path: root/puppet/services/apache.yaml
Age | Commit message | Author | Files | Lines
2017-05-17 | TLS-everywhere: Configure CA for apache | Juan Antonio Osorio Robles | 1 | -0/+6
This tells apache which CA certificate was used to sign the certs it's using. This setting is useful in case we want to enable OCSP stapling or client authentication via TLS.
Change-Id: I97a7e5332aea8377c7662ca98beb71ed5e236640
2017-05-17 | Only set apache certificates if TLS everywhere is enabled | Juan Antonio Osorio Robles | 1 | -15/+18
The Apache certs were being set even if TLS everywhere isn't enabled. This fixes that.
Change-Id: If143d1fdeb0102a1c13441f89acaa73af24bf48f
2017-05-15 | Add role specific information to the service template | Saravanan KR | 1 | -0/+8
When a service is enabled on multiple roles, the parameters for the service will be global. This change enables an option to provide role specific parameters to services and other templates. Two new parameters - RoleName and RoleParameters, are added to the service template. RoleName provides the role name on which the current instance of the service is being applied. RoleParameters provides the list of parameters which are configured specific to the role in the environment file, like below:
    parameter_defaults:
      # Default value applied to all roles
      NovaReservedHostMemory: 2048
      ComputeDpdkParameters:
        # Applied only to ComputeDpdk role
        NovaReservedHostMemory: 4096
In the above sample, the cluster contains 2 roles - Compute, ComputeDpdk. The values of ComputeDpdkParameters will be passed on to the templates as RoleParameters while creating the stack for ComputeDpdk role. The parameter which supports role specific configuration, should find the parameter first in the RoleParameters list, if not found, then the default (for all roles) should be used.
Implements: blueprint tripleo-derive-parameters
Change-Id: I72376a803ec6b2ed93903cc0c95a6ffce718b6dc
2017-04-27 | Merge "Disable default vhost for apache" | Jenkins | 1 | -0/+1
2017-04-27 | Disable default vhost for apache | Bogdan Dobrelya | 1 | -0/+1
It is required for hybrid deployments when WSGI based services are running both at host and in containers, without conflicting default ports.
Partial-bug: #1686637
Co-authored-by: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Change-Id: I9d0a5bb32337a6a8f1a4036f9560df79dfe1d90a
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2017-04-26 | upgrades: deploy mod_ssl when upgrading apache | Emilien Macchi | 1 | -0/+3
1) When Apache is upgraded, install mod_ssl rpm. See https://bugs.launchpad.net/tripleo/+bug/1682448 to understand why we need mod_ssl.
2) All services that run Apache for API will use the snippet from Apache service to deploy mod_ssl, so we don't duplicate the code in all services. It's using the same mechanism as ovs upgrade to compile upgrade_tasks between both services.
Change-Id: Ia2f6fea45c2c09790c49baab19b1efcab25e9a84
Closes-Bug: #1686503
2017-04-11 | Change the directory for httpd certs/keys to be service-specific | Juan Antonio Osorio Robles | 1 | -2/+4
This moves the directories containing the certs/keys for httpd one step further inside the hierarchy. This way we will be able to bind-mount this certificate into the container without bind-mounting any other certs/keys from other services.
bp tls-via-certmonger-containers
Change-Id: Ibe6e66ae4589b9eab7db330dd8b178e0f8775639
Depends-On: I0b71902358b754fa8bd7fdbb213479503c87aa46
2017-03-27 | Apache: Use conditional instead of nested stack for TLS-specific bits | Juan Antonio Osorio Robles | 1 | -5/+39
Usually a nested stack is used that contains the TLS-everywhere bits (config_settings and metadata_settings). Nested stacks are very resource intensive. So, instead of using nested stacks, this patch changes that to use a conditional, and output the necessary config_settings and metadata_settings this way in an attempt to save resources.
Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
2017-03-01 | upgrades/validation: only run validation when services exist | Emilien Macchi | 1 | -0/+6
During upgrades, validation tests if a service is running before the upgrade process starts. In some cases, services don't exist yet so we don't want to run the validation. This patch makes sure we check if the service is actually present on the system before validating it's running correctly. Also it makes sure that services are enabled before trying to stop them. It allows use-cases where we want to add new services during an upgrade. Also install new packages of services added in Ocata, so we can validate upgrades on scenarios jobs.
Change-Id: Ib48fb6b1557be43956557cbde4cbe26b53a50bd8
2017-01-27 | Adds a pre-upgrade check that service is running (step0) | marios | 1 | -0/+4
Adds a step0 for most services to check that the state is running before continuing with any of the other upgrade steps (these are tagged step0). You can skip this service check by overriding the SkipUpgradeConfigTags parameter as follows:
    parameter_defaults:
      SkipUpgradeConfigTags: validation
Co-Authored-By: Steven Hardy <shardy@redhat.com>
Change-Id: Ie276f153015f671b720b6ed5beaac1b921661909
2017-01-25 | Add metadata settings for needed kerberos principals | Juan Antonio Osorio Robles | 1 | -0/+2
These are only used for TLS-everywhere, and fill up the kerberos principals that will need to be created for the certs used by the overcloud. With this, the metadata hook will format these principals correctly and will further pass them on to the nova metadata service, where they can be used if there's a plugin enabled.
bp tls-via-certmonger
bp novajoin
Change-Id: I873094bb69200052febda629fda698a7a782c031
2016-12-23 | Bump template version for all templates to "ocata" | Steven Hardy | 1 | -1/+1
Heat now supports release name aliases, so we can replace the inconsistent mix of date related versions with one consistent version that aligns with the supported version of heat for this t-h-t branch. This should also help new users who sometimes copy/paste old templates and discover intrinsic functions in the t-h-t docs don't work because their template version is too old.
Change-Id: Ib415e7290fea27447460baa280291492df197e54
2016-10-20 | Generate internal TLS hieradata for apache services | Juan Antonio Osorio Robles | 1 | -16/+30
This adds an environment file that can be used to enable TLS in the internal endpoints via certmonger if used. This will include a nested stack that will create the hash that will be used to create the certmonger certificates. When setting up a service over apache via puppet, we used to disable explicitly ssl (which sets mod_ssl-related fields for that vhost). We now make this depend on the EnableInternalTLS flag. This has only been done for keystone, but more services will be added as the puppet code lands.
bp tls-via-certmonger
Depends-On: I303f6cf47859284785c0cdc65284a7eb89a4e039
Change-Id: I12e794f2d4076be9505dabfe456c1ca6cfbd359c
2016-09-21 | Provide for RAM-constrained environments | Jiri Stransky | 1 | -0/+10
We hit problems in environments which don't have a lot of RAM (e.g. dev envs, could be also CI) that Apache ate too much memory due to too many worker processes being spawned. This commit allows customizing the Apache MaxRequestWorkers and ServerLimit directives via Heat parameters. The default stays 256 as that's the default in the Puppet module, to be suited for production environments with powerful machines. Also low-memory-usage.yaml environment file is added, which can be used to make dev/test/CI overclouds less memory hungry, where the limits are now set to 32.
Change-Id: Ibcf1d9c3326df8bb5b380066166c4ae3c4bf8d96
Co-Authored-By: Carlos Camacho <ccamacho@redhat.com>
Closes-Bug: #1619205
2016-08-30 | apache: Remove product informations | Dimitri Savineau | 1 | -0/+2
By default, the httpd version and the OS type are described in the HTTP header 'Server'.
    Server: Apache/2.4.6 (Red Hat Enterprise Linux)
This patch allows to remove the specific information related to the httpd server and the OS.
Change-Id: Ib608919102bc6b2c7619a522ae1262729dc7a91e
2016-08-30 | Mv Nova, Neutron, Horizon out of controller.yaml | Dan Prince | 1 | -0/+40
This patch moves the settings for Nova, Neutron, and Horizon out of controller.yaml. Also fixes the NovaPassword settings in nova-base.yaml so they don't use get_input. Also, creates a new apache.yaml base service to contain shared apache settings for several services which use Apache for WSGI.
Co-Authored-By: Giulio Fidente <gfidente@redhat.com>
Change-Id: I35d909bd5abc23976b5732a2b9af31cf1448838e
Related-bug: #1604414