tripleo-heat-templates/puppet/services/apache.yaml
Carlos Camacho 0a0e2ee629 Update the template_version alias for all the templates to pike.
Master is now the development branch for pike
changing the release alias name.

Change-Id: I938e4a983e361aefcaa0bd9a4226c296c5823127
2017-05-19 09:58:07 +02:00

136 lines
4.7 KiB
YAML

heat_template_version: pike
description: >
Apache service configured with Puppet. Note this is typically included
automatically via other services which run via Apache.
parameters:
ApacheMaxRequestWorkers:
default: 256
description: Maximum number of simultaneously processed requests.
type: number
ApacheServerLimit:
default: 256
description: Maximum number of Apache processes.
type: number
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ApacheNetworks:
type: OS::Heat::Value
properties:
value:
# NOTE(jaosorior) Get unique network names to create
# certificates for those. We skip the tenant network since
# we don't need a certificate for that, and the external
# is for HAProxy so it isn't used for apache either.
yaql:
expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
data:
map:
get_param: ServiceNetMap
outputs:
role_data:
description: Role data for the Apache role.
value:
service_name: apache
config_settings:
map_merge:
-
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
apache::default_vhost: false
apache::server_signature: 'Off'
apache::server_tokens: 'Prod'
apache_remote_proxy_ips_network:
str_replace:
template: "NETWORK_subnet"
params:
NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
- if:
- internal_tls_enabled
-
generate_service_certificates: true
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
apache_certificates_specs:
map_merge:
repeat:
template:
httpd-NETWORK:
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- {}
metadata_settings:
if:
- internal_tls_enabled
-
repeat:
template:
- service: HTTP
network: $NETWORK
type: node
for_each:
$NETWORK: {get_attr: [ApacheNetworks, value]}
- null
upgrade_tasks:
- name: Check if httpd is deployed
command: systemctl is-enabled httpd
tags: common
ignore_errors: True
register: httpd_enabled
- name: "PreUpgrade step0,validation: Check service httpd is running"
shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
when: httpd_enabled.rc == 0
tags: step0,validation
- name: Ensure mod_ssl package is installed
tags: step3
yum: name=mod_ssl state=latest