Merge "Bind mount directories that contain the key/certs for keystone"

docker/services/keystone.yaml

@@ -36,6 +36,9 @@ parameters:
     default: 'fernet'
     constraints:
       - allowed_values: ['uuid', 'fernet']
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 resources:
 
@@ -46,6 +49,10 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
 
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
   role_data:
     description: Role data for the Keystone API role.
@@ -96,6 +103,16 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - logs:/var/log
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                  - ''
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                  - ''
             environment:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS

environments/docker-services-tls-everywhere.yaml

@@ -0,0 +1,28 @@
+# This environment contains the services that can work with TLS-everywhere.
+resource_registry:
+  # This can be used when you don't want to run puppet on the host,
+  # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker
+  # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+  OS::TripleO::Services::Docker: ../puppet/services/docker.yaml
+  # The compute node still needs extra initialization steps
+  OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+
+  # NOTE: add roles to be docker enabled as we support them.
+  OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+
+  OS::TripleO::PostDeploySteps: ../docker/post.yaml
+  OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml
+
+  OS::TripleO::Services: ../docker/services/services.yaml
+
+parameter_defaults:
+  # Defaults to 'tripleoupstream'.  Specify a local docker registry
+  # Example: 192.168.24.1:8787/tripleoupstream
+  DockerNamespace: tripleoupstream
+  DockerNamespaceIsRegistry: false
+
+  ComputeServices:
+    - OS::TripleO::Services::NovaCompute
+    - OS::TripleO::Services::NovaLibvirt
+    - OS::TripleO::Services::ComputeNeutronOvsAgent
+    - OS::TripleO::Services::Docker