# Heat template (pike) describing the containerized HAProxy service.
# The leading numbers appear to be the original file's line numbers; they skip,
# so parameter names, types and other attributes are not all visible here.
1 heat_template_version: pike
4 OpenStack containerized HAproxy service
10 DockerHAProxyConfigImage:
11 description: The container image to use for the haproxy config_volume
15 description: Dictionary packing service data
19 description: Mapping of service_name -> network name. Typically set
20 via parameter_defaults in the resource registry. This
21 mapping overrides those in ServiceNetMapDefaults.
28 description: Mapping of service endpoint -> protocol. Typically set
29 via parameter_defaults in the resource registry.
# NOTE(review): the declaration lines of the two password parameters (stats
# endpoint here, redis further down) are not visible; confirm both carry
# `hidden: true` so Heat masks their values.
32 description: Password for HAProxy stats endpoint
36 description: User for HAProxy stats endpoint
41 description: Syslog address where HAproxy will send its log
# Host path of the deployed endpoint certificate. The default sits under
# /etc/pki/tls/private. NOTE(review): presumably a combined certificate and
# private-key PEM; confirm, and treat the file as key material.
43 DeployedSSLCertificatePath:
44 default: '/etc/pki/tls/private/overcloud_endpoint.pem'
46 The filepath of the certificate as it will be stored in the controller.
49 description: The password for the redis service account.
52 MonitoringSubscriptionHaproxy:
53 default: 'overcloud-haproxy'
57 description: Role name on which the service is applied
61 description: Parameters specific to the role
# Default CA bundle path for internal-network TLS; the parameter name is not
# shown on this line (presumably InternalTLSCAFile, which is read further down).
67 default: '/etc/ipa/ca.crt'
69 description: Specifies the default CA cert to use if TLS is used for
70 services in the internal network.
# Condition: true only when the EnableInternalTLS parameter equals true. It
# gates the haproxy certificate/key entries further down.
74 internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
# Nested resources. Their names are not visible on these lines; presumably
# ContainersCommon and HAProxyBase, the names used by get_attr further down.
79 type: ./containers-common.yaml
82 type: ../../puppet/services/haproxy.yaml
# Properties passed through unchanged from this template's own parameters to
# the puppet haproxy service template.
84 EndpointMap: {get_param: EndpointMap}
85 ServiceData: {get_param: ServiceData}
86 ServiceNetMap: {get_param: ServiceNetMap}
87 DefaultPasswords: {get_param: DefaultPasswords}
88 RoleName: {get_param: RoleName}
89 RoleParameters: {get_param: RoleParameters}
# Output: role data for HAProxy, built mostly from the HAProxyBase resource's
# role_data attributes.
93 description: Role data for the HAproxy role.
95 service_name: {get_attr: [HAProxyBase, role_data, service_name]}
# The two list items below are the base config_settings followed by overrides
# (the combining function is on a line not shown here).
98 - get_attr: [HAProxyBase, role_data, config_settings]
# Sets haproxy_service_manage to false; presumably so Puppet does not manage
# the haproxy service, which runs in a container here. Confirm.
99 - tripleo::haproxy::haproxy_service_manage: false
# Security trade-off: crl_file is forced to null, so this template configures
# no certificate revocation list for HAProxy.
# NOTE(review): presumably certificates revoked after issuance are then still
# accepted by HAProxy; confirm revocation is handled by other means.
100 # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
101 # when this is updated
102 tripleo::haproxy::crl_file: null
# Defines the YAML anchor step_config; no alias to it is visible in this
# listing.
103 step_config: &step_config
104 get_attr: [HAProxyBase, role_data, step_config]
105 service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
# Container-specific settings: how the HAProxy configuration is generated.
106 # BEGIN DOCKER SETTINGS
108 config_volume: haproxy
109 puppet_tags: haproxy_config
# The manifest applies the haproxy profile with manage_firewall => false, so
# this config-generation run does not manage firewall rules.
111 "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
112 config_image: {get_param: DockerHAProxyConfigImage}
# The nested lists below appear to be host paths exposed to the
# config-generation container (the enclosing keys are not shown): the deployed
# certificate path, the haproxy cert and private-key directories (read-only,
# only when internal_tls_enabled), and the internal CA file.
117 - - {get_param: DeployedSSLCertificatePath}
118 - {get_param: DeployedSSLCertificatePath}
121 - internal_tls_enabled
# The private-key directory is mounted read-only; the container that receives
# it can still read the key material.
122 - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
123 - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
126 - - {get_param: InternalTLSCAFile}
127 - {get_param: InternalTLSCAFile}
# Kolla config file for the haproxy container: the command to run, the files
# copied into place at start-up, and ownership fixes.
131 /var/lib/kolla/config_files/haproxy.json:
132 command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg
# Two copy sources: generated configuration (src) and TLS material (src-tls).
# Destination and merge settings are on lines not shown here.
134 - source: "/var/lib/kolla/config_files/src/*"
# preserve_properties: true keeps the source files' owner and mode on copy.
137 preserve_properties: true
138 - source: "/var/lib/kolla/config_files/src-tls/*"
141 preserve_properties: true
# Ownership of the certificate directory is set to haproxy:haproxy.
# NOTE(review): any matching entry for /etc/pki/tls/private/haproxy is not
# visible in this listing; confirm the private-key directory is covered and is
# not readable by other users.
144 - path: /etc/pki/tls/certs/haproxy
145 owner: haproxy:haproxy
# A container started from the HAProxy image that runs `puppet apply` limited
# to firewall rules (its name and step are on lines not shown here).
152 image: {get_param: DockerHAProxyImage}
# Shell snippet: copies the read-only /tmp/puppet-etc mount into /etc/puppet,
# writes step 1 hieradata, then runs puppet apply. TAGS and CONFIG look like
# template placeholders; TAGS is given below, the CONFIG substitution is not
# visible (presumably the step_config manifest).
# NOTE(review): CONFIG lands inside single quotes in a shell command, so the
# substituted manifest must not contain an unescaped single quote.
163 - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
164 - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
166 TAGS: 'tripleo::firewall::rule'
170 - {get_attr: [ContainersCommon, volumes]}
172 - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
173 - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
# NOTE(review): the only read-write host bind mount visible in this list. It
# exposes the whole host /etc/sysconfig directory to the container, not just
# the iptables rule files; confirm nothing else in the image writes there.
174 # puppet saves iptables rules in /etc/sysconfig
175 - /etc/sysconfig:/etc/sysconfig:rw
176 # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
177 # the necessary bit and prevent systemd to try to reload the service in the container
178 - /usr/libexec/iptables:/usr/libexec/iptables:ro
179 - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
# Host puppet data and modules are mounted read-only; the command above copies
# /tmp/puppet-etc into the container's own /etc/puppet before use.
180 - /etc/puppet:/tmp/puppet-etc:ro
181 - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
# COPY_ALWAYS: Kolla re-copies the configured files on every container start.
183 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
# The haproxy container proper (its name and runtime options such as network
# mode are on lines not shown here).
185 image: {get_param: DockerHAProxyImage}
190 - {get_attr: [ContainersCommon, volumes]}
192 - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
193 - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
# The deployed endpoint certificate path appears to be mounted as well; the
# surrounding expression is not visible.
196 - - {get_param: DeployedSSLCertificatePath}
197 - {get_param: DeployedSSLCertificatePath}
# With internal TLS enabled, the host certificate and private-key directories
# are mounted read-only under the src-tls staging path rather than at their
# final location. Kolla copies from src-tls/* (see haproxy.json), so the
# running service works on copies inside the container.
201 - internal_tls_enabled
202 - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
206 - internal_tls_enabled
207 - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
# COPY_ALWAYS: Kolla re-copies the configured files on every container start.
# NOTE(review): presumably renewed certificates therefore take effect only
# after a container restart; confirm.
210 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
# metadata_settings are passed through unchanged from the base service.
212 get_attr: [HAProxyBase, role_data, metadata_settings]