# Excerpt of a Heat template. The leading number on each line looks like the original
# file's line number; the lines between them (parameter names, types, etc.) are not shown.
1 heat_template_version: pike
4 OpenStack containerized HAproxy service
# Image used to build the haproxy configuration; read back later via get_param as config_image.
10 DockerHAProxyConfigImage:
11 description: The container image to use for the haproxy config_volume
15 description: Dictionary packing service data
19 description: Mapping of service_name -> network name. Typically set
20 via parameter_defaults in the resource registry. This
21 mapping overrides those in ServiceNetMapDefaults.
28 description: Mapping of service endpoint -> protocol. Typically set
29 via parameter_defaults in the resource registry.
# NOTE(review): credential parameter. Its type/hidden attributes are outside this excerpt;
# confirm it is declared with hidden: true so Heat does not display the value.
32 description: Password for HAProxy stats endpoint
36 description: User for HAProxy stats endpoint
41 description: Syslog address where HAproxy will send its log
# Location of the endpoint certificate on the controller. The default sits under
# /etc/pki/tls/private, and the parameter is referenced again in the volume lists further down.
43 DeployedSSLCertificatePath:
44 default: '/etc/pki/tls/private/overcloud_endpoint.pem'
46 The filepath of the certificate as it will be stored in the controller.
# NOTE(review): second credential parameter (redis service account); the same hidden: true
# check applies, since its attributes are not visible here either.
49 description: The password for the redis service account.
52 MonitoringSubscriptionHaproxy:
53 default: 'overcloud-haproxy'
57 description: Role name on which the service is applied
61 description: Parameters specific to the role
# Default CA certificate for internal TLS. The parameter name line is not shown; presumably
# this is InternalTLSCAFile, which the volume lists reference via get_param (confirm).
67 default: '/etc/ipa/ca.crt'
69 description: Specifies the default CA cert to use if TLS is used for
70 services in the internal network.
# Condition that holds only when the EnableInternalTLS parameter equals true. The name
# reappears as a list item next to the TLS volume entries further down (presumably as the
# condition of an `if`; the enclosing lines are not shown).
74 internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
# Two nested templates: the shared container settings and the puppet-based haproxy service.
# Their resource names are not shown; get_attr calls in this file use ContainersCommon and
# HAProxyBase.
79 type: ./containers-common.yaml
82 type: ../../puppet/services/haproxy.yaml
# Stack parameters handed through unchanged with get_param, presumably as properties of the
# puppet haproxy resource above (the `properties:` line is not visible).
84 EndpointMap: {get_param: EndpointMap}
85 ServiceData: {get_param: ServiceData}
86 ServiceNetMap: {get_param: ServiceNetMap}
87 DefaultPasswords: {get_param: DefaultPasswords}
88 RoleName: {get_param: RoleName}
89 RoleParameters: {get_param: RoleParameters}
# Output section: most values are re-exported from the role_data attribute of HAProxyBase.
93 description: Role data for the HAproxy role.
95 service_name: {get_attr: [HAProxyBase, role_data, service_name]}
# The base config_settings are listed first, followed by the overrides set in this template.
98 - get_attr: [HAProxyBase, role_data, config_settings]
# Override: haproxy_service_manage is switched off here.
99 - tripleo::haproxy::haproxy_service_manage: false
100 # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
101 # when this is updated
# NOTE(review): with crl_file set to null no CRL is passed through this setting, so a
# revoked certificate is not rejected on that basis. Revocation therefore depends on
# certificate lifetime or re-issuance until a reload path for haproxy exists.
102 tripleo::haproxy::crl_file: null
103 logging_source: {get_attr: [HAProxyBase, role_data, logging_source]}
104 logging_groups: {get_attr: [HAProxyBase, role_data, logging_groups]}
# &step_config is a YAML anchor, so the same value can be aliased elsewhere in the file
# (the alias itself is not visible in this excerpt).
105 step_config: &step_config
106 get_attr: [HAProxyBase, role_data, step_config]
107 service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
108 # BEGIN DOCKER SETTINGS
# Settings for the configuration-generation run: output goes to the `haproxy` config volume,
# only resources tagged haproxy_config are applied, and the run uses the config image parameter.
110 config_volume: haproxy
111 puppet_tags: haproxy_config
# The haproxy profile is applied with manage_firewall => false, so this run leaves firewall
# rules alone. A separate puppet apply tagged tripleo::firewall::rule appears further down.
113 "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
114 config_image: {get_param: DockerHAProxyConfigImage}
# Bind mounts of certificate material. Each get_param pair presumably joins into a
# "<path>:<path>" mount (the joining function is not shown); whether those mounts carry
# a :ro suffix is not visible here. TODO confirm.
119 - - {get_param: DeployedSSLCertificatePath}
120 - {get_param: DeployedSSLCertificatePath}
123 - internal_tls_enabled
# The haproxy certificate and private-key directories are both mounted read-only (:ro).
124 - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
125 - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
128 - - {get_param: InternalTLSCAFile}
129 - {get_param: InternalTLSCAFile}
# Kolla start-up description for the haproxy container: the command to run and the files to
# copy from the src and src-tls staging directories before it starts.
133 /var/lib/kolla/config_files/haproxy.json:
134 command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg
# preserve_properties: true keeps the owner and mode of the copied files as they are on the source.
136 - source: "/var/lib/kolla/config_files/src/*"
139 preserve_properties: true
140 - source: "/var/lib/kolla/config_files/src-tls/*"
143 preserve_properties: true
# Ownership fix-up after the copy: the certs directory is handed to haproxy:haproxy.
# NOTE(review): only the certs path is visible in this excerpt; confirm the private-key path
# gets an equivalent entry and ends up readable by the haproxy user only.
146 - path: /etc/pki/tls/certs/haproxy
147 owner: haproxy:haproxy
# First container definition in this excerpt (its name is not shown). It uses the haproxy
# image to run puppet once for the firewall rules.
154 image: {get_param: DockerHAProxyImage}
# Shell fragments of the container command: copy the read-only /tmp/puppet-etc mount into
# /etc/puppet, write a hieradata file that pins "step" to 1, then run puppet apply restricted
# to TAGS. TAGS and CONFIG look like substitution placeholders; only the TAGS value is visible.
165 - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
166 - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
168 TAGS: 'tripleo::firewall::rule'
# Volumes: the shared list from ContainersCommon plus the mounts this container needs.
172 - {get_attr: [ContainersCommon, volumes]}
174 - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
175 - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
176 # puppet saves iptables rules in /etc/sysconfig
# NOTE(review): this is the only read-write host mount in the excerpt. It exposes all of the
# host's /etc/sysconfig to the container, not just the iptables files; narrowing the mount
# would reduce what a compromised or misbehaving container can change. Whether the container
# also runs privileged or as root is outside the excerpt.
177 - /etc/sysconfig:/etc/sysconfig:rw
178 # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
179 # the necessary bit and prevent systemd to try to reload the service in the container
180 - /usr/libexec/iptables:/usr/libexec/iptables:ro
181 - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
# Host puppet configuration and modules are mounted read-only. /etc/puppet lands on
# /tmp/puppet-etc, so the cp in the command above works on a copy, not on the host files.
182 - /etc/puppet:/tmp/puppet-etc:ro
183 - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
# COPY_ALWAYS: kolla re-copies the configuration files each time the container starts.
185 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
# Second container definition (name not shown), presumably the long-running haproxy service.
187 image: {get_param: DockerHAProxyImage}
192 - {get_attr: [ContainersCommon, volumes]}
194 - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
195 - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
198 - - {get_param: DeployedSSLCertificatePath}
199 - {get_param: DeployedSSLCertificatePath}
# With internal TLS enabled, the host certificate and private-key directories are mounted
# read-only under src-tls, the staging directory that the kolla config shown earlier copies from.
203 - internal_tls_enabled
204 - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
208 - internal_tls_enabled
209 - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
212 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
# metadata_settings is re-exported unchanged from HAProxyBase.
214 get_attr: [HAProxyBase, role_data, metadata_settings]