X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=docker%2Fservices%2Fhaproxy.yaml;h=2f0584ea2db18fd3c25967c5ad0ee4f78c997e21;hb=453f51f81a22b4cb5786e8352e55ff18d5929565;hp=242f0751d5e6c87faa12b6976acd617008a5b833;hpb=c22b2804b5998be928fcbfdff81dc27028189978;p=apex-tripleo-heat-templates.git

diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 242f0751..2f0584ea 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -4,18 +4,16 @@ description: >
   OpenStack containerized HAproxy service
 
 parameters:
-  DockerNamespace:
-    description: namespace
-    default: 'tripleoupstream'
-    type: string
   DockerHAProxyImage:
     description: image
-    default: 'centos-binary-haproxy:latest'
     type: string
   DockerHAProxyConfigImage:
     description: The container image to use for the haproxy config_volume
-    default: 'centos-binary-haproxy:latest'
     type: string
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
   ServiceNetMap:
     default: {}
     description: Mapping of service_name -> network name. Typically set
@@ -42,8 +40,13 @@ parameters:
     default: /dev/log
     description: Syslog address where HAproxy will send its log
     type: string
+  DeployedSSLCertificatePath:
+    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
   RedisPassword:
-    description: The password for Redis
+    description: The password for the redis service account.
     type: string
     hidden: true
   MonitoringSubscriptionHaproxy:
@@ -67,6 +70,7 @@ resources:
     type: ../../puppet/services/haproxy.yaml
     properties:
       EndpointMap: {get_param: EndpointMap}
+      ServiceData: {get_param: ServiceData}
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
       RoleName: {get_param: RoleName}
@@ -81,6 +85,7 @@ outputs:
         map_merge:
           - get_attr: [HAProxyBase, role_data, config_settings]
           - tripleo::haproxy::haproxy_daemon: false
+            tripleo::haproxy::haproxy_service_manage: false
       step_config: &step_config
         get_attr: [HAProxyBase, role_data, step_config]
       service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
@@ -88,30 +93,71 @@ outputs:
       puppet_config:
         config_volume: haproxy
         puppet_tags: haproxy_config
-        step_config: *step_config
-        config_image:
-          list_join:
-            - '/'
-            - [ {get_param: DockerNamespace}, {get_param: DockerHAProxyConfigImage} ]
+        step_config:
+          "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
+        config_image: {get_param: DockerHAProxyConfigImage}
+        volumes: &deployed_cert_mount
+          - list_join:
+            - ':'
+            - - {get_param: DeployedSSLCertificatePath}
+              - {get_param: DeployedSSLCertificatePath}
+              - 'ro'
       kolla_config:
         /var/lib/kolla/config_files/haproxy.json:
           command: haproxy -f /etc/haproxy/haproxy.cfg
+          config_files:
+            - source: "/var/lib/kolla/config_files/src/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
       docker_config:
         step_1:
+          haproxy_firewall:
+            detach: false
+            image: {get_param: DockerHAProxyImage}
+            net: host
+            user: root
+            privileged: true
+            command:
+              - '/bin/bash'
+              - '-c'
+              - str_replace:
+                  template:
+                    list_join:
+                      - '; '
+                      - - "cp -a /tmp/puppet-etc/* /etc/puppet; echo '{\"step\": 1}' > /etc/puppet/hieradata/docker.json"
+                        - "FACTER_uuid=docker puppet apply --tags TAGS -v -e 'CONFIG'"
+                  params:
+                    TAGS: 'tripleo::firewall::rule'
+                    CONFIG: *step_config
+            volumes:
+              list_concat:
+                - {get_attr: [ContainersCommon, volumes]}
+                - *deployed_cert_mount
+                -
+                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
+                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
+                  # puppet saves iptables rules in /etc/sysconfig
+                  - /etc/sysconfig:/etc/sysconfig:rw
+                  # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
+                  # the necessary bit and prevent systemd to try to reload the service in the container
+                  - /usr/libexec/iptables:/usr/libexec/iptables:ro
+                  - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
+                  - /etc/puppet:/tmp/puppet-etc:ro
+                  - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
+            environment:
+              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
           haproxy:
-            image:
-              list_join:
-                - '/'
-                - [ {get_param: DockerNamespace}, {get_param: DockerHAProxyImage} ]
+            image: {get_param: DockerHAProxyImage}
             net: host
-            privileged: false
             restart: always
             volumes:
               list_concat:
                 - {get_attr: [ContainersCommon, volumes]}
+                - *deployed_cert_mount
                 -
                   - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
-                  - /var/lib/config-data/haproxy/etc/:/etc/:ro
+                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
       metadata_settings: