Merge "Replace outdated instruction with link to upstream doc"
heat_template_version: pike

# Service template that has certmonger issue one TLS certificate per
# internal HAProxy network (the "external" and "tenant" networks are
# excluded; see the NOTE on HAProxyNetworks). Only ServiceNetMap is
# consumed below; the remaining parameters appear to be the shared
# service-template interface and are not referenced in this file.
description: >
  HAProxy deployment with TLS enabled, powered by certmonger

parameters:
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json

resources:

  # Distinct list of network names taken from the values of ServiceNetMap,
  # minus "external" and "tenant". This list drives both repeat blocks in
  # the outputs, so a network only gets a certificate if some service is
  # mapped onto it.
  HAProxyNetworks:
    type: OS::Heat::Value
    properties:
      value:
        # NOTE(jaosorior) Get unique network names to create
        # certificates for those. We skip the tenant network since
        # we don't need a certificate for that, and the external
        # network will be handled in another template.
        yaql:
          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
          data:
            map:
              get_param: ServiceNetMap

outputs:
  role_data:
    description: Role data for the HAProxy internal TLS via certmonger role.
    value:
      service_name: haproxy_internal_tls_certmonger
      # Hiera flags: turn on certificate generation via certmonger and make
      # the tripleo::haproxy puppet class consume the resulting per-network
      # certificates instead of a single external one.
      config_settings:
        generate_service_certificates: true
        tripleo::haproxy::use_internal_certificates: true
      # One certificate spec per network in HAProxyNetworks. "NETWORK" is
      # substituted literally into keys and values, so each network gets
      # its own pem/crt/key files, its own hostname and its own principal.
      certificates_specs:
        map_merge:
          repeat:
            template:
              haproxy-NETWORK:
                # Combined cert+key bundle (what HAProxy itself loads) and
                # the separate cert and private-key files.
                service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem'
                service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt'
                service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key'
                # Subject/SAN hostname and Kerberos-style principal are both
                # resolved at puppet time from the per-network cloud_name
                # hiera key; the cert is only valid for that VIP name.
                hostname: "%{hiera('cloud_name_NETWORK')}"
                # NOTE(review): certmonger runs this after (re)issuing the
                # certificate. Left empty, nothing tells HAProxy to pick up
                # the renewed files, so it presumably keeps serving the
                # previously loaded certificate until reloaded by other
                # means. Still a TODO: wire in a reload hook for the service.
                postsave_cmd: ""
                principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
            for_each:
              NETWORK: {get_attr: [HAProxyNetworks, value]}
      # Publishes a "haproxy / <network> / vip" entry per network so that
      # whatever consumes metadata_settings (the CA-side provisioning
      # hook, presumably) can pre-register the matching service principals.
      # Note this block uses the "$NETWORK" placeholder form, whereas
      # certificates_specs above uses bare "NETWORK"; both are valid for
      # Heat's repeat function.
      metadata_settings:
        repeat:
          template:
          - service: haproxy
            network: $NETWORK
            type: vip
          for_each:
            $NETWORK: {get_attr: [HAProxyNetworks, value]}