14 Commits

Author SHA1 Message Date
Zuul
824ec8b5ad Merge "Simplify internal_tls_enabled conditions" 2021-04-03 13:20:28 +00:00
ramishra
c9991c2e31 Use 'wallaby' heat_template_version
With I57047682cfa82ba6ca4affff54fab5216e9ba51c Heat has added
a new template version for wallaby. This would allow us to use
2-argument variant of the ``if`` function that would allow for
e.g. conditional definition of resource properties and help
cleanup templates. If only two arguments are passed to ``if``
function, the entire enclosing item is removed when the condition
is false.

Change-Id: I25f981b60c6a66b39919adc38c02a051b6c51269
2021-03-31 17:35:12 +05:30
Michele Baldessari
5e4c17acfb Simplify internal_tls_enabled conditions
We do not need to add an if: internal_tls_enabled in a number of
ansible tasks. enabled_internal_tls is already defined as an ansible
fact in common/deploy-steps.j2:
enable_internal_tls: {get_param: EnableInternalTLS}

So when the service uses the enable_internal_tls condition and it points
to the EnableInternalTLS param, we can just use the ansible fact
directly. Note that if the enable_internal_tls condition points to
something else than the mere EnableInternalTLS we may not do this
cleanup.

Change-Id: Idb07cbc8fc3a4d73ff52c54d869310fd6c49b502
2021-03-27 13:42:35 +01:00
Carlos Goncalves
6e7e0ab48e Remove obsoleted generate_service_certificates
Remove traces of generate_service_certificates. It was removed during
Pike release cycle [1].

[1] https://review.opendev.org/c/openstack/puppet-tripleo/+/444891

Change-Id: Ib203b52547433ff73141df66641528c389b50361
2021-03-16 19:50:14 +01:00
Grzegorz Grasza
e329ca915e Generate certificates using ansible role
This is using linux-system-roles.certificate ansible role,
which replaces puppet-certmonger for submitting certificate
requests to certmonger. Each service is configured through
its heat template.

Partial-Implements: blueprint ansible-certmonger
Depends-On: https://review.rdoproject.org/r/31713
Change-Id: Ib868465c20d97c62cbcb214bfc62d949bd6efc62
2021-03-10 16:28:22 +01:00
ramishra
7f195ff9a8 Remove DefaultPasswords interface
This was mainly there as a legacy interface which was
for internal use. Now that we pull the passwords from
the existing environment and don't use it, we can drop
this.

Reduces a number of heat resources.

Change-Id: If83d0f3d72a229d737a45b2fd37507dc11a04649
2021-02-12 11:38:44 +05:30
Raildo
9760977529 Adding key_size option on the certificate creation
Adding the ability to specify the private key size
used when creating the certificate. We have defined the
default value the same as we have before, 2048 bits.
Also, it'll be able to override the key_size value
per service.

Depends-on: I4da96f2164cf1d136f9471f1d6251bdd8cfd2d0b
Change-Id: Ic2edabb7f1bd0caf4a5550d03f60fab7c8354d65
2020-12-17 20:22:52 -03:00
Zuul
3c6d6f6e25 Merge "Rename ApacheMaxMaxClients property to ApacheMaxRequestWorkers" 2020-04-17 20:32:40 +00:00
David Hill
b009c9c239 Rename ApacheMaxMaxClients property to ApacheMaxRequestWorkers
Remove ApacheMaxMaxClients property to set apache::mod::prefork::maxclients
and add ApacheMaxRequestWorkers to set apache::mod::prefork::maxrequestworkers
as the current setting ApacheMaxRequestWorkers sets maxclients and this
is confusing.  This was due to maxclients being renamed to maxrequestworkers
in the apache configuration so was legacy naming.

Change-Id: I4e0e1beb733ae1c41d74d488481230026611c6c0
Closes-bug: #1871643
2020-04-10 09:12:16 -04:00
Grzegorz Grasza
a22c04c576 Skip both tenant and management networks when generating certs
Without this change we were unable to deploy TLS Everywhere with
management network. This is because the service principal is not
created due to VIP being set to false in network_data.yaml

Closes-Bug: #1861097
Resolves: rhbz#1777605
Change-Id: I43fd5f67c1a0be6eaa1752575349e64329cada4a
2020-04-08 14:33:25 +02:00
Chandan Kumar (raukadah)
c1269a6475 Revert "Wire-in Apache MPM module parameters and switch it"
This reverts commit 09cfcc1464dce0eb7c05caf42375290bbaae4199.

Change-Id: Ife71b124fa404050fcbcb2e041590a295076d6d9
2019-08-02 10:34:07 +00:00
Bogdan Dobrelya
09cfcc1464 Wire-in Apache MPM module parameters and switch it
Allow to configure Apache MPM module for the containerized API/WSGI'ish
services running Apache as a backend. Change the default from 'prefork'
to 'event', which is a low level change and should provide no sensible
upgrade impact. This alleviates the related heartbeats threading issue
arising with the monkey-patched eventlet.

Merge the missing ApacheServiceBase config settings for Octavia API,
Horizon and Ironic PXE. This is needed to apply the base Apache
service hiera settings, including MPM module switches, for those
as well.

Related-bug: #1829062

Change-Id: Ia65af7a9d6ae106a61ec52912bebba72830d5f28
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2019-07-31 10:18:46 +02:00
Keigo Noha
423ecead86 Disable a directory listing of /icons in httpd.
In OpenStack, httpd doesn't need to allow a directory listing to icons
directory. This fix sets 'None' to Options for icons directories of
all httpd servers.

Change-Id: I7c34901d6f3bb7f4c4bb2494b760bcd0cbcd97b2
Signed-off-by: Keigo Noha <knoha@redhat.com>
2019-04-01 14:14:47 +09:00
Emilien Macchi
fc65d197c7 Move apache service under deployment directory
Move the apache service under the deployment directory.

Change-Id: Iead4f910390cb75f56f96da2d24889a461275c9d
Related-Blueprint: services-yaml-flattening
2019-03-26 08:04:42 -04:00