aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin André <m.andre@redhat.com>2017-07-10 13:25:17 +0200
committerMartin André <m.andre@redhat.com>2017-07-10 13:25:17 +0200
commitb2de70fd8fc39be230002c701f2cb882ba87420e (patch)
tree8da440424edbfb54ebf22085e43549aea2e0e9ca
parent766de0cacb18171264d2a699ac48cacb8d35a152 (diff)
Bind mount needed cert for haproxy for HA too
haproxy needs the deployed SSL cert file to function when TLS is enabled. It is also required for the docker-puppet haproxy container since the haproxy puppet module uses a validate_cmd to check the generated config file is valid that fails when the required SSL cert is not present. There is no clean way to disable this feature [1] so we need to bind mount the cert into the container. This commit applies the same change that was applied in Id2df144b678769def204961236624091d4e5c457 for the non-ha case. [1] https://github.com/puppetlabs/puppetlabs-haproxy/blob/4753ea5b2506ee093e9b4c8af6e91201d476d426/manifests/config.pp#L53-L57 Change-Id: I93e1ee86197bcf271f18a62a27c2f350ed3966ea Co-Authored-By: Damien Ciabrini <dciabrin@redhat.com>
-rw-r--r--docker/services/pacemaker/haproxy.yaml38
1 files changed, 26 insertions, 12 deletions
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 704ffab5..efede048 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -30,6 +30,11 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
+ DeployedSSLCertificatePath:
+ default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
RoleName:
default: ''
description: Role name on which the service is applied
@@ -81,6 +86,12 @@ outputs:
list_join:
- '/'
- [ {get_param: DockerNamespace}, {get_param: DockerHAProxyConfigImage} ]
+ volumes: &deployed_cert_mount
+ - list_join:
+ - ':'
+ - - {get_param: DeployedSSLCertificatePath}
+ - {get_param: DeployedSSLCertificatePath}
+ - 'ro'
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
command: haproxy -f /etc/haproxy/haproxy.cfg
@@ -110,17 +121,20 @@ outputs:
- 'include ::tripleo::profile::pacemaker::haproxy_bundle'
image: *haproxy_image
volumes:
- # puppet saves iptables rules in /etc/sysconfig
- - /etc/sysconfig:/etc/sysconfig:rw
- # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
- # the necessary bit and prevent systemd to try to reload the service in the container
- - /usr/libexec/iptables:/usr/libexec/iptables:ro
- - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
- - /etc/hosts:/etc/hosts:ro
- - /etc/localtime:/etc/localtime:ro
- - /etc/puppet:/tmp/puppet-etc:ro
- - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
- - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
- - /dev/shm:/dev/shm:rw
+ list_concat:
+ - *deployed_cert_mount
+ -
+ # puppet saves iptables rules in /etc/sysconfig
+ - /etc/sysconfig:/etc/sysconfig:rw
+ # saving rules require accessing /usr/libexec/iptables/iptables.init, just bind-mount
+ # the necessary bit and prevent systemd to try to reload the service in the container
+ - /usr/libexec/iptables:/usr/libexec/iptables:ro
+ - /usr/libexec/initscripts/legacy-actions:/usr/libexec/initscripts/legacy-actions:ro
+ - /etc/hosts:/etc/hosts:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /etc/puppet:/tmp/puppet-etc:ro
+ - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro
+ - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
+ - /dev/shm:/dev/shm:rw
metadata_settings:
get_attr: [HAProxyBase, role_data, metadata_settings]