Fixes SSL/TLS with OpenDaylight docker service

The ODL private key, cert, and CA cert were missing in the puppet container config. These are required during puppet stage in order to create the proper keystores in ODL. The files are not needed during the service bringup time, because the information is built into the keystore created by puppet. Closes-Bug: 1747700 Change-Id: If548fdba836104412bf20e8e05ecf6a5058aa318 Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-02-06 11:02:57 -05:00 · 2018-02-06 11:02:57 -05:00 · e5c72b1129
parent bf1678ef46
commit e5c72b1129
2 changed files with 22 additions and 11 deletions
--- a/docker/services/opendaylight-api.yaml
+++ b/docker/services/opendaylight-api.yaml
@ -39,6 +39,11 @@ parameters:
  EnableInternalTLS:
    type: boolean
    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.

 conditions:

@ -76,8 +81,20 @@ outputs:
      # BEGIN DOCKER SETTINGS
      puppet_config:
        config_volume: opendaylight
+        volumes:
+          list_concat:
+          - if:
+            - internal_tls_enabled
+            - - /etc/pki/tls/certs/odl.crt:/etc/pki/tls/certs/odl.crt:ro
+              - /etc/pki/tls/private/odl.key:/etc/pki/tls/private/odl.key:ro
+              - list_join:
+                  - ':'
+                  - - {get_param: InternalTLSCAFile}
+                    - {get_param: InternalTLSCAFile}
+                    - 'ro'
+            - null
        # 'file,concat,file_line,augeas' are included by default
-        puppet_tags: odl_user
+        puppet_tags: odl_user,odl_keystore
        step_config:
          get_attr: [OpenDaylightBase, role_data, step_config]
        config_image: {get_param: DockerOpendaylightConfigImage}
@ -114,16 +131,6 @@ outputs:
                  - /var/lib/opendaylight/journal:/opt/opendaylight/journal
                  - /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots
                  - /var/lib/opendaylight/etc:/opt/opendaylight/etc
-                  -
-                    if:
-                      - internal_tls_enabled
-                      - /etc/pki/tls/certs/odl.crt:/etc/pki/tls/certs/odl.crt:ro
-                      - ''
-                  -
-                    if:
-                      - internal_tls_enabled
-                      - /etc/pki/tls/private/odl.key:/etc/pki/tls/private/odl.key:ro
-                      - ''
            environment:
              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
      metadata_settings:
--- a/releasenotes/notes/fix-odl-tls-docker-67b8453a6be7fa58.yaml
+++ b/releasenotes/notes/fix-odl-tls-docker-67b8453a6be7fa58.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - |
+    Fixes missing SSL/TLS configuration for OpenDaylight docker deployments.