From 39568b17ad87b7e85a8734d1413e4c8eba90b102 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Mon, 10 Apr 2017 16:09:51 +0300
Subject: etcd: Make HAProxy terminate TLS connections

When TLS is enabled for the internal network, HAProxy needs to handle
etcd's TLS termination. Else it will use plain text.

bp secure-etcd

Change-Id: I20651240edcff0953741d4e8e01fa9a7ab185863
---
 manifests/haproxy.pp | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)

(limited to 'manifests/haproxy.pp')

diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 87c4909..a32c8d9 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -428,6 +428,10 @@
 #  (optional) Specify the network ec2_api_metadata is running on.
 #  Defaults to hiera('ec2_api_network', undef)
 #
+# [*etcd_network*]
+#  (optional) Specify the network etcd is running on.
+#  Defaults to hiera('etcd_network', undef)
+#
 # [*opendaylight_network*]
 #  (optional) Specify the network opendaylight is running on.
 #  Defaults to hiera('opendaylight_api_network', undef)
@@ -623,6 +627,7 @@ class tripleo::haproxy (
   $ovn_dbs_network             = hiera('ovn_dbs_network', undef),
   $ec2_api_network             = hiera('ec2_api_network', undef),
   $ec2_api_metadata_network    = hiera('ec2_api_network', undef),
+  $etcd_network                = hiera('etcd_network', undef),
   $sahara_network              = hiera('sahara_api_network', undef),
   $swift_proxy_server_network  = hiera('swift_proxy_network', undef),
   $tacker_network              = hiera('tacker_api_network', undef),
@@ -651,6 +656,7 @@ class tripleo::haproxy (
     contrail_webui_https_port => 8143,
     docker_registry_port => 8787,
     docker_registry_ssl_port => 13787,
+    etcd_port => 2379,
     glance_api_port => 9292,
     glance_api_ssl_port => 13292,
     gnocchi_api_port => 8041,
@@ -791,11 +797,6 @@ class tripleo::haproxy (
     "${redis_vip}:6379" => $haproxy_listen_bind_param,
   }
 
-  $etcd_vip = hiera('etcd_vip', $controller_virtual_ip)
-  $etcd_bind_opts = {
-    "${etcd_vip}:2379" => $haproxy_listen_bind_param,
-  }
-
   class { '::haproxy':
     service_manage   => $haproxy_service_manage,
     global_options   => {
@@ -1346,19 +1347,15 @@ class tripleo::haproxy (
   }
 
   if $etcd {
-    haproxy::listen { 'etcd':
-      bind             => $etcd_bind_opts,
-      options          => {
+    ::tripleo::haproxy::endpoint { 'etcd':
+      internal_ip     => hiera('etcd_vip', $controller_virtual_ip),
+      service_port    => $ports[etcd_port],
+      ip_addresses    => hiera('etcd_node_ips', $controller_hosts_real),
+      server_names    => hiera('etcd_node_names', $controller_hosts_names_real),
+      service_network => $etcd_network,
+      listen_options  => {
         'balance' => 'source',
-      },
-      collect_exported => false,
-    }
-    haproxy::balancermember { 'etcd':
-      listening_service => 'etcd',
-      ports             => '2379',
-      ipaddresses       => hiera('etcd_node_ips', $controller_hosts_real),
-      server_names      => hiera('etcd_node_names', $controller_hosts_names_real),
-      options           => $haproxy_member_options,
+      }
     }
   }
 
-- 
cgit 1.2.3-korg