heat_template_version: pike

description: >
  HAproxy service configured with Puppet

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  EnableLoadBalancer:
    default: true
    description: Whether to deploy a LoadBalancer, set to false when an external load balancer is used.
    type: boolean
  HAProxyStatsPassword:
    description: Password for HAProxy stats endpoint
    hidden: true
    type: string
  HAProxyStatsUser:
    description: User for HAProxy stats endpoint
    default: admin
    type: string
  HAProxySyslogAddress:
    default: /dev/log
    description: Syslog address where HAproxy will send its log
    type: string
  HAProxyStatsEnabled:
    default: true
    description: Whether or not to enable the HAProxy stats interface.
    type: boolean
  RedisPassword:
    description: The password for the redis service account.
    type: string
    hidden: true
  MonitoringSubscriptionHaproxy:
    default: 'overcloud-haproxy'
    type: string
  SSLCertificate:
    default: ''
    description: >
      The content of the SSL certificate (without Key) in PEM format.
    type: string
  DeployedSSLCertificatePath:
    default: '/etc/pki/tls/private/overcloud_endpoint.pem'
    description: >
        The filepath of the certificate as it will be stored in the controller.
    type: string
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  InternalTLSCRLPEMFile:
    default: '/etc/pki/CA/crl/overcloud-crl.pem'
    type: string
    description: Specifies the default CRL PEM file to use for revocation if
                 TLS is used for services in the internal network.

conditions:

  public_tls_enabled:
    not:
      equals:
      - {get_param: SSLCertificate}
      - ""

resources:

  HAProxyPublicTLS:
    type: OS::TripleO::Services::HAProxyPublicTLS
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

  HAProxyInternalTLS:
    type: OS::TripleO::Services::HAProxyInternalTLS
    properties:
      ServiceData: {get_param: ServiceData}
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}
      EndpointMap: {get_param: EndpointMap}
      RoleName: {get_param: RoleName}
      RoleParameters: {get_param: RoleParameters}

outputs:
  role_data:
    description: Role data for the HAproxy role.
    value:
      service_name: haproxy
      monitoring_subscription: {get_param: MonitoringSubscriptionHaproxy}
      config_settings:
        map_merge:
          - tripleo.haproxy.firewall_rules:
              '107 haproxy stats':
                dport: 1993
            tripleo::haproxy::haproxy_log_address: {get_param: HAProxySyslogAddress}
            tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
            tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
            tripleo::haproxy::redis_password: {get_param: RedisPassword}
            tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
            tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
            tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
            enable_load_balancer: {get_param: EnableLoadBalancer}
            tripleo::profile::base::haproxy::certificates_specs:
              map_merge:
                - get_attr: [HAProxyPublicTLS, role_data, certificates_specs]
                - get_attr: [HAProxyInternalTLS, role_data, certificates_specs]
          - if:
              - public_tls_enabled
              - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
              - {}
          - get_attr: [HAProxyPublicTLS, role_data, config_settings]
          - get_attr: [HAProxyInternalTLS, role_data, config_settings]
      step_config: |
        include ::tripleo::profile::base::haproxy
      upgrade_tasks:
        - name: Check if haproxy is deployed
          command: systemctl is-enabled haproxy
          tags: common
          ignore_errors: True
          register: haproxy_enabled
        - name: "PreUpgrade step0,validation: Check service haproxy is running"
          shell: /usr/bin/systemctl show 'haproxy' --property ActiveState | grep '\bactive\b'
          when: haproxy_enabled.rc == 0
          tags: step0,validation
        - name: Stop haproxy service
          tags: step2
          when: haproxy_enabled.rc == 0
          service: name=haproxy state=stopped
        - name: Start haproxy service
          tags: step4 # Needed at step 4 for mysql
          when: haproxy_enabled.rc == 0
          service: name=haproxy state=started
      metadata_settings:
        list_concat:
          - {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]}
          - {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]}