74e7e67459
This de-couples public TLS from controllers to now run wherever HAProxy is deployed. Partially-Implements: blueprint composable-networks Change-Id: I9e84a25a363899acf103015527787bdd8248949f
164 lines
5.7 KiB
YAML
164 lines
5.7 KiB
YAML
heat_template_version: pike
|
|
|
|
description: >
|
|
HAproxy service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableLoadBalancer:
|
|
default: true
|
|
description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used.
|
|
type: boolean
|
|
HAProxyStatsPassword:
|
|
description: Password for HAProxy stats endpoint
|
|
hidden: true
|
|
type: string
|
|
HAProxyStatsUser:
|
|
description: User for HAProxy stats endpoint
|
|
default: admin
|
|
type: string
|
|
HAProxySyslogAddress:
|
|
default: /dev/log
|
|
description: Syslog address where HAproxy will send its log
|
|
type: string
|
|
HAProxyStatsEnabled:
|
|
default: true
|
|
description: Whether or not to enable the HAProxy stats interface.
|
|
type: boolean
|
|
RedisPassword:
|
|
description: The password for the redis service account.
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionHaproxy:
|
|
default: 'overcloud-haproxy'
|
|
type: string
|
|
SSLCertificate:
|
|
default: ''
|
|
description: >
|
|
The content of the SSL certificate (without Key) in PEM format.
|
|
type: string
|
|
DeployedSSLCertificatePath:
|
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
|
description: >
|
|
The filepath of the certificate as it will be stored in the controller.
|
|
type: string
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
InternalTLSCRLPEMFile:
|
|
default: '/etc/pki/CA/crl/overcloud-crl.pem'
|
|
type: string
|
|
description: Specifies the default CRL PEM file to use for revocation if
|
|
TLS is used for services in the internal network.
|
|
|
|
conditions:
|
|
|
|
public_tls_enabled:
|
|
not:
|
|
equals:
|
|
- {get_param: SSLCertificate}
|
|
- ""
|
|
|
|
resources:
|
|
|
|
HAProxyPublicTLS:
|
|
type: OS::TripleO::Services::HAProxyPublicTLS
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
HAProxyInternalTLS:
|
|
type: OS::TripleO::Services::HAProxyInternalTLS
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the HAproxy role.
|
|
value:
|
|
service_name: haproxy
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
|
config_settings:
|
|
map_merge:
|
|
- tripleo.haproxy.firewall_rules:
|
|
'107 haproxy stats':
|
|
dport: 1993
|
|
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
|
|
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
|
|
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
|
|
tripleo::haproxy::redis_password: {get_param: RedisPassword}
|
|
tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
|
|
tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
|
|
tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
|
|
enable_load_balancer: {get_param: EnableLoadBalancer}
|
|
tripleo::profile::base::haproxy::certificates_specs:
|
|
map_merge:
|
|
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
|
|
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
|
|
- if:
|
|
- public_tls_enabled
|
|
- tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
|
|
- {}
|
|
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
|
|
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
|
|
step_config: |
|
|
include ::tripleo::profile::base::haproxy
|
|
upgrade_tasks:
|
|
- name: Check if haproxy is deployed
|
|
command: systemctl is-enabled haproxy
|
|
tags: common
|
|
ignore_errors: True
|
|
register: haproxy_enabled
|
|
- name: "PreUpgrade step0,validation: Check service haproxy is running"
|
|
shell: /usr/bin/systemctl show 'haproxy' --property ActiveState | grep '\bactive\b'
|
|
when: haproxy_enabled.rc == 0
|
|
tags: step0,validation
|
|
- name: Stop haproxy service
|
|
tags: step2
|
|
when: haproxy_enabled.rc == 0
|
|
service: name=haproxy state=stopped
|
|
- name: Start haproxy service
|
|
tags: step4 # Needed at step 4 for mysql
|
|
when: haproxy_enabled.rc == 0
|
|
service: name=haproxy state=started
|
|
metadata_settings:
|
|
list_concat:
|
|
- {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
|
|
- {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}
|