openstack/tripleo-heat-templates
Code Issues Proposed changes
f5394e7e2d
tripleo-heat-templates/puppet/services/apache.j2.yaml
Harald Jensås 8665a0d97b Make NetCidrMapValue contain list of cidrs in each net 
Prior to routed networks we only had one subnet per network.
With routed networks each network can have multiple subnets.
The NetCidrMapValue should contain a list storing the cidr
of each subnet for each network.

Ceph:
  list_join is used to make a comma separated list of
  cidrs for public_network, monitor_address_block,
  cluster_network and radosgw_address_block.

Partial: blueprint tripleo-routed-networks-templates
Depends-On: Ia8e219b30d4f8b199b882e95fe2834252a92c15a
Depends-On: I1ace0a02e6aa2610559fee0d8576e6f1bc98d699
Change-Id: I68e064d23ec5d43f59146d974cae604d2c5fdb52
2019-01-06 18:20:27 +01:00

137 lines
4.6 KiB
YAML
Raw Blame History

heat_template_version: rocky
description: >
Apache service configured with Puppet. Note this is typically included
automatically via other services which run via Apache.
parameters:
ApacheMaxRequestWorkers:
default: 256
description: Maximum number of simultaneously processed requests.
type: number
ApacheServerLimit:
default: 256
description: Maximum number of Apache processes.
type: number
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ApacheNetworks:
type: OS::Heat::Value
properties:
value:
# NOTE(jaosorior) Get unique network names to create
# certificates for those. We skip the tenant network since
# we don't need a certificate for that.
- ctlplane
{%- for network in networks %}
{%- if network.name_lower != 'tenant' %}
- {{network.name_lower}}
{%- endif %}
{%- endfor %}
outputs:
role_data:
description: Role data for the Apache role.
value:
service_name: apache
config_settings:
map_merge:
-
# for the given network; replacement examples (eg. for internal_api):
# internal_api -> IP
# internal_api_uri -> [IP]
# internal_api_subnet - > IP/CIDR
apache::ip:
str_replace:
template:
"%{hiera('$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
apache::default_vhost: false
apache::trace_enable: 'Off'
apache::server_signature: 'Off'
apache::server_tokens: 'Prod'
apache_remote_proxy_ips_network:
# TODO(hjensas): Replace with get_param: [ServiceData, net_cidr_map, {get_param: [ServiceNetMap, ApacheNetwork]}
str_replace:
template:
"%{hiera('$NETWORK_subnet')}"
params:
$NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
apache::mod::remoteip::proxy_ips:
- "%{hiera('apache_remote_proxy_ips_network')}"
- if:
- internal_tls_enabled
-
generate_service_certificates: true
apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
apache::mod::ssl::ssl_protocol: ['all', '-SSLv2', '-SSLv3', '-TLSv1']
tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
apache_certificates_specs:
map_merge:
repeat:
template:
httpd-NETWORK:
service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
hostname: "%{hiera('fqdn_NETWORK')}"
principal: "HTTP/%{hiera('fqdn_NETWORK')}"
for_each:
NETWORK: {get_attr: [ApacheNetworks, value]}
- {}
metadata_settings:
if:
- internal_tls_enabled
-
repeat:
template:
- service: HTTP
network: $NETWORK
type: node
for_each:
$NETWORK: {get_attr: [ApacheNetworks, value]}
- null
upgrade_tasks: []
View Git Blame Copy Permalink