Heat templates for deploying OpenStack
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

164 lines
5.9 KiB

heat_template_version: wallaby
description: >
Apache service configured with Puppet. Note this is typically included
automatically via other services which run via Apache.
parameters:
ApacheMaxRequestWorkers:
default: 256
description: Maximum number of simultaneously processed requests.
type: number
ApacheServerLimit:
default: 256
description: Maximum number of Apache processes.
type: number
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
CertificateKeySize:
type: string
default: '2048'
description: Specifies the private key size used when creating the
certificate.
ApacheCertificateKeySize:
type: string
default: ''
description: Override the private key size used when creating the
certificate for this service
conditions:
key_size_override_set:
not: {equals: [{get_param: ApacheCertificateKeySize}, '']}
resources:
ApacheNetworks:
type: OS::Heat::Value
properties:
value:
# NOTE(xek) Get unique network names to create certificates.
# We skip the tenant and management network (vip != false)
# since we don't generate certificates for those.
- ctlplane
{%- for network in networks if network.enabled|default(true) and network.vip|default(false) %}
- {{network.name_lower}}
{%- endfor %}
outputs:
role_data:
description: Role data for the Apache role.
value:
service_name: apache
config_settings:
map_merge:
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
- apache::ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
apache::default_vhost: false
apache::trace_enable: 'Off'
apache::server_signature: 'Off'
apache::server_tokens: 'Prod'
apache::mod::prefork::maxrequestworkers: { get_param: ApacheMaxRequestWorkers }
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, ApacheNetwork]}
apache::mod::alias::icons_options: 'None'
- if:
- {get_param: EnableInternalTLS}
- apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
apache_certificates_specs:
map_merge:
repeat:
template:
httpd-NETWORK:
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
metadata_settings:
if:
- {get_param: EnableInternalTLS}
- repeat:
template:
- service: HTTP
network: $NETWORK
type: node
for_each:
$NETWORK: {get_attr: [ApacheNetworks, value]}
upgrade_tasks: []
deploy_steps_tasks:
- name: Certificate generation
when:
- step|int == 1
- enable_internal_tls
block:
- name: Create dirs for certificates and keys
file:
path: "{% raw %}{{ item }}{% endraw %}"
state: directory
serole: object_r
setype: cert_t
seuser: system_u
with_items:
- '/etc/pki/tls/certs/httpd'
- '/etc/pki/tls/private/httpd'
- include_role:
name: linux-system-roles.certificate
vars:
certificate_requests:
repeat:
template:
name: httpd-NETWORK
dns: "{% raw %}{{ fqdn_NETWORK }}{% endraw %}"
principal: "{% raw %}HTTP/{{ fqdn_NETWORK }}@{{ idm_realm }}{% endraw %}"
run_after: |
cp /etc/pki/tls/certs/httpd-NETWORK.crt /etc/pki/tls/certs/httpd/httpd-NETWORK.crt
cp /etc/pki/tls/private/httpd-NETWORK.key /etc/pki/tls/private/httpd/httpd-NETWORK.key
pkill -USR1 httpd
key_size:
if:
- key_size_override_set
- {get_param: ApacheCertificateKeySize}
- {get_param: CertificateKeySize}
ca: ipa
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}