Merge "Simplify haproxy service templates"

This commit is contained in:
Zuul 2021-04-23 19:53:28 +00:00 committed by Gerrit Code Review
commit f38a5b89d3
5 changed files with 30 additions and 63 deletions


@ -111,7 +111,6 @@ parameters:
description: The tunnel timeout in seconds for the Zaqar API.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
public_tls_enabled:
and:
- {get_param: EnablePublicTLS}
@ -120,12 +119,9 @@ conditions:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
- {get_param: PublicSSLCertificateAutogenerated}
resources:
ContainersCommon:
type: ../containers-common.yaml
@ -182,14 +178,14 @@ outputs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
- if:
- public_tls_enabled
- tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
- {}
- if:
- internal_tls_enabled
- tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
- null
tripleo::haproxy::service_certificate:
if:
- public_tls_enabled
- {get_param: DeployedSSLCertificatePath}
tripleo::haproxy::ca_bundle:
if:
- {get_param: EnableInternalTLS}
- {get_param: InternalTLSCAFile}
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
# BEGIN DOCKER SETTINGS
@ -208,9 +204,8 @@ outputs:
- - {get_param: DeployedSSLCertificatePath}
- {get_param: DeployedSSLCertificatePath}
- 'ro,shared'
- null
- if:
- internal_tls_enabled
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro,shared
- /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro,shared
- list_join:
@ -223,7 +218,6 @@ outputs:
- - {get_param: InternalTLSCRLPEMDir}
- {get_param: InternalTLSCRLPEMDir}
- 'ro,shared'
- null
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
# HAProxy 1.8 doesn't ship haproxy-systemd-wrapper, we have
@ -263,8 +257,7 @@ outputs:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [HAProxyLogging, volumes]}
-
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/haproxy:/var/lib/kolla/config_files/src:ro
- /var/lib/haproxy:/var/lib/haproxy:rw,z
- if:
@ -277,9 +270,8 @@ outputs:
- - /var/lib/kolla/config_files/src-tls/
- {get_param: DeployedSSLCertificatePath}
- 'ro,shared'
- null
- if:
- internal_tls_enabled
- {get_param: EnableInternalTLS}
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro,shared
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro,shared
- list_join:
@ -287,7 +279,6 @@ outputs:
- - {get_param: InternalTLSCRLPEMDir}
- {get_param: InternalTLSCRLPEMDir}
- 'ro'
- null
environment:
KOLLA_CONFIG_STRATEGY: COPY_ALWAYS
deploy_steps_tasks:
@ -341,11 +332,9 @@ outputs:
- if:
- public_tls_enabled
- get_attr: [HAProxyPublicTLS, role_data, deploy_steps_tasks]
- []
- if:
- internal_tls_enabled
- {get_param: EnableInternalTLS}
- get_attr: [HAProxyInternalTLS, role_data, deploy_steps_tasks]
- []
upgrade_tasks:
- name: ensure we have haproxy log dir with the correct setype
file:
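Review bot: The two-argument `if:` forms introduced at the `tripleo::haproxy::service_certificate` and `tripleo::haproxy::ca_bundle` keys, and the `if:` calls that now take `{get_param: EnableInternalTLS}` directly as the condition (mount lists, deploy_steps_tasks), are only valid from `heat_template_version: wallaby` (2021-04-06) onward; the version header is outside this hunk, so presumably it has already been bumped, but older template versions reject both the omitted false branch and a condition that is not a named condition. A one-line comment at the first such use would save the next reader a trip to the Heat docs, e.g. `# two-argument if: the key is dropped entirely when public TLS is off (needs heat_template_version wallaby+)`. Note also that `ca_bundle` was previously merged as an explicit `null` when internal TLS is off and is now omitted, so the puppet class default applies instead — this looks equivalent from here, but is worth confirming against the manifest.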


@ -36,13 +36,7 @@ parameters:
type: boolean
default: false
conditions:
glance_api_proxy_enabled: {equals: [{get_param: EnableGlanceApiProxy}, true]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
HAProxyBase:
type: ./haproxy-container-puppet.yaml
properties:
@ -53,12 +47,11 @@ resources:
RoleParameters: {get_param: RoleParameters}
outputs:
glance_api_edge_uri:
description: URI of the glance-api service runing at the edge site.
value: &glance_api_edge_uri
if:
- internal_tls_enabled
- {get_param: EnableInternalTLS}
- str_replace:
template:
"https://%{hiera('fqdn_NETWORK')}:9292"
@ -91,7 +84,7 @@ outputs:
tripleo::haproxy::ec2_api_metadata: false
tripleo::haproxy::etcd: false
- if:
- glance_api_proxy_enabled
- {get_param: EnableGlanceApiProxy}
- tripleo::haproxy::glance_api: true
glance_api_vip:
str_replace:
@ -130,9 +123,8 @@ outputs:
map_merge:
- get_attr: [HAProxyBase, role_data, service_config_settings]
- if:
- glance_api_proxy_enabled
- {get_param: EnableGlanceApiProxy}
- cinder_volume:
cinder::glance::glance_api_servers: *glance_api_edge_uri
nova_compute:
nova::glance::endpoint_override: *glance_api_edge_uri
- {}
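Review bot: The `conditions:` key at the top of the first hunk appears to lose both of its entries (`glance_api_proxy_enabled`, `internal_tls_enabled`); if the key itself survives it resolves to a null mapping, which Heat does not treat as an empty conditions section, so the key should be deleted with its entries — this rendering does not show whether that was done. The `&glance_api_edge_uri` anchor now switches directly on `{get_param: EnableInternalTLS}`, consistent with the other haproxy templates in this change; since the aliased value feeds both `cinder::glance::glance_api_servers` and `nova::glance::endpoint_override`, a comment above the anchor noting that the URI scheme is decided by that single parameter would help, e.g. `# https only when EnableInternalTLS; the same URI is pushed to cinder-volume and nova-compute below`.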


@ -45,11 +45,10 @@ parameters:
certificate for this service
conditions:
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
key_size_override_set:
not: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
resources:
HAProxyNetworks:
type: OS::Heat::Value
properties:
@ -157,9 +156,9 @@ outputs:
KEYSDIR: {get_param: HAProxyInternalTLSKeysDirectory}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- key_size_override_set
- {get_param: HAProxyCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
for_each:
NETWORK: {get_attr: [HAProxyNetworks, value]}
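Review bot: The reordered `key_size:` selector still forwards `HAProxyCertificateKeySize` to certmonger unchecked whenever it is non-empty; the parameter definition starts above this hunk, so I cannot see whether it carries a `constraints:` entry, but a lower bound (a `range: {min: 2048}` if the type is number, or an `allowed_values` list) would stop a weak per-service override from being honoured. Independently of that, the precedence deserves a one-line comment above `key_size:`: `# per-service HAProxyCertificateKeySize wins when set ('' = unset); otherwise the global CertificateKeySize`.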


@ -107,7 +107,6 @@ parameters:
perform configuration on a Heat stack-update.
conditions:
puppet_debug_enabled: {get_param: ConfigDebug}
public_tls_enabled:
and:
- {get_param: EnablePublicTLS}
@ -116,16 +115,9 @@ conditions:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
common_tag_enabled: {equals: [{get_param: ClusterCommonTag}, true]}
common_tag_full: {equals: [{get_param: ClusterFullTag}, true]}
- {get_param: PublicSSLCertificateAutogenerated}
resources:
ContainersCommon:
type: ../containers-common.yaml
@ -179,13 +171,11 @@ outputs:
- if:
- public_tls_enabled
- - get_param: DeployedSSLCertificatePath
- null
- if:
- internal_tls_enabled
- {get_param: EnableInternalTLS}
- - get_param: InternalTLSCAFile
- get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
- null
# The init bundle users the container_puppet_apply_volumes list. That already contains InternalTLSCAFile
# and newer podmans refuse to start with duplicated mountpoints. That is why we cannot use tls_mapping
# but need a new mapping
@ -194,24 +184,22 @@ outputs:
- if:
- public_tls_enabled
- - get_param: DeployedSSLCertificatePath
- null
- if:
- internal_tls_enabled
- {get_param: EnableInternalTLS}
- - get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
- null
tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
# disable the use CRL file until we can restart the container when the file expires
tripleo::haproxy::crl_file: null
tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image_pcmklatest
if:
- common_tag_full
- {get_param: ClusterFullTag}
- "cluster.common.tag/haproxy:pcmklatest"
- yaql:
data:
if:
- common_tag_enabled
- {get_param: ClusterCommonTag}
- yaql:
data: {get_param: ContainerHAProxyImage}
expression: concat("cluster.common.tag/", $.data.rightSplit(separator => "/", maxSplits => 1)[1])
@ -350,9 +338,8 @@ outputs:
- get_attr: [HAProxyPublicTLS, role_data, deploy_steps_tasks]
- []
- if:
- internal_tls_enabled
- {get_param: EnableInternalTLS}
- get_attr: [HAProxyInternalTLS, role_data, deploy_steps_tasks]
- []
update_tasks:
- name: Tear-down non-HA haproxy container
when:
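Review bot: The second hunk deletes the `docker_enabled`, `common_tag_enabled` and `common_tag_full` conditions (and the first hunk apparently `puppet_debug_enabled`), but only the two `common_tag_*` uses are rewritten in view, at `haproxy_image_pcmklatest`; if `docker_enabled` or `puppet_debug_enabled` is still referenced by name further down the file, outside these hunks, the template fails validation with an unknown condition, so that should be confirmed before merge. The `if:` forms here that take `{get_param: ...}` as the condition and omit the false branch (both TLS mount lists) require `heat_template_version: wallaby` or newer, which is outside this view and presumably already bumped. A comment at the first such mount list, `# two-argument if: contributes nothing to the list when internal TLS is off`, would make the intent explicit for readers used to the `- null` form this replaces.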


@ -62,8 +62,8 @@ parameters:
description: Override the default HAProxy Certificate Principal
conditions:
key_size_override_unset: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
key_size_override_set:
not: {equals: [{get_param: HAProxyCertificateKeySize}, '']}
principal_override_set: {not: {equals: [{get_param: HAProxyCertificatePrincipal}, '']}}
dnsnames_override_set: {not: {equals: [{get_param: HAProxyCertificateDNSNames}, []]}}
@ -189,7 +189,7 @@ outputs:
PEMPATH: {get_param: DeployedSSLCertificatePath}
key_size:
if:
- key_size_override_unset
- {get_param: CertificateKeySize}
- key_size_override_set
- {get_param: HAProxyCertificateKeySize}
- {get_param: CertificateKeySize}
ca: "{{ (certmonger_ca == 'IPA' or idm_realm is defined) | ternary('ipa', 'self-sign') }}"
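Review bot: The rewritten `key_size:` selector mirrors the internal-TLS certmonger template, but the precedence is only implied by the `not: {equals: ['']}` condition; a one-line comment above `key_size:` would make it explicit: `# HAProxyCertificateKeySize overrides CertificateKeySize when set (empty string = unset)`. The `ca:` line below it is unchanged context, but worth remembering when reviewing the override: on a non-IPA deployment it falls back to `self-sign`, so the per-service key size also governs that self-signed public key.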