Remove package if service stopped and disabled
# Heat template for the containerized HAProxy service when it is managed as a
# pacemaker bundle (the puppet-based definition is reused via HAProxyBase below).
heat_template_version: pike

description: >
  OpenStack containerized HAproxy service for pacemaker
5
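parameters:
  DockerHAProxyImage:
    description: >-
      The HAProxy container image. It is also re-tagged as
      '<image>:pcmklatest' (docker_config step_1) and that tag is what
      the pacemaker bundle is configured with.
    type: string
  DockerHAProxyConfigImage:
    description: The container image to use for the haproxy config_volume
    type: string
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    description: Passed through unchanged to the base HAProxy pacemaker service (HAProxyBase).
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  DeployedSSLCertificatePath:
    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
    description: >
        The filepath of the certificate as it will be stored in the controller.
    type: string
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  InternalTLSCRLPEMFile:
    default: '/etc/pki/CA/crl/overcloud-crl.pem'
    type: string
    description: Specifies the default CRL PEM file to use for revocation if
                 TLS is used for services in the internal network.
  HAProxyInternalTLSCertsDirectory:
    default: '/etc/pki/tls/certs/haproxy'
    type: string
    description: >-
      Directory holding the internal TLS certificates. It is part of the
      tls_mapping bind-mounted read-only into the container, and the files
      in it are set to mode 0600 owned by haproxy at container start.
  HAProxyInternalTLSKeysDirectory:
    default: '/etc/pki/tls/private/haproxy'
    type: string
    description: >-
      Directory holding the internal TLS private keys. It is part of the
      tls_mapping bind-mounted read-only into the container, and the files
      in it are set to mode 0600 owned by haproxy at container start.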
60
resources:

  # Puppet-based definition of the pacemaker-managed HAProxy service. Its
  # role_data is the base onto which the container-specific settings in the
  # outputs section are merged.
  HAProxyBase:
    type: ../../../puppet/services/pacemaker/haproxy.yaml
    properties:
      DefaultPasswords:
        get_param: DefaultPasswords
      EndpointMap:
        get_param: EndpointMap
      RoleName:
        get_param: RoleName
      RoleParameters:
        get_param: RoleParameters
      ServiceData:
        get_param: ServiceData
      ServiceNetMap:
        get_param: ServiceNetMap
72
73 outputs:
74   role_data:
75     description: Role data for the HAproxy role.
76     value:
77       service_name: {get_attr: [HAProxyBase, role_data, service_name]}
78       config_settings:
79         map_merge:
80           - get_attr: [HAProxyBase, role_data, config_settings]
81           - haproxy_docker: true
82             tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage}
83             # the list of directories that contain the certs to bind mount in the countainer
84             # bind-mounting the directories rather than all the cert, key and pem files ensures
85             # that docker won't create directories on the host when then pem files do not exist
86             tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping
87               - get_param: InternalTLSCAFile
88               - get_param: HAProxyInternalTLSKeysDirectory
89               - get_param: HAProxyInternalTLSCertsDirectory
90               - get_param: DeployedSSLCertificatePath
91             tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
92             tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
93             # disable the use CRL file until we can restart the container when the file expires
94             tripleo::haproxy::crl_file: null
95             tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image_pcmklatest
96               list_join:
97                 - ':'
98                 - - yaql:
99                       data: {get_param: DockerHAProxyImage}
100                       expression: $.data.rightSplit(separator => ":", maxSplits => 1)[0]
101                   - 'pcmklatest'
      logging_source: {get_attr: [HAProxyBase, role_data, logging_source]}
      logging_groups: {get_attr: [HAProxyBase, role_data, logging_groups]}
      # Empty here: the puppet manifest that renders the haproxy configuration
      # is the one listed under puppet_config.step_config.
      step_config: ""
      service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
106       # BEGIN DOCKER SETTINGS
107       puppet_config:
108         config_volume: haproxy
109         puppet_tags: haproxy_config
110         step_config:
111           list_join:
112             - "\n"
113             - - "exec {'wait-for-settle': command => '/bin/true' }"
114               - "class tripleo::firewall(){}; define tripleo::firewall::rule( $port = undef, $dport = undef, $sport = undef, $proto = undef, $action = undef, $state = undef, $source = undef, $iniface = undef, $chain = undef, $destination = undef, $extras = undef){}"
115               - "['pcmk_bundle', 'pcmk_resource', 'pcmk_property', 'pcmk_constraint', 'pcmk_resource_default'].each |String $val| { noop_resource($val) }"
116               - 'include ::tripleo::profile::pacemaker::haproxy_bundle'
117         config_image: {get_param: DockerHAProxyConfigImage}
118         volumes: &deployed_cert_mount
119           yaql:
120             expression: $.data.select($+":"+$+":ro")
121             data: *tls_mapping
122       kolla_config:
123         /var/lib/kolla/config_files/haproxy.json:
124           command: /usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg
125           config_files:
126             - source: "/var/lib/kolla/config_files/src/*"
127               dest: "/"
128               merge: true
129               preserve_properties: true
130               optional: true
131             - source: "/var/lib/kolla/config_files/src-tls/*"
132               dest: "/"
133               merge: true
134               optional: true
135               preserve_properties: true
136           permissions:
137             - path:
138                 list_join:
139                 - ''
140                 - - {get_param: HAProxyInternalTLSCertsDirectory}
141                   - '/*'
142               owner: haproxy:haproxy
143               perm: '0600'
144               optional: true
145             - path:
146                 list_join:
147                 - ''
148                 - - {get_param: HAProxyInternalTLSKeysDirectory}
149                   - '/*'
150               owner: haproxy:haproxy
151               perm: '0600'
152               optional: true
153       docker_config:
154         step_1:
155           haproxy_image_tag:
156             start_order: 1
157             detach: false
158             net: host
159             user: root
160             command:
161               - '/bin/bash'
162               - '-c'
163               - str_replace:
164                   template:
165                     "/usr/bin/docker tag 'HAPROXY_IMAGE' 'HAPROXY_IMAGE_PCMKLATEST'"
166                   params:
167                     HAPROXY_IMAGE: {get_param: DockerHAProxyImage}
168                     HAPROXY_IMAGE_PCMKLATEST: *haproxy_image_pcmklatest
169             image: {get_param: DockerHAProxyImage}
170             volumes:
171               - /etc/hosts:/etc/hosts:ro
172               - /etc/localtime:/etc/localtime:ro
173               - /dev/shm:/dev/shm:rw
174               - /etc/sysconfig/docker:/etc/sysconfig/docker:ro
175               - /usr/bin:/usr/bin:ro
176               - /var/run/docker.sock:/var/run/docker.sock:rw
177             image: {get_param: DockerHAProxyImage}
178         step_2:
179           haproxy_init_bundle:
180             start_order: 3
181             detach: false
182             net: host
183             user: root
184             privileged: true
185             command:
186               - '/bin/bash'
187               - '-c'
188               - str_replace:
189                   template:
190                     list_join:
191                       - '; '
192                       - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 2}' > /etc/puppet/hieradata/docker.json"
193                         - "FACTER_uuid=docker puppet apply --tags file,file_line,concat,augeas,TAGS -v -e 'CONFIG'"
194                   params:
195                     TAGS: 'tripleo::firewall::rule,pacemaker::resource::bundle,pacemaker::property,pacemaker::resource::ip,pacemaker::resource::ocf,pacemaker::constraint::order,pacemaker::constraint::colocation'
196                     CONFIG:
197                       list_join:
198                         - ';'
199                         - - 'include ::tripleo::profile::base::pacemaker'
200                           - 'include ::tripleo::profile::pacemaker::haproxy_bundle'
201             image: {get_param: DockerHAProxyImage}
202             volumes:
203               list_concat:
204                 - *deployed_cert_mount
205                 -
206                   # puppet saves iptables rules in /etc/sysconfig
207                   - /etc/sysconfig:/etc/sysconfig:rw
208                   # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
209                   # the necessary bit and prevent systemd to try to reload the service in the container
210                   - /usr/libexec/iptables:/usr/libexec/iptables:ro
211                   - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
212                   - /etc/hosts:/etc/hosts:ro
213                   - /etc/localtime:/etc/localtime:ro
214                   - /etc/puppet:/tmp/puppet-etc:ro
215                   - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
216                   - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
217                   - /dev/shm:/dev/shm:rw
      # Passed through unchanged from the base (puppet) HAProxy service.
      metadata_settings:
        get_attr: [HAProxyBase, role_data, metadata_settings]
220       upgrade_tasks:
221         - name: get bootstrap nodeid
222           tags: common
223           command: hiera -c /etc/puppet/hiera.yaml bootstrap_nodeid
224           register: bootstrap_node
225         - name: set is_bootstrap_node fact
226           tags: common
227           set_fact: is_bootstrap_node={{bootstrap_node.stdout|lower == ansible_hostname|lower}}
228         - name: Check cluster resource status
229           tags: step2
230           pacemaker_resource:
231             resource: {get_attr: [HAProxyBase, role_data, service_name]}
232             state: started
233             check_mode: true
234           ignore_errors: true
235           register: haproxy_res
236         - name: Disable the haproxy cluster resource.
237           tags: step2
238           pacemaker_resource:
239             resource: {get_attr: [HAProxyBase, role_data, service_name]}
240             state: disable
241             wait_for_resource: true
242           register: output
243           retries: 5
244           until: output.rc == 0
245           when: is_bootstrap_node and haproxy_res|succeeded
246         - name: Delete the stopped haproxy cluster resource.
247           tags: step2
248           pacemaker_resource:
249             resource: {get_attr: [HAProxyBase, role_data, service_name]}
250             state: delete
251             wait_for_resource: true
252           register: output
253           retries: 5
254           until: output.rc == 0
255           when: is_bootstrap_node and haproxy_res|succeeded