65ff578a7b
This change increases the base timeout value in Apache, from current 60 seconds to 90 seconds, because sometimes response can take more than 60 seconds when rpc_response_timeout (60s by default) is exceeded, and the actual response from service should be more informative than 504 response by apache. Closes-Bug: #1931656 Change-Id: I0200a01d8fc2a4476436a00f2cabfb74e4540123
171 lines
6.1 KiB
YAML
171 lines
6.1 KiB
YAML
heat_template_version: wallaby
|
|
|
|
description: >
|
|
Apache service configured with Puppet. Note this is typically included
|
|
automatically via other services which run via Apache.
|
|
|
|
parameters:
|
|
ApacheMaxRequestWorkers:
|
|
default: 256
|
|
description: Maximum number of simultaneously processed requests.
|
|
type: number
|
|
ApacheServerLimit:
|
|
default: 256
|
|
description: Maximum number of Apache processes.
|
|
type: number
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. Use
|
|
parameter_merge_strategies to merge it with the defaults.
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
CertificateKeySize:
|
|
type: string
|
|
default: '2048'
|
|
description: Specifies the private key size used when creating the
|
|
certificate.
|
|
ApacheCertificateKeySize:
|
|
type: string
|
|
default: ''
|
|
description: Override the private key size used when creating the
|
|
certificate for this service
|
|
ApacheTimeout:
|
|
type: number
|
|
default: 90
|
|
description: The timeout in seconds for Apache, which defines duration
|
|
Apache waits for I/O operations
|
|
|
|
conditions:
|
|
key_size_override_set:
|
|
not: {equals: [{get_param: ApacheCertificateKeySize}, '']}
|
|
|
|
resources:
|
|
ApacheNetworks:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
value:
|
|
# NOTE(xek) Get unique network names to create certificates.
|
|
# We skip the tenant and management network (vip != false)
|
|
# since we don't generate certificates for those.
|
|
- ctlplane
|
|
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
|
|
- {{network.name_lower}}
|
|
{%- endfor %}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Apache role.
|
|
value:
|
|
service_name: apache
|
|
config_settings:
|
|
map_merge:
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
- apache::ip:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
|
|
apache::default_vhost: false
|
|
apache::trace_enable: 'Off'
|
|
apache::server_signature: 'Off'
|
|
apache::server_tokens: 'Prod'
|
|
apache::timeout: {get_param: ApacheTimeout}
|
|
apache::mod::prefork::maxrequestworkers: { get_param: ApacheMaxRequestWorkers }
|
|
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
|
|
apache::mod::remoteip::proxy_ips:
|
|
get_param:
|
|
- ServiceData
|
|
- net_cidr_map
|
|
- {get_param: [ServiceNetMap, ApacheNetwork]}
|
|
apache::mod::alias::icons_options: 'None'
|
|
- if:
|
|
- {get_param: EnableInternalTLS}
|
|
- apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
|
|
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
|
|
apache_certificates_specs:
|
|
map_merge:
|
|
repeat:
|
|
template:
|
|
httpd-NETWORK:
|
|
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
|
|
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
|
|
for_each:
|
|
NETWORK: {get_attr: [ApacheNetworks, value]}
|
|
metadata_settings:
|
|
if:
|
|
- {get_param: EnableInternalTLS}
|
|
- repeat:
|
|
template:
|
|
- service: HTTP
|
|
network: $NETWORK
|
|
type: node
|
|
for_each:
|
|
$NETWORK: {get_attr: [ApacheNetworks, value]}
|
|
upgrade_tasks: []
|
|
deploy_steps_tasks:
|
|
- name: Certificate generation
|
|
when:
|
|
- step|int == 1
|
|
- enable_internal_tls
|
|
block:
|
|
- name: Create dirs for certificates and keys
|
|
file:
|
|
path: "{% raw %}{{ item }}{% endraw %}"
|
|
state: directory
|
|
serole: object_r
|
|
setype: cert_t
|
|
seuser: system_u
|
|
with_items:
|
|
- '/etc/pki/tls/certs/httpd'
|
|
- '/etc/pki/tls/private/httpd'
|
|
- include_role:
|
|
name: linux-system-roles.certificate
|
|
vars:
|
|
certificate_requests:
|
|
repeat:
|
|
template:
|
|
name: httpd-NETWORK
|
|
dns: "{% raw %}{{ fqdn_NETWORK }}{% endraw %}"
|
|
principal: "{% raw %}HTTP/{{ fqdn_NETWORK }}@{{ idm_realm }}{% endraw %}"
|
|
run_after: |
|
|
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
|
|
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
|
|
pkill -USR1 httpd
|
|
key_size:
|
|
if:
|
|
- key_size_override_set
|
|
- {get_param: ApacheCertificateKeySize}
|
|
- {get_param: CertificateKeySize}
|
|
ca: ipa
|
|
for_each:
|
|
NETWORK: {get_attr: [ApacheNetworks, value]}
|