listen_options => $heat_options,
public_ssl_port => $ports[heat_api_ssl_port],
service_network => $heat_api_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
listen_options => $heat_options,
public_ssl_port => $ports[heat_cw_ssl_port],
service_network => $heat_cloudwatch_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
listen_options => $heat_options,
public_ssl_port => $ports[heat_cfn_ssl_port],
service_network => $heat_cfn_network,
+ member_options => union($haproxy_member_options, $internal_tls_member_options),
}
}
#
# === Parameters
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
+# [*heat_api_network*]
+# (Optional) The network name where the heat API endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('heat_api_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::heat::api (
- $step = hiera('step'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $heat_api_network = hiera('heat_api_network', undef),
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::heat
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+ }
+
+ if !$heat_api_network {
+ fail('heat_api_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${heat_api_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${heat_api_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
if $step >= 4 {
- include ::heat::api
+ class { '::heat::api':
+ service_name => 'httpd', # TODO cleanup when this is passed by t-h-t.
+ }
+
+ class { '::heat::wsgi::apache_api':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ # TODO: The following are temporary and will be passed via t-h-t
+ ssl => $enable_internal_tls,
+ servername => hiera("fqdn_${heat_api_network}"),
+ bind_host => hiera('heat::api::bind_host'),
+ }
}
}
#
# === Parameters
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
+# [*heat_api_cfn_network*]
+# (Optional) The network name where the heat cfn endpoint is listening on.
+# This is set by t-h-t.
+# Defaults to hiera('heat_api_cfn_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::heat::api_cfn (
- $step = hiera('step'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $heat_api_cfn_network = hiera('heat_api_cfn_network', undef),
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::heat
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+ }
+
+ if !$heat_api_cfn_network {
+ fail('heat_api_cfn_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${heat_api_cfn_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${heat_api_cfn_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
if $step >= 4 {
- include ::heat::api_cfn
+ class { '::heat::api_cfn':
+ service_name => 'httpd', # TODO cleanup when this is passed by t-h-t.
+ }
+
+ class { '::heat::wsgi::apache_api_cfn':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ # TODO: The following are temporary and will be passed via t-h-t
+ ssl => $enable_internal_tls,
+ servername => hiera("fqdn_${heat_api_cfn_network}"),
+ bind_host => hiera('heat::api_cfn::bind_host'),
+ }
}
}
#
# === Parameters
#
+# [*certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Example with hiera:
+# apache_certificates_specs:
+# httpd-internal_api:
+# hostname: <overcloud controller fqdn>
+# service_certificate: <service certificate path>
+# service_key: <service key path>
+# principal: "haproxy/<overcloud controller fqdn>"
+# Defaults to hiera('apache_certificate_specs', {}).
+#
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*generate_service_certificates*]
+# (Optional) Whether or not certmonger will generate certificates for
+# HAProxy. This could be as many as specified by the $certificates_specs
+# variable.
+# Note that this doesn't configure the certificates in haproxy, it merely
+# creates the certificates.
+# Defaults to hiera('generate_service_certificate', false).
+#
+# [*heat_api_cloudwatch_network*]
+# (Optional) The network name where the heat cloudwatch endpoint is listening
+# on. This is set by t-h-t.
+# Defaults to hiera('heat_api_cloudwatch_network', undef)
+#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
class tripleo::profile::base::heat::api_cloudwatch (
- $step = hiera('step'),
+ $certificates_specs = hiera('apache_certificates_specs', {}),
+ $enable_internal_tls = hiera('enable_internal_tls', false),
+ $generate_service_certificates = hiera('generate_service_certificates', false),
+ $heat_api_cloudwatch_network = hiera('heat_api_cloudwatch_network', undef),
+ $step = hiera('step'),
) {
include ::tripleo::profile::base::heat
+ if $enable_internal_tls {
+ if $generate_service_certificates {
+ ensure_resources('tripleo::certmonger::httpd', $certificates_specs)
+ }
+
+ if !$heat_api_cloudwatch_network {
+ fail('heat_api_cloudwatch_network is not set in the hieradata.')
+ }
+ $tls_certfile = $certificates_specs["httpd-${heat_api_cloudwatch_network}"]['service_certificate']
+ $tls_keyfile = $certificates_specs["httpd-${heat_api_cloudwatch_network}"]['service_key']
+ } else {
+ $tls_certfile = undef
+ $tls_keyfile = undef
+ }
+
if $step >= 4 {
- include ::heat::api_cloudwatch
+ class { '::heat::api_cloudwatch':
+ service_name => 'httpd', # TODO cleanup when this is passed by t-h-t.
+ }
+
+ class { '::heat::wsgi::apache_api_cloudwatch':
+ ssl_cert => $tls_certfile,
+ ssl_key => $tls_keyfile,
+ # TODO: The following are temporary and will be passed via t-h-t
+ ssl => $enable_internal_tls,
+ servername => hiera("fqdn_${heat_api_cloudwatch_network}"),
+ bind_host => hiera('heat::api_cloudwatch::bind_host'),
+ }
}
}
Code Review / apex-puppet-tripleo.git / commitdiff