From e5c72b11292d3d34c4ebc040931a38756cfb78ef Mon Sep 17 00:00:00 2001
From: Tim Rozet
Date: Tue, 6 Feb 2018 11:02:57 -0500
Subject: [PATCH] Fixes SSL/TLS with OpenDaylight docker service
The ODL private key, cert, and CA cert were missing in the puppet container config. These are required during puppet stage in order to create the proper keystores in ODL. The files are not needed during the service bringup time, because the information is built into the keystore created by puppet.
Closes-Bug: 1747700
Change-Id: If548fdba836104412bf20e8e05ecf6a5058aa318
Signed-off-by: Tim Rozet
---
 docker/services/opendaylight-api.yaml | 29 ++++++++++++-------
 .../fix-odl-tls-docker-67b8453a6be7fa58.yaml | 4 +++
 2 files changed, 22 insertions(+), 11 deletions(-)
 create mode 100644 releasenotes/notes/fix-odl-tls-docker-67b8453a6be7fa58.yaml
diff --git a/docker/services/opendaylight-api.yaml b/docker/services/opendaylight-api.yaml
index 3282023b50..0ccf46e8f0 100644
--- a/docker/services/opendaylight-api.yaml
+++ b/docker/services/opendaylight-api.yaml
@@ -39,6 +39,11 @@ parameters:
 EnableInternalTLS:
 type: boolean
 default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
 conditions:
@@ -76,8 +81,20 @@ outputs:
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: opendaylight
+ volumes:
+ list_concat:
+ - if:
+ - internal_tls_enabled
+ - - /etc/pki/tls/certs/odl.crt:/etc/pki/tls/certs/odl.crt:ro
+ - /etc/pki/tls/private/odl.key:/etc/pki/tls/private/odl.key:ro
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - null
 # 'file,concat,file_line,augeas' are included by default
- puppet_tags: odl_user
+ puppet_tags: odl_user,odl_keystore
 step_config:
 get_attr: [OpenDaylightBase, role_data, step_config]
 config_image: {get_param: DockerOpendaylightConfigImage}
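Review bot: The new `volumes` block in the `@@ -76,8 +81,20 @@` hunk mounts `odl.key` into the puppet config container read-only, but nothing in the template records that this is deliberately the only place the TLS material is mounted — the runtime mounts are removed in the later `@@ -114,16 +131,6 @@` hunk, and only the commit message explains that the keystore built by puppet replaces them. A maintainer reading just this template could re-add the runtime mounts or drop these, so a comment above `volumes:` would help, e.g. `# TLS cert/key/CA are only needed while puppet builds the ODL keystore; the service container gets the generated keystore through its config volume instead`. Since that keystore presumably carries the private key and ends up in the puppet-generated config volume rather than under `/etc/pki/tls/private`, it is worth confirming that the `odl_keystore` resource applies a restrictive file mode, which this diff does not show. The enclosing `outputs`/`role_data` mapping starts before the `@@ -39,6 +39,11 @@` hunk and continues past this one.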
@@ -114,16 +131,6 @@ outputs:
 - /var/lib/opendaylight/journal:/opt/opendaylight/journal
 - /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots
 - /var/lib/opendaylight/etc:/opt/opendaylight/etc
- - - if:
- - internal_tls_enabled
- - /etc/pki/tls/certs/odl.crt:/etc/pki/tls/certs/odl.crt:ro
- - ''
- - - if:
- - internal_tls_enabled
- - /etc/pki/tls/private/odl.key:/etc/pki/tls/private/odl.key:ro
- - ''
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
 metadata_settings:
diff --git a/releasenotes/notes/fix-odl-tls-docker-67b8453a6be7fa58.yaml b/releasenotes/notes/fix-odl-tls-docker-67b8453a6be7fa58.yaml
new file mode 100644
index 0000000000..169c23ebfa
--- /dev/null
+++ b/releasenotes/notes/fix-odl-tls-docker-67b8453a6be7fa58.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - |
+ Fixes missing SSL/TLS configuration for OpenDaylight docker deployments.