You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
164 lines
5.9 KiB
164 lines
5.9 KiB
heat_template_version: wallaby |
|
|
|
description: > |
|
Apache service configured with Puppet. Note this is typically included |
|
automatically via other services which run via Apache. |
|
|
|
parameters: |
|
ApacheMaxRequestWorkers: |
|
default: 256 |
|
description: Maximum number of simultaneously processed requests. |
|
type: number |
|
ApacheServerLimit: |
|
default: 256 |
|
description: Maximum number of Apache processes. |
|
type: number |
|
ServiceData: |
|
default: {} |
|
description: Dictionary packing service data |
|
type: json |
|
ServiceNetMap: |
|
default: {} |
|
description: Mapping of service_name -> network name. Typically set |
|
via parameter_defaults in the resource registry. This |
|
mapping overrides those in ServiceNetMapDefaults. |
|
type: json |
|
RoleName: |
|
default: '' |
|
description: Role name on which the service is applied |
|
type: string |
|
RoleParameters: |
|
default: {} |
|
description: Parameters specific to the role |
|
type: json |
|
EndpointMap: |
|
default: {} |
|
description: Mapping of service endpoint -> protocol. Typically set |
|
via parameter_defaults in the resource registry. |
|
type: json |
|
EnableInternalTLS: |
|
type: boolean |
|
default: false |
|
InternalTLSCAFile: |
|
default: '/etc/ipa/ca.crt' |
|
type: string |
|
description: Specifies the default CA cert to use if TLS is used for |
|
services in the internal network. |
|
CertificateKeySize: |
|
type: string |
|
default: '2048' |
|
description: Specifies the private key size used when creating the |
|
certificate. |
|
ApacheCertificateKeySize: |
|
type: string |
|
default: '' |
|
description: Override the private key size used when creating the |
|
certificate for this service |
|
|
|
conditions: |
|
key_size_override_set: |
|
not: {equals: [{get_param: ApacheCertificateKeySize}, '']} |
|
|
|
resources: |
|
ApacheNetworks: |
|
type: OS::Heat::Value |
|
properties: |
|
value: |
|
# NOTE(xek) Get unique network names to create certificates. |
|
# We skip the tenant and management network (vip != false) |
|
# since we don't generate certificates for those. |
|
- ctlplane |
|
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %} |
|
- {{network.name_lower}} |
|
{%- endfor %} |
|
|
|
outputs: |
|
role_data: |
|
description: Role data for the Apache role. |
|
value: |
|
service_name: apache |
|
config_settings: |
|
map_merge: |
|
# for the given network; replacement examples (eg. for internal_api): |
|
# internal_api -> IP |
|
# internal_api_uri -> [IP] |
|
# internal_api_subnet - > IP/CIDR |
|
- apache::ip: |
|
str_replace: |
|
template: |
|
"%{hiera('$NETWORK')}" |
|
params: |
|
$NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]} |
|
apache::default_vhost: false |
|
apache::trace_enable: 'Off' |
|
apache::server_signature: 'Off' |
|
apache::server_tokens: 'Prod' |
|
apache::mod::prefork::maxrequestworkers: { get_param: ApacheMaxRequestWorkers } |
|
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } |
|
apache::mod::remoteip::proxy_ips: |
|
get_param: |
|
- ServiceData |
|
- net_cidr_map |
|
- {get_param: [ServiceNetMap, ApacheNetwork]} |
|
apache::mod::alias::icons_options: 'None' |
|
- if: |
|
- {get_param: EnableInternalTLS} |
|
- apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile} |
|
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1'] |
|
apache_certificates_specs: |
|
map_merge: |
|
repeat: |
|
template: |
|
httpd-NETWORK: |
|
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt' |
|
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key' |
|
for_each: |
|
NETWORK: {get_attr: [ApacheNetworks, value]} |
|
metadata_settings: |
|
if: |
|
- {get_param: EnableInternalTLS} |
|
- repeat: |
|
template: |
|
- service: HTTP |
|
network: $NETWORK |
|
type: node |
|
for_each: |
|
$NETWORK: {get_attr: [ApacheNetworks, value]} |
|
upgrade_tasks: [] |
|
deploy_steps_tasks: |
|
- name: Certificate generation |
|
when: |
|
- step|int == 1 |
|
- enable_internal_tls |
|
block: |
|
- name: Create dirs for certificates and keys |
|
file: |
|
path: "{% raw %}{{ item }}{% endraw %}" |
|
state: directory |
|
serole: object_r |
|
setype: cert_t |
|
seuser: system_u |
|
with_items: |
|
- '/etc/pki/tls/certs/httpd' |
|
- '/etc/pki/tls/private/httpd' |
|
- include_role: |
|
name: linux-system-roles.certificate |
|
vars: |
|
certificate_requests: |
|
repeat: |
|
template: |
|
name: httpd-NETWORK |
|
dns: "{% raw %}{{ fqdn_NETWORK }}{% endraw %}" |
|
principal: "{% raw %}HTTP/{{ fqdn_NETWORK }}@{{ idm_realm }}{% endraw %}" |
|
run_after: | |
|
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt |
|
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key |
|
pkill -USR1 httpd |
|
key_size: |
|
if: |
|
- key_size_override_set |
|
- {get_param: ApacheCertificateKeySize} |
|
- {get_param: CertificateKeySize} |
|
ca: ipa |
|
for_each: |
|
NETWORK: {get_attr: [ApacheNetworks, value]}
|
|
|