tripleo-heat-templates/puppet/services/haproxy.yaml
Juan Antonio Osorio Robles 5ca1aee232 Only set ca_bundle for HAProxy if internal TLS enabled & fix mounts
* We don't use this setup if TLS everywhere is not enabled, so lets set it
  up as such. This prevents the HAProxy container managed by pacemaker of
  mounting this file.
* Also fix the docker service to exercise the if with proper syntax.

Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Change-Id: Id8dff81c5af390446507bcef458a135fc2287186
2018-09-18 22:03:59 -04:00

192 lines
6.5 KiB
YAML

heat_template_version: rocky
description: >
HAproxy service configured with Puppet
parameters:
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableLoadBalancer:
default: true
description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used.
type: boolean
HAProxyStatsPassword:
description: Password for HAProxy stats endpoint
hidden: true
type: string
HAProxyStatsUser:
description: User for HAProxy stats endpoint
default: admin
type: string
HAProxySyslogAddress:
default: /dev/log
description: Syslog address where HAproxy will send its log
type: string
HAProxyStatsEnabled:
default: true
description: Whether or not to enable the HAProxy stats interface.
type: boolean
RedisPassword:
description: The password for the redis service account.
type: string
hidden: true
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
SSLCertificate:
default: ''
description: >
The content of the SSL certificate (without Key) in PEM format.
type: string
PublicSSLCertificateAutogenerated:
default: false
description: >
Whether the public SSL certificate was autogenerated or not.
type: boolean
EnablePublicTLS:
default: true
description: >
Whether to enable TLS on the public interface or not.
type: boolean
DeployedSSLCertificatePath:
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
description: >
The filepath of the certificate as it will be stored in the controller.
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
InternalTLSCRLPEMFile:
default: '/etc/pki/CA/crl/overcloud-crl.pem'
type: string
description: Specifies the default CRL PEM file to use for revocation if
TLS is used for services in the internal network.
conditions:
public_tls_enabled:
and:
- {get_param: EnablePublicTLS}
- or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
HAProxyPublicTLS:
type: OS::TripleO::Services::HAProxyPublicTLS
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
HAProxyInternalTLS:
type: OS::TripleO::Services::HAProxyInternalTLS
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the HAproxy role.
value:
service_name: haproxy
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
config_settings:
map_merge:
- tripleo.haproxy.firewall_rules:
'107 haproxy stats':
dport: 1993
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
enable_load_balancer: {get_param: EnableLoadBalancer}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
- if:
- public_tls_enabled
- tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
- {}
- if:
- internal_tls_enabled
- tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
- null
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
step_config: |
include ::tripleo::profile::base::haproxy
upgrade_tasks:
- name: Check if haproxy is deployed
command: systemctl is-enabled haproxy
tags: common
ignore_errors: True
register: haproxy_enabled
- name: "PreUpgrade step0,validation: Check service haproxy is running"
shell: /usr/bin/systemctl show 'haproxy' --property ActiveState | grep '\bactive\b'
when:
- step|int == 0
- haproxy_enabled.rc == 0
tags: validation
- name: Stop haproxy service
when:
- step|int == 2
- haproxy_enabled.rc == 0
service: name=haproxy state=stopped
- name: Start haproxy service
when:
- step|int == 4
- haproxy_enabled.rc == 0
service: name=haproxy state=started
host_prep_tasks: {get_attr: [HAProxyPublicTLS, role_data, host_prep_tasks]}
metadata_settings:
list_concat:
- {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
- {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}