0a0e2ee629
Master is now the development branch for pike changing the release alias name. Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
136 lines
4.7 KiB
YAML
136 lines
4.7 KiB
YAML
heat_template_version: pike
|
|
|
|
description: >
|
|
Apache service configured with Puppet. Note this is typically included
|
|
automatically via other services which run via Apache.
|
|
|
|
parameters:
|
|
ApacheMaxRequestWorkers:
|
|
default: 256
|
|
description: Maximum number of simultaneously processed requests.
|
|
type: number
|
|
ApacheServerLimit:
|
|
default: 256
|
|
description: Maximum number of Apache processes.
|
|
type: number
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
InternalTLSCAFile:
|
|
default: '/etc/ipa/ca.crt'
|
|
type: string
|
|
description: Specifies the default CA cert to use if TLS is used for
|
|
services in the internal network.
|
|
|
|
conditions:
|
|
|
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
|
|
|
resources:
|
|
|
|
ApacheNetworks:
|
|
type: OS::Heat::Value
|
|
properties:
|
|
value:
|
|
# NOTE(jaosorior) Get unique network names to create
|
|
# certificates for those. We skip the tenant network since
|
|
# we don't need a certificate for that, and the external
|
|
# is for HAProxy so it isn't used for apache either.
|
|
yaql:
|
|
expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
|
|
data:
|
|
map:
|
|
get_param: ServiceNetMap
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Apache role.
|
|
value:
|
|
service_name: apache
|
|
config_settings:
|
|
map_merge:
|
|
-
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
|
|
apache::default_vhost: false
|
|
apache::server_signature: 'Off'
|
|
apache::server_tokens: 'Prod'
|
|
apache_remote_proxy_ips_network:
|
|
str_replace:
|
|
template: "NETWORK_subnet"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
|
|
apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
|
|
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
|
|
apache::mod::remoteip::proxy_ips:
|
|
- "%{hiera('apache_remote_proxy_ips_network')}"
|
|
- if:
|
|
- internal_tls_enabled
|
|
-
|
|
generate_service_certificates: true
|
|
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
|
|
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
|
|
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
|
|
apache_certificates_specs:
|
|
map_merge:
|
|
repeat:
|
|
template:
|
|
httpd-NETWORK:
|
|
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
|
|
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
|
|
hostname: "%{hiera('fqdn_NETWORK')}"
|
|
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
|
|
for_each:
|
|
NETWORK: {get_attr: [ApacheNetworks, value]}
|
|
- {}
|
|
metadata_settings:
|
|
if:
|
|
- internal_tls_enabled
|
|
-
|
|
repeat:
|
|
template:
|
|
- service: HTTP
|
|
network: $NETWORK
|
|
type: node
|
|
for_each:
|
|
$NETWORK: {get_attr: [ApacheNetworks, value]}
|
|
- null
|
|
upgrade_tasks:
|
|
- name: Check if httpd is deployed
|
|
command: systemctl is-enabled httpd
|
|
tags: common
|
|
ignore_errors: True
|
|
register: httpd_enabled
|
|
- name: "PreUpgrade step0,validation: Check service httpd is running"
|
|
shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
|
|
when: httpd_enabled.rc == 0
|
|
tags: step0,validation
|
|
- name: Ensure mod_ssl package is installed
|
|
tags: step3
|
|
yum: name=mod_ssl state=latest
|