7dea79a9e3
In the standalone config, there is no external network defined.
This leaves the hieradata cloud_name_external undefined, resulting in
an error when we are using the haproxy-public-tls-certmonger template
to create new public certs through haproxy.
Using the PublicNetwork allows us to get the right network for haproxy
in all cases to specify the network and fqdn to use for public certmonger
certificates.
Co-Authored-By: Grzegorz Grasza <xek@redhat.com>
Change-Id: I8778402bbb7a670c4aa95671c6017dff356238d4
(cherry picked from commit e5f51815c5
)
85 lines
2.9 KiB
YAML
85 lines
2.9 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
HAProxy deployment with TLS enabled, powered by certmonger
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
HAProxyInternalTLSCertsDirectory:
|
|
default: '/etc/pki/tls/certs/haproxy'
|
|
type: string
|
|
HAProxyInternalTLSKeysDirectory:
|
|
default: '/etc/pki/tls/private/haproxy'
|
|
type: string
|
|
DeployedSSLCertificatePath:
|
|
default: '/etc/pki/tls/private/overcloud_endpoint.pem'
|
|
description: >
|
|
The filepath of the certificate as it will be stored in the controller.
|
|
type: string
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the HAProxy public TLS via certmonger role.
|
|
value:
|
|
service_name: haproxy_public_tls_certmonger
|
|
config_settings:
|
|
generate_service_certificates: true
|
|
tripleo::haproxy::service_certificate: {get_param: DeployedSSLCertificatePath}
|
|
tripleo::certmonger::haproxy_dirs::certificate_dir:
|
|
get_param: HAProxyInternalTLSCertsDirectory
|
|
tripleo::certmonger::haproxy_dirs::key_dir:
|
|
get_param: HAProxyInternalTLSKeysDirectory
|
|
certificates_specs:
|
|
haproxy-external:
|
|
service_pem: {get_param: DeployedSSLCertificatePath}
|
|
service_certificate:
|
|
list_join:
|
|
- ''
|
|
- - {get_param: HAProxyInternalTLSCertsDirectory}
|
|
- '/overcloud-haproxy-external.crt'
|
|
service_key:
|
|
list_join:
|
|
- ''
|
|
- - {get_param: HAProxyInternalTLSKeysDirectory}
|
|
- '/overcloud-haproxy-external.key'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('cloud_name_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "haproxy/%{hiera('cloud_name_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, PublicNetwork]}
|
|
postsave_cmd: "/usr/bin/certmonger-haproxy-refresh.sh reload external"
|
|
metadata_settings:
|
|
- service: haproxy
|
|
network: {get_param: [ServiceNetMap, PublicNetwork]}
|
|
type: vip
|