docker/internal TLS: spawn extra container for glance API's TLS proxy

This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of glance-api.

bp tls-via-certmonger-containers

Change-Id: If902ac732479832b9aa3e4a8d063b5be68a42a9b

docker/services/glance-api.yaml

@@ -26,6 +26,13 @@ parameters:
   DefaultPasswords:
     default: {}
     type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
@@ -63,6 +70,8 @@ outputs:
       kolla_config:
         /var/lib/kolla/config_files/glance-api.json:
           command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf
+        /var/lib/kolla/config_files/glance_api_tls_proxy.json:
+          command: /usr/sbin/httpd -DFOREGROUND
       docker_config:
         # Kolla_bootstrap/db_sync runs before permissions set by kolla_config
         step_3:
@@ -91,15 +100,35 @@ outputs:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
         step_4:
-          glance_api:
-            start_order: 2
-            image: *glance_image
-            net: host
-            privileged: false
-            restart: always
-            volumes: *glance_volumes
-            environment:
-              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+          map_merge:
+            - glance_api:
+                start_order: 2
+                image: *glance_image
+                net: host
+                privileged: false
+                restart: always
+                volumes: *glance_volumes
+                environment:
+                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+            - if:
+                - internal_tls_enabled
+                - glance_api_tls_proxy:
+                    start_order: 2
+                    image: *glance_image
+                    net: host
+                    user: root
+                    restart: always
+                    volumes:
+                      list_concat:
+                        - {get_attr: [ContainersCommon, volumes]}
+                        -
+                          - /var/lib/kolla/config_files/glance_api_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+                          - /var/lib/config-data/glance_api/etc/httpd/:/etc/httpd/:ro
+                          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                    environment:
+                      - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+                - {}
       host_prep_tasks:
         - name: create persistent logs directory
           file:

environments/docker-services-tls-everywhere.yaml

@@ -12,6 +12,7 @@ resource_registry:
   OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml
   OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml
   OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml
+  OS::TripleO::Services::GlanceApi: ../docker/services/glance-api.yaml
   OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml
   OS::TripleO::Services::GnocchiMetricd: ../docker/services/gnocchi-metricd.yaml
   OS::TripleO::Services::GnocchiStatsd: ../docker/services/gnocchi-statsd.yaml
@@ -21,8 +22,8 @@ resource_registry:
   OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
   OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
   OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
-  OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
   OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
+  OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
 
   OS::TripleO::PostDeploySteps: ../docker/post.yaml
   OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml