heat_template_version: rocky description: > OpenStack containerized HAproxy service parameters: DockerHAProxyImage: description: image type: string DockerHAProxyConfigImage: description: The container image to use for the haproxy config_volume type: string ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json HAProxyStatsPassword: description: Password for HAProxy stats endpoint hidden: true type: string HAProxyStatsUser: description: User for HAProxy stats endpoint default: admin type: string HAProxySyslogAddress: default: /dev/log description: Syslog address where HAproxy will send its log type: string HAProxySyslogFacility: default: local0 description: Syslog facility HAProxy will use for its logs type: string SSLCertificate: default: '' description: > The content of the SSL certificate (without Key) in PEM format. type: string PublicSSLCertificateAutogenerated: default: false description: > Whether the public SSL certificate was autogenerated or not. type: boolean EnablePublicTLS: default: true description: > Whether to enable TLS on the public interface or not. type: boolean DeployedSSLCertificatePath: default: '/etc/pki/tls/private/overcloud_endpoint.pem' description: > The filepath of the certificate as it will be stored in the controller. type: string RedisPassword: description: The password for the redis service account. type: string hidden: true MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. ConfigDebug: default: false description: Whether to run config management (e.g. Puppet) in debug mode. type: boolean EnableLoadBalancer: default: true description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used. type: boolean HAProxyStatsEnabled: default: true description: Whether or not to enable the HAProxy stats interface. type: boolean InternalTLSCRLPEMFile: default: '/etc/pki/CA/crl/overcloud-crl.pem' type: string description: Specifies the default CRL PEM file to use for revocation if TLS is used for services in the internal network. conditions: puppet_debug_enabled: {get_param: ConfigDebug} internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} public_tls_enabled: and: - {get_param: EnablePublicTLS} - or: - not: equals: - {get_param: SSLCertificate} - "" - equals: - {get_param: PublicSSLCertificateAutogenerated} - true resources: ContainersCommon: type: ../containers-common.yaml HAProxyLogging: type: OS::TripleO::Services::Logging::HAProxy HAProxyPublicTLS: type: OS::TripleO::Services::HAProxyPublicTLS properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} HAProxyInternalTLS: type: OS::TripleO::Services::HAProxyInternalTLS properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Role data for the HAproxy role. value: service_name: haproxy monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: map_merge: - get_attr: [HAProxyLogging, config_settings] - tripleo::haproxy::haproxy_service_manage: false # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy # when this is updated tripleo::haproxy::crl_file: null - tripleo::haproxy::firewall_rules: '107 haproxy stats': dport: 1993 tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress} tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility} tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser} tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword} tripleo::haproxy::redis_password: {get_param: RedisPassword} tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile} tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled} enable_load_balancer: {get_param: EnableLoadBalancer} tripleo::profile::base::haproxy::certificates_specs: map_merge: - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] - if: - public_tls_enabled - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath} - {} - if: - internal_tls_enabled - tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile} - null - get_attr: [HAProxyPublicTLS, role_data, config_settings] - get_attr: [HAProxyInternalTLS, role_data, config_settings] # BEGIN DOCKER SETTINGS puppet_config: config_volume: haproxy puppet_tags: haproxy_config step_config: | class {'::tripleo::profile::base::haproxy': manage_firewall => false} config_image: {get_param: DockerHAProxyConfigImage} volumes: list_concat: - if: - public_tls_enabled - - list_join: - ':' - - {get_param: DeployedSSLCertificatePath} - {get_param: DeployedSSLCertificatePath} - 'ro,shared' - null - if: - internal_tls_enabled - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro,shared - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro,shared - list_join: - ':' - - {get_param: InternalTLSCAFile} - {get_param: InternalTLSCAFile} - 'ro,shared' - null kolla_config: /var/lib/kolla/config_files/haproxy.json: # HAProxy 1.8 doesn't ship haproxy-systemd-wrapper, we have # to use a new dedicated option for live config reload. # Note: we can't use quotes in kolla command, hence the workaround command: bash -c $* -- eval if [ -f /usr/sbin/haproxy-systemd-wrapper ]; then exec /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg; else exec /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -Ws; fi config_files: - source: "/var/lib/kolla/config_files/src/*" dest: "/" merge: true preserve_properties: true - source: "/var/lib/kolla/config_files/src-tls/*" dest: "/" merge: true preserve_properties: true optional: true permissions: - path: /var/lib/haproxy owner: haproxy:haproxy recurse: true - path: /etc/pki/tls/certs/haproxy owner: haproxy:haproxy recurse: true optional: true container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]} docker_config: step_1: map_merge: - get_attr: [HAProxyLogging, docker_config, step_1] - haproxy: start_order: 1 image: {get_param: DockerHAProxyImage} net: host restart: always security_opt: label=disable volumes: list_concat: - {get_attr: [ContainersCommon, volumes]} - {get_attr: [HAProxyLogging, volumes]} - - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro - /var/lib/haproxy:/var/lib/haproxy:rw,z - if: - public_tls_enabled - - list_join: - ':' - - {get_param: DeployedSSLCertificatePath} - list_join: - '' - - /var/lib/kolla/config_files/src-tls/ - {get_param: DeployedSSLCertificatePath} - 'ro,shared' - null - if: - internal_tls_enabled - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro,shared - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro,shared - list_join: - ':' - - {get_param: InternalTLSCAFile} - {get_param: InternalTLSCAFile} - 'ro' - null environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS deploy_steps_tasks: - name: Run puppet on the host to apply IPtables rules when: step|int == 1 shell: | set +e export FACTER_step=1 puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \ --modulepath {{ puppet_modulepath }} --tags {{ puppet_tags }} -e {{ puppet_execute }} rc=$? set -e set +ux if [ $rc -eq 2 -o $rc -eq 0 ]; then exit 0 fi exit $rc vars: puppet_execute: include ::tripleo::profile::base::haproxy puppet_tags: 'tripleo::firewall::rule' puppet_modulepath: '/etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules' puppet_debug: if: - puppet_debug_enabled - '--debug --verbose' - '' upgrade_tasks: - name: ensure we have haproxy log dir with the correct setype file: path: /var/log/containers/haproxy state: directory setype: var_log_t recurse: yes post_upgrade_tasks: - when: step|int == 1 import_role: name: tripleo-docker-rm vars: containers_to_rm: - haproxy host_prep_tasks: - {get_attr: [HAProxyPublicTLS, role_data, host_prep_tasks]} - name: Check if rsyslog exists shell: systemctl is-active rsyslog register: rsyslog_config - when: - rsyslog_config is changed - rsyslog_config.rc == 0 block: - name: Forward logging to haproxy.log file blockinfile: content: | if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log & stop create: yes path: /etc/rsyslog.d/openstack-haproxy.conf vars: facility: {get_param: HAProxySyslogFacility} register: logconfig - name: restart rsyslog service after logging conf change service: name: rsyslog state: restarted when: logconfig is changed - name: create persistent directories file: path: "{{ item.path }}" state: directory setype: "{{ item.setype }}" with_items: - { 'path': /var/log/containers/haproxy, 'setype': var_log_t } - { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t } - { 'path': /var/log/haproxy, 'setype': svirt_sandbox_file_t } - name: haproxy logs readme copy: dest: /var/log/haproxy/readme.txt content: | Log files from the haproxy containers can be found under /var/log/containers/haproxy. ignore_errors: true metadata_settings: list_concat: - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} - {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}