Code Review / apex-tripleo-heat-templates.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: 1847a01)
Bind mount needed cert for haproxy
authorMartin André <m.andre@redhat.com>
Tue, 13 Jun 2017 13:35:16 +0000 (15:35 +0200)
committerMartin André <m.andre@redhat.com>
Fri, 30 Jun 2017 06:14:51 +0000 (08:14 +0200)
haproxy needs the deployed SSL cert file to function when TLS is
enabled.

It is also required for the docker-puppet haproxy container since the
haproxy puppet module uses a validate_cmd to check the generated config
file is valid that fails when the required SSL cert is not present.
There is no clean way to disable this feature [1] so we need to bind
mount the cert into the container.

[1] https://github.com/puppetlabs/puppetlabs-haproxy/blob/4753ea5b2506ee093e9b4c8af6e91201d476d426/manifests/config.pp#L53-L57

Change-Id: Id2df144b678769def204961236624091d4e5c457

docker/services/haproxy.yaml patch | blob | history

diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 242f075..5831fe8 100644 (file)
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -42,6 +42,11 @@ parameters:
     default: /dev/log
     description: Syslog address where HAproxy will send its log
     type: string
+  DeployedSSLCertificatePath:
+    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+    description: >
+        The filepath of the certificate as it will be stored in the controller.
+    type: string
   RedisPassword:
     description: The password for Redis
     type: string
@@ -93,6 +98,12 @@ outputs:
           list_join:
             - '/'
             - [ {get_param: DockerNamespace}, {get_param: DockerHAProxyConfigImage} ]
+        volumes: &deployed_cert_mount
+          - list_join:
+            - ':'
+            - - {get_param: DeployedSSLCertificatePath}
+              - {get_param: DeployedSSLCertificatePath}
+              - 'ro'
       kolla_config:
         /var/lib/kolla/config_files/haproxy.json:
           command: haproxy -f /etc/haproxy/haproxy.cfg
@@ -109,6 +120,7 @@ outputs:
             volumes:
               list_concat:
                 - {get_attr: [ContainersCommon, volumes]}
+                - *deployed_cert_mount
                 -
                   - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
                   - /var/lib/config-data/haproxy/etc/:/etc/:ro