heat_template_version: wallaby

description: >
  Apache service configured with Puppet. Note this is typically included
  automatically via other services which run via Apache.

parameters:
  ApacheMaxRequestWorkers:
    default: 256
    description: Maximum number of simultaneously processed requests.
    type: number
  ApacheServerLimit:
    default: 256
    description: Maximum number of Apache processes.
    type: number
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.
  CertificateKeySize:
    type: string
    default: '2048'
    description: Specifies the private key size used when creating the
                 certificate.
  ApacheCertificateKeySize:
    type: string
    default: ''
    description: Override the private key size used when creating the
                 certificate for this service

conditions:

  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
  key_size_override_unset: {equals: [{get_param: ApacheCertificateKeySize}, '']}

resources:

  ApacheNetworks:
    type: OS::Heat::Value
    properties:
      value:
        # NOTE(xek) Get unique network names to create certificates.
        # We skip the tenant and management network (vip != false)
        # since we don't generate certificates for those.
        - ctlplane
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
        - {{network.name_lower}}
{%- endfor %}
{% raw -%}
outputs:
  role_data:
    description: Role data for the Apache role.
    value:
      service_name: apache
      config_settings:
        map_merge:
          -
            # for the given network; replacement examples (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet - > IP/CIDR
            apache::ip:
              str_replace:
                template:
                  "%{hiera('$NETWORK')}"
                params:
                  $NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
            apache::default_vhost: false
            apache::trace_enable: 'Off'
            apache::server_signature: 'Off'
            apache::server_tokens: 'Prod'
            apache::mod::prefork::maxrequestworkers: { get_param: ApacheMaxRequestWorkers }
            apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
            apache::mod::remoteip::proxy_ips:
              get_param:
                - ServiceData
                - net_cidr_map
                - {get_param: [ServiceNetMap, ApacheNetwork]}
            apache::mod::alias::icons_options: 'None'
          - if:
            - internal_tls_enabled
            -
              apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
              apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
              apache_certificates_specs:
                map_merge:
                  repeat:
                    template:
                      httpd-NETWORK:
                        service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
                        service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
                    for_each:
                      NETWORK: {get_attr: [ApacheNetworks, value]}
            - {}
      metadata_settings:
        if:
          - internal_tls_enabled
          -
            repeat:
              template:
                - service: HTTP
                  network: $NETWORK
                  type: node
              for_each:
                $NETWORK: {get_attr: [ApacheNetworks, value]}
          - null
      upgrade_tasks: []
      deploy_steps_tasks:
        - name: Certificate generation
          when:
            - step|int == 1
            - enable_internal_tls
          block:
            - name: Create dirs for certificates and keys
              file:
                path: "{{ item }}"
                state: directory
                serole: object_r
                setype: cert_t
                seuser: system_u
              with_items:
                - '/etc/pki/tls/certs/httpd'
                - '/etc/pki/tls/private/httpd'
            - include_role:
                name: linux-system-roles.certificate
              vars:
                certificate_requests:
                  repeat:
                    template:
                      name: httpd-NETWORK
                      dns: "{{fqdn_NETWORK}}"
                      principal: "HTTP/{{fqdn_NETWORK}}@{{idm_realm}}"
                      run_after: |
                        cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
                        cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
                        pkill -USR1 httpd
                      key_size:
                        if:
                          - key_size_override_unset
                          - {get_param: CertificateKeySize}
                          - {get_param: ApacheCertificateKeySize}
                      ca: ipa
                    for_each:
                      NETWORK: {get_attr: [ApacheNetworks, value]}
{%- endraw %}