1 heat_template_version: pike
4 HAProxy deployment with TLS enabled, powered by certmonger
9 description: Dictionary packing service data
13 description: Mapping of service_name -> network name. Typically set
14 via parameter_defaults in the resource registry. This
15 mapping overrides those in ServiceNetMapDefaults.
22 description: Role name on which the service is applied
26 description: Parameters specific to the role
30 description: Mapping of service endpoint -> protocol. Typically set
31 via parameter_defaults in the resource registry.
# Base directory for the per-network certificate files; the .crt and .pem
# paths built further down in this template are placed under it, and it is
# passed on as tripleo::certmonger::haproxy_dirs::certificate_dir.
33 HAProxyInternalTLSCertsDirectory:
34 default: '/etc/pki/tls/certs/haproxy'
# Base directory for the per-network private key (.key) files; passed on as
# tripleo::certmonger::haproxy_dirs::key_dir.
36 HAProxyInternalTLSKeysDirectory:
37 default: '/etc/pki/tls/private/haproxy'
46 # NOTE(jaosorior) Get unique network names to create
47 # certificates for those. We skip the tenant network since
48 # we don't need a certificate for that, and the external
49 # network will be handled in another template.
# The expression takes the value of every ServiceNetMap entry (the network
# name), removes duplicates, and drops the names external and tenant.
# NOTE(review): the exclusion compares against those two fixed names;
# confirm it still holds where a deployment names these networks
# differently, since any other name gets a certificate requested for it.
51 expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
# Input to the expression: the ServiceNetMap parameter.
54 get_param: ServiceNetMap
58 description: Role data for the HAProxy internal TLS via certmonger role.
60 service_name: haproxy_internal_tls_certmonger
# Settings handed to the tripleo puppet modules; what each flag does is
# defined there, not in this template. The two haproxy_dirs keys forward the
# certificate and key directory parameters unchanged.
62 generate_service_certificates: true
63 tripleo::haproxy::use_internal_certificates: true
64 tripleo::certmonger::haproxy_dirs::certificate_dir:
65 get_param: HAProxyInternalTLSCertsDirectory
66 tripleo::certmonger::haproxy_dirs::key_dir:
67 get_param: HAProxyInternalTLSKeysDirectory
# Path of the per-network .pem file.
# NOTE(review): this file is written under the certificates directory, not
# the keys directory. If it is HAProxy's combined certificate-plus-key
# bundle, that directory holds private key material and needs ownership and
# permissions as tight as the keys directory - confirm in the puppet code.
76 - - {get_param: HAProxyInternalTLSCertsDirectory}
77 - '/overcloud-haproxy-NETWORK.pem'
# Path of the per-network certificate file.
81 - - {get_param: HAProxyInternalTLSCertsDirectory}
82 - '/overcloud-haproxy-NETWORK.crt'
# Path of the per-network private key file, kept under the keys directory.
86 - - {get_param: HAProxyInternalTLSKeysDirectory}
87 - '/overcloud-haproxy-NETWORK.key'
# Hostname and service principal are both derived from the per-network hiera
# key cloud_name_NETWORK, resolved when hiera interpolates the value.
88 hostname: "%{hiera('cloud_name_NETWORK')}"
# NOTE(review): postsave_cmd is empty, so this template configures no command
# to run after a certificate is saved. Confirm that HAProxy is reloaded and
# the .pem regenerated by some other mechanism on renewal; otherwise the
# running proxy may keep serving the previous certificate until it expires.
89 postsave_cmd: "" # TODO
90 principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
# The NETWORK / $NETWORK placeholders take their values from the
# HAProxyNetworks resource (the filtered network-name list) - presumably one
# expansion per network; the enclosing keys are not visible in this excerpt.
92 NETWORK: {get_attr: [HAProxyNetworks, value]}
100 $NETWORK: {get_attr: [HAProxyNetworks, value]}