a3dd023773
This change ensures that firewall rules for haproxy endpoints are enabled properly even when haproxy and the API services run on different nodes. With this change, the firewall rules for SSL endpoints are removed from the base firewall rules, because those ports are used by haproxy and not by the API services. Also, the ad hoc implementation that ran firewall configuration first is refactored into the new host_firewall_tasks key. This allows tasks that configure the firewall to be implemented in the corresponding resource template. Closes-Bug: #1961799 Depends-on: https://review.opendev.org/831547 Change-Id: I07ceab077f9a900f7e2e35af8acd3e7a337ed01a
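heat_template_version: wallaby

description: >
  Configures apache to serve container images on a host.

parameters:
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. Use
                 parameter_merge_strategies to merge it with the defaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  LocalContainerRegistry:
    default: ''
    description: The IP address used to bind the local container registry
    type: string

conditions:
  # True when no explicit bind address was supplied; the registry host is
  # then taken from EndpointMap (see container_registry_host below).
  local_container_registry_is_empty: {equals: [{get_param: LocalContainerRegistry}, '']}

outputs:
  role_data:
    description: Role data for the image serve registry service
    value:
      service_name: docker_registry
      # Host-level rule for the port apache itself listens on. This is the
      # non-TLS port (the TLS variant is 13787 below). The rule is keyed on
      # dport only: nothing here restricts the source address, so reachability
      # is bounded solely by the address apache binds to and the network that
      # address sits on -- NOTE(review): confirm that is the intended exposure
      # for a plain-HTTP image endpoint.
      firewall_rules:
        '155 docker-registry':
          dport:
            - 8787
      # Rules for the haproxy frontends. Per the commit message they are kept
      # separate from firewall_rules so they are applied where haproxy runs,
      # which may not be the node running apache.
      firewall_frontend_rules:
        '100 docker_registry_haproxy_frontend':
          dport:
            - 8787
      firewall_ssl_frontend_rules:
        '100 docker_registry_haproxy_frontend_ssl':
          dport:
            - 13787
      host_prep_tasks:
        # SELinux: label both ports http_port_t so a process in the httpd
        # domain may bind them. 13787 is the TLS frontend port listed under
        # firewall_ssl_frontend_rules above; whether httpd (rather than
        # haproxy) ever binds it is not visible from this template --
        # NOTE(review): if it does not, the label on 13787 is wider than needed.
        - name: authorize httpd to listen on registry ports
          community.general.seport:
            ports:
              - '8787'
              - '13787'
            proto: tcp
            setype: http_port_t
            state: present
        - name: Install, Configure and Run Apache to serve container images
          block:
            - name: Resolve the address and port the registry is served on
              set_fact:
                # Prefer the explicit bind IP; fall back to the internal
                # endpoint host from EndpointMap when none was given.
                container_registry_host:
                  if:
                    - local_container_registry_is_empty
                    - {get_param: [EndpointMap, DockerRegistryInternal, host]}
                    - {get_param: LocalContainerRegistry}
                container_registry_port: {get_param: [EndpointMap, DockerRegistryInternal, port]}
            - include_role:
                name: tripleo_image_serve
      upgrade_tasks:
        - name: Uninstall docker-distribution
          when: step|int == 3
          block:
            # rpm -q is used purely as a presence probe: a non-zero exit
            # (package absent) must not fail the play, and the probe still
            # runs in check mode so the rc-guarded tasks below are evaluated
            # correctly there.
            - name: check if docker-distribution is installed
              command: /usr/bin/rpm -q docker-distribution
              failed_when: false
              register: docker_distribution_installed
              check_mode: false
            - name: Stop, disable docker-distribution
              systemd:
                enabled: false
                state: stopped
                name: docker-distribution
              when: docker_distribution_installed.rc == 0
            - name: Uninstall docker-distribution
              # Block-style module args (was key=value shorthand), matching
              # the other module calls in this template.
              package:
                name: docker-distribution
                state: absent
              when: docker_distribution_installed.rc == 0
            # TODO(sbaker) migrate docker-distribution data to image-serve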