Merge "Simplify apache service conditions"
commit
54b18352b2
|
@ -56,12 +56,10 @@ parameters:
|
|||
certificate for this service
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}
|
||||
key_size_override_set:
|
||||
not: {equals: [{get_param: ApacheCertificateKeySize}, '']}
|
||||
|
||||
resources:
|
||||
|
||||
ApacheNetworks:
|
||||
type: OS::Heat::Value
|
||||
properties:
|
||||
|
@ -73,7 +71,7 @@ resources:
|
|||
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
|
||||
- {{network.name_lower}}
|
||||
{%- endfor %}
|
||||
{% raw -%}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
description: Role data for the Apache role.
|
||||
|
@ -81,12 +79,11 @@ outputs:
|
|||
service_name: apache
|
||||
config_settings:
|
||||
map_merge:
|
||||
-
|
||||
# for the given network; replacement examples (eg. for internal_api):
|
||||
# internal_api -> IP
|
||||
# internal_api_uri -> [IP]
|
||||
# internal_api_subnet - > IP/CIDR
|
||||
apache::ip:
|
||||
- apache::ip:
|
||||
str_replace:
|
||||
template:
|
||||
"%{hiera('$NETWORK')}"
|
||||
|
@ -105,9 +102,8 @@ outputs:
|
|||
- {get_param: [ServiceNetMap, ApacheNetwork]}
|
||||
apache::mod::alias::icons_options: 'None'
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
|
||||
- {get_param: EnableInternalTLS}
|
||||
- apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
|
||||
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
|
||||
apache_certificates_specs:
|
||||
map_merge:
|
||||
|
@ -118,19 +114,16 @@ outputs:
|
|||
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
- {}
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
repeat:
|
||||
- {get_param: EnableInternalTLS}
|
||||
- repeat:
|
||||
template:
|
||||
- service: HTTP
|
||||
network: $NETWORK
|
||||
type: node
|
||||
for_each:
|
||||
$NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
- null
|
||||
upgrade_tasks: []
|
||||
deploy_steps_tasks:
|
||||
- name: Certificate generation
|
||||
|
@ -140,7 +133,7 @@ outputs:
|
|||
block:
|
||||
- name: Create dirs for certificates and keys
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
path: "{% raw %}{{ item }}{% endraw %}"
|
||||
state: directory
|
||||
serole: object_r
|
||||
setype: cert_t
|
||||
|
@ -155,18 +148,17 @@ outputs:
|
|||
repeat:
|
||||
template:
|
||||
name: httpd-NETWORK
|
||||
dns: "{{fqdn_NETWORK}}"
|
||||
principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
|
||||
dns: "{% raw %}{{ fqdn_NETWORK }}{% endraw %}"
|
||||
principal: "{% raw %}HTTP/{{ fqdn_NETWORK }}@{{ idm_realm }}{% endraw %}"
|
||||
run_after: |
|
||||
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
|
||||
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
|
||||
pkill -USR1 httpd
|
||||
key_size:
|
||||
if:
|
||||
- key_size_override_unset
|
||||
- {get_param: CertificateKeySize}
|
||||
- key_size_override_set
|
||||
- {get_param: ApacheCertificateKeySize}
|
||||
- {get_param: CertificateKeySize}
|
||||
ca: ipa
|
||||
for_each:
|
||||
NETWORK: {get_attr: [ApacheNetworks, value]}
|
||||
{%- endraw %}
|
||||
|
|
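Review bot: The `apache::mod::ssl::ssl_protocol` value kept beside the rewritten `ssl_ca` entry in the `-105,9 +102,8` hunk is `['all', '-SSLv2', '-SSLv3', '-TLSv1']`, which still leaves TLS 1.1 negotiable on the internal endpoints unless the host crypto policy already disables it. Since this change already touches the internal-TLS settings, consider extending the list to `['all', '-SSLv2', '-SSLv3', '-TLSv1', '-TLSv1.1']` so that only TLS 1.2 and later are accepted. Nothing on this page shows whether any internal client still depends on TLS 1.1, so that would need confirming before tightening. The `map_merge` entry holding these keys continues past the end of the hunk, so the rest of the TLS settings are not visible here.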