Enable TLS for containerized haproxy
heat_template_version: pike

# Container (docker) service definition for HAProxy. The base role data
# comes from the puppet service template referenced under resources.
description: |
  OpenStack containerized HAproxy service

parameters:
  DockerHAProxyImage:
    type: string
    description: image
  DockerHAProxyConfigImage:
    type: string
    description: The container image to use for the haproxy config_volume
  ServiceData:
    type: json
    default: {}
    description: Dictionary packing service data
  ServiceNetMap:
    type: json
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry.  This
      mapping overrides those in ServiceNetMapDefaults.
  DefaultPasswords:
    type: json
    default: {}
  EndpointMap:
    type: json
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
  # hidden: true keeps the value out of Heat's parameter/stack output.
  HAProxyStatsPassword:
    type: string
    hidden: true
    description: Password for HAProxy stats endpoint
  HAProxyStatsUser:
    type: string
    default: admin
    description: User for HAProxy stats endpoint
  HAProxySyslogAddress:
    type: string
    default: /dev/log
    description: Syslog address where HAproxy will send its log
  # Public endpoint certificate (PEM) as stored on the controller; it is
  # bind-mounted read-only into the config and haproxy containers below.
  DeployedSSLCertificatePath:
    type: string
    default: /etc/pki/tls/private/overcloud_endpoint.pem
    description: >
      The filepath of the certificate as it will be stored in the controller.
  # hidden: true keeps the value out of Heat's parameter/stack output.
  RedisPassword:
    type: string
    hidden: true
    description: The password for the redis service account.
  MonitoringSubscriptionHaproxy:
    type: string
    default: overcloud-haproxy
  RoleName:
    type: string
    default: ''
    description: Role name on which the service is applied
  RoleParameters:
    type: json
    default: {}
    description: Parameters specific to the role
  # Drives the internal_tls_enabled condition: when true the internal
  # cert/key directories and the CA file are mounted into the containers.
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    type: string
    default: /etc/ipa/ca.crt
    description: >-
      Specifies the default CA cert to use if TLS is used for
      services in the internal network.

conditions:

  # True only when EnableInternalTLS is set; gates the internal-TLS
  # certificate, key and CA mounts in the outputs section.
  internal_tls_enabled:
    equals:
      - get_param: EnableInternalTLS
      - true

resources:

  ContainersCommon:
    type: ./containers-common.yaml

  # The puppet-based service definition supplies the base role data
  # (service_name, config_settings, step_config, ...); the container
  # specific settings are layered on top of it in outputs.
  HAProxyBase:
    type: ../../puppet/services/haproxy.yaml
    properties:
      EndpointMap:
        get_param: EndpointMap
      ServiceData:
        get_param: ServiceData
      ServiceNetMap:
        get_param: ServiceNetMap
      DefaultPasswords:
        get_param: DefaultPasswords
      RoleName:
        get_param: RoleName
      RoleParameters:
        get_param: RoleParameters

outputs:
  role_data:
    description: Role data for the HAproxy role.
    value:
      service_name: {get_attr: [HAProxyBase, role_data, service_name]}
      config_settings:
        map_merge:
          - get_attr: [HAProxyBase, role_data, config_settings]
          # The daemon is run as a container (docker_config below), not as a
          # host service managed by puppet.
          - tripleo::haproxy::haproxy_daemon: false
            tripleo::haproxy::haproxy_service_manage: false
            # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
            # when this is updated
            # NOTE(review): with crl_file unset, haproxy presumably performs no
            # revocation check on the certificates it is configured with;
            # confirm this is acceptable for the deployment.
            tripleo::haproxy::crl_file: null
      step_config: &step_config
        get_attr: [HAProxyBase, role_data, step_config]
      service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: haproxy
        puppet_tags: haproxy_config
        # manage_firewall is left to the dedicated haproxy_firewall container
        # in step_1 below.
        step_config:
          "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
        config_image: {get_param: DockerHAProxyConfigImage}
        # All TLS material is mounted read-only at the same path it has on
        # the host; the internal-TLS entries are only added when the
        # internal_tls_enabled condition holds (the else branch yields null,
        # which list_concat is expected to drop -- confirm).
        volumes:
          list_concat:
          - - list_join:
              - ':'
              - - {get_param: DeployedSSLCertificatePath}
                - {get_param: DeployedSSLCertificatePath}
                - 'ro'
          - if:
            - internal_tls_enabled
            - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
              - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
              - list_join:
                  - ':'
                  - - {get_param: InternalTLSCAFile}
                    - {get_param: InternalTLSCAFile}
                    - 'ro'
            - null
      kolla_config:
        /var/lib/kolla/config_files/haproxy.json:
          command: haproxy -f /etc/haproxy/haproxy.cfg
          config_files:
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
            # src-tls is only populated when internal TLS is enabled (see the
            # conditional mounts on the haproxy container), hence optional.
            # preserve_properties keeps the ownership/mode of the copied
            # certificate and key files.
            - source: "/var/lib/kolla/config_files/src-tls/*"
              dest: "/"
              merge: true
              preserve_properties: true
              optional: true
          permissions:
            # NOTE(review): only the certs directory is chowned; the private
            # key directory copied from src-tls is not listed here. Confirm the
            # process can read its key with the ownership preserved from the host.
            - path: /etc/pki/tls/certs/haproxy
              owner: haproxy:haproxy
              recurse: true
              optional: true
      docker_config:
        step_1:
          # One-shot container (detach: false) that applies only the
          # tripleo::firewall::rule tag of the step config. It needs root,
          # privileged and the host network namespace because it programs the
          # host's iptables rules (see the /etc/sysconfig and
          # /usr/libexec/iptables mounts below).
          haproxy_firewall:
            detach: false
            image: {get_param: DockerHAProxyImage}
            net: host
            user: root
            privileged: true
            # Copy the puppet config from its read-only mount, write the step
            # hieradata, then run puppet restricted to the TAGS given in params.
            command:
              - '/bin/bash'
              - '-c'
              - str_replace:
                  template:
                    list_join:
                      - '; '
                      - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
                        - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
                  params:
                    TAGS: 'tripleo::firewall::rule'
                    CONFIG: *step_config
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
                  # puppet saves iptables rules in /etc/sysconfig
                  - /etc/sysconfig:/etc/sysconfig:rw
                  # saving rules requires access to /usr/libexec/iptables/iptables.init; just bind-mount
                  # the necessary bit and prevent systemd from trying to reload the service in the container
                  - /usr/libexec/iptables:/usr/libexec/iptables:ro
                  - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
                  - /etc/puppet:/tmp/puppet-etc:ro
                  - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
            # COPY_ALWAYS: kolla re-copies the config_files on every start.
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
          # The long-running proxy. It shares the host network namespace and
          # is restarted automatically; its TLS material arrives via read-only
          # bind mounts and is copied into place by kolla (config_files above).
          haproxy:
            image: {get_param: DockerHAProxyImage}
            net: host
            restart: always
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
                  # Public endpoint certificate, mounted read-only at its host path.
                  - list_join:
                    - ':'
                    - - {get_param: DeployedSSLCertificatePath}
                      - {get_param: DeployedSSLCertificatePath}
                      - 'ro'
                  # Internal-TLS cert and key directories are exposed under
                  # src-tls so kolla copies them into the container filesystem.
                  # The '' placeholders when internal TLS is off are presumably
                  # ignored by the container launcher -- confirm.
                  -
                    if:
                      - internal_tls_enabled
                      - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
                      - ''
                  -
                    if:
                      - internal_tls_enabled
                      - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
                      - ''
            # COPY_ALWAYS: kolla re-copies the config_files on every start.
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      metadata_settings:
        get_attr: [HAProxyBase, role_data, metadata_settings]