Change flat network name for nosdn fdio scenario
[apex-tripleo-heat-templates.git] / puppet / services / haproxy-internal-tls-certmonger.yaml
heat_template_version: pike

description: >
  HAProxy deployment with TLS enabled, powered by certmonger

# Of the parameters declared here, this template only reads ServiceNetMap and
# the two HAProxyInternalTLS*Directory values; the others are declared but
# never referenced in the resources or outputs sections.
# NOTE(review): presumably they are kept for a shared service-template
# interface -- confirm against the caller.
parameters:
  ServiceData:
    type: json
    default: {}
    description: Dictionary packing service data
  # Source of the network names that certificates are requested for.
  ServiceNetMap:
    type: json
    default: {}
    description: >-
      Mapping of service_name -> network name. Typically set
      via parameter_defaults in the resource registry.  This
      mapping overrides those in ServiceNetMapDefaults.
  DefaultPasswords:
    type: json
    default: {}
  RoleName:
    type: string
    default: ''
    description: Role name on which the service is applied
  RoleParameters:
    type: json
    default: {}
    description: Parameters specific to the role
  EndpointMap:
    type: json
    default: {}
    description: >-
      Mapping of service endpoint -> protocol. Typically set
      via parameter_defaults in the resource registry.
  # Base path for the per-network .crt and .pem files built in outputs.
  HAProxyInternalTLSCertsDirectory:
    type: string
    default: '/etc/pki/tls/certs/haproxy'
  # Base path for the per-network .key files built in outputs. Nothing in
  # this template sets an owner or mode on the directory.
  # NOTE(review): confirm that the consumer of these settings restricts
  # access to it, including when an operator overrides the default.
  HAProxyInternalTLSKeysDirectory:
    type: string
    default: '/etc/pki/tls/private/haproxy'
39
resources:

  # Holds the list of networks that get their own HAProxy certificate; the
  # outputs section iterates over this value twice.
  HAProxyNetworks:
    type: OS::Heat::Value
    properties:
      value:
        # NOTE(jaosorior) Get unique network names to create
        # certificates for those. We skip the tenant network since
        # we don't need a certificate for that, and the external
        # network will be handled in another template.
        #
        # The expression takes the value side of every ServiceNetMap entry,
        # de-duplicates the result and drops the two excluded names. Any
        # other network name present in ServiceNetMap therefore ends up with
        # a certificate request.
        yaql:
          data:
            map:
              get_param: ServiceNetMap
          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
55
outputs:
  role_data:
    description: Role data for the HAProxy internal TLS via certmonger role.
    value:
      service_name: haproxy_internal_tls_certmonger
      # Settings handed to the configuration layer: two feature switches plus
      # the certificate and key directories taken from the parameters.
      config_settings:
        generate_service_certificates: true
        tripleo::haproxy::use_internal_certificates: true
        tripleo::certmonger::haproxy_dirs::certificate_dir:
          get_param: HAProxyInternalTLSCertsDirectory
        tripleo::certmonger::haproxy_dirs::key_dir:
          get_param: HAProxyInternalTLSKeysDirectory
      # One "haproxy-<network>" entry per network from HAProxyNetworks.
      # repeat substitutes the literal text NETWORK in keys and values, and
      # map_merge folds the resulting single-key maps into one mapping.
      certificates_specs:
        map_merge:
          repeat:
            for_each:
              NETWORK:
                get_attr: [HAProxyNetworks, value]
            template:
              haproxy-NETWORK:
                # NOTE(review): the .pem path sits under the certificates
                # directory, not the keys directory. If the consumer writes a
                # combined certificate-plus-key bundle there, that directory
                # holds key material and needs the same access restrictions
                # as the keys directory -- confirm.
                service_pem:
                  list_join:
                    - ''
                    - - get_param: HAProxyInternalTLSCertsDirectory
                      - '/overcloud-haproxy-NETWORK.pem'
                service_certificate:
                  list_join:
                    - ''
                    - - get_param: HAProxyInternalTLSCertsDirectory
                      - '/overcloud-haproxy-NETWORK.crt'
                service_key:
                  list_join:
                    - ''
                    - - get_param: HAProxyInternalTLSKeysDirectory
                      - '/overcloud-haproxy-NETWORK.key'
                # The %{hiera(...)} lookups are left as text by Heat; only the
                # NETWORK part is filled in here. The requested hostname and
                # principal thus depend on the cloud_name_<network> hiera
                # value at configuration time.
                hostname: "%{hiera('cloud_name_NETWORK')}"
                principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
      # One {service, network, type} record per network; this section uses
      # $NETWORK as its placeholder rather than the bare NETWORK used above.
      metadata_settings:
        repeat:
          for_each:
            $NETWORK:
              get_attr: [HAProxyNetworks, value]
          template:
            - service: haproxy
              network: $NETWORK
              type: vip