Merge "Add IronicInspector settings to the network map"
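heat_template_version: pike

description: >
  Apache service configured with Puppet. Note this is typically included
  automatically via other services which run via Apache.

parameters:
  ApacheMaxRequestWorkers:
    default: 256
    description: Maximum number of simultaneously processed requests.
    type: number
  ApacheServerLimit:
    default: 256
    description: Maximum number of Apache processes.
    type: number
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry. This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: Specifies the default CA cert to use if TLS is used for
                 services in the internal network.

conditions:

  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

resources:

  ApacheNetworks:
    type: OS::Heat::Value
    properties:
      value:
        # NOTE(jaosorior) Get unique network names to create
        # certificates for those. We skip the tenant network since
        # we don't need a certificate for that, and the external
        # is for HAProxy so it isn't used for apache either.
        yaql:
          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
          data:
            map:
              get_param: ServiceNetMap

outputs:
  role_data:
    description: Role data for the Apache role.
    value:
      service_name: apache
      config_settings:
        map_merge:
          -
            # NOTE: the ServiceNetMap lookup yields a network name; hiera
            # replaces it with the local node's address on that network.
            # Replacement examples (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet -> IP/CIDR
            apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
            apache::default_vhost: false
            # Hide the Apache version and platform in response headers and
            # generated pages (ServerSignature Off / ServerTokens Prod).
            apache::server_signature: 'Off'
            apache::server_tokens: 'Prod'
            # The *_subnet hiera key resolves to the CIDR of the Apache network.
            apache_remote_proxy_ips_network:
              str_replace:
                template: "NETWORK_subnet"
                params:
                  NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
            apache::mod::prefork::maxclients: { get_param: ApacheMaxRequestWorkers }
            apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
            # mod_remoteip trusts the forwarded client-address header only from
            # this subnet. Any host on the Apache network can therefore set the
            # client IP that Apache logs and uses for access control; keep that
            # subnet limited to the proxy tier.
            apache::mod::remoteip::proxy_ips:
              - "%{hiera('apache_remote_proxy_ips_network')}"
          - if:
            - internal_tls_enabled
            -
              generate_service_certificates: true
              apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
              tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
              tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
              # One certificate spec per network in ApacheNetworks; the
              # principal is the per-network FQDN so each vhost presents a
              # cert matching the name clients on that network use.
              apache_certificates_specs:
                map_merge:
                  repeat:
                    template:
                      httpd-NETWORK:
                        service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
                        service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
                        hostname: "%{hiera('fqdn_NETWORK')}"
                        principal: "HTTP/%{hiera('fqdn_NETWORK')}"
                    for_each:
                      NETWORK: {get_attr: [ApacheNetworks, value]}
            - {}
      metadata_settings:
        if:
          - internal_tls_enabled
          -
            repeat:
              template:
                - service: HTTP
                  network: $NETWORK
                  type: node
              for_each:
                $NETWORK: {get_attr: [ApacheNetworks, value]}
          - null
      upgrade_tasks:
        - name: Check if httpd is deployed
          command: systemctl is-enabled httpd
          tags: common
          # A non-zero exit here only means httpd is not enabled on this node;
          # the result is consulted by the next task via httpd_enabled.rc.
          ignore_errors: true
          register: httpd_enabled
        - name: "PreUpgrade step0,validation: Check service httpd is running"
          shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
          when: httpd_enabled.rc == 0
          tags: step0,validation
        - name: Ensure mod_ssl package is installed
          tags: step3
          yum:
            name: mod_ssl
            state: latest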