diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml index b16d451ab1..6331f4458d 100644 --- a/environments/enable-internal-tls.yaml +++ b/environments/enable-internal-tls.yaml @@ -12,7 +12,6 @@ resource_registry: OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml - OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml # We use apache as a TLS proxy diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index 5debed5c79..1c9830de74 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -120,7 +120,6 @@ resource_registry: # services OS::TripleO::Services: puppet/services/services.yaml OS::TripleO::Services::Apache: puppet/services/apache.yaml - OS::TripleO::Services::ApacheTLS: OS::Heat::None OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CephMds: OS::Heat::None OS::TripleO::Services::CephMon: OS::Heat::None diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml deleted file mode 100644 index 4c94f44075..0000000000 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ /dev/null @@ -1,75 +0,0 @@ -heat_template_version: ocata - -description: > - Apache service TLS configurations. - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - # The following parameters are not needed by the template but are - # required to pass the pep8 tests - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - -resources: - - ApacheNetworks: - type: OS::Heat::Value - properties: - value: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap - -outputs: - role_data: - description: Role data for the Apache role. - value: - service_name: apache_internal_tls_certmonger - config_settings: - generate_service_certificates: true - apache_certificates_specs: - map_merge: - repeat: - template: - httpd-NETWORK: - service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' - service_key: '/etc/pki/tls/private/httpd-NETWORK.key' - hostname: "%{hiera('fqdn_NETWORK')}" - principal: "HTTP/%{hiera('fqdn_NETWORK')}" - for_each: - NETWORK: {get_attr: [ApacheNetworks, value]} - metadata_settings: - repeat: - template: - - service: HTTP - network: $NETWORK - type: node - for_each: - $NETWORK: {get_attr: [ApacheNetworks, value]} - upgrade_tasks: - - name: Check if httpd is deployed - command: systemctl is-enabled httpd - tags: common - ignore_errors: True - register: httpd_enabled - - name: "PreUpgrade step0,validation: Check service httpd is running" - shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' - when: httpd_enabled.rc == 0 - tags: step0,validation diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 2d950151c3..9bd282f841 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml @@ -31,13 +31,25 @@ parameters: type: boolean default: false +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: - ApacheTLS: - type: OS::TripleO::Services::ApacheTLS + ApacheNetworks: + type: OS::Heat::Value properties: - ServiceNetMap: {get_param: ServiceNetMap} + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # is for HAProxy so it isn't used for apache either. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap outputs: role_data: @@ -46,7 +58,6 @@ outputs: service_name: apache config_settings: map_merge: - - get_attr: [ApacheTLS, role_data, config_settings] - # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP @@ -64,8 +75,31 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" + - + generate_service_certificates: true + apache_certificates_specs: + map_merge: + repeat: + template: + httpd-NETWORK: + service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt' + service_key: '/etc/pki/tls/private/httpd-NETWORK.key' + hostname: "%{hiera('fqdn_NETWORK')}" + principal: "HTTP/%{hiera('fqdn_NETWORK')}" + for_each: + NETWORK: {get_attr: [ApacheNetworks, value]} metadata_settings: - get_attr: [ApacheTLS, role_data, metadata_settings] + if: + - internal_tls_enabled + - + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} + - null upgrade_tasks: - name: Check if httpd is deployed command: systemctl is-enabled httpd