openstack/tripleo-heat-templates
Code Issues Proposed changes
71703077af
tripleo-heat-templates/puppet/services/apache.yaml
Carlos Camacho 927495fe3d Change template names to queens 
The new master branch should point now to queens instead of pike.

So, HOT templates should specify that they might contain features
for queens release [1]

[1]: https://docs.openstack.org/heat/latest/template_guide/hot_spec.html#queens

Change-Id: I7654d1c59db0c4508a9d7045f452612d22493004
2017-11-23 10:15:32 +01:00

139 lines
4.7 KiB
YAML
Raw Blame History

heat_template_version: queens
description: >
Apache service configured with Puppet. Note this is typically included
automatically via other services which run via Apache.
parameters:
ApacheMaxRequestWorkers:
default: 256
description: Maximum number of simultaneously processed requests.
type: number
ApacheServerLimit:
default: 256
description: Maximum number of Apache processes.
type: number
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ApacheNetworks:
type: OS::Heat::Value
properties:
value:
# NOTE(jaosorior) Get unique network names to create
# certificates for those. We skip the tenant network since
# we don't need a certificate for that.
yaql:
expression: list($.data.map.items().map($1[1])).distinct().where($ != tenant)
data:
map:
get_param: ServiceNetMap
outputs:
role_data:
description: Role data for the Apache role.
value:
service_name: apache
config_settings:
map_merge:
-
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
apache::default_vhost: false
apache::server_signature: 'Off'
apache::server_tokens: 'Prod'
apache_remote_proxy_ips_network:
str_replace:
template: "NETWORK_subnet"
params:
NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
- if:
- internal_tls_enabled
-
generate_service_certificates: true
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
apache_certificates_specs:
map_merge:
repeat:
template:
httpd-NETWORK:
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- {}
metadata_settings:
if:
- internal_tls_enabled
-
repeat:
template:
- service: HTTP
network: $NETWORK
type: node
for_each:
$NETWORK: {get_attr: [ApacheNetworks, value]}
- null
upgrade_tasks:
- name: Check if httpd is deployed
command: systemctl is-enabled httpd
tags: common
ignore_errors: True
register: httpd_enabled
- name: "PreUpgrade step0,validation: Check service httpd is running"
shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
when: httpd_enabled.rc == 0
tags: step0,validation
- name: Ensure mod_ssl package is installed
tags: step3
yum: name=mod_ssl state=latest
View Git Blame Copy Permalink