aboutsummaryrefslogtreecommitdiffstats
path: root/docker/services/pacemaker
diff options
context:
space:
mode:
Diffstat (limited to 'docker/services/pacemaker')
-rw-r--r--docker/services/pacemaker/database/mysql.yaml64
-rw-r--r--docker/services/pacemaker/haproxy.yaml57
2 files changed, 115 insertions, 6 deletions
diff --git a/docker/services/pacemaker/database/mysql.yaml b/docker/services/pacemaker/database/mysql.yaml
index f12852f8..8ba7d723 100644
--- a/docker/services/pacemaker/database/mysql.yaml
+++ b/docker/services/pacemaker/database/mysql.yaml
@@ -32,6 +32,9 @@ parameters:
type: string
hidden: true
default: ''
+ MysqlClustercheckPassword:
+ type: string
+ hidden: true
RoleName:
default: ''
description: Role name on which the service is applied
@@ -40,6 +43,14 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
resources:
@@ -56,6 +67,10 @@ resources:
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
outputs:
role_data:
description: Containerized service MySQL using composable services.
@@ -76,6 +91,13 @@ outputs:
- 4567
- 4568
- 9200
+ -
+ if:
+ - internal_tls_enabled
+ -
+ tripleo::profile::pacemaker::database::mysql_bundle::ca_file:
+ get_param: InternalTLSCAFile
+ - {}
step_config: ""
# BEGIN DOCKER SETTINGS #
puppet_config:
@@ -100,6 +122,20 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ optional: true
+ preserve_properties: true
+ permissions:
+ - path: /etc/pki/tls/certs/mysql.crt
+ owner: mysql:mysql
+ perm: '0600'
+ optional: true
+ - path: /etc/pki/tls/private/mysql.key
+ owner: mysql:mysql
+ perm: '0600'
+ optional: true
docker_config:
step_1:
mysql_data_ownership:
@@ -118,7 +154,19 @@ outputs:
image: *mysql_image
net: host
# Kolla bootstraps aren't idempotent, explicitly checking if bootstrap was done
- command: ['bash', '-c', 'test -e /var/lib/mysql/mysql || kolla_start']
+ command:
+ - 'bash'
+ - '-ec'
+ -
+ list_join:
+ - "\n"
+ - - 'if [ -e /var/lib/mysql/mysql ]; then exit 0; fi'
+ - 'kolla_start'
+ - 'mysqld_safe --skip-networking --wsrep-on=OFF &'
+ - 'timeout ${DB_MAX_TIMEOUT} /bin/bash -c ''until mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" ping 2>/dev/null; do sleep 1; done'''
+ - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "CREATE USER ''clustercheck''@''localhost'' IDENTIFIED BY ''${DB_CLUSTERCHECK_PASSWORD}'';"'
+ - 'mysql -uroot -p"${DB_ROOT_PASSWORD}" -e "GRANT PROCESS ON *.* TO ''clustercheck''@''localhost'' WITH GRANT OPTION;"'
+ - 'timeout ${DB_MAX_TIMEOUT} mysqladmin -uroot -p"${DB_ROOT_PASSWORD}" shutdown'
volumes: &mysql_volumes
list_concat:
- {get_attr: [ContainersCommon, volumes]}
@@ -131,6 +179,12 @@ outputs:
- KOLLA_BOOTSTRAP=True
# NOTE(mandre) skip wsrep cluster status check
- KOLLA_KUBERNETES=True
+ - DB_MAX_TIMEOUT=60
+ -
+ list_join:
+ - '='
+ - - 'DB_CLUSTERCHECK_PASSWORD'
+ - {get_param: MysqlClustercheckPassword}
-
list_join:
- '='
@@ -174,6 +228,8 @@ outputs:
file:
path: /var/lib/mysql
state: directory
+ metadata_settings:
+ get_attr: [MysqlPuppetBase, role_data, metadata_settings]
upgrade_tasks:
- name: get bootstrap nodeid
tags: common
@@ -199,3 +255,9 @@ outputs:
- name: Disable mysql service
tags: step2
service: name=mariadb enabled=no
+ - name: Remove clustercheck service from xinetd
+ tags: step2
+ file: state=absent path=/etc/xinetd.d/galera-monitor
+ - name: Restart xinetd service after clustercheck removal
+ tags: step2
+ service: name=xinetd state=restarted
diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml
index 24155912..5ba54f85 100644
--- a/docker/services/pacemaker/haproxy.yaml
+++ b/docker/services/pacemaker/haproxy.yaml
@@ -41,6 +41,22 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+ InternalTLSCRLPEMFile:
+ default: '/etc/pki/CA/crl/overcloud-crl.pem'
+ type: string
+ description: Specifies the default CRL PEM file to use for revocation if
+ TLS is used for services in the internal network.
+ HAProxyInternalTLSCertsDirectory:
+ default: '/etc/pki/tls/certs/haproxy'
+ type: string
+ HAProxyInternalTLSKeysDirectory:
+ default: '/etc/pki/tls/private/haproxy'
+ type: string
resources:
@@ -65,6 +81,17 @@ outputs:
- tripleo::haproxy::haproxy_daemon: false
haproxy_docker: true
tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage}
+ # the list of directories that contain the certs to bind mount in the countainer
+ # bind-mounting the directories rather than all the cert, key and pem files ensures
+ # that docker won't create directories on the host when then pem files do not exist
+ tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping
+ - get_param: InternalTLSCAFile
+ - get_param: HAProxyInternalTLSKeysDirectory
+ - get_param: HAProxyInternalTLSCertsDirectory
+ tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
+ tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
+ # disable the use CRL file until we can restart the container when the file expires
+ tripleo::haproxy::crl_file: null
step_config: ""
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
@@ -80,11 +107,9 @@ outputs:
- 'include ::tripleo::profile::pacemaker::haproxy_bundle'
config_image: {get_param: DockerHAProxyConfigImage}
volumes: &deployed_cert_mount
- - list_join:
- - ':'
- - - {get_param: DeployedSSLCertificatePath}
- - {get_param: DeployedSSLCertificatePath}
- - 'ro'
+ yaql:
+ expression: $.data.select($+":"+$+":ro")
+ data: *tls_mapping
kolla_config:
/var/lib/kolla/config_files/haproxy.json:
command: haproxy -f /etc/haproxy/haproxy.cfg
@@ -94,6 +119,28 @@ outputs:
merge: true
preserve_properties: true
optional: true
+ - source: "/var/lib/kolla/config_files/src-tls/*"
+ dest: "/"
+ merge: true
+ optional: true
+ preserve_properties: true
+ permissions:
+ - path:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSCertsDirectory}
+ - '/*'
+ owner: haproxy:haproxy
+ perm: '0600'
+ optional: true
+ - path:
+ list_join:
+ - ''
+ - - {get_param: HAProxyInternalTLSKeysDirectory}
+ - '/*'
+ owner: haproxy:haproxy
+ perm: '0600'
+ optional: true
docker_config:
step_2:
haproxy_init_bundle: