# Heat template for the containerized HAProxy service. The haproxy configuration
# itself comes from the puppet service template (../../puppet/services/haproxy.yaml,
# resource HAProxyBase below); this file adds the container wiring on top of it:
# the config-generation run, the kolla config file copy and the docker containers.
heat_template_version: pike

description: >
  OpenStack containerized HAproxy service
5
parameters:
  DockerHAProxyImage:
    description: image
    type: string
  DockerHAProxyConfigImage:
    description: The container image to use for the haproxy config_volume
    type: string
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  # Forwarded unchanged to HAProxyBase (see resources). It carries no
  # description; presumably the standard generated-password map -- verify.
  DefaultPasswords:
    default: {}
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  # Secret (hidden: true). It has no default, so Heat requires a value.
  # It is not forwarded explicitly to HAProxyBase in this template; presumably
  # it reaches the puppet base template through the environment's
  # parameter_defaults -- verify before changing the plumbing.
  HAProxyStatsPassword:
    description: Password for HAProxy stats endpoint
    hidden: true
    type: string
  # Well-known default username: the stats endpoint's protection rests
  # entirely on HAProxyStatsPassword above.
  HAProxyStatsUser:
    description: User for HAProxy stats endpoint
    default: admin
    type: string
  # /dev/log is a host socket. It is not among the bind mounts listed in this
  # file, so it is presumably supplied by the ContainersCommon volumes -- verify.
  HAProxySyslogAddress:
    default: /dev/log
    description: Syslog address where HAproxy will send its log
    type: string
  # Bind-mounted read-only into both the config and the runtime haproxy
  # containers (see volumes below). The default lives under
  # /etc/pki/tls/private and presumably bundles the private key with the
  # certificate -- keep the host file's ownership and mode restrictive.
  DeployedSSLCertificatePath:
    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
    description: >
        The filepath of the certificate as it will be stored in the controller.
    type: string
  # Secret (hidden: true); like HAProxyStatsPassword it is not passed to
  # HAProxyBase explicitly here.
  RedisPassword:
    description: The password for the redis service account.
    type: string
    hidden: true
  MonitoringSubscriptionHaproxy:
    default: 'overcloud-haproxy'
    type: string
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  # Drives the internal_tls_enabled condition below, which adds the
  # /etc/pki/tls/{certs,private}/haproxy trees and InternalTLSCAFile as
  # read-only bind mounts.
  EnableInternalTLS:
    type: boolean
    default: false
  # Only mounted (read-only, into the config container) when internal TLS
  # is enabled.
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
71
conditions:

  # True only when EnableInternalTLS is the boolean true. Gates the internal
  # TLS certificate/key/CA bind mounts in the outputs below.
  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
75
resources:

  # Shared container settings; the volume list common to every container is
  # read from it below via get_attr [ContainersCommon, volumes].
  ContainersCommon:
    type: ./containers-common.yaml

  # Puppet-based HAProxy service template. It supplies the config_settings,
  # step_config, logging and metadata settings that this template re-exports.
  # Only the properties listed here are forwarded explicitly; the secret
  # parameters above (HAProxyStatsPassword, RedisPassword) are not among them.
  HAProxyBase:
    type: ../../puppet/services/haproxy.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}
90
outputs:
  role_data:
    description: Role data for the HAproxy role.
    value:
      service_name: {get_attr: [HAProxyBase, role_data, service_name]}
      config_settings:
        map_merge:
          - get_attr: [HAProxyBase, role_data, config_settings]
          # Container-specific overrides, listed after the base settings so
          # they are intended to take precedence over them.
          - tripleo::haproxy::haproxy_service_manage: false
            # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
            # when this is updated
            # SECURITY NOTE(review): with crl_file unset, haproxy does no CRL-based
            # revocation checking in this deployment. Re-enable it only together
            # with a reload path that picks up an updated CRL.
            tripleo::haproxy::crl_file: null
      logging_source: {get_attr: [HAProxyBase, role_data, logging_source]}
      logging_groups: {get_attr: [HAProxyBase, role_data, logging_groups]}
      # Anchored so the one-shot firewall container below can re-run the same
      # puppet manifest restricted to the firewall tag.
      step_config: &step_config
        get_attr: [HAProxyBase, role_data, step_config]
      service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
      # BEGIN DOCKER SETTINGS
      # Config-generation run in the config image. manage_firewall is off
      # here because host firewall rules are applied separately by the
      # haproxy_firewall container at step_1. The 'haproxy' config_volume
      # presumably corresponds to /var/lib/config-data/puppet-generated/haproxy/,
      # which both containers below mount read-only as their kolla source.
      puppet_config:
        config_volume: haproxy
        puppet_tags: haproxy_config
        step_config:
          "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
        config_image: {get_param: DockerHAProxyConfigImage}
        # All certificate material is mounted read-only. The internal TLS
        # cert/key directories and the CA file are added only when the
        # internal_tls_enabled condition holds.
        volumes:
          list_concat:
          - - list_join:
              - ':'
              - - {get_param: DeployedSSLCertificatePath}
                - {get_param: DeployedSSLCertificatePath}
                - 'ro'
          - if:
            - internal_tls_enabled
            - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
              - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
              - list_join:
                  - ':'
                  - - {get_param: InternalTLSCAFile}
                    - {get_param: InternalTLSCAFile}
                    - 'ro'
            # The false branch is null here but '' in the docker_config volume
            # lists below; both are presumably dropped downstream -- verify and
            # align before relying on either form.
            - null
      kolla_config:
        /var/lib/kolla/config_files/haproxy.json:
          command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg
          config_files:
            # Puppet-generated configuration; preserve_properties keeps the
            # ownership and mode it was generated with.
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
            # Internal TLS cert/key tree. Marked optional so a missing source
            # is tolerated when internal TLS is disabled and src-tls is never
            # mounted (see the docker_config volumes below).
            - source: "/var/lib/kolla/config_files/src-tls/*"
              dest: "/"
              merge: true
              preserve_properties: true
              optional: true
          permissions:
            # Only the certs directory is chowned to haproxy. The private-key
            # directory (/etc/pki/tls/private/haproxy) keeps whatever
            # ownership it was copied with -- presumably read while the
            # process still has privileges; verify if TLS binds fail.
            - path: /etc/pki/tls/certs/haproxy
              owner: haproxy:haproxy
              recurse: true
              optional: true
      docker_config:
        step_1:
          # One-shot container (detach: false, no restart policy) that
          # programs host iptables via puppet apply restricted to the
          # tripleo::firewall::rule tag. Host network namespace, root and
          # privileged mode are what iptables needs; the persisted rules go
          # to /etc/sysconfig, the only rw mount. Everything else is mounted
          # read-only. Keep the tag filter: it is what bounds the scope of
          # this privileged run.
          haproxy_firewall:
            detach: false
            image: {get_param: DockerHAProxyImage}
            net: host
            user: root
            privileged: true
            command:
              - '/bin/bash'
              - '-c'
              - str_replace:
                  template:
                    list_join:
                      - '; '
                      - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
                        - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
                  params:
                    TAGS: 'tripleo::firewall::rule'
                    # The step_config string is spliced inside single quotes
                    # on a bash -c command line; it must not itself contain a
                    # single quote or the command breaks.
                    CONFIG: *step_config
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
                  # puppet saves iptables rules in /etc/sysconfig
                  - /etc/sysconfig:/etc/sysconfig:rw
                  # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
                  # the necessary bit and prevent systemd to try to reload the service in the container
                  - /usr/libexec/iptables:/usr/libexec/iptables:ro
                  - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
                  - /etc/puppet:/tmp/puppet-etc:ro
                  - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
          # Long-running proxy on the host network. No user/privileged
          # override, so it runs as the image's default user (haproxy itself
          # presumably drops privileges per its own config -- not visible
          # here). All certificate material is mounted read-only; the internal
          # TLS trees land under src-tls so the kolla config step copies them
          # into place inside the container.
          haproxy:
            image: {get_param: DockerHAProxyImage}
            net: host
            restart: always
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
                  - list_join:
                    - ':'
                    - - {get_param: DeployedSSLCertificatePath}
                      - {get_param: DeployedSSLCertificatePath}
                      - 'ro'
                  # '' when internal TLS is off; expected to be ignored by the
                  # container launcher (puppet_config above uses null for the
                  # same case).
                  -
                    if:
                      - internal_tls_enabled
                      - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
                      - ''
                  -
                    if:
                      - internal_tls_enabled
                      - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
                      - ''
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      metadata_settings:
        get_attr: [HAProxyBase, role_data, metadata_settings]