Enable TLS for containerized haproxy

This bind mounts the certificates if TLS is enabled in the internal network. It also disables the CRL usage since we can't restart haproxy at the rate that the CRL is updated. This will be addressed later and is a known limitation of using containerized haproxy (there's the same issue in the HA scenario). To address the different UID that the certs and keys will have, I added an extra step that changes the ownership of these files; though this only gets included if TLS in the internal network is enabled. bp tls-via-certmonger-containers Depends-On: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec Change-Id: Ic6ca88ee7b6b256ae6182e60e07498a8a793d66a
2017-08-02 10:34:02 +03:00 · 2017-08-02 10:34:02 +03:00 · 1b119110c0
parent 5144634d9b
commit 1b119110c0
2 changed files with 58 additions and 8 deletions
--- a/docker/services/haproxy.yaml
+++ b/docker/services/haproxy.yaml
@ -60,6 +60,18 @@ parameters:
    default: {}
    description: Parameters specific to the role
    type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

 resources:

@ -86,6 +98,9 @@ outputs:
          - get_attr: [HAProxyBase, role_data, config_settings]
          - tripleo::haproxy::haproxy_daemon: false
            tripleo::haproxy::haproxy_service_manage: false
+            # NOTE(jaosorior): We disable the CRL since we have no way to restart haproxy
+            # when this is updated
+            tripleo::haproxy::crl_file: null
      step_config: &step_config
        get_attr: [HAProxyBase, role_data, step_config]
      service_config_settings: {get_attr: [HAProxyBase, role_data, service_config_settings]}
@ -96,12 +111,23 @@ outputs:
        step_config:
          "class {'::tripleo::profile::base::haproxy': manage_firewall => false}"
        config_image: {get_param: DockerHAProxyConfigImage}
-        volumes: &deployed_cert_mount
-          - list_join:
-            - ':'
-            - - {get_param: DeployedSSLCertificatePath}
-              - {get_param: DeployedSSLCertificatePath}
-              - 'ro'
+        volumes:
+          list_concat:
+          - - list_join:
+              - ':'
+              - - {get_param: DeployedSSLCertificatePath}
+                - {get_param: DeployedSSLCertificatePath}
+                - 'ro'
+          - if:
+            - internal_tls_enabled
+            - - /etc/pki/tls/certs/haproxy:/etc/pki/tls/certs/haproxy:ro
+              - /etc/pki/tls/private/haproxy:/etc/pki/tls/private/haproxy:ro
+              - list_join:
+                  - ':'
+                  - - {get_param: InternalTLSCAFile}
+                    - {get_param: InternalTLSCAFile}
+                    - 'ro'
+            - null
      kolla_config:
        /var/lib/kolla/config_files/haproxy.json:
          command: haproxy -f /etc/haproxy/haproxy.cfg
@ -110,6 +136,16 @@ outputs:
              dest: "/"
              merge: true
              preserve_properties: true
+            - source: "/var/lib/kolla/config_files/src-tls/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
+              optional: true
+          permissions:
+            - path: /etc/pki/tls/certs/haproxy
+              owner: haproxy:haproxy
+              recurse: true
+              optional: true
      docker_config:
        step_1:
          haproxy_firewall:
@ -133,7 +169,6 @@ outputs:
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
-                - *deployed_cert_mount
                -
                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
@ -154,10 +189,24 @@ outputs:
            volumes:
              list_concat:
                - {get_attr: [ContainersCommon, volumes]}
-                - *deployed_cert_mount
                -
                  - /var/lib/kolla/config_files/haproxy.json:/var/lib/kolla/config_files/config.json:ro
                  - /var/lib/config-data/puppet-generated/haproxy/:/var/lib/kolla/config_files/src:ro
+                  - list_join:
+                    - ':'
+                    - - {get_param: DeployedSSLCertificatePath}
+                      - {get_param: DeployedSSLCertificatePath}
+                      - 'ro'
+                  -
+                    if:
+                      - internal_tls_enabled
+                      - /etc/pki/tls/certs/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/haproxy:ro
+                      - ''
+                  -
+                    if:
+                      - internal_tls_enabled
+                      - /etc/pki/tls/private/haproxy:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/haproxy:ro
+                      - ''
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      metadata_settings:
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@ -41,3 +41,4 @@ resource_registry:
  OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
  OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
  OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
+  OS::TripleO::Services::HAproxy: ../docker/services/haproxy.yaml