject.yaml
View File

@ -58,7 +58,10 @@ resources:
# If the HAProxy container tried to load this, it'll be a directory and # If the HAProxy container tried to load this, it'll be a directory and
# will make this fail. # will make this fail.
if [ -d ${cert_path} ]; then if [ -d ${cert_path} ]; then
rm -rf ${cert_path} rmdir ${cert_path}
HAPROXY_TLS_UPDATE_NEEDED=1
else
HAPROXY_TLS_UPDATE_NEEDED=0
fi fi
cat > ${cert_path} << EOF cat > ${cert_path} << EOF
${cert_chain_content} ${cert_chain_content}
@ -78,6 +81,34 @@ resources:
if [ "$haproxy_status" = "active" ]; then if [ "$haproxy_status" = "active" ]; then
systemctl reload haproxy systemctl reload haproxy
fi fi
pacemaker_status=$(systemctl is-active pacemaker)
# If we need an update and pacemaker is being used, we need to restart
# the pacemaker resource on the bootstrap node. We don't support the update
# in non-pacemaker cases.
if [[ $HAPROXY_TLS_UPDATE_NEEDED -eq 1 && "$pacemaker_status" == "active" ]]; then
BOOTSTRAPNODE=$(hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid)
MY_HOSTNAME=$(hostname)
if [[ "$BOOTSTRAPNODE" == "$MY_HOSTNAME" ]]; then
# Triggers an update
HAPROXY_RESOURCE_NAME=$(pcs status | grep container | grep haproxy | sed 's/^.*container.*: \(.*\) .*/\1/')
if [[ -n "$HAPROXY_RESOURCE_NAME" ]]; then
pcs resource restart "$HAPROXY_RESOURCE_NAME"
fi
fi
elif [[ $HAPROXY_TLS_UPDATE_NEEDED -eq 0 ]]; then
# Handles reloading HAProxy and fetching a new certificate if
# necessary
HAPROXY_CONTAINER_ID=$(docker ps | grep haproxy | awk '{print $1}')
if [[ -n "$HAPROXY_CONTAINER_ID" ]]; then
if [[ "$pacemaker_status" == "active" ]]; then
# We copy the certificate from the mount point to the desired
# path
docker exec "$HAPROXY_CONTAINER_ID" cp /var/lib/kolla/config_files/src-tls${cert_path} ${cert_path}
fi
docker kill --signal=HUP "$HAPROXY_CONTAINER_ID"
fi
fi
ControllerTLSDeployment: ControllerTLSDeployment:
type: OS::Heat::SoftwareDeployment type: OS::Heat::SoftwareDeployment