927495fe3d
The new master branch should point now to queens instead of pike. So, HOT templates should specify that they might contain features for queens release [1] [1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
249 lines
9.0 KiB
YAML
249 lines
9.0 KiB
YAML
heat_template_version: queens
|
|
|
|
description: >
|
|
OpenStack containerized HAproxy service
|
|
|
|
parameters:
|
|
DockerHAProxyImage:
|
|
description: image
|
|
type: string
|
|
DockerHAProxyConfigImage:
|
|
description: The container image to use for the haproxy config_volume
|
|
type: string
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
HAProxyStatsPassword:
|
|
description: Password for HAProxy stats endpoint
|
|
hidden: true
|
|
type: string
|
|
HAProxyStatsUser:
|
|
description: User for HAProxy stats endpoint
|
|
default: admin
|
|
type: string
|
|
HAProxySyslogAddress:
|
|
default: /dev/log
|
|
description: Syslog address where HAproxy will send its log
|
|
type: string
|
|
SSLCertificate:
|
|
default: ''
|
|
description: >
|
|
The content of the SSL certificate (without Key) in PEM format.
|
|
type: string
|
|
PublicSSLCertificateAutogenerated:
|
|
default: false
|
|
description: >
|
|
Whether the public SSL certificate was autogenerated or not.
|
|
type: boolean
|
|
DeployedSSLCertificatePath:
|
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
|
description: >
|
|
The filepath of the certificate as it will be stored in the controller.
|
|
type: string
|
|
RedisPassword:
|
|
description: The password for the redis service account.
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionHaproxy:
|
|
default: 'overcloud-haproxy'
|
|
type: string
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
public_tls_enabled:
|
|
or:
|
|
- not:
|
|
equals:
|
|
- {get_param: SSLCertificate}
|
|
- ""
|
|
- equals:
|
|
- {get_param: PublicSSLCertificateAutogenerated}
|
|
- true
|
|
|
|
resources:
|
|
|
|
ContainersCommon:
|
|
type: ./containers-common.yaml
|
|
|
|
HAProxyBase:
|
|
type: ../../puppet/services/haproxy.yaml
|
|
properties:
|
|
EndpointMap: {get_param: EndpointMap}
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
HAProxyLogging:
|
|
type: OS::TripleO::Services::Logging::HAProxy
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the HAproxy role.
|
|
value:
|
|
service_name: {get_attr: [HAProxyBase, role_data, service_name]}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [HAProxyBase, role_data, config_settings]
|
|
- get_attr: [HAProxyLogging, config_settings]
|
|
- tripleo::haproxy::haproxy_service_manage: false
|
|
# NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
|
|
# when this is updated
|
|
tripleo::haproxy::crl_file: null
|
|
logging_source: {get_attr: [HAProxyBase, role_data, logging_source]}
|
|
logging_groups: {get_attr: [HAProxyBase, role_data, logging_groups]}
|
|
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
|
|
# BEGIN DOCKER SETTINGS
|
|
puppet_config:
|
|
config_volume: haproxy
|
|
puppet_tags: haproxy_config
|
|
step_config:
|
|
"class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
|
|
config_image: {get_param: DockerHAProxyConfigImage}
|
|
volumes:
|
|
list_concat:
|
|
- if:
|
|
- public_tls_enabled
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: DeployedSSLCertificatePath}
|
|
- {get_param: DeployedSSLCertificatePath}
|
|
- 'ro'
|
|
- null
|
|
- if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
|
|
- /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- null
|
|
kolla_config:
|
|
/var/lib/kolla/config_files/haproxy.json:
|
|
command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg
|
|
config_files:
|
|
- source: "/var/lib/kolla/config_files/src/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
- source: "/var/lib/kolla/config_files/src-tls/*"
|
|
dest: "/"
|
|
merge: true
|
|
preserve_properties: true
|
|
optional: true
|
|
permissions:
|
|
- path: /etc/pki/tls/certs/haproxy
|
|
owner: haproxy:haproxy
|
|
recurse: true
|
|
optional: true
|
|
docker_config:
|
|
step_1:
|
|
map_merge:
|
|
- get_attr: [HAProxyLogging, docker_config, step_1]
|
|
- haproxy_firewall:
|
|
start_order: 0
|
|
detach: false
|
|
image: {get_param: DockerHAProxyImage}
|
|
net: host
|
|
user: root
|
|
privileged: true
|
|
command:
|
|
- '/bin/bash'
|
|
- '-c'
|
|
- str_replace:
|
|
template:
|
|
list_join:
|
|
- '; '
|
|
- - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
|
|
- "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
|
|
params:
|
|
TAGS: 'tripleo::firewall::rule'
|
|
CONFIG:
|
|
get_attr: [HAProxyBase, role_data, step_config]
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
|
|
# puppet saves iptables rules in /etc/sysconfig
|
|
- /etc/sysconfig:/etc/sysconfig:rw
|
|
# saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
|
|
# the necessary bit and prevent systemd to try to reload the service in the container
|
|
- /usr/libexec/iptables:/usr/libexec/iptables:ro
|
|
- /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
|
|
- /etc/puppet:/tmp/puppet-etc:ro
|
|
- /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
haproxy:
|
|
start_order: 1
|
|
image: {get_param: DockerHAProxyImage}
|
|
net: host
|
|
restart: always
|
|
volumes:
|
|
list_concat:
|
|
- {get_attr: [ContainersCommon, volumes]}
|
|
- {get_attr: [HAProxyLogging, volumes]}
|
|
-
|
|
- /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
|
|
- /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
|
|
- if:
|
|
- public_tls_enabled
|
|
- - list_join:
|
|
- ':'
|
|
- - {get_param: DeployedSSLCertificatePath}
|
|
- {get_param: DeployedSSLCertificatePath}
|
|
- 'ro'
|
|
- null
|
|
-
|
|
if:
|
|
- internal_tls_enabled
|
|
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
|
|
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
|
|
- list_join:
|
|
- ':'
|
|
- - {get_param: InternalTLSCAFile}
|
|
- {get_param: InternalTLSCAFile}
|
|
- 'ro'
|
|
- null
|
|
environment:
|
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
|
metadata_settings:
|
|
get_attr: [HAProxyBase, role_data, metadata_settings]
|