diff options
author | Damien Ciabrini <dciabrin@redhat.com> | 2017-08-07 20:26:33 +0000 |
---|---|---|
committer | Damien Ciabrini <dciabrin@redhat.com> | 2017-08-09 22:05:21 +0000 |
commit | 1f695f183ae114650d222ab7434bdeb2587a82aa (patch) | |
tree | faf848eb27a9016ea9b12cd256af9041ae76c932 /manifests | |
parent | 4600841dbcc0ee970256a6e2f35056c3e624bf98 (diff) |
Enable TLS configuration for containerized HAProxy
In non-containerized deployments, HAProxy can be configured to use TLS
for proxying internal services.
Fix the creation of the of the haproxy bundle resource to enable TLS
when configured. The keys and certs files, as well as the crl file are
all passed as configuration files and must be copied by Kolla at
container startup.
Change-Id: I4b72739446c63f0f0ac9f859314a4d6746e20255
Partial-Bug: #1709563
Diffstat (limited to 'manifests')
-rw-r--r-- | manifests/profile/pacemaker/haproxy_bundle.pp | 115 |
1 files changed, 97 insertions, 18 deletions
diff --git a/manifests/profile/pacemaker/haproxy_bundle.pp b/manifests/profile/pacemaker/haproxy_bundle.pp index b785ea7..1b9a191 100644 --- a/manifests/profile/pacemaker/haproxy_bundle.pp +++ b/manifests/profile/pacemaker/haproxy_bundle.pp @@ -30,10 +30,34 @@ # (Optional) Whether load balancing is enabled for this cluster # Defaults to hiera('enable_load_balancer', true) # +# [*ca_bundle*] +# (Optional) The path to the CA file that will be used for the TLS +# configuration. It's only used if internal TLS is enabled. +# Defaults to hiera('tripleo::haproxy::ca_bundle', undef) +# +# [*crl_file*] +# (Optional) The path to the file that contains the certificate +# revocation list. It's only used if internal TLS is enabled. +# Defaults to hiera('tripleo::haproxy::crl_file', undef) +# # [*deployed_ssl_cert_path*] # (Optional) The filepath of the certificate as it will be stored in # the controller. -# Defaults to '/etc/pki/tls/private/overcloud_endpoint.pem' +# Defaults to hiera('tripleo::haproxy::service_certificate', undef) +# +# [*enable_internal_tls*] +# (Optional) Whether TLS in the internal network is enabled or not. +# Defaults to hiera('enable_internal_tls', false) +# +# [*internal_certs_directory*] +# (Optional) Directory the holds the certificates to be used when +# when TLS is enabled in the internal network +# Defaults to undef +# +# [*internal_keys_directory*] +# (Optional) Directory the holds the certificates to be used when +# when TLS is enabled in the internal network +# Defaults to undef # # [*step*] # (Optional) The current step in deployment. See tripleo-heat-templates @@ -45,12 +69,17 @@ # Defaults to hiera('pcs_tries', 20) # class tripleo::profile::pacemaker::haproxy_bundle ( - $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), - $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), - $enable_load_balancer = hiera('enable_load_balancer', true), - $deployed_ssl_cert_path = '/etc/pki/tls/private/overcloud_endpoint.pem', - $step = Integer(hiera('step')), - $pcs_tries = hiera('pcs_tries', 20), + $haproxy_docker_image = hiera('tripleo::profile::pacemaker::haproxy::haproxy_docker_image', undef), + $bootstrap_node = hiera('haproxy_short_bootstrap_node_name'), + $enable_load_balancer = hiera('enable_load_balancer', true), + $ca_bundle = hiera('tripleo::haproxy::ca_bundle', undef), + $crl_file = hiera('tripleo::haproxy::crl_file', undef), + $enable_internal_tls = hiera('enable_internal_tls', false), + $internal_certs_directory = undef, + $internal_keys_directory = undef, + $deployed_ssl_cert_path = hiera('tripleo::haproxy::service_certificate', undef), + $step = Integer(hiera('step')), + $pcs_tries = hiera('pcs_tries', 20), ) { include ::tripleo::profile::base::haproxy @@ -90,14 +119,8 @@ class tripleo::profile::pacemaker::haproxy_bundle ( $haproxy_nodes = hiera('haproxy_short_node_names') $haproxy_nodes_count = count($haproxy_nodes) - pacemaker::resource::bundle { 'haproxy-bundle': - image => $haproxy_docker_image, - replicas => $haproxy_nodes_count, - location_rule => $haproxy_location_rule, - container_options => 'network=host', - options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', - run_command => '/bin/bash /usr/local/bin/kolla_start', - storage_maps => { + + $storage_maps = { 'haproxy-cfg-files' => { 'source-dir' => '/var/lib/kolla/config_files/haproxy.json', 'target-dir' => '/var/lib/kolla/config_files/config.json', @@ -143,12 +166,68 @@ class tripleo::profile::pacemaker::haproxy_bundle ( 'target-dir' => '/dev/log', 'options' => 'rw', }, - 'haproxy-cert' => { + }; + + if $deployed_ssl_cert_path { + $cert_storage_maps = { + 'haproxy-cert' => { 'source-dir' => $deployed_ssl_cert_path, - 'target-dir' => $deployed_ssl_cert_path, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${deployed_ssl_cert_path}", 'options' => 'ro', }, - }, + } + } else { + $cert_storage_maps = {} + } + + if $enable_internal_tls { + $haproxy_storage_maps = { + 'haproxy-pki-certs' => { + 'source-dir' => $internal_certs_directory, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${internal_certs_directory}", + 'options' => 'ro', + }, + 'haproxy-pki-keys' => { + 'source-dir' => $internal_keys_directory, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${internal_keys_directory}", + 'options' => 'ro', + }, + } + if $ca_bundle { + $ca_storage_maps = { + 'haproxy-pki-ca-file' => { + 'source-dir' => $ca_bundle, + 'target-dir' => "/var/lib/kolla/config_files/src-tls${ca_bundle}", + 'options' => 'ro', + }, + } + } else { + $ca_storage_maps = {} + } + if $crl_file { + $crl_storage_maps = { + 'haproxy-pki-crl-file' => { + 'source-dir' => $crl_file, + 'target-dir' => $crl_file, + 'options' => 'ro', + }, + } + } else { + $crl_storage_maps = {} + } + $storage_maps_internal_tls = merge($haproxy_storage_maps, $ca_storage_maps, $crl_storage_maps) + } else { + $storage_maps_internal_tls = {} + } + + pacemaker::resource::bundle { 'haproxy-bundle': + image => $haproxy_docker_image, + replicas => $haproxy_nodes_count, + location_rule => $haproxy_location_rule, + container_options => 'network=host', + options => '--user=root --log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS', + run_command => '/bin/bash /usr/local/bin/kolla_start', + storage_maps => merge($storage_maps, $cert_storage_maps, $storage_maps_internal_tls), } $control_vip = hiera('controller_virtual_ip') tripleo::pacemaker::haproxy_with_vip { 'haproxy_and_control_vip': |