Only set ca_bundle for HAProxy if internal TLS enabled & fix mounts

* We don't use this setup if TLS everywhere is not enabled, so let's set it
  up as such. This prevents the HAProxy container managed by pacemaker from
  mounting this file.
* Also fix the docker service to exercise the if with proper syntax.

Co-Authored-By: Emilien Macchi <emilien@redhat.com>
Change-Id: Id8dff81c5af390446507bcef458a135fc2287186
Juan Antonio Osorio Robles 2018-09-18 16:39:06 +03:00 committed by Emilien Macchi
parent 1bcbaf6a38
commit 5ca1aee232
2 changed files with 18 additions and 12 deletions


@ -249,17 +249,16 @@ outputs:
- {get_param: DeployedSSLCertificatePath}
- 'ro'
- null
-
if:
- internal_tls_enabled
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- null
- if:
- internal_tls_enabled
- - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
- /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
upgrade_tasks:
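Review bot: The true branch of the new `if` bundles two different kinds of mount with no comment to tell them apart: the certificate and private-key directories are mapped under `/var/lib/kolla/config_files/src-tls/...`, while the CA file from `InternalTLSCAFile` is mounted at the same path inside the container as on the host. Because this block exposes the HAProxy private-key directory to the container, I would add a comment above the `if`, e.g. `# TLS-everywhere only: cert/key dirs are staged under src-tls, the CA file is mounted in place; all read-only`. The `null` else branch matches the entry just above it, but the function that consumes this list starts outside the hunk, so its handling of `null` cannot be checked from here.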


@ -77,6 +77,9 @@ parameters:
description: >
The filepath of the certificate as it will be stored in the controller.
type: string
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
@ -101,6 +104,7 @@ conditions:
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@ -139,7 +143,6 @@ outputs:
tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
tripleo::haproxy::redis_password: {get_param: RedisPassword}
tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
enable_load_balancer: {get_param: EnableLoadBalancer}
@ -151,6 +154,10 @@ outputs:
- public_tls_enabled
- tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
- {}
- if:
- internal_tls_enabled
- tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
- null
- get_attr: [HAProxyPublicTLS, role_data, config_settings]
- get_attr: [HAProxyInternalTLS, role_data, config_settings]
step_config: |
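Review bot: `tripleo::haproxy::crl_file` is still set unconditionally from `InternalTLSCRLPEMFile` in the -139 hunk, while `ca_bundle` is now set only when `internal_tls_enabled` holds, so a deployment without internal TLS gets a CRL path from this template but no CA bundle. If the CRL is only meaningful alongside that CA (the consuming puppet class is not visible here, so this needs confirming), move it into the same branch as `tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}` next to the `ca_bundle` line. Separately, the new else branch is `null` where the `public_tls_enabled` branch right above it uses `{}`; using `{}` would keep the two consistent. The new `EnableInternalTLS` parameter also has no `description:`, unlike the parameter before it.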