6a340758cd
This is associated with the haproxy service, so set the hieradata there instead. This is needed so we can render the controller role template via j2, and also if anyone ever wants to run haproxy on some role other then the Controller. Change-Id: I82b992afe42f6da7788f6efca2366863c3bf68f7 Partially-Implements: blueprint composable-networks
136 lines
4.9 KiB
YAML
136 lines
4.9 KiB
YAML
heat_template_version: pike
|
|
|
|
description: >
|
|
HAproxy service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableLoadBalancer:
|
|
default: true
|
|
description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used.
|
|
type: boolean
|
|
HAProxyStatsPassword:
|
|
description: Password for HAProxy stats endpoint
|
|
hidden: true
|
|
type: string
|
|
HAProxyStatsUser:
|
|
description: User for HAProxy stats endpoint
|
|
default: admin
|
|
type: string
|
|
HAProxySyslogAddress:
|
|
default: /dev/log
|
|
description: Syslog address where HAproxy will send its log
|
|
type: string
|
|
HAProxyStatsEnabled:
|
|
default: true
|
|
description: Whether or not to enable the HAProxy stats interface.
|
|
type: boolean
|
|
RedisPassword:
|
|
description: The password for Redis
|
|
type: string
|
|
hidden: true
|
|
MonitoringSubscriptionHaproxy:
|
|
default: 'overcloud-haproxy'
|
|
type: string
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
InternalTLSCRLPEMFile:
|
|
default: '/etc/pki/CA/crl/overcloud-crl.pem'
|
|
type: string
|
|
description: Specifies the default CRL PEM file to use for revocation if
|
|
TLS is used for services in the internal network.
|
|
|
|
resources:
|
|
|
|
HAProxyPublicTLS:
|
|
type: OS::TripleO::Services::HAProxyPublicTLS
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
HAProxyInternalTLS:
|
|
type: OS::TripleO::Services::HAProxyInternalTLS
|
|
properties:
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the HAproxy role.
|
|
value:
|
|
service_name: haproxy
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
|
|
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
|
|
- tripleo.haproxy.firewall_rules:
|
|
'107 haproxy stats':
|
|
dport: 1993
|
|
tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
|
|
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
|
|
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
|
|
tripleo::haproxy::redis_password: {get_param: RedisPassword}
|
|
tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
|
|
tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
|
|
tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
|
|
enable_load_balancer: {get_param: EnableLoadBalancer}
|
|
tripleo::profile::base::haproxy::certificates_specs:
|
|
map_merge:
|
|
- get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
|
|
- get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
|
|
step_config: |
|
|
include ::tripleo::profile::base::haproxy
|
|
upgrade_tasks:
|
|
- name: Check if haproxy is deployed
|
|
command: systemctl is-enabled haproxy
|
|
tags: common
|
|
ignore_errors: True
|
|
register: haproxy_enabled
|
|
- name: "PreUpgrade step0,validation: Check service haproxy is running"
|
|
shell: /usr/bin/systemctl show 'haproxy' --property ActiveState | grep '\bactive\b'
|
|
when: haproxy_enabled.rc == 0
|
|
tags: step0,validation
|
|
- name: Stop haproxy service
|
|
tags: step2
|
|
when: haproxy_enabled.rc == 0
|
|
service: name=haproxy state=stopped
|
|
- name: Start haproxy service
|
|
tags: step4 # Needed at step 4 for mysql
|
|
when: haproxy_enabled.rc == 0
|
|
service: name=haproxy state=started
|
|
metadata_settings:
|
|
list_concat:
|
|
- {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
|
|
- {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}
|