Browse Source

Merge "Bind mount directories that contain the key/certs for keystone"

changes/14/454314/4
Jenkins 5 years ago
committed by Gerrit Code Review
parent
commit
4df0fcdffb
  1. 17
      docker/services/keystone.yaml
  2. 28
      environments/docker-services-tls-everywhere.yaml

17
docker/services/keystone.yaml

@ -36,6 +36,9 @@ parameters:
default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
EnableInternalTLS:
type: boolean
default: false
resources:
@ -46,6 +49,10 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
description: Role data for the Keystone API role.
@ -96,6 +103,16 @@ outputs:
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- logs:/var/log
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
- KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS

28
environments/docker-services-tls-everywhere.yaml

@ -0,0 +1,28 @@
# This environment contains the services that can work with TLS-everywhere.
resource_registry:
# This can be used when you don't want to run puppet on the host,
# e.g atomic, but it has been replaced with OS::TripleO::Services::Docker
# OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
OS::TripleO::Services::Docker: ../puppet/services/docker.yaml
# The compute node still needs extra initialization steps
OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
# NOTE: add roles to be docker enabled as we support them.
OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
OS::TripleO::PostDeploySteps: ../docker/post.yaml
OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml
OS::TripleO::Services: ../docker/services/services.yaml
parameter_defaults:
# Defaults to 'tripleoupstream'. Specify a local docker registry
# Example: 192.168.24.1:8787/tripleoupstream
DockerNamespace: tripleoupstream
DockerNamespaceIsRegistry: false
ComputeServices:
- OS::TripleO::Services::NovaCompute
- OS::TripleO::Services::NovaLibvirt
- OS::TripleO::Services::ComputeNeutronOvsAgent
- OS::TripleO::Services::Docker
Loading…
Cancel
Save