Change flat network name for nosdn fdio scenario
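heat_template_version: pike

description: >
  Apache service configured with Puppet. Note this is typically included
  automatically via other services which run via Apache.

parameters:
  ApacheMaxRequestWorkers:
    default: 256
    description: Maximum number of simultaneously processed requests.
    type: number
  ApacheServerLimit:
    default: 256
    description: Maximum number of Apache processes.
    type: number
  ServiceData:
    default: {}
    description: Dictionary packing service data
    type: json
  ServiceNetMap:
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry.  This
      mapping overrides those in ServiceNetMapDefaults.
    type: json
  DefaultPasswords:
    default: {}
    type: json
  RoleName:
    default: ''
    description: Role name on which the service is applied
    type: string
  RoleParameters:
    default: {}
    description: Parameters specific to the role
    type: json
  EndpointMap:
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
    type: json
  EnableInternalTLS:
    type: boolean
    default: false
  InternalTLSCAFile:
    default: '/etc/ipa/ca.crt'
    type: string
    description: >-
      Specifies the default CA cert to use if TLS is used for
      services in the internal network.

conditions:

  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

resources:

  ApacheNetworks:
    type: OS::Heat::Value
    properties:
      value:
        # NOTE(jaosorior) Get unique network names to create
        # certificates for those. We skip the tenant network since
        # we don't need a certificate for that, and the external
        # is for HAProxy so it isn't used for apache either.
        yaql:
          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
          data:
            map:
              get_param: ServiceNetMap

outputs:
  role_data:
    description: Role data for the Apache role.
    value:
      service_name: apache
      config_settings:
        map_merge:
          -
            # The ServiceNetMap entry is a network name; the hieradata layer
            # resolves it to the node's address on that network. Replacement
            # examples (eg. for internal_api):
            # internal_api -> IP
            # internal_api_uri -> [IP]
            # internal_api_subnet -> IP/CIDR
            apache::ip: {get_param: [ServiceNetMap, ApacheNetwork]}
            apache::default_vhost: false
            # Quoted on purpose: unquoted, YAML would read Off as the boolean
            # false. Both values are passed through as Apache directive values.
            apache::server_signature: 'Off'
            apache::server_tokens: 'Prod'
            # Expands to "<network>_subnet" (eg. internal_api_subnet) and is
            # looked up via hiera for the remoteip proxy list below.
            apache_remote_proxy_ips_network:
              str_replace:
                template: "NETWORK_subnet"
                params:
                  NETWORK: {get_param: [ServiceNetMap, ApacheNetwork]}
            apache::mod::prefork::maxclients: {get_param: ApacheMaxRequestWorkers}
            apache::mod::prefork::serverlimit: {get_param: ApacheServerLimit}
            # Every host in the ApacheNetwork subnet is treated as a trusted
            # proxy by mod_remoteip, i.e. its forwarded client address is
            # honoured. That subnet should therefore only carry the HAProxy
            # and internal API hosts.
            apache::mod::remoteip::proxy_ips:
              - "%{hiera('apache_remote_proxy_ips_network')}"
          - if:
              - internal_tls_enabled
              -
                generate_service_certificates: true
                apache::mod::ssl::ssl_ca: {get_param: InternalTLSCAFile}
                tripleo::certmonger::apache_dirs::certificate_dir: '/etc/pki/tls/certs/httpd'
                tripleo::certmonger::apache_dirs::key_dir: '/etc/pki/tls/private/httpd'
                # One certificate spec per network listed by ApacheNetworks;
                # NETWORK is substituted into the key, the file paths, the
                # hostname and the Kerberos principal.
                apache_certificates_specs:
                  map_merge:
                    repeat:
                      template:
                        httpd-NETWORK:
                          service_certificate: '/etc/pki/tls/certs/httpd/httpd-NETWORK.crt'
                          service_key: '/etc/pki/tls/private/httpd/httpd-NETWORK.key'
                          hostname: "%{hiera('fqdn_NETWORK')}"
                          principal: "HTTP/%{hiera('fqdn_NETWORK')}"
                      for_each:
                        NETWORK: {get_attr: [ApacheNetworks, value]}
              - {}
      # Only emitted with internal TLS: one HTTP service entry per network so
      # the node's certificates get requested for each of them.
      metadata_settings:
        if:
          - internal_tls_enabled
          -
            repeat:
              template:
                - service: HTTP
                  network: $NETWORK
                  type: node
              for_each:
                $NETWORK: {get_attr: [ApacheNetworks, value]}
          - null
      upgrade_tasks:
        - name: Check if httpd is deployed
          command: systemctl is-enabled httpd
          tags: common
          # A non-zero rc only means httpd is not enabled; the registered
          # result gates the validation task that follows.
          ignore_errors: true
          register: httpd_enabled
        - name: "PreUpgrade step0,validation: Check service httpd is running"
          shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'
          when: httpd_enabled.rc == 0
          tags: step0,validation
        - name: Ensure mod_ssl package is installed
          tags: step3
          yum:
            name: mod_ssl
            state: latest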