summaryrefslogtreecommitdiffstats
path: root/docker/services
diff options
context:
space:
mode:
authorDamien Ciabrini <dciabrin@redhat.com>2017-08-07 20:38:19 +0000
committerDamien Ciabrini <dciabrin@redhat.com>2017-08-09 22:06:54 +0000
commite41139aab0f10062a26c4acc591d32288729df20 (patch)
tree80d43ace1ee8e48e0b50332f64a6d409eb85f2f7 /docker/services
parent5bf7d6582b2346a9c1671430ebead6c358508863 (diff)
Enable TLS configuration for containerized HAProxy
In non-containerized deployments, HAProxy can be configured to use TLS for proxying internal services. Fix the creation of the of the haproxy bundle resource to enable TLS when configured. The keys and certs files are all passed as configuration files and must be copied by Kolla at container startup. For the time being, disable the use of the CRL file until we find a means of restarting the containerized HAProxy service when that file expires. Change-Id: If307e3357dccb7e96bdb80c9c06d66a09b55f3bd Depends-On: I4b72739446c63f0f0ac9f859314a4d6746e20255 Closes-Bug: #1709563
Diffstat (limited to 'docker/services')
-rw-r--r--docker/services/pacemaker/haproxy.yaml57
1 files changed, 52 insertions, 5 deletions
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 24155912..5ba54f85 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -41,6 +41,22 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+ InternalTLSCRLPEMFile:
+ default: '/etc/pki/CA/crl/overcloud-crl.pem'
+ type: string
+ description: Specifies the default CRL PEM file to use for revocation if
+ TLS is used for services in the internal network.
+ HAProxyInternalTLSCertsDirectory:
+ default: '/etc/pki/tls/certs/haproxy'
+ type: string
+ HAProxyInternalTLSKeysDirectory:
+ default: '/etc/pki/tls/private/haproxy'
+ type: string
resources:
@@ -65,6 +81,17 @@ outputs:
- tripleo::haproxy::haproxy_daemon: false
haproxy_docker: true
tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage}
+ # the list of directories that contain the certs to bind mount in the countainer
+ # bind-mounting the directories rather than all the cert, key and pem files ensures
+ # that docker won't create directories on the host when then pem files do not exist
+ tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping
+ - get_param: InternalTLSCAFile
+ - get_param: HAProxyInternalTLSKeysDirectory
+ - get_param: HAProxyInternalTLSCertsDirectory
+ tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
+ tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
+ # disable the use CRL file until we can restart the container when the file expires
+ tripleo::haproxy::crl_file: null
step_config: ""
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
@@ -80,11 +107,9 @@ outputs:
- 'include ::tripleo::profile::pacemaker::haproxy_bundle'
config_image: {get_param: DockerHAProxyConfigImage}
volumes: &deployed_cert_mount
- - list_join:
- - ':'
- - - {get_param: DeployedSSLCertificatePath}
- - {get_param: DeployedSSLCertificatePath}
- - 'ro'
+ yaql:
+ expression: $.data.select($+":"+$+":ro")
+ data: *tls_mapping
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
command: haproxy -f /etc/haproxy/haproxy.cfg
@@ -94,6 +119,28 @@ outputs:
merge: true
preserve_properties: true
optional: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ optional: true
+ preserve_properties: true
+ permissions:
+ - path:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/*'
+ owner: haproxy:haproxy
+ perm: '0600'
+ optional: true
+ - path:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSKeysDirectory}
+ - '/*'
+ owner: haproxy:haproxy
+ perm: '0600'
+ optional: true
docker_config:
step_2:
haproxy_init_bundle: