Use haproxy-systemd-wrapper as pid1 in containerized Haproxy
# Heat template for the containerized HAProxy service (TripleO, Pike).
# It wraps the puppet service template (HAProxyBase below) and adds the
# container-specific pieces: the puppet config-generation run (puppet_config),
# the kolla config.json (kolla_config) and the containers themselves
# (docker_config).
heat_template_version: pike

description: >
  OpenStack containerized HAproxy service

parameters:
  # Image used for both the long-running haproxy container and the one-shot
  # haproxy_firewall container under docker_config.
  DockerHAProxyImage:
    description: image
    type: string
  # Image used only for the puppet run that renders the haproxy config_volume.
  DockerHAProxyConfigImage:
    description: The container image to use for the haproxy config_volume
    type: string
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  # hidden: true masks the value in Heat API/CLI output.  No default, so the
  # deployment environment must supply it.  Not referenced elsewhere in this
  # template; presumably declared for parity with the puppet service template.
  HAProxyStatsPassword:
    description: Password for HAProxy stats endpoint
    hidden: true
    type: string
  HAProxyStatsUser:
    description: User for HAProxy stats endpoint
    default: admin
    type: string
  # NOTE(review): /dev/log inside the container only reaches the host's syslog
  # if the socket is bind-mounted (e.g. via ContainersCommon volumes) -- confirm.
  HAProxySyslogAddress:
    default: /dev/log
    description: Syslog address where HAproxy will send its log
    type: string
  # Host path of the public endpoint certificate.  It is bind-mounted read-only
  # (':ro') at the same path into both the config-generation container and the
  # haproxy container further down.
  DeployedSSLCertificatePath:
    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
    description: >
        The filepath of the certificate as it will be stored in the controller.
    type: string
  # Masked in Heat output (hidden: true); not referenced elsewhere in this file.
  RedisPassword:
    description: The password for the redis service account.
    type: string
    hidden: true
  MonitoringSubscriptionHaproxy:
    default: 'overcloud-haproxy'
    type: string
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  # Drives the internal_tls_enabled condition below, which adds the internal
  # cert/key/CA mounts and the src-tls kolla config_files entry.
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.

conditions:

  # True only when EnableInternalTLS is exactly boolean true.
  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

resources:

  # Shared container settings; only its 'volumes' attribute is used here.
  ContainersCommon:
    type: ./containers-common.yaml

  # The non-containerized (puppet) service definition.  Its role_data output
  # is reused below for service_name, config_settings, step_config,
  # service_config_settings and metadata_settings.
  HAProxyBase:
    type: ../../puppet/services/haproxy.yaml
    properties:
      EndpointMap: {get_param: EndpointMap}
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the HAproxy role.
    value:
      service_name: {get_attr: [HAProxyBase, role_data, service_name]}
      config_settings:
        map_merge:
          - get_attr: [HAProxyBase, role_data, config_settings]
          # Overrides on top of the base hieradata: puppet must not manage a
          # haproxy service on the host, since the daemon runs inside the
          # haproxy container defined under docker_config.
          - tripleo::haproxy::haproxy_service_manage: false
            # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
            # when this is updated
            tripleo::haproxy::crl_file: null
      # Anchored so the haproxy_firewall container below can reuse the same
      # puppet manifest as its CONFIG parameter.
      step_config: &step_config
        get_attr: [HAProxyBase, role_data, step_config]
      service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
      # BEGIN DOCKER SETTINGS
      # Config-generation run: puppet applies the haproxy profile (firewall
      # management disabled here; it is handled by haproxy_firewall below)
      # and the result is captured in the 'haproxy' config_volume.
      puppet_config:
        config_volume: haproxy
        puppet_tags: haproxy_config
        step_config:
          "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
        config_image: {get_param: DockerHAProxyConfigImage}
        # Certificate material is bind-mounted read-only at its host path so the
        # generated haproxy.cfg can reference it.  The internal cert, key and CA
        # mounts are added only when internal_tls_enabled holds; the else branch
        # is null, which presumably list_concat ignores -- confirm.
        volumes:
          list_concat:
          - - list_join:
              - ':'
              - - {get_param: DeployedSSLCertificatePath}
                - {get_param: DeployedSSLCertificatePath}
                - 'ro'
          - if:
            - internal_tls_enabled
            - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
              - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
              - list_join:
                  - ':'
                  - - {get_param: InternalTLSCAFile}
                    - {get_param: InternalTLSCAFile}
                    - 'ro'
            - null
      # kolla config.json for the haproxy container: the config_files entries
      # are copied into the container on every start (KOLLA_CONFIG_STRATEGY
      # below) before 'command' is started as PID 1.
      kolla_config:
        /var/lib/kolla/config_files/haproxy.json:
          # haproxy-systemd-wrapper is PID 1 and supervises the haproxy
          # process(es).  NOTE(review): upstream HAProxy has since deprecated
          # the wrapper in favour of master-worker mode (haproxy -W); check the
          # version shipped in DockerHAProxyImage before relying on it.
          command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg
          config_files:
            # Puppet-generated configuration (mounted at src below, read-only).
            - source: "/var/lib/kolla/config_files/src/*"
              dest: "/"
              merge: true
              preserve_properties: true
            # Internal-TLS cert/key; 'optional' because the src-tls mounts
            # exist only when internal_tls_enabled holds.
            - source: "/var/lib/kolla/config_files/src-tls/*"
              dest: "/"
              merge: true
              preserve_properties: true
              optional: true
          # Hands the copied internal-TLS cert directory to haproxy:haproxy;
          # 'optional' makes it a no-op when internal TLS is off.
          # NOTE(review): only the certs directory is chown'ed here; the matching
          # /etc/pki/tls/private/haproxy tree mounted below is not -- confirm
          # that is intended.
          permissions:
            - path: /etc/pki/tls/certs/haproxy
              owner: haproxy:haproxy
              recurse: true
              optional: true
      docker_config:
        step_1:
          # One-shot container (detach: false) that runs puppet with only the
          # firewall-rule tag so the haproxy iptables rules are applied on the
          # host.  It runs as root, privileged and in the host network
          # namespace; NOTE(review): no narrower capability set (e.g. NET_ADMIN)
          # is expressed here -- worth confirming whether full 'privileged' is
          # actually required for the iptables calls.
          haproxy_firewall:
            detach: false
            image: {get_param: DockerHAProxyImage}
            net: host
            user: root
            privileged: true
            command:
              - '/bin/bash'
              - '-c'
              - str_replace:
                  template:
                    list_join:
                      - '; '
                      - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
                        - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
                  params:
                    TAGS: 'tripleo::firewall::rule'
                    # Same manifest as the base service's step_config (anchor above).
                    CONFIG: *step_config
            # Of the mounts listed here only /etc/sysconfig is writable; it is
            # where puppet persists the iptables rules.  ContainersCommon volumes
            # are defined elsewhere.
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
                  # puppet saves iptables rules in /etc/sysconfig
                  - /etc/sysconfig:/etc/sysconfig:rw
                  # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
                  # the necessary bit and prevent systemd to try to reload the service in the container
                  - /usr/libexec/iptables:/usr/libexec/iptables:ro
                  - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
                  - /etc/puppet:/tmp/puppet-etc:ro
                  - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
          # The long-running service container: host network namespace, not
          # privileged, restarted by docker on exit.  Every mount listed here is
          # read-only.
          haproxy:
            image: {get_param: DockerHAProxyImage}
            net: host
            restart: always
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
                -
                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
                  # Public endpoint certificate, read-only at its host path.
                  - list_join:
                    - ':'
                    - - {get_param: DeployedSSLCertificatePath}
                      - {get_param: DeployedSSLCertificatePath}
                      - 'ro'
                  # Internal-TLS cert and key directories, mounted read-only under
                  # src-tls so kolla copies them in (see config_files above).
                  # NOTE(review): the else branches produce an empty-string
                  # volume entry, unlike the null used in puppet_config; this
                  # relies on the container runner skipping empty entries -- confirm.
                  -
                    if:
                      - internal_tls_enabled
                      - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
                      - ''
                  -
                    if:
                      - internal_tls_enabled
                      - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
                      - ''
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      # Passed through unchanged from the puppet service template.
      metadata_settings:
        get_attr: [HAProxyBase, role_data, metadata_settings]