bbab8507fc
Deactivating selinux separation for now will allow haproxy to access its certificate without any issue. Change-Id: Ia00219337737dca87f745af5519effc04ce0a620
312 lines
12 KiB
YAML
312 lines
12 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized HAproxy service
|
|
|
|
parameters:
|
|
DockerHAProxyImage:
|
|
description: image
|
|
type: string
|
|
DockerHAProxyConfigImage:
|
|
description: The container image to use for the haproxy config_volume
|
|
type: string
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
HAProxyStatsPassword:
|
|
description: Password for HAProxy stats endpoint
|
|
hidden: true
|
|
type: string
|
|
HAProxyStatsUser:
|
|
description: User for HAProxy stats endpoint
|
|
default: admin
|
|
type: string
|
|
HAProxySyslogAddress:
|
|
default: /dev/log
|
|
description: Syslog address where HAproxy will send its log
|
|
type: string
|
|
SSLCertificate:
|
|
default: ''
|
|
description: >
|
|
The content of the SSL certificate (without Key) in PEM format.
|
|
type: string
|
|
PublicSSLCertificateAutogenerated:
|
|
default: false
|
|
description: >
|
|
Whether the public SSL certificate was autogenerated or not.
|
|
type: boolean
|
|
EnablePublicTLS:
|
|
default: true
|
|
description: >
|
|
Whether to enable TLS on the public interface or not.
|
|
type: boolean
|
|
DeployedSSLCertificatePath:
|
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
|
description: >
|
|
The filepath of the certificate as it will be stored in the controller.
|
|
type: string
|
|
RedisPassword:
|
|
description: The password for the redis service account.
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionHaproxy:
|
|
default: 'overcloud-haproxy'
|
|
type: string
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
ConfigDebug:
|
|
default: false
|
|
description: Whether to run config management (e.g. Puppet) in debug mode.
|
|
type: boolean
|
|
UpgradeRemoveUnusedPackages:
|
|
default: false
|
|
description: Remove package if the service is being disabled during upgrade
|
|
type: boolean
|
|
|
|
conditions:
|
|
puppet_debug_enabled: {get_param: ConfigDebug}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
public_tls_enabled:
|
|
and:
|
|
- {get_param: EnablePublicTLS}
|
|
- or:
|
|
- not:
|
|
equals:
|
|
- {get_param: SSLCertificate}
|
|
- ""
|
|
- equals:
|
|
- {get_param: PublicSSLCertificateAutogenerated}
|
|
- true
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
HAProxyBase:
|
|
type: ../../puppet/services/haproxy.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
HAProxyLogging:
|
|
type: OS::TripleO::Services::Logging::HAProxy
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the HAproxy role.
|
|
value:
|
|
service_name: {get_attr: [HAProxyBase, role_data, service_name]}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [HAProxyBase, role_data, config_settings]
|
|
- get_attr: [HAProxyLogging, config_settings]
|
|
- tripleo::haproxy::haproxy_service_manage: false
|
|
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
|
|
# when this is updated
|
|
tripleo::haproxy::crl_file: null
|
|
logging_source: {get_attr: [HAProxyBase, role_data, logging_source]}
|
|
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: haproxy
|
|
puppet_tags: haproxy_config
|
|
step_config:
|
|
"class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
|
|
config_image: {get_param: DockerHAProxyConfigImage}
|
|
volumes:
|
|
list_concat:
|
|
- if:
|
|
- public_tls_enabled
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: DeployedSSLCertificatePath}
|
|
- {get_param: DeployedSSLCertificatePath}
|
|
- 'ro,shared'
|
|
- null
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro,shared
|
|
- /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro,shared
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro,shared'
|
|
- null
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/haproxy.json:
|
|
command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/lib/haproxy
|
|
owner: haproxy:haproxy
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/haproxy
|
|
owner: haproxy:haproxy
|
|
recurse: true
|
|
optional: true
|
|
docker_config_scripts: {get_attr: [ContainersCommon, docker_config_scripts]}
|
|
docker_config:
|
|
step_1:
|
|
map_merge:
|
|
- get_attr: [HAProxyLogging, docker_config, step_1]
|
|
- haproxy_firewall:
|
|
start_order: 1
|
|
detach: false
|
|
image: {get_param: DockerHAProxyImage}
|
|
net: host
|
|
user: root
|
|
privileged: true
|
|
command: # '/docker_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
|
|
list_concat:
|
|
- - '/docker_puppet_apply.sh'
|
|
- '1'
|
|
- 'tripleo::firewall::rule'
|
|
- {get_attr: [HAProxyBase, role_data, step_config]}
|
|
- if:
|
|
- puppet_debug_enabled
|
|
- - '--debug --verbose'
|
|
- - ''
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
|
|
- - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
|
|
# puppet saves iptables rules in /etc/sysconfig
|
|
- /etc/sysconfig:/etc/sysconfig:rw
|
|
# saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
|
|
# the necessary bit and prevent systemd to try to reload the service in the container
|
|
- /usr/libexec/iptables:/usr/libexec/iptables:ro
|
|
- /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
|
|
- /var/lib/haproxy:/var/lib/haproxy:rw
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
haproxy:
|
|
start_order: 1
|
|
image: {get_param: DockerHAProxyImage}
|
|
net: host
|
|
restart: always
|
|
security_opt: label=disable
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [HAProxyLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/haproxy:/var/lib/haproxy:rw
|
|
- if:
|
|
- public_tls_enabled
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: DeployedSSLCertificatePath}
|
|
- list_join:
|
|
- ''
|
|
- - /var/lib/kolla/config_files/src-tls/
|
|
- {get_param: DeployedSSLCertificatePath}
|
|
- 'ro,shared'
|
|
- null
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro,shared
|
|
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro,shared
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- null
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
upgrade_tasks:
|
|
- when: step|int == 0
|
|
tags: common
|
|
block:
|
|
- name: Check if HAproxy is deployed
|
|
command: systemctl is-enabled --quiet haproxy
|
|
ignore_errors: True
|
|
register: haproxy_enabled_result
|
|
- name: Set fact haproxy_enabled
|
|
set_fact:
|
|
haproxy_enabled: "{{ haproxy_enabled_result.rc == 0 }}"
|
|
- name: "PreUpgrade step0,validation: Check service HAproxy is running"
|
|
command: systemctl is-active --quiet haproxy
|
|
tags: validation
|
|
when: haproxy_enabled|bool
|
|
- when: step|int == 2
|
|
block:
|
|
- name: Stop and disable haproxy service
|
|
when: haproxy_enabled|bool
|
|
service: name=haproxy state=stopped enabled=no
|
|
- when: step|int == 3
|
|
block:
|
|
- name: Set fact for removal of HAproxy package
|
|
set_fact:
|
|
remove_haproxy_package: {get_param: UpgradeRemoveUnusedPackages}
|
|
- name: Remove HAproxy package if operator requests it
|
|
package: name=haproxy state=removed
|
|
ignore_errors: True
|
|
when: remove_haproxy_package|bool
|
|
host_prep_tasks:
|
|
- {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/haproxy, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
|
|
- name: haproxy logs readme
|
|
copy:
|
|
dest: /var/log/haproxy/readme.txt
|
|
content: |
|
|
Log files from the haproxy containers can be found under
|
|
/var/log/containers/haproxy.
|
|
ignore_errors: true
|
|
metadata_settings:
|
|
get_attr: [HAProxyBase, role_data, metadata_settings]
|