diff options
author | Martin André <m.andre@redhat.com> | 2017-07-10 13:25:17 +0200 |
---|---|---|
committer | Martin André <m.andre@redhat.com> | 2017-07-10 13:25:17 +0200 |
commit | b2de70fd8fc39be230002c701f2cb882ba87420e (patch) | |
tree | 8da440424edbfb54ebf22085e43549aea2e0e9ca | |
parent | 766de0cacb18171264d2a699ac48cacb8d35a152 (diff) |
Bind mount needed cert for haproxy for HA too
haproxy needs the deployed SSL cert file to function when TLS is
enabled.
It is also required for the docker-puppet haproxy container since the
haproxy puppet module uses a validate_cmd to check the generated config
file is valid that fails when the required SSL cert is not present.
There is no clean way to disable this feature [1] so we need to bind
mount the cert into the container.
This commit applies the same change that was applied in
Id2df144b678769def204961236624091d4e5c457 for the non-ha case.
[1] https://github.com/puppetlabs/puppetlabs-haproxy/blob/4753ea5b2506ee093e9b4c8af6e91201d476d426/manifests/config.pp#L53-L57
Change-Id: I93e1ee86197bcf271f18a62a27c2f350ed3966ea
Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
-rw-r--r-- | docker/services/pacemaker/haproxy.yaml | 38 |
1 files changed, 26 insertions, 12 deletions
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml index 704ffab5..efede048 100644 --- a/docker/services/pacemaker/haproxy.yaml +++ b/docker/services/pacemaker/haproxy.yaml @@ -30,6 +30,11 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + DeployedSSLCertificatePath: + default: '/etc/pki/tls/private/overcloud_endpoint.pem' + description: > + The filepath of the certificate as it will be stored in the controller. + type: string RoleName: default: '' description: Role name on which the service is applied @@ -81,6 +86,12 @@ outputs: list_join: - '/' - [ {get_param: DockerNamespace}, {get_param: DockerHAProxyConfigImage} ] + volumes: &deployed_cert_mount + - list_join: + - ':' + - - {get_param: DeployedSSLCertificatePath} + - {get_param: DeployedSSLCertificatePath} + - 'ro' kolla_config: /var/lib/kolla/config_files/haproxy.json: command: haproxy -f /etc/haproxy/haproxy.cfg @@ -110,17 +121,20 @@ outputs: - 'include ::tripleo::profile::pacemaker::haproxy_bundle' image: *haproxy_image volumes: - # puppet saves iptables rules in /etc/sysconfig - - /etc/sysconfig:/etc/sysconfig:rw - # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount - # the necessary bit and prevent systemd to try to reload the service in the container - - /usr/libexec/iptables:/usr/libexec/iptables:ro - - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - - /etc/puppet:/tmp/puppet-etc:ro - - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro - - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro - - /dev/shm:/dev/shm:rw + list_concat: + - *deployed_cert_mount + - + # puppet saves iptables rules in /etc/sysconfig + - /etc/sysconfig:/etc/sysconfig:rw + # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount + # the necessary bit and prevent systemd to try to reload the service in the container + - /usr/libexec/iptables:/usr/libexec/iptables:ro + - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro + - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + - /etc/puppet:/tmp/puppet-etc:ro + - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro + - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro + - /dev/shm:/dev/shm:rw metadata_settings: get_attr: [HAProxyBase, role_data, metadata_settings] |