X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=puppet%2Fservices%2Fhaproxy.yaml;h=6b2d028f2c2858ee03c5f8ef373b08def3dde389;hb=refs%2Fheads%2Fmaster;hp=5bdc3b88a77f167d494406bfe5b54d5c6e155a76;hpb=41f0472c22b68f461ab2c97752fbf0aa8b8d98cc;p=apex-tripleo-heat-templates.git diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 5bdc3b88..6b2d028f 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml @@ -4,6 +4,10 @@ description: > HAproxy service configured with Puppet parameters: + ServiceData: + default: {} + description: Dictionary packing service data + type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set @@ -26,6 +30,10 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + EnableLoadBalancer: + default: true + description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used. + type: boolean HAProxyStatsPassword: description: Password for HAProxy stats endpoint hidden: true @@ -43,12 +51,22 @@ parameters: description: Whether or not to enable the HAProxy stats interface. type: boolean RedisPassword: - description: The password for Redis + description: The password for the redis service account. type: string hidden: true MonitoringSubscriptionHaproxy: default: 'overcloud-haproxy' type: string + SSLCertificate: + default: '' + description: > + The content of the SSL certificate (without Key) in PEM format. + type: string + DeployedSSLCertificatePath: + default: '/etc/pki/tls/private/overcloud_endpoint.pem' + description: > + The filepath of the certificate as it will be stored in the controller. + type: string InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string @@ -60,11 +78,20 @@ parameters: description: Specifies the default CRL PEM file to use for revocation if TLS is used for services in the internal network. +conditions: + + public_tls_enabled: + not: + equals: + - {get_param: SSLCertificate} + - "" + resources: HAProxyPublicTLS: type: OS::TripleO::Services::HAProxyPublicTLS properties: + ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} @@ -74,6 +101,7 @@ resources: HAProxyInternalTLS: type: OS::TripleO::Services::HAProxyInternalTLS properties: + ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} @@ -88,8 +116,6 @@ outputs: monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy} config_settings: map_merge: - - get_attr: [HAProxyPublicTLS, role_data, config_settings] - - get_attr: [HAProxyInternalTLS, role_data, config_settings] - tripleo.haproxy.firewall_rules: '107 haproxy stats': dport: 1993 @@ -100,10 +126,17 @@ outputs: tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile} tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile} tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled} + enable_load_balancer: {get_param: EnableLoadBalancer} tripleo::profile::base::haproxy::certificates_specs: map_merge: - get_attr: [HAProxyPublicTLS, role_data, certificates_specs] - get_attr: [HAProxyInternalTLS, role_data, certificates_specs] + - if: + - public_tls_enabled + - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath} + - {} + - get_attr: [HAProxyPublicTLS, role_data, config_settings] + - get_attr: [HAProxyInternalTLS, role_data, config_settings] step_config: | include ::tripleo::profile::base::haproxy upgrade_tasks: