From e41139aab0f10062a26c4acc591d32288729df20 Mon Sep 17 00:00:00 2001 From: Damien Ciabrini Date: Mon, 7 Aug 2017 20:38:19 +0000 Subject: Enable TLS configuration for containerized HAProxy In non-containerized deployments, HAProxy can be configured to use TLS for proxying internal services. Fix the creation of the of the haproxy bundle resource to enable TLS when configured. The keys and certs files are all passed as configuration files and must be copied by Kolla at container startup. For the time being, disable the use of the CRL file until we find a means of restarting the containerized HAProxy service when that file expires. Change-Id: If307e3357dccb7e96bdb80c9c06d66a09b55f3bd Depends-On: I4b72739446c63f0f0ac9f859314a4d6746e20255 Closes-Bug: #1709563 --- docker/services/pacemaker/haproxy.yaml | 57 +++++++++++++++++++++++++++++++--- 1 file changed, 52 insertions(+), 5 deletions(-) (limited to 'docker') diff --git a/docker/services/pacemaker/haproxy.yaml b/docker/services/pacemaker/haproxy.yaml index 24155912..5ba54f85 100644 --- a/docker/services/pacemaker/haproxy.yaml +++ b/docker/services/pacemaker/haproxy.yaml @@ -41,6 +41,22 @@ parameters: default: {} description: Parameters specific to the role type: json + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + InternalTLSCRLPEMFile: + default: '/etc/pki/CA/crl/overcloud-crl.pem' + type: string + description: Specifies the default CRL PEM file to use for revocation if + TLS is used for services in the internal network. + HAProxyInternalTLSCertsDirectory: + default: '/etc/pki/tls/certs/haproxy' + type: string + HAProxyInternalTLSKeysDirectory: + default: '/etc/pki/tls/private/haproxy' + type: string resources: @@ -65,6 +81,17 @@ outputs: - tripleo::haproxy::haproxy_daemon: false haproxy_docker: true tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage} + # the list of directories that contain the certs to bind mount in the countainer + # bind-mounting the directories rather than all the cert, key and pem files ensures + # that docker won't create directories on the host when then pem files do not exist + tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping + - get_param: InternalTLSCAFile + - get_param: HAProxyInternalTLSKeysDirectory + - get_param: HAProxyInternalTLSCertsDirectory + tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory} + tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory} + # disable the use CRL file until we can restart the container when the file expires + tripleo::haproxy::crl_file: null step_config: "" service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]} # BEGIN DOCKER SETTINGS @@ -80,11 +107,9 @@ outputs: - 'include ::tripleo::profile::pacemaker::haproxy_bundle' config_image: {get_param: DockerHAProxyConfigImage} volumes: &deployed_cert_mount - - list_join: - - ':' - - - {get_param: DeployedSSLCertificatePath} - - {get_param: DeployedSSLCertificatePath} - - 'ro' + yaql: + expression: $.data.select($+":"+$+":ro") + data: *tls_mapping kolla_config: /var/lib/kolla/config_files/haproxy.json: command: haproxy -f /etc/haproxy/haproxy.cfg @@ -94,6 +119,28 @@ outputs: merge: true preserve_properties: true optional: true + - source: "/var/lib/kolla/config_files/src-tls/*" + dest: "/" + merge: true + optional: true + preserve_properties: true + permissions: + - path: + list_join: + - '' + - - {get_param: HAProxyInternalTLSCertsDirectory} + - '/*' + owner: haproxy:haproxy + perm: '0600' + optional: true + - path: + list_join: + - '' + - - {get_param: HAProxyInternalTLSKeysDirectory} + - '/*' + owner: haproxy:haproxy + perm: '0600' + optional: true docker_config: step_2: haproxy_init_bundle: -- cgit 1.2.3-korg