path: root/manifests/profile/base/haproxy.pp
Age | Commit message | Author | Files | Lines
2017-07-27 | Prevent haproxy to run iptables during docker-puppet configuration | Damien Ciabrini | 1 | -0/+7
When docker-puppet runs module tripleo::haproxy to generate haproxy configuration file, and tripleo::firewall::manage_firewall is true, iptables is called to set up firewall rules for the proxied services and fails due to lack of NET_ADMIN capability. Make the generation of firewall rules configurable by exposing a new argument to the puppet module. That way, firewall management can be temporarily disabled when being run through docker-puppet. Change-Id: I2d6274d061039a9793ad162ed8e750bd87bf71e9 Partial-Bug: #1697921
2017-06-14 | Ensure hiera step value is an integer | Steve Baker | 1 | -1/+1
The step is typically set with the hieradata setting an integer value:

  {"step": 1}

However it would be useful for the value to be a string so that substitutions are possible, for example:

  {"step": "%{::step}"}

This change ensures the step parameter defaults to an integer by calling Integer(hiera('step'))

This change was made by manually removing the undef defaults from fluentd.pp, uchiwa.pp, and sensu.pp then bulk updating with:

  find ./ -type f -print0 |xargs -0 sed -i "s/= hiera('step')/= Integer(hiera('step'))/"

Change-Id: I8a47ca53a7dea8391103abcb8960a97036a6f5b3
2017-03-26 | Remove certificate request bits from service profiles | Juan Antonio Osorio Robles | 1 | -16/+0
This is now the job of the certmonger_user profile. So these bits are not needed anymore in the service profiles. Change-Id: Iaa3137d7d13d5e707f587d3905a5a32598c08800 Depends-On: Ibf58dfd7d783090e927de6629e487f968f7e05b6
2017-03-13 | HAProxy: Refactor certificate retrieval bits | Juan Antonio Osorio Robles | 1 | -21/+1
This moves the certificate request bits to simplify the profile and move the logic to the HAProxy/certmonger specific manifest. This is a small iteration on the effort to separate the certificate retrieval to its own manifest since this part won't be containerized yet. Change-Id: Ibb01cd9a59049e4728615cb4f37e5bfac5800a92
2016-10-26 | Reload haproxy if any configuration changes on HA | Juan Antonio Osorio Robles | 1 | -1/+1
In some cases, for instance, when updating from a non-SSL setup in HAProxy to an SSL setup, we don't reload haproxy's configuration. This is problematic since we need HAProxy to serve the certificates and the new endpoints. This forces the reload when puppet notices changes. Change-Id: Ie1dd809e6beef33fadad48de55e488219fb7d686 Closes-Bug: #1636921
2016-10-05 | Fetch internal certificates for HAProxy based on network | Juan Antonio Osorio Robles | 1 | -1/+3
The service profile in HAProxy has the capability of creating certificates based on a map. The idea is to standardize this, as some of those certificates should match certain networks the services are listening on (with the exception of the external network which is handled differently and the tenant network which doesn't need a certificate). So, based on which network a certain service is listening on, we fetch the appropriate certificate. bp tls-via-certmonger Change-Id: I89001ae32f46c9682aecc118753ef6cd647baa62
2016-09-15 | Fix dependencies for HAProxy when certmonger is used | Juan Antonio Osorio Robles | 1 | -0/+3
Installing the undercloud with generate_service_certificate=True fails if HAProxy is not pre-installed. This is due to missing dependency setting on our puppet manifests. We need to specify that the PEM file needs to be written only if the haproxy user and group exist (which comes from the package) and that the haproxy frontend configuration needs to be notified if there are changes in the certificates. Change-Id: Iba3030e4489eb31f9c07ab49913687d8b595a91b Closes-Bug: #1623805
2016-08-29 | Reload HAProxy on refresh | Juan Antonio Osorio Robles | 1 | -0/+14
If the configuration for the HAProxy class or any of the frontend endpoints has changed, we explicitly execute a reload on HA setups. This is useful since on updates of HA setups we set pacemaker on maintenance mode, and thus we are unable to refresh HAProxy's configuration. The aforementioned detail is problematic, since some puppet configurations rely on HAProxy taking into account the configuration. An example of this is changing a port in the endpoint map or enabling SSL. Change-Id: I7f26257fb43146afebca928f5498ee2174178063
2016-08-08 | Fix parameters and headers inconsistency in the puppet manifests. | Carlos Camacho | 1 | -25/+24
As we are starting to manually check overcloud services the first step is to check that the puppet profiles are all aligned. Changes applied: No logic added or removed in this submission. Removed unused parameters. Align header comments structure. All profiles parameters sorted following: "Mandatory params first sorted alphabetically then optional params sorted alphabetically." Note: Following submissions will check pacemaker, cinder, mistral and redis services in the base profiles as some of them have the $pacemaker_master parameter defaulted to true. Change-Id: I2f91c3f6baa33f74b5625789eec83233179a9655
2016-08-01 | Run local CA trust before haproxy deployment | Juan Antonio Osorio Robles | 1 | -1/+3
Before haproxy tries to use the TLS certificates it should already trust the CA. So it's necessary for the local CA-related manifest to notify the ::tripleo::haproxy class. This works for newly set deployments. Deployments that have already run the ca-trust section will already trust the CA and thus won't need that part. Change-Id: I32ded4e33abffd51f220fb8a7dc6263aace72acd
2016-07-22 | Generate HAProxy certificates in base profile | Juan Antonio Osorio Robles | 1 | -2/+48
This gives the option to generate the service certificate(s) that HAProxy will use. This will be used for both the overcloud and the undercloud. bp tls-via-certmonger Change-Id: I3d0b729d0bad5252c1ae8852109c3a70c0c6ba7d
2016-06-04 | Deprecate loadbalancer profiles | Emilien Macchi | 1 | -0/+42
Deprecate loadbalancer profiles so we have a profile for HAproxy and another for keepalived. Once THT uses the new profiles, we'll remove loadbalancer profiles here. Change-Id: I8aa9045fc80205485abab723968b26084f60bf71