1 heat_template_version: pike
4 Apache service configured with Puppet. Note this is typically included
5 automatically via other services which run via Apache.
8 ApacheMaxRequestWorkers:
10 description: Maximum number of simultaneously processed requests.
14 description: Maximum number of Apache processes.
18 description: Dictionary packing service data
22 description: Mapping of service_name -> network name. Typically set
23 via parameter_defaults in the resource registry. This
24 mapping overrides those in ServiceNetMapDefaults.
31 description: Role name on which the service is applied
35 description: Parameters specific to the role
39 description: Mapping of service endpoint -> protocol. Typically set
40 via parameter_defaults in the resource registry.
46 default: '/etc/ipa/ca.crt'
48 description: Specifies the default CA cert to use if TLS is used for
49 services in the internal network.
53 internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
61 # NOTE(jaosorior) Get unique network names to create
62 # certificates for those. We skip the tenant network since
63 # we don't need a certificate for that, and the external
64 # is for HAProxy so it isn't used for apache either.
66 expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
69 get_param: ServiceNetMap
73 description: Role data for the Apache role.
79 # for the given network; replacement examples (eg. for internal_api):
81 # internal_api_uri -> [IP]
82 # internal_api_subnet - > IP/CIDR
83 apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
84 apache::default_vhost: false
85 apache::server_signature: 'Off'
86 apache::server_tokens: 'Prod'
87 apache_remote_proxy_ips_network:
89 template: "NETWORK_subnet"
91 NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
92 apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
93 apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
94 apache::mod::remoteip::proxy_ips:
95 - "%{hiera('apache_remote_proxy_ips_network')}"
97 - internal_tls_enabled
99 generate_service_certificates: true
100 apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
101 tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
102 tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
103 apache_certificates_specs:
108 service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
109 service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
110 hostname: "%{hiera('fqdn_NETWORK')}"
111 principal: "HTTP/%{hiera('fqdn_NETWORK')}"
113 NETWORK: {get_attr: [ApacheNetworks, value]}
117 - internal_tls_enabled
125 $NETWORK: {get_attr: [ApacheNetworks, value]}
128 - name: Check if httpd is deployed
129 command: systemctl is-enabled httpd
132 register: httpd_enabled
133 - name: "PreUpgrade step0,validation: Check service httpd is running"
134 shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
135 when: httpd_enabled.rc == 0
136 tags: step0,validation
137 - name: Ensure mod_ssl package is installed
139 yum: name=mod_ssl state=latest