summaryrefslogtreecommitdiffstats
path: root/manifests/profile/base/haproxy.pp
AgeCommit message (Collapse)AuthorFilesLines
2017-03-13HAProxy: Refactor certificate retrieval bitsJuan Antonio Osorio Robles1-21/+1
This moves the certificate request bits to simplify the profile and move the logic to the HAProxy/certmonger specific manifest. This is a small iteration on the effort to separate the certificate retrieval to its own manifest since this part won't be containerized yet. Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
2016-10-26Reload haproxy if any configuration changes on HAJuan Antonio Osorio Robles1-1/+1
In some cases, for instance, when updating from a non-SSL setup in HAProxy to an SSL setup, we don't reload haproxy's configuration. This is problematic since we need HAProxy to serve the certificates and the new endpoints. This forces the reload when puppet notices changes. Change-Id: Ie1dd809e6beef33fadad48de55e488219fb7d686 Closes-Bug: #1636921
2016-10-05Fetch internal certificates for HAProxy based on networkJuan Antonio Osorio Robles1-1/+3
The service profile in HAProxy has the capability of creating certificates based on a map. The idea is to standardize this, as some of those certificates should match certain networks the services are listening on (with the exception of the external network which is handled differently and the tenant network which doesn't need a certificate). So, based on which network a certain service is listening on, we fetch the appropriate certificate. bp tls-via-certmonger Change-Id: I89001ae32f46c9682aecc118753ef6cd647baa62
2016-09-15Fix dependencies for HAProxy when certmonger is usedJuan Antonio Osorio Robles1-0/+3
Installing the undercloud with generate_service_certificate=True fails if HAProxy is not pre-installed. This is due to missing dependency setting on our puppet manifests. We need to specify that the PEM file needs to be written only if the haproxy user and group exist (which comes from the package) and that the haproxy frontend configuration needs to be notified if there are changes in the certificates. Change-Id: Iba3030e4489eb31f9c07ab49913687d8b595a91b Closes-Bug: #1623805
2016-08-29Reload HAProxy on refreshJuan Antonio Osorio Robles1-0/+14
If the configuration for the HAProxy class or any of the frontend endpoints has changed, we explicitly execute a reload on HA setups. This is useful since on updates of HA setups we set pacemaker on maintenance mode, and thus we are unable to refresh HAProxy's configuration; The aforementioned detail is problematic, since some puppet configurations rely on HAProxy taking into account the configuration. An example of this is changing a port in the endpoint map or enabling SSL. Change-Id: I7f26257fb43146afebca928f5498ee2174178063
2016-08-08Fix parameters and headers inconsistency in the puppet manifests.Carlos Camacho1-25/+24
As we are staring to manually check overcloud services the first step is to check that the puppet profiles are all aligned. Changes applied: No logic added or removed in this submission. Removed unused parameters. Align header comments structure. All profiles parameters sorted following: "Mandatory params first sorted alphabetically then optional params sorted alphabetically." Note: Following submissions will check pacemaker, cinder, mistral and redis services in the base profiles as some of them has the $pacemaker_master parameter defaulted to true. Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
2016-08-01Run local CA trust before haproxy deploymentJuan Antonio Osorio Robles1-1/+3
Before haproxy tries to use the TLS certificates it should already trust the CA. So it's necessary for the local CA-related manifest to notify the ::tripleo::haproxy class. This works for newly set deployments. deployments that have already ran the ca-trust section will already trust the CA and thus won't need that part. Change-Id: I32ded4e33abffd51f220fb8a7dc6263aace72acd
2016-07-22Generate HAProxy certificates in base profileJuan Antonio Osorio Robles1-2/+48
This gives the option to generate the service certificate(s) that HAProxy will use. This will be used for both the overcloud and the undercloud. bp tls-via-certmonger Change-Id: I3d0b729d0bad5252c1ae8852109c3a70c0c6ba7d
2016-06-04Deprecate loabalancer profilesEmilien Macchi1-0/+42
Deprecate loadbalancer profiles so we have a profile for HAproxy and another for keepalived. Once THT uses the new profiles, we'll remove loadbalancer profiles here. Change-Id: I8aa9045fc80205485abab723968b26084f60bf71