e4ee042a2a
We don't need upgrade_tasks that stop systemd services since all services are now containerized. However, we decided to keep the tasks that remove the rpms in case some of deployments didn't cleanup them in previous releases, they can still do it now. Change-Id: I6abdc9e37966cd818306f7af473958fd4662ccb5 Related-Bug: #1806733
299 lines
11 KiB
YAML
299 lines
11 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack containerized HAproxy service
|
|
|
|
parameters:
|
|
DockerHAProxyImage:
|
|
description: image
|
|
type: string
|
|
DockerHAProxyConfigImage:
|
|
description: The container image to use for the haproxy config_volume
|
|
type: string
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
HAProxyStatsPassword:
|
|
description: Password for HAProxy stats endpoint
|
|
hidden: true
|
|
type: string
|
|
HAProxyStatsUser:
|
|
description: User for HAProxy stats endpoint
|
|
default: admin
|
|
type: string
|
|
HAProxySyslogAddress:
|
|
default: /dev/log
|
|
description: Syslog address where HAproxy will send its log
|
|
type: string
|
|
SSLCertificate:
|
|
default: ''
|
|
description: >
|
|
The content of the SSL certificate (without Key) in PEM format.
|
|
type: string
|
|
PublicSSLCertificateAutogenerated:
|
|
default: false
|
|
description: >
|
|
Whether the public SSL certificate was autogenerated or not.
|
|
type: boolean
|
|
EnablePublicTLS:
|
|
default: true
|
|
description: >
|
|
Whether to enable TLS on the public interface or not.
|
|
type: boolean
|
|
DeployedSSLCertificatePath:
|
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
|
description: >
|
|
The filepath of the certificate as it will be stored in the controller.
|
|
type: string
|
|
RedisPassword:
|
|
description: The password for the redis service account.
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionHaproxy:
|
|
default: 'overcloud-haproxy'
|
|
type: string
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
ConfigDebug:
|
|
default: false
|
|
description: Whether to run config management (e.g. Puppet) in debug mode.
|
|
type: boolean
|
|
UpgradeRemoveUnusedPackages:
|
|
default: false
|
|
description: Remove package if the service is being disabled during upgrade
|
|
type: boolean
|
|
|
|
conditions:
|
|
puppet_debug_enabled: {get_param: ConfigDebug}
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
public_tls_enabled:
|
|
and:
|
|
- {get_param: EnablePublicTLS}
|
|
- or:
|
|
- not:
|
|
equals:
|
|
- {get_param: SSLCertificate}
|
|
- ""
|
|
- equals:
|
|
- {get_param: PublicSSLCertificateAutogenerated}
|
|
- true
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
HAProxyBase:
|
|
type: ../../puppet/services/haproxy.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
HAProxyLogging:
|
|
type: OS::TripleO::Services::Logging::HAProxy
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the HAproxy role.
|
|
value:
|
|
service_name: {get_attr: [HAProxyBase, role_data, service_name]}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [HAProxyBase, role_data, config_settings]
|
|
- get_attr: [HAProxyLogging, config_settings]
|
|
- tripleo::haproxy::haproxy_service_manage: false
|
|
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
|
|
# when this is updated
|
|
tripleo::haproxy::crl_file: null
|
|
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: haproxy
|
|
puppet_tags: haproxy_config
|
|
step_config:
|
|
"class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
|
|
config_image: {get_param: DockerHAProxyConfigImage}
|
|
volumes:
|
|
list_concat:
|
|
- if:
|
|
- public_tls_enabled
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: DeployedSSLCertificatePath}
|
|
- {get_param: DeployedSSLCertificatePath}
|
|
- 'ro,shared'
|
|
- null
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro,shared
|
|
- /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro,shared
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro,shared'
|
|
- null
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/haproxy.json:
|
|
command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /var/lib/haproxy
|
|
owner: haproxy:haproxy
|
|
recurse: true
|
|
- path: /etc/pki/tls/certs/haproxy
|
|
owner: haproxy:haproxy
|
|
recurse: true
|
|
optional: true
|
|
docker_config_scripts: {get_attr: [ContainersCommon, docker_config_scripts]}
|
|
docker_config:
|
|
step_1:
|
|
map_merge:
|
|
- get_attr: [HAProxyLogging, docker_config, step_1]
|
|
- haproxy_firewall:
|
|
start_order: 1
|
|
detach: false
|
|
image: {get_param: DockerHAProxyImage}
|
|
net: host
|
|
user: root
|
|
privileged: true
|
|
command: # '/docker_puppet_apply.sh "STEP" "TAGS" "CONFIG" "DEBUG"'
|
|
list_concat:
|
|
- - '/docker_puppet_apply.sh'
|
|
- '1'
|
|
- 'tripleo::firewall::rule'
|
|
- {get_attr: [HAProxyBase, role_data, step_config]}
|
|
- if:
|
|
- puppet_debug_enabled
|
|
- - '--debug --verbose'
|
|
- - ''
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, docker_puppet_apply_volumes]}
|
|
- - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
|
|
# puppet saves iptables rules in /etc/sysconfig
|
|
- /etc/sysconfig:/etc/sysconfig:rw
|
|
# saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
|
|
# the necessary bit and prevent systemd to try to reload the service in the container
|
|
- /usr/libexec/iptables:/usr/libexec/iptables:ro
|
|
- /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
|
|
- /var/lib/haproxy:/var/lib/haproxy:rw
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
haproxy:
|
|
start_order: 1
|
|
image: {get_param: DockerHAProxyImage}
|
|
net: host
|
|
restart: always
|
|
security_opt: label=disable
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [HAProxyLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
|
|
- /var/lib/haproxy:/var/lib/haproxy:rw
|
|
- if:
|
|
- public_tls_enabled
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: DeployedSSLCertificatePath}
|
|
- list_join:
|
|
- ''
|
|
- - /var/lib/kolla/config_files/src-tls/
|
|
- {get_param: DeployedSSLCertificatePath}
|
|
- 'ro,shared'
|
|
- null
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro,shared
|
|
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro,shared
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- null
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
upgrade_tasks:
|
|
- when: step|int == 3
|
|
block:
|
|
- name: Set fact for removal of HAproxy package
|
|
set_fact:
|
|
remove_haproxy_package: {get_param: UpgradeRemoveUnusedPackages}
|
|
- name: Remove HAproxy package if operator requests it
|
|
package: name=haproxy state=removed
|
|
ignore_errors: True
|
|
when: remove_haproxy_package|bool
|
|
post_upgrade_tasks:
|
|
- when: step|int == 1
|
|
import_role:
|
|
name: tripleo-docker-rm
|
|
vars:
|
|
containers_to_rm:
|
|
- haproxy
|
|
host_prep_tasks:
|
|
- {get_attr: [HAProxyBase, role_data, host_prep_tasks]}
|
|
- name: create persistent directories
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
setype: "{{ item.setype }}"
|
|
with_items:
|
|
- { 'path': /var/log/containers/haproxy, 'setype': svirt_sandbox_file_t }
|
|
- { 'path': /var/lib/haproxy, 'setype': svirt_sandbox_file_t }
|
|
- name: haproxy logs readme
|
|
copy:
|
|
dest: /var/log/haproxy/readme.txt
|
|
content: |
|
|
Log files from the haproxy containers can be found under
|
|
/var/log/containers/haproxy.
|
|
ignore_errors: true
|
|
metadata_settings:
|
|
get_attr: [HAProxyBase, role_data, metadata_settings]
|