Age | Commit message (Collapse) | Author | Files | Lines |
|
This moves the certificate request bits to simplify the profile and move
the logic to the HAProxy/certmonger specific manifest.
This is a small iteration on the effort to separate the certificate
retrieval to its own manifest since this part won't be containerized
yet.
Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
|
|
In some cases, for instance, when updating from a non-SSL setup in
HAProxy to an SSL setup, we don't reload haproxy's configuration.
This is problematic since we need HAProxy to serve the certificates
and the new endpoints.
This forces the reload when puppet notices changes.
Change-Id: Ie1dd809e6beef33fadad48de55e488219fb7d686
Closes-Bug: #1636921
|
|
The service profile in HAProxy has the capability of creating
certificates based on a map. The idea is to standardize this, as
some of those certificates should match certain networks the services
are listening on (with the exception of the external network which is
handled differently and the tenant network which doesn't need a
certificate). So, based on which network a certain service is
listening on, we fetch the appropriate certificate.
bp tls-via-certmonger
Change-Id: I89001ae32f46c9682aecc118753ef6cd647baa62
|
|
Installing the undercloud with generate_service_certificate=True
fails if HAProxy is not pre-installed. This is due to missing
dependency setting on our puppet manifests. We need to specify that
the PEM file needs to be written only if the haproxy user and group
exist (which comes from the package) and that the haproxy frontend
configuration needs to be notified if there are changes in the
certificates.
Change-Id: Iba3030e4489eb31f9c07ab49913687d8b595a91b
Closes-Bug: #1623805
|
|
If the configuration for the HAProxy class or any of the frontend
endpoints has changed, we explicitly execute a reload on HA setups.
This is useful since on updates of HA setups we set pacemaker on
maintenance mode, and thus we are unable to refresh HAProxy's
configuration; The aforementioned detail is problematic, since some
puppet configurations rely on HAProxy taking into account the
configuration. An example of this is changing a port in the endpoint
map or enabling SSL.
Change-Id: I7f26257fb43146afebca928f5498ee2174178063
|
|
As we are staring to manually check overcloud services
the first step is to check that the puppet profiles
are all aligned.
Changes applied:
No logic added or removed in this submission.
Removed unused parameters.
Align header comments structure.
All profiles parameters sorted following:
"Mandatory params first sorted alphabetically
then optional params sorted alphabetically."
Note: Following submissions will check pacemaker,
cinder, mistral and redis services in the base profiles
as some of them has the $pacemaker_master parameter
defaulted to true.
Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
|
|
Before haproxy tries to use the TLS certificates it should already
trust the CA. So it's necessary for the local CA-related manifest to
notify the ::tripleo::haproxy class.
This works for newly set deployments. deployments that have already
ran the ca-trust section will already trust the CA and thus won't
need that part.
Change-Id: I32ded4e33abffd51f220fb8a7dc6263aace72acd
|
|
This gives the option to generate the service certificate(s) that
HAProxy will use. This will be used for both the overcloud and the
undercloud.
bp tls-via-certmonger
Change-Id: I3d0b729d0bad5252c1ae8852109c3a70c0c6ba7d
|
|
Deprecate loadbalancer profiles so we have a profile for HAproxy and
another for keepalived.
Once THT uses the new profiles, we'll remove loadbalancer profiles here.
Change-Id: I8aa9045fc80205485abab723968b26084f60bf71
|