# puppet/services/apache-internal-tls-certmonger.yaml
#
# Heat service template. For every internal network that appears in
# ServiceNetMap it declares a certificate spec for Apache (certificate
# path, private-key path, hostname and principal) and adds a pre-upgrade
# check that httpd is running.
heat_template_version: ocata

description: >
  Apache service TLS configurations.

parameters:
  ServiceNetMap:
    type: json
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set via
      parameter_defaults in the resource registry.  This mapping overrides
      those in ServiceNetMapDefaults.
  # The two parameters below are not read anywhere in this template; they
  # are declared only because the pep8 tests require them.
  DefaultPasswords:
    type: json
    default: {}
  EndpointMap:
    type: json
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set via
      parameter_defaults in the resource registry.

resources:

  ApacheNetworks:
    type: OS::Heat::Value
    properties:
      value:
        # NOTE(jaosorior) Collect the distinct network names found among
        # the values of ServiceNetMap; a certificate is created for each.
        # The tenant network is skipped because no certificate is needed
        # there, and the external network is handled in another template.
        # NOTE(review): the filter is an exclusion list, so any other
        # network name present in ServiceNetMap gets a certificate spec
        # by default -- confirm that is intended when networks are added.
        yaql:
          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
          data:
            map: {get_param: ServiceNetMap}

outputs:
  role_data:
    description: Role data for the Apache role.
    value:
      service_name: apache_internal_tls_certmonger
      config_settings:
        generate_service_certificates: true
        # One httpd-<network> entry per name in ApacheNetworks. The repeat
        # key is the bare word NETWORK, so it is substituted wherever it
        # occurs in the keys and values of the template below.
        # NOTE(review): only the private key's *path* is declared here;
        # ownership and mode of the file under /etc/pki/tls/private are
        # not set in this template -- confirm the consumer keeps it
        # unreadable to other local users.
        apache_certificates_specs:
          map_merge:
            repeat:
              for_each:
                NETWORK:
                  get_attr: [ApacheNetworks, value]
              template:
                httpd-NETWORK:
                  service_certificate: /etc/pki/tls/certs/httpd-NETWORK.crt
                  service_key: /etc/pki/tls/private/httpd-NETWORK.key
                  # Both values are hiera lookups of fqdn_<network>, so the
                  # certificate name and the HTTP/ principal stay aligned.
                  hostname: "%{hiera('fqdn_NETWORK')}"
                  principal: "HTTP/%{hiera('fqdn_NETWORK')}"
      # One record (service HTTP, type node) per network in ApacheNetworks.
      # NOTE(review): presumably read by whatever registers the HTTP/<fqdn>
      # service principals -- verify against the consumer.
      metadata_settings:
        repeat:
          for_each:
            $NETWORK:
              get_attr: [ApacheNetworks, value]
          template:
            - service: HTTP
              network: $NETWORK
              type: node
      upgrade_tasks:
        # Validation gate before the upgrade: the pipeline's exit status is
        # grep's, so the command succeeds only when systemctl reports
        # ActiveState=active for httpd.
        - name: 'PreUpgrade step0,validation: Check service httpd is running'
          tags: 'step0,validation'
          shell: >-
            /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'