From d53feb830bcbfa35722c0eac5937b5157628c827 Mon Sep 17 00:00:00 2001
From: Martin André
Date: Tue, 13 Jun 2017 15:35:16 +0200
Subject: Bind mount needed cert for haproxy

haproxy needs the deployed SSL cert file to function when TLS is enabled. It is also required for the docker-puppet haproxy container since the haproxy puppet module uses a validate_cmd to check the generated config file is valid that fails when the required SSL cert is not present. There is no clean way to disable this feature [1] so we need to bind mount the cert into the container.
[1] https://github.com/puppetlabs/puppetlabs-haproxy/blob/4753ea5b2506ee093e9b4c8af6e91201d476d426/manifests/config.pp#L53-L57
Change-Id: Id2df144b678769def204961236624091d4e5c457
---
 docker/services/haproxy.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)
(limited to 'docker')
diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 242f0751..5831fe89 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -42,6 +42,11 @@ parameters:
 default: /dev/log
 description: Syslog address where HAproxy will send its log
 type: string
+ DeployedSSLCertificatePath:
+ default: '/etc/pki/tls/private/overcloud_endpoint.pem'
+ description: >
+ The filepath of the certificate as it will be stored in the controller.
+ type: string
 RedisPassword:
 description: The password for Redis
 type: string
@@ -93,6 +98,12 @@ outputs:
 list_join:
 - '/'
 - [ {get_param: DockerNamespace}, {get_param: DockerHAProxyConfigImage} ]
+ volumes: &deployed_cert_mount
+ - list_join:
+ - ':'
+ - - {get_param: DeployedSSLCertificatePath}
+ - {get_param: DeployedSSLCertificatePath}
+ - 'ro'
 kolla_config:
 /var/lib/kolla/config_files/haproxy.json:
 command: haproxy -f /etc/haproxy/haproxy.cfg
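Review bot: The new `DeployedSSLCertificatePath` parameter in the first hunk (`@@ -42,6 +42,11 @@`) is an unconstrained string, yet the second hunk joins it with `:` into a container volume specification, so a relative value or one containing `:` would produce a different mount than intended. A Heat constraint on the parameter would reject such values at stack validation, for example `constraints:` followed by `- allowed_pattern: '^/[^:]+$'`. The description also calls the file a certificate while the default sits under `/etc/pki/tls/private`; if this PEM also carries the private key (HAProxy normally expects certificate and key in one file), the description should say so, so that operators treat the path as key material.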
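Review bot: The `volumes: &deployed_cert_mount` entry added in the second hunk (`@@ -93,6 +98,12 @@`) mounts the host path unconditionally, including deployments where TLS is off and the file was never written. With Docker's `-v` style bind mounts a missing host path is typically created as an empty root-owned directory, which would leave a directory where the PEM is later expected; confirm how the config-generation step passes these volumes, and consider gating the mount on the TLS-enabled condition. Read-only is the right mode, but the config-generation container still gains read access to whatever that file holds, so a comment such as `# mounted only so the haproxy puppet module's validate_cmd can parse the generated config` would record why the exposure exists. The enclosing output section starts and ends outside the hunk.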
@@ -109,6 +120,7 @@ outputs:
 volumes:
 list_concat:
 - {get_attr: [ContainersCommon, volumes]}
+ - *deployed_cert_mount
 -
 - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
 - /var/lib/config-data/haproxy/etc/:/etc/:ro
-- cgit 1.2.3-korg
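Review bot: `- *deployed_cert_mount` in the third hunk relies on an anchor defined earlier in the file in a different section, and nothing at the point of use says what is being mounted into the running haproxy container. A comment above the alias, e.g. `# TLS cert bind mount (ro); defined as &deployed_cert_mount earlier in this file`, would keep the container's mounts auditable without chasing the anchor. Since the same file is now exposed to the long-running container, it is also worth confirming that its host permissions let only the haproxy process user read it. The `volumes` list may continue outside the hunk.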