From 5ca1aee2327bafc8e9607617bc38ac77f9fb68c0 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Tue, 18 Sep 2018 16:39:06 +0300
Subject: [PATCH] Only set ca_bundle for HAProxy if internal TLS enabled & fix mounts
* We don't use this setup if TLS everywhere is not enabled, so lets set it up as such. This prevents the HAProxy container managed by pacemaker of mounting this file.
* Also fix the docker service to exercise the if with proper syntax.
Co-Authored-By: Emilien Macchi
Change-Id: Id8dff81c5af390446507bcef458a135fc2287186
---
docker/services/haproxy.yaml | 21 ++++++++++-----------
puppet/services/haproxy.yaml | 9 ++++++++-
2 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/docker/services/haproxy.yaml b/docker/services/haproxy.yaml
index 66af84ad1e..547913b113 100644
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@@ -249,17 +249,16 @@ outputs:
 - {get_param: DeployedSSLCertificatePath}
 - 'ro'
 - null
- - - if: - - internal_tls_enabled - - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro - - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro - - list_join: - - ':' - - - {get_param: InternalTLSCAFile} - - {get_param: InternalTLSCAFile} - - 'ro' - - null
+ - if:
+ - internal_tls_enabled
+ - - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
+ - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - null
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
 upgrade_tasks:
diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml
index 6f8bdb386e..859c1f132f 100644
--- a/puppet/services/haproxy.yaml
+++ b/puppet/services/haproxy.yaml
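Review bot: The rewritten `- if:` volume entry still keys off `internal_tls_enabled`, but this commit only declares that condition and its `EnableInternalTLS` parameter in puppet/services/haproxy.yaml; the removed lines referenced the same name, so docker/services/haproxy.yaml presumably already has it in its own `conditions:` block, but that block is outside this hunk and is worth confirming, since an undeclared condition fails at template validation rather than being visible here. The enclosing docker volumes list starts and ends outside the hunk, so whether the new `- if:` now sits at the right nesting level cannot be verified from this excerpt alone; the removed block's lone `-` followed by `if:` on the next line suggests the old entry was nested one level too deep, which is what the commit message describes as the syntax fix. The three new mounts are all `:ro` and the CA file and key directory are only mounted when the condition holds, so nothing is exposed to the container when internal TLS is off.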
@@ -77,6 +77,9 @@ parameters:
 description: >
 The filepath of the certificate as it will be stored in the controller.
 type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
 InternalTLSCAFile:
 default: '/etc/ipa/ca.crt'
 type: string
@@ -101,6 +104,7 @@ conditions:
 - equals:
 - {get_param: PublicSSLCertificateAutogenerated}
 - true
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 resources:
@@ -139,7 +143,6 @@ outputs:
 tripleo::haproxy::haproxy_stats_user: {get_param: HAProxyStatsUser}
 tripleo::haproxy::haproxy_stats_password: {get_param: HAProxyStatsPassword}
 tripleo::haproxy::redis_password: {get_param: RedisPassword}
- tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
 tripleo::haproxy::crl_file: {get_param: InternalTLSCRLPEMFile}
 tripleo::haproxy::haproxy_stats: {get_param: HAProxyStatsEnabled}
 enable_load_balancer: {get_param: EnableLoadBalancer}
@@ -151,6 +154,10 @@ outputs:
 - public_tls_enabled
 - tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
 - {}
+ - if:
+ - internal_tls_enabled
+ - tripleo::haproxy::ca_bundle: {get_param: InternalTLSCAFile}
+ - null
 - get_attr: [HAProxyPublicTLS, role_data, config_settings]
 - get_attr: [HAProxyInternalTLS, role_data, config_settings]
 step_config: |
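Review bot: The new `EnableInternalTLS` parameter in the `@@ -77,6 +77,9 @@` hunk has no `description:`, while the parameter immediately above it carries one; since this flag now decides whether the internal CA bundle reaches HAProxy at all, a one-line description helps operators reading the template's parameter list. Something like `description: Enable or disable internal (TLS everywhere) TLS; when false the internal CA bundle is not passed to HAProxy.` placed between `type: boolean` and `default: false` would match the surrounding style. The parameters block continues outside the hunk.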
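Review bot: In the `@@ -151,6 +154,10 @@` hunk the new conditional's false branch is `- null`, while the sibling `public_tls_enabled` conditional three lines above returns `- {}`; Heat's map_merge is generally tolerant of a null item, but the two branches feed the same `map_merge` and should use one convention, so `- {}` is the consistent choice here. Because the unconditional `tripleo::haproxy::ca_bundle` line is removed in the `@@ -139,7 +143,6 @@` hunk, deployments with internal TLS disabled now fall back to whatever default puppet-tripleo assigns to that parameter, which is not visible here and is worth confirming does not alter backend verification for such deployments. The enclosing `map_merge` list starts outside the hunk.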