Merge "Add support for upgrading ec2-api"
[apex-tripleo-heat-templates.git] / puppet / services / haproxy-internal-tls-certmonger.yaml
1 heat_template_version: ocata
2
3 description: >
4   HAProxy deployment with TLS enabled, powered by certmonger
5
6 parameters:
7   ServiceNetMap:
8     default: {}
9     description: Mapping of service_name -> network name. Typically set
10                  via parameter_defaults in the resource registry.  This
11                  mapping overrides those in ServiceNetMapDefaults.
12     type: json
13   DefaultPasswords:
14     default: {}
15     type: json
16   EndpointMap:
17     default: {}
18     description: Mapping of service endpoint -> protocol. Typically set
19                  via parameter_defaults in the resource registry.
20     type: json
21
   # Only ServiceNetMap is consumed below; DefaultPasswords and EndpointMap
   # are declared but not referenced in this template (presumably kept for
   # the common service-template parameter interface).
22 resources:
23
   # Derives the list of networks that need an HAProxy certificate.
24   HAProxyNetworks:
25     type: OS::Heat::Value
26     properties:
27       value:
28         # NOTE(jaosorior) Get unique network names to create
29         # certificates for those. We skip the tenant network since
30         # we don't need a certificate for that, and the external
31         # network will be handled in another template.
           # items().map($1[1]) collects the mapping values (network names),
           # distinct() de-duplicates them, and where() drops external/tenant.
32         yaql:
33           expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
34           data:
35             map:
36               get_param: ServiceNetMap
37
38 outputs:
39   role_data:
40     description: Role data for the HAProxy internal TLS via certmonger role.
41     value:
42       service_name: haproxy_internal_tls_certmonger
         # Hiera settings for the puppet side; both are real booleans, not
         # strings. NOTE(review): presumably read by puppet-tripleo's haproxy
         # profile -- confirm against the consumer.
43       config_settings:
44         generate_service_certificates: true
45         tripleo::haproxy::use_internal_certificates: true
         # One certmonger spec per network in HAProxyNetworks. `repeat`
         # substitutes the literal token NETWORK wherever it appears in the
         # template -- in the map key as well as inside the quoted path and
         # hiera strings -- and map_merge folds the resulting list of
         # single-key maps into one map.
46       certificates_specs:
47         map_merge:
48           repeat:
49             template:
50               haproxy-NETWORK:
51                 service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem'
52                 service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt'
                   # Private key material; lives under the private/ tree, apart
                   # from the certificate and the combined PEM above.
53                 service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key'
                   # Resolved at hiera time from cloud_name_<network>.
                   # NOTE(review): presumably the per-network VIP FQDN --
                   # confirm against the template that sets cloud_name_*.
54                 hostname: "%{hiera('cloud_name_NETWORK')}"
                   # Empty post-save hook: nothing in this template reloads
                   # HAProxy after certmonger renews a certificate, so a
                   # renewed cert is not picked up by the running daemon
                   # unless something else restarts it. Tracked by the TODO.
55                 postsave_cmd: "" # TODO
56                 principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
57             for_each:
58               NETWORK: {get_attr: [HAProxyNetworks, value]}
         # One metadata entry (type vip) per network. The placeholder is
         # spelled $NETWORK here and NETWORK above; repeat does plain string
         # substitution, so either works as long as the template and the
         # for_each key use the same spelling.
59       metadata_settings:
60         repeat:
61           template:
62           - service: haproxy
63             network: $NETWORK
64             type: vip
65           for_each:
66             $NETWORK: {get_attr: [HAProxyNetworks, value]}