blob: 1866bb97b95deda8f5733a561ed0813e9889dc69 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
|
heat_template_version: pike
description: >
HAProxy deployment with TLS enabled, powered by certmonger
parameters:
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
resources:
HAProxyNetworks:
type: OS::Heat::Value
properties:
value:
# NOTE(jaosorior) Get unique network names to create
# certificates for those. We skip the tenant network since
# we don't need a certificate for that, and the external
# network will be handled in another template.
yaql:
expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant)
data:
map:
get_param: ServiceNetMap
outputs:
role_data:
description: Role data for the HAProxy internal TLS via certmonger role.
value:
service_name: haproxy_internal_tls_certmonger
config_settings:
generate_service_certificates: true
tripleo::haproxy::use_internal_certificates: true
certificates_specs:
map_merge:
repeat:
template:
haproxy-NETWORK:
service_pem: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.pem'
service_certificate: '/etc/pki/tls/certs/overcloud-haproxy-NETWORK.crt'
service_key: '/etc/pki/tls/private/overcloud-haproxy-NETWORK.key'
hostname: "%{hiera('cloud_name_NETWORK')}"
postsave_cmd: "" # TODO
principal: "haproxy/%{hiera('cloud_name_NETWORK')}"
for_each:
NETWORK: {get_attr: [HAProxyNetworks, value]}
metadata_settings:
repeat:
template:
- service: haproxy
network: $NETWORK
type: vip
for_each:
$NETWORK: {get_attr: [HAProxyNetworks, value]}
|
