Merge "Bind mount directories that contain the key/certs for keystone"

2017-04-12 14:18:57 +00:00 · 2017-04-12 14:18:57 +00:00 · 4df0fcdffb
commit 4df0fcdffb
parent 9584d5955c dd43ba1cf2
2 changed files with 45 additions and 0 deletions
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@ -36,6 +36,9 @@ parameters:
    default: 'fernet'
    constraints:
      - allowed_values: ['uuid', 'fernet']
+  EnableInternalTLS:
+    type: boolean
+    default: false

 resources:

@ -46,6 +49,10 @@ resources:
      ServiceNetMap: {get_param: ServiceNetMap}
      DefaultPasswords: {get_param: DefaultPasswords}

+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
  role_data:
    description: Role data for the Keystone API role.
@ -96,6 +103,16 @@ outputs:
              - /etc/hosts:/etc/hosts:ro
              - /etc/localtime:/etc/localtime:ro
              - logs:/var/log
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                  - ''
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                  - ''
            environment:
              - KOLLA_BOOTSTRAP=True
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@ -0,0 +1,28 @@
+# This environment contains the services that can work with TLS-everywhere.
+resource_registry:
+  # This can be used when you don't want to run puppet on the host,
+  # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker
+  # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+  OS::TripleO::Services::Docker: ../puppet/services/docker.yaml
+  # The compute node still needs extra initialization steps
+  OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+
+  # NOTE: add roles to be docker enabled as we support them.
+  OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+
+  OS::TripleO::PostDeploySteps: ../docker/post.yaml
+  OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml
+
+  OS::TripleO::Services: ../docker/services/services.yaml
+
+parameter_defaults:
+  # Defaults to 'tripleoupstream'.  Specify a local docker registry
+  # Example: 192.168.24.1:8787/tripleoupstream
+  DockerNamespace: tripleoupstream
+  DockerNamespaceIsRegistry: false
+
+  ComputeServices:
+    - OS::TripleO::Services::NovaCompute
+    - OS::TripleO::Services::NovaLibvirt
+    - OS::TripleO::Services::ComputeNeutronOvsAgent
+    - OS::TripleO::Services::Docker