docker/internal TLS: spawn extra container for neutron server's TLS proxy

This spawns an extra container that runs httpd to run the TLS proxy that will go in front of neutron server. bp tls-via-certmonger-containers Change-Id: I2529d78e889835f48c51e12d28ecd7c48739b02b
2017-05-12 08:44:47 +00:00 · 2017-05-12 08:44:47 +00:00 · a37debd3df
commit a37debd3df
parent 563a900be0
2 changed files with 49 additions and 14 deletions
--- a/docker/services/neutron-api.yaml
+++ b/docker/services/neutron-api.yaml
@ -39,6 +39,13 @@ parameters:
    default: {}
    description: Parameters specific to the role
    type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}

 resources:

@ -81,6 +88,8 @@ outputs:
            - path: /var/log/neutron
              owner: neutron:neutron
              recurse: true
+        /var/lib/kolla/config_files/neutron_server_tls_proxy.json:
+          command: /usr/sbin/httpd -DFOREGROUND
      docker_config:
        # db sync runs before permissions set by kolla_config
        step_3:
@ -113,20 +122,39 @@ outputs:
                  - /var/log/containers/neutron:/var/log/neutron
            command: ['neutron-db-manage', 'upgrade', 'heads']
        step_4:
-          neutron_api:
-            image: *neutron_api_image
-            net: host
-            privileged: false
-            restart: always
-            volumes:
-              list_concat:
-                - {get_attr: [ContainersCommon, volumes]}
-                -
-                  - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
-                  - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro
-                  - /var/log/containers/neutron:/var/log/neutron
-            environment:
-              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+          map_merge:
+            - neutron_api:
+                image: *neutron_api_image
+                net: host
+                privileged: false
+                restart: always
+                volumes:
+                  list_concat:
+                    - {get_attr: [ContainersCommon, volumes]}
+                    -
+                      - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
+                      - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro
+                      - /var/log/containers/neutron:/var/log/neutron
+                environment:
+                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+            - if:
+                - internal_tls_enabled
+                - neutron_server_tls_proxy:
+                    image: *neutron_api_image
+                    net: host
+                    user: root
+                    restart: always
+                    volumes:
+                      list_concat:
+                        - {get_attr: [ContainersCommon, volumes]}
+                        -
+                          - /var/lib/kolla/config_files/neutron_server_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+                          - /var/lib/config-data/neutron/etc/httpd/:/etc/httpd/:ro
+                          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                    environment:
+                      - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+                - {}
      host_prep_tasks:
        - name: create persistent logs directory
          file:
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@ -12,6 +12,7 @@ resource_registry:
  OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml
  OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml
  OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml
+  OS::TripleO::Services::ComputeNeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
  OS::TripleO::Services::GlanceApi: ../docker/services/glance-api.yaml
  OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml
  OS::TripleO::Services::GnocchiMetricd: ../docker/services/gnocchi-metricd.yaml
@ -20,6 +21,12 @@ resource_registry:
  OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml
  OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
  OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+  OS::TripleO::Services::NeutronApi: ../docker/services/neutron-api.yaml
+  OS::TripleO::Services::NeutronCorePlugin: ../docker/services/neutron-plugin-ml2.yaml
+  OS::TripleO::Services::NeutronDhcpAgent: ../docker/services/neutron-dhcp.yaml
+  OS::TripleO::Services::NeutronL3Agent: ../docker/services/neutron-l3.yaml
+  OS::TripleO::Services::NeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
+  OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml
  OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
  OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
  OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml