heat_template_version: pike

# Folded scalar (`>`): rendered as a single line with one trailing newline.
description: >
  HAProxy deployment with TLS enabled, powered by certmonger

parameters:
  # The only parameter this template actually reads: its distinct values
  # (network names) decide which per-network certificates are requested
  # by the HAProxyNetworks resource below.
  ServiceNetMap:
    default: {}
    description: Mapping of service_name -> network name. Typically set
                 via parameter_defaults in the resource registry.  This
                 mapping overrides those in ServiceNetMapDefaults.
    type: json
  # Not referenced anywhere in this template; presumably declared so the
  # template exposes the same interface as the other service templates.
  DefaultPasswords:
    default: {}
    type: json
  # Not referenced in this template (see note on DefaultPasswords).
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  # Not referenced in this template (see note on DefaultPasswords).
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  # Not referenced in this template (see note on DefaultPasswords).
  EndpointMap:
    default: {}
    description: Mapping of service endpoint -> protocol. Typically set
                 via parameter_defaults in the resource registry.
    type: json

resources:

  # Distinct network names taken from ServiceNetMap, minus `external` and
  # `tenant`. Every remaining name gets its own HAProxy certificate spec
  # and metadata entry in `outputs` below.
  HAProxyNetworks:
    type: OS::Heat::Value
    properties:
      value:
        # NOTE(jaosorior) Get unique network names to create
        # certificates for those. We skip the tenant network since
        # we don't need a certificate for that, and the external
        # network will be handled in another template.
        #
        # Reads `$.data.map` (ServiceNetMap), keeps the value of each
        # item (`$1[1]`, the network name), de-duplicates with
        # distinct(), then drops the two excluded names.
        yaql:
          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
          data:
            map:
              get_param: ServiceNetMap

outputs:
  role_data:
    description: Role data for the HAProxy internal TLS via certmonger role.
    value:
      service_name: haproxy_internal_tls_certmonger
      # Settings handed to the puppet side. By their names, the first asks
      # for service certificates to be generated and the second makes
      # tripleo::haproxy use the internal (per-network) certificates.
      config_settings:
        generate_service_certificates: true
        tripleo::haproxy::use_internal_certificates: true
      # One certificate spec per network: `repeat` expands the template
      # once for every value of HAProxyNetworks, substituting NETWORK in
      # the key, the file paths and the hiera lookups, and `map_merge`
      # folds the expansions into a single mapping.
      certificates_specs:
        map_merge:
          repeat:
            template:
              haproxy-NETWORK:
                # The combined PEM is what HAProxy binds; certificate and
                # key are kept separately, the key under tls/private.
                service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem'
                service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt'
                service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key'
                # Subject/hostname comes from the `cloud_name_<network>`
                # hiera value, resolved on the node at puppet time.
                hostname: "%{hiera('cloud_name_NETWORK')}"
                # NOTE(review): the post-save hook is empty. Presumably it
                # is the command certmonger runs after (re)writing the
                # certificate; with nothing here, a renewed certificate is
                # written to disk but HAProxy keeps serving the old one
                # until it is next restarted, so renewals before expiry
                # are not picked up automatically. Confirm and fill in
                # before relying on certmonger's auto-renewal.
                postsave_cmd: "" # TODO
                # Service principal `haproxy/<hostname>` the certificate
                # is requested for, built from the same hiera value.
                principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
            for_each:
              NETWORK: {get_attr: [HAProxyNetworks, value]}
      # One `haproxy` VIP entry per network; uses the `$NETWORK`
      # placeholder (the spec above uses bare `NETWORK`).
      metadata_settings:
        repeat:
          template:
          - service: haproxy
            network: $NETWORK
            type: vip
          for_each:
            $NETWORK: {get_attr: [HAProxyNetworks, value]}