Enable TLS configuration for containerized HAProxy
In non-containerized deployments, HAProxy can be configured to use TLS for proxying internal services. Fix the creation of the haproxy bundle resource so that TLS is enabled when configured. The keys and certs files are all passed as configuration files and must be copied by Kolla at container startup. For the time being, disable the use of the CRL file until we find a means of restarting the containerized HAProxy service when that file expires. Change-Id: If307e3357dccb7e96bdb80c9c06d66a09b55f3bd Depends-On: I4b72739446c63f0f0ac9f859314a4d6746e20255 Closes-Bug: #1709563
parent
5bf7d6582b
commit
e41139aab0
|
@ -41,6 +41,22 @@ parameters:
|
|||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
InternalTLSCRLPEMFile:
|
||||
default: '/etc/pki/CA/crl/overcloud-crl.pem'
|
||||
type: string
|
||||
description: Specifies the default CRL PEM file to use for revocation if
|
||||
TLS is used for services in the internal network.
|
||||
HAProxyInternalTLSCertsDirectory:
|
||||
default: '/etc/pki/tls/certs/haproxy'
|
||||
type: string
|
||||
HAProxyInternalTLSKeysDirectory:
|
||||
default: '/etc/pki/tls/private/haproxy'
|
||||
type: string
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -65,6 +81,17 @@ outputs:
|
|||
- tripleo::haproxy::haproxy_daemon: false
|
||||
haproxy_docker: true
|
||||
tripleo::profile::pacemaker::haproxy_bundle::haproxy_docker_image: &haproxy_image {get_param: DockerHAProxyImage}
|
||||
# the list of directories that contain the certs to bind mount in the countainer
|
||||
# bind-mounting the directories rather than all the cert, key and pem files ensures
|
||||
# that docker won't create directories on the host when then pem files do not exist
|
||||
tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping
|
||||
- get_param: InternalTLSCAFile
|
||||
- get_param: HAProxyInternalTLSKeysDirectory
|
||||
- get_param: HAProxyInternalTLSCertsDirectory
|
||||
tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
# disable the use CRL file until we can restart the container when the file expires
|
||||
tripleo::haproxy::crl_file: null
|
||||
step_config: ""
|
||||
service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
|
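Review bot: The first entry of `tls_mapping` is the `InternalTLSCAFile` path (default `/etc/ipa/ca.crt`), a single file, which contradicts the comment directly above it about bind-mounting directories only: the list feeds the `$+":"+$+":ro"` volume expression in the next hunk, and a bind mount whose host source is missing makes docker create an empty directory at that path, so on a deployment without internal TLS the host ends up with `/etc/ipa/ca.crt` as a directory and a later install of the real CA file fails. Either guard that entry with the template's internal-TLS condition (the conditions section is outside this hunk, so I cannot confirm one exists) or mount the directory containing the CA file, mirroring what is already done for the key and cert directories. Separately, `tripleo::haproxy::crl_file: null` means the containerized bundle no longer rejects revoked certificates; the commit message explains the motivation, but the parameters hunk still declares `InternalTLSCRLPEMFile` with no consumer, so a comment next to the null such as `# InternalTLSCRLPEMFile is deliberately not wired in: revocation is unchecked until the CRL-refresh follow-up lands` would stop the next reader from silently re-enabling it without the restart mechanism.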
@ -80,11 +107,9 @@ outputs:
|
|||
- 'include ::tripleo::profile::pacemaker::haproxy_bundle'
|
||||
config_image: {get_param: DockerHAProxyConfigImage}
|
||||
volumes: &deployed_cert_mount
|
||||
- list_join:
|
||||
- ':'
|
||||
- - {get_param: DeployedSSLCertificatePath}
|
||||
- {get_param: DeployedSSLCertificatePath}
|
||||
- 'ro'
|
||||
yaql:
|
||||
expression: $.data.select($+":"+$+":ro")
|
||||
data: *tls_mapping
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/haproxy.json:
|
||||
command: haproxy -f /etc/haproxy/haproxy.cfg
|
||||
|
@ -94,6 +119,28 @@ outputs:
|
|||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
optional: true
|
||||
preserve_properties: true
|
||||
permissions:
|
||||
- path:
|
||||
list_join:
|
||||
- ''
|
||||
- - {get_param: HAProxyInternalTLSCertsDirectory}
|
||||
- '/*'
|
||||
owner: haproxy:haproxy
|
||||
perm: '0600'
|
||||
optional: true
|
||||
- path:
|
||||
list_join:
|
||||
- ''
|
||||
- - {get_param: HAProxyInternalTLSKeysDirectory}
|
||||
- '/*'
|
||||
owner: haproxy:haproxy
|
||||
perm: '0600'
|
||||
optional: true
|
||||
docker_config:
|
||||
step_2:
|
||||
haproxy_init_bundle:
|
||||
|
|