openstack/tripleo-heat-templates
Code Issues Proposed changes
a269c1a5a6
tripleo-heat-templates/puppet/services/apache.j2.yaml
Juan Antonio Osorio Robles 514f99c575 TLS everywhere: Set post-save command for httpd 
The default command wasn't working, so here we set one that will
actually work.

httpd is a fairly simple instance, since the certs are mounted from the
directory (and not the individual certs). So there is no need to copy
anything to the container or do any post-processing. All we need to do
is tell httpd to load the new certs.

Related-Bug: #1811401
Depends-On: I642f48aa0e66ca57de2ecee921c798747ba41e1a
Change-Id: I862f0d15f769167c8b5d27cf302b7087b8fad0ab
2019-01-29 05:51:29 +00:00

134 lines
4.4 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
Apache service configured with Puppet. Note this is typically included
automatically via other services which run via Apache.
parameters:
ApacheMaxRequestWorkers:
default: 256
description: Maximum number of simultaneously processed requests.
type: number
ApacheServerLimit:
default: 256
description: Maximum number of Apache processes.
type: number
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ApacheNetworks:
type: OS::Heat::Value
properties:
value:
# NOTE(jaosorior) Get unique network names to create
# certificates for those. We skip the tenant network since
# we don't need a certificate for that.
- ctlplane
{%- for network in networks if network.enabled|default(true) %}
{%- if network.name_lower != 'tenant' %}
- {{network.name_lower}}
{%- endif %}
{%- endfor %}
outputs:
role_data:
description: Role data for the Apache role.
value:
service_name: apache
config_settings:
map_merge:
-
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
apache::ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
apache::default_vhost: false
apache::trace_enable: 'Off'
apache::server_signature: 'Off'
apache::server_tokens: 'Prod'
apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
get_param:
- ServiceData
- net_cidr_map
- {get_param: [ServiceNetMap, ApacheNetwork]}
- if:
- internal_tls_enabled
-
generate_service_certificates: true
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
apache_certificates_specs:
map_merge:
repeat:
template:
httpd-NETWORK:
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
postsave_cmd: "pkill -USR1 httpd"
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- {}
metadata_settings:
if:
- internal_tls_enabled
-
repeat:
template:
- service: HTTP
network: $NETWORK
type: node
for_each:
$NETWORK: {get_attr: [ApacheNetworks, value]}
- null
upgrade_tasks: []
View Git Blame Copy Permalink