author | Jenkins <jenkins@review.openstack.org> | 2016-10-13 11:41:20 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2016-10-13 11:41:20 +0000 |
commit | a3f9cf1314ae2d29ba68c012069dcc2b2431aa05 (patch) | |
tree | 0393d112c2ffc8ce70a621944a3475f38cd6ecf9 /puppet/services/haproxy-internal-tls-certmonger.yaml | |
parent | 3c438851e73489e03e7fd0e54ce700f5c8953ce3 (diff) | |
parent | 9bf37e06b53a1f621eb4fee314a57d2d4a17c644 (diff) |
Merge "Add HAProxy TLS handled by certmonger as composable service"
Diffstat (limited to 'puppet/services/haproxy-internal-tls-certmonger.yaml')
-rw-r--r-- | puppet/services/haproxy-internal-tls-certmonger.yaml | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml
new file mode 100644
index 00000000..c6d53542
--- /dev/null
+++ b/puppet/services/haproxy-internal-tls-certmonger.yaml
@@ -0,0 +1,51 @@
+heat_template_version: 2016-10-14
+
+description: >
+ HAProxy deployment with TLS enabled, powered by certmonger
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+outputs:
+ role_data:
+ description: Role data for the HAProxy internal TLS via certmonger role.
+ value:
+ service_name: haproxy_internal_tls_certmonger
+ config_settings:
+ generate_service_certificates: true
+ tripleo::haproxy::use_internal_certificates: true
+ certificates_specs:
+ map_merge:
+ repeat:
+ template:
+ haproxy-NETWORK:
+ service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem'
+ service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt'
+ service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key'
+ hostname: "%{hiera('cloud_name_NETWORK')}"
+ postsave_cmd: "" # TODO
+ principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
+ for_each:
+ NETWORK:
+ # NOTE(jaosorior) Get unique network names to create
+ # certificates for those. We skip the tenant network since
+ # we don't need a certificate for that, and the external
+ # network will be handled in another template.
+ yaql:
+ expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+ data:
+ map:
+ get_param: ServiceNetMap |
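Review bot: `postsave_cmd: "" # TODO` in the `haproxy-NETWORK` certificate spec leaves certmonger with nothing to run after it renews a certificate, so a renewed cert and key land on disk but the `service_pem` bundle is not rebuilt and HAProxy is not reloaded; the listener keeps serving the old certificate until it expires, which turns routine renewal into an outage in a long-lived deployment. Until a real hook exists, the TODO should at least say what is missing, e.g. `# TODO: set postsave_cmd to regenerate service_pem and reload haproxy on renewal; until then renewed certs are not picked up`. Separately, `service_pem` is placed under `/etc/pki/tls/certs/` while `service_key` goes under `/etc/pki/tls/private/`; if the bundle presumably contains the private key, the code that assembles it (outside this template) should write it with owner-only permissions, which is worth confirming in the consumer of `certificates_specs`. The `hostname` and `principal` values also depend on a `cloud_name_NETWORK` hiera key existing for every network produced by the yaql expression; a missing key would yield an empty hostname, so confirm the lookup cannot silently resolve to nothing.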