From 7d0f27980dd60f4274f353fe7594905d1de45b13 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Mon, 27 Mar 2017 13:23:53 +0300
Subject: Apache: Use conditional instead of nested stack for TLS-specific bits

Usually a nested stack is used that contains the TLS-everywhere bits
(config_settings and metadata_settings). Nested stacks are very
resource intensive. So, instead of doing using nested stacks, this patch
changes that to use a conditional, and output the necessary
config_settings  and metadata_settings this way in an attempt to save
resources.

Change-Id: Ia7ee632383542ac012c20448ff1b4435004e57e3
---
 puppet/services/apache.yaml | 44 +++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 39 insertions(+), 5 deletions(-)

(limited to 'puppet/services/apache.yaml')

diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml
index 2d950151..9bd282f8 100644
--- a/puppet/services/apache.yaml
+++ b/puppet/services/apache.yaml
@@ -31,13 +31,25 @@ parameters:
     type: boolean
     default: false
 
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
-  ApacheTLS:
-    type: OS::TripleO::Services::ApacheTLS
+  ApacheNetworks:
+    type: OS::Heat::Value
     properties:
-      ServiceNetMap: {get_param: ServiceNetMap}
+      value:
+        # NOTE(jaosorior) Get unique network names to create
+        # certificates for those. We skip the tenant network since
+        # we don't need a certificate for that, and the external
+        # is for HAProxy so it isn't used for apache either.
+        yaql:
+          expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
+          data:
+            map:
+              get_param: ServiceNetMap
 
 outputs:
   role_data:
@@ -46,7 +58,6 @@ outputs:
       service_name: apache
       config_settings:
         map_merge:
-          - get_attr: [ApacheTLS, role_data, config_settings]
           -
             # for the given network; replacement examples (eg. for internal_api):
             # internal_api -> IP
@@ -64,8 +75,31 @@ outputs:
             apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit }
             apache::mod::remoteip::proxy_ips:
               - "%{hiera('apache_remote_proxy_ips_network')}"
+          -
+            generate_service_certificates: true
+            apache_certificates_specs:
+              map_merge:
+                repeat:
+                  template:
+                    httpd-NETWORK:
+                      service_certificate: '/etc/pki/tls/certs/httpd-NETWORK.crt'
+                      service_key: '/etc/pki/tls/private/httpd-NETWORK.key'
+                      hostname: "%{hiera('fqdn_NETWORK')}"
+                      principal: "HTTP/%{hiera('fqdn_NETWORK')}"
+                  for_each:
+                    NETWORK: {get_attr: [ApacheNetworks, value]}
       metadata_settings:
-        get_attr: [ApacheTLS, role_data, metadata_settings]
+        if:
+          - internal_tls_enabled
+          -
+            repeat:
+              template:
+                - service: HTTP
+                  network: $NETWORK
+                  type: node
+              for_each:
+                $NETWORK: {get_attr: [ApacheNetworks, value]}
+          - null
       upgrade_tasks:
         - name: Check if httpd is deployed
           command: systemctl is-enabled httpd
-- 
cgit 1.2.3-korg