tripleo-heat-templates/deployment/haproxy/haproxy-container-puppet.yaml
Jose Luis Franco Arza d1035703b7 Force removal of docker container in tripleo-docker-rm.
The tripleo-docker-rm role has been replaced by tripleo-container-rm [0].
This role will identify the docker engine via the container_cli variable
and perform a deletion of that container. However, these tasks inside the
post_upgrade_tasks section were thought to remove the old docker containers
after upgrading from rocky to stein, in which podman starts to be the
container engine by default.

For that reason, we need to ensure that the container engine in which the
containers are removed is docker, as otherwise we will be removing the
podman container and the deployment steps will fail.

Closes-Bug: #1836531
[0] - 2135446a35

Depends-On: https://review.opendev.org/#/c/671698/
Change-Id: Ib139a1d77f71fc32a49c9878d1b4a6d07564e9dc
2019-07-19 12:37:35 +00:00

370 lines
14 KiB
YAML

heat_template_version: rocky
description: >
OpenStack containerized HAproxy service
parameters:
ContainerHAProxyImage:
description: image
type: string
ContainerHAProxyConfigImage:
description: The container image to use for the haproxy config_volume
type: string
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
HAProxyStatsPassword:
description: Password for HAProxy stats endpoint
hidden: true
type: string
HAProxyStatsUser:
description: User for HAProxy stats endpoint
default: admin
type: string
HAProxySyslogAddress:
default: /dev/log
description: Syslog address where HAproxy will send its log
type: string
HAProxySyslogFacility:
default: local0
description: Syslog facility HAProxy will use for its logs
type: string
SSLCertificate:
default: ''
description: >
The content of the SSL certificate (without Key) in PEM format.
type: string
PublicSSLCertificateAutogenerated:
default: false
description: >
Whether the public SSL certificate was autogenerated or not.
type: boolean
EnablePublicTLS:
default: true
description: >
Whether to enable TLS on the public interface or not.
type: boolean
DeployedSSLCertificatePath:
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
description: >
The filepath of the certificate as it will be stored in the controller.
type: string
RedisPassword:
description: The password for the redis service account.
type: string
hidden: true
MonitoringSubscriptionHaproxy:
default: 'overcloud-haproxy'
type: string
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
ConfigDebug:
default: false
description: Whether to run config management (e.g. Puppet) in debug mode.
type: boolean
EnableLoadBalancer:
default: true
description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used.
type: boolean
HAProxyStatsEnabled:
default: true
description: Whether or not to enable the HAProxy stats interface.
type: boolean
InternalTLSCRLPEMFile:
default: '/etc/pki/CA/crl/overcloud-crl.pem'
type: string
description: Specifies the default CRL PEM file to use for revocation if
TLS is used for services in the internal network.
conditions:
puppet_debug_enabled: {get_param: ConfigDebug}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
public_tls_enabled:
and:
- {get_param: EnablePublicTLS}
- or:
- not:
equals:
- {get_param: SSLCertificate}
- ""
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
resources:
ContainersCommon:
type: ../containers-common.yaml
HAProxyLogging:
type: OS::TripleO::Services::Logging::HAProxy
HAProxyPublicTLS:
type: OS::TripleO::Services::HAProxyPublicTLS
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
HAProxyInternalTLS:
type: OS::TripleO::Services::HAProxyInternalTLS
properties:
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
EndpointMap: {get_param: EndpointMap}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the HAproxy role.
value:
service_name: haproxy
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
config_settings:
map_merge:
- get_attr: [HAProxyLogging, config_settings]
- tripleo::haproxy::haproxy_service_manage: false
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
# when this is updated
tripleo::haproxy::crl_file: null
- tripleo::haproxy::firewall_rules:
'107 haproxy stats':
dport: 1993
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
tripleo::haproxy::haproxy_log_facility: {get_param: HAProxySyslogFacility}
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::haproxy_stats_bind_address:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, HaproxyNetwork]}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
enable_load_balancer: {get_param: EnableLoadBalancer}
tripleo::profile::base::haproxy::certificates_specs:
map_merge:
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
- if:
- public_tls_enabled
- tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
- {}
- if:
- internal_tls_enabled
- tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
- null
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: haproxy
puppet_tags: haproxy_config
step_config: |
class {'::tripleo::profile::base::haproxy': manage_firewall => false}
config_image: {get_param: ContainerHAProxyConfigImage}
volumes:
list_concat:
- if:
- public_tls_enabled
- - list_join:
- ':'
- - {get_param: DeployedSSLCertificatePath}
- {get_param: DeployedSSLCertificatePath}
- 'ro,shared'
- null
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro,shared
- /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro,shared
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro,shared'
- null
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
# HAProxy 1.8 doesn't ship haproxy-systemd-wrapper, we have
# to use a new dedicated option for live config reload.
# Note: we can't use quotes in kolla command, hence the workaround
command: bash -c $* -- eval if [ -f /usr/sbin/haproxy-systemd-wrapper ]; then exec /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg; else exec /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -Ws; fi
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/lib/haproxy
owner: haproxy:haproxy
recurse: true
- path: /etc/pki/tls/certs/haproxy
owner: haproxy:haproxy
recurse: true
optional: true
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
docker_config:
step_1:
map_merge:
- get_attr: [HAProxyLogging, docker_config, step_1]
- haproxy:
start_order: 1
image: {get_param: ContainerHAProxyImage}
net: host
restart: always
security_opt: label=disable
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [HAProxyLogging, volumes]}
-
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
- /var/lib/haproxy:/var/lib/haproxy:rw,z
- if:
- public_tls_enabled
- - list_join:
- ':'
- - {get_param: DeployedSSLCertificatePath}
- list_join:
- ''
- - /var/lib/kolla/config_files/src-tls/
- {get_param: DeployedSSLCertificatePath}
- 'ro,shared'
- null
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro,shared
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro,shared
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
deploy_steps_tasks:
- name: Run puppet on the host to apply IPtables rules
when: step|int == 1
shell: |
set +e
puppet apply {{ puppet_debug }} --detailed-exitcodes --summarize --color=false \
--modulepath '{{ puppet_modulepath }}' --tags '{{ puppet_tags }}' -e '{{ puppet_execute }}'
rc=$?
set -e
set +ux
if [ $rc -eq 2 -o $rc -eq 0 ]; then
exit 0
fi
exit $rc
vars:
puppet_execute: include ::tripleo::profile::base::haproxy
puppet_tags: tripleo::firewall::rule
puppet_modulepath: /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules
puppet_debug:
if:
- puppet_debug_enabled
- '--debug --verbose'
- ''
upgrade_tasks:
- name: ensure we have haproxy log dir with the correct setype
file:
path: /var/log/containers/haproxy
state: directory
setype: var_log_t
recurse: yes
post_upgrade_tasks:
- when: step|int == 1
import_role:
name: tripleo-docker-rm
vars:
containers_to_rm:
- haproxy
tripleo_container_cli: "docker"
host_prep_tasks:
- {get_attr: [HAProxyPublicTLS, role_data, host_prep_tasks]}
- name: Check if rsyslog exists
shell: systemctl is-active rsyslog
register: rsyslog_config
- when:
- rsyslog_config is changed
- rsyslog_config.rc == 0
block:
- name: Forward logging to haproxy.log file
blockinfile:
content: |
if $syslogfacility-text == '{{facility}}' and $programname == 'haproxy' then -/var/log/containers/haproxy/haproxy.log
& stop
create: yes
path: /etc/rsyslog.d/openstack-haproxy.conf
vars:
facility: {get_param: HAProxySyslogFacility}
register: logconfig
- name: restart rsyslog service after logging conf change
service:
name: rsyslog
state: restarted
when: logconfig is changed
- name: create persistent directories
file:
path: "{{ item.path }}"
state: directory
setype: "{{ item.setype }}"
with_items:
- { 'path': /var/log/containers/haproxy, 'setype': var_log_t }
- { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
- { 'path': /var/log/haproxy, 'setype': svirt_sandbox_file_t }
- name: haproxy logs readme
copy:
dest: /var/log/haproxy/readme.txt
content: |
Log files from the haproxy containers can be found under
/var/log/containers/haproxy.
ignore_errors: true
metadata_settings:
list_concat:
- {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
- {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}