# Partial listing of the containerized HAProxy service Heat template. The
# leading numbers appear to be the listing's own line numbers; lines missing
# from the numbering (parameter names, types, section keys) are not shown.
1 heat_template_version: pike
4 OpenStack containerized HAproxy service
# Image used for the haproxy config_volume; read as config_image further down.
10 DockerHAProxyConfigImage:
11 description: The container image to use for the haproxy config_volume
15 description: Dictionary packing service data
19 description: Mapping of service_name -> network name. Typically set
20 via parameter_defaults in the resource registry. This
21 mapping overrides those in ServiceNetMapDefaults.
28 description: Mapping of service endpoint -> protocol. Typically set
29 via parameter_defaults in the resource registry.
# NOTE(review): credential parameter. Its declaration is not visible in this
# listing; confirm it carries `hidden: true` so the value is masked when the
# stack's parameters are displayed.
32 description: Password for HAProxy stats endpoint
36 description: User for HAProxy stats endpoint
41 description: Syslog address where HAproxy will send its log
# Host path of the deployed endpoint certificate. The same parameter is used
# twice per volume entry further down, presumably as source and destination.
# NOTE(review): the default sits under a "private" directory; a HAProxy .pem
# usually bundles the private key, so treat this file as key material and
# confirm its ownership and mode on the host.
43 DeployedSSLCertificatePath:
44 default: '/etc/pki/tls/private/overcloud_endpoint.pem'
46 The filepath of the certificate as it will be stored in the controller.
# NOTE(review): second credential parameter; same `hidden: true` check as the
# stats password applies (declaration not visible here).
49 description: The password for the redis service account.
52 MonitoringSubscriptionHaproxy:
53 default: 'overcloud-haproxy'
57 description: Role name on which the service is applied
61 description: Parameters specific to the role
# Default CA certificate path. The parameter name is not on these lines;
# presumably this is InternalTLSCAFile, which is read further down.
67 default: '/etc/ipa/ca.crt'
69 description: Specifies the default CA cert to use if TLS is used for
70 services in the internal network.
# Condition that holds when the EnableInternalTLS parameter equals true. It is
# named before each internal-TLS certificate/key mount later in the template.
74 internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
# Nested template with shared container settings. The resource name is not on
# this line; presumably ContainersCommon, whose `volumes` attribute is read in
# the container definitions below.
79 type: ./containers-common.yaml
# Puppet-based HAProxy service template (presumably the HAProxyBase resource
# read by the get_attr calls in the outputs). The properties that follow pass
# this template's own parameters through unchanged.
82 type: ../../puppet/services/haproxy.yaml
84 EndpointMap: {get_param: EndpointMap}
85 ServiceData: {get_param: ServiceData}
86 ServiceNetMap: {get_param: ServiceNetMap}
87 DefaultPasswords: {get_param: DefaultPasswords}
88 RoleName: {get_param: RoleName}
89 RoleParameters: {get_param: RoleParameters}
# Output describing the HAProxy role; most values are taken from HAProxyBase.
93 description: Role data for the HAproxy role.
95 service_name: {get_attr: [HAProxyBase, role_data, service_name]}
# Base config_settings followed by container-specific overrides. The key that
# combines the two list items is not visible (presumably a map merge).
98 - get_attr: [HAProxyBase, role_data, config_settings]
# Puppet is told not to run haproxy as a daemon and not to manage the service;
# presumably the container runs the haproxy process instead -- TODO confirm.
99 - tripleo::haproxy::haproxy_daemon: false
100 tripleo::haproxy::haproxy_service_manage: false
101 # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
102 # when this is updated
# NOTE(review): with crl_file set to null this HAProxy is configured without a
# certificate revocation list, so a revoked certificate presumably keeps being
# accepted until it expires. Record this as a known gap; short certificate
# lifetimes or a reload path for CRL updates would narrow it.
103 tripleo::haproxy::crl_file: null
# `&step_config` defines a YAML anchor on this value; no alias that uses it is
# visible in this listing.
104 step_config: &step_config
105 get_attr: [HAProxyBase, role_data, step_config]
106 service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
107 # BEGIN DOCKER SETTINGS
# Settings for the puppet run that generates the haproxy configuration into
# the "haproxy" config volume, limited to the haproxy_config puppet tag.
109 config_volume: haproxy
110 puppet_tags: haproxy_config
# manage_firewall => false: this puppet run does not touch firewall rules. A
# later container in this template runs puppet apply with the
# tripleo::firewall::rule tag, which appears to be where the rules are set.
112 "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
113 config_image: {get_param: DockerHAProxyConfigImage}
# Volume entries. Each nested pair repeats one path parameter, presumably as
# host source and container destination; any mount mode that follows the pair
# is not visible in this listing.
118 - - {get_param: DeployedSSLCertificatePath}
119 - {get_param: DeployedSSLCertificatePath}
# Listed after the internal_tls_enabled condition: the host's HAProxy
# certificate and private-key directories, both mounted read-only (:ro).
122 - internal_tls_enabled
123 - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
124 - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
127 - - {get_param: InternalTLSCAFile}
128 - {get_param: InternalTLSCAFile}
# Kolla config for the haproxy container: the command to run and the file
# sources to copy at start-up (destinations are not visible here).
132 /var/lib/kolla/config_files/haproxy.json:
133 command: haproxy -f /etc/haproxy/haproxy.cfg
135 - source: "/var/lib/kolla/config_files/src/*"
138 preserve_properties: true
# src-tls is where the haproxy container mounts the TLS certificate and key
# directories (see the src-tls volume entries near the end of the template).
139 - source: "/var/lib/kolla/config_files/src-tls/*"
142 preserve_properties: true
# Ownership entry for the copied certificate directory.
# NOTE(review): only the certs path is visible in this listing; confirm the
# private-key directory gets an equivalent haproxy-only ownership entry.
145 - path: /etc/pki/tls/certs/haproxy
146 owner: haproxy:haproxy
# Container that runs a one-off puppet apply using the HAProxy image. The
# container's name, step and privilege settings are not visible here.
153 image: {get_param: DockerHAProxyImage}
# First command item: copy the read-only puppet tree mounted at
# /tmp/puppet-etc into /etc/puppet and write step 1 into docker.json, so
# puppet works on a copy rather than on the host's /etc/puppet.
# Second item: puppet apply with TAGS and CONFIG as placeholders; TAGS is
# replaced by tripleo::firewall::rule below (the CONFIG value is not visible).
164 - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
165 - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
167 TAGS: 'tripleo::firewall::rule'
# Volumes: the shared ContainersCommon list plus the mounts that follow.
171 - {get_attr: [ContainersCommon, volumes]}
173 - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
174 - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
175 # puppet saves iptables rules in /etc/sysconfig
# NOTE(review): this is the only read-write host mount visible in the listing.
# It exposes the whole host /etc/sysconfig directory to the container, not
# just the iptables files; confirm the container's privileges and whether the
# mount can be narrowed.
176 - /etc/sysconfig:/etc/sysconfig:rw
177 # saving rules requires access to /usr/libexec/iptables/iptables.init, so just bind-mount
178 # the necessary bits and prevent systemd from trying to reload the service in the container
179 - /usr/libexec/iptables:/usr/libexec/iptables:ro
180 - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
# Host puppet configuration and modules, both read-only.
181 - /etc/puppet:/tmp/puppet-etc:ro
182 - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
# Kolla copies the configuration files on every container start.
184 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
# Second container using the HAProxy image; presumably the long-running
# haproxy service (its name and other settings are not visible here).
186 image: {get_param: DockerHAProxyImage}
191 - {get_attr: [ContainersCommon, volumes]}
193 - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
194 - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
# Endpoint certificate path, given twice (presumably source and destination).
197 - - {get_param: DeployedSSLCertificatePath}
198 - {get_param: DeployedSSLCertificatePath}
# Internal-TLS material is mounted read-only under src-tls rather than at its
# final path; the kolla config earlier in the template lists src-tls/* as a
# copy source, so the files are presumably copied into place at start-up.
202 - internal_tls_enabled
203 - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
# NOTE(review): private keys reach the container through this mount; confirm
# the copied key directory ends up readable by the haproxy user only.
207 - internal_tls_enabled
208 - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
211 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
# Metadata settings are passed through from HAProxyBase unchanged.
213 get_attr: [HAProxyBase, role_data, metadata_settings]