openstack/tripleo-heat-templates
Code Issues Proposed changes

Conditionally mount the TLS-related certs on the haproxy container

Browse Source 
These were always mounted, which is an anti-pattern. In order to get the
podman deployment to work, these mounts need to be conditional.

Change-Id: I5f649eea4e6c50905a333f231b49e91b8b5bef0d
This commit is contained in:
Juan Antonio Osorio Robles 2018-09-19 18:07:27 +03:00 committed by Emilien Macchi
parent 5c53cb3727
commit 46ed8d8483
1 changed files with 15 additions and 4 deletions

19
docker/services/pacemaker/haproxy.yaml

@ -56,6 +56,9 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
@ -101,6 +104,7 @@ conditions:
- equals:
- {get_param: PublicSSLCertificateAutogenerated}
- true
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@ -131,10 +135,17 @@ outputs:
# bind-mounting the directories rather than all the cert, key and pem files ensures
# that docker won't create directories on the host when then pem files do not exist
tripleo::profile::pacemaker::haproxy_bundle::tls_mapping: &tls_mapping
- get_param: InternalTLSCAFile
- get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
- get_param: DeployedSSLCertificatePath
list_concat:
- if:
- public_tls_enabled
- - get_param: HAProxyInternalTLSKeysDirectory
- get_param: HAProxyInternalTLSCertsDirectory
- get_param: DeployedSSLCertificatePath
- null
- if:
- internal_tls_enabled
- get_param: InternalTLSCAFile
- null
tripleo::profile::pacemaker::haproxy_bundle::internal_certs_directory: {get_param: HAProxyInternalTLSCertsDirectory}
tripleo::profile::pacemaker::haproxy_bundle::internal_keys_directory: {get_param: HAProxyInternalTLSKeysDirectory}
# disable the use CRL file until we can restart the container when the file expires