heat_template_version: rocky description: > Contains a static list of common things necessary for containers parameters: # Required parameters EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EnableInternalTLS: type: boolean default: false InternalTLSCAFile: default: '/etc/ipa/ca.crt' type: string description: Specifies the default CA cert to use if TLS is used for services in the internal network. conditions: internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: docker_config_scripts: description: Shared docker config scripts value: docker_puppet_apply.sh: mode: "0700" content: | #!/bin/bash set -eux STEP=$1 TAGS=$2 CONFIG=$3 EXTRA_ARGS=${4:-''} if [ -d /tmp/puppet-etc ]; then # ignore copy failures as these may be the same file depending on docker mounts cp -a /tmp/puppet-etc/* /etc/puppet || true fi echo "{\"step\": ${STEP}}" > /etc/puppet/hieradata/docker_puppet.json # $::deployment_type in puppet-tripleo export FACTER_deployment_type=containers set +e puppet apply $EXTRA_ARGS \ --verbose \ --detailed-exitcodes \ --summarize \ --color=false \ --modulepath /etc/puppet/modules:/opt/stack/puppet-modules:/usr/share/openstack-puppet/modules \ --tags $TAGS \ -e "${CONFIG}" rc=$? set -e set +ux if [ $rc -eq 2 -o $rc -eq 0 ]; then exit 0 fi exit $rc volumes_base: description: Base volume list value: &volumes_base list_concat: - - /etc/hosts:/etc/hosts:ro - /etc/localtime:/etc/localtime:ro # OpenSSL trusted CAs - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro - /etc/pki/ca-trust/source/anchors:/etc/pki/ca-trust/source/anchors:ro - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro # Syslog socket - /dev/log:/dev/log - if: - internal_tls_enabled - - list_join: - ':' - - {get_param: InternalTLSCAFile} - {get_param: InternalTLSCAFile} - 'ro' - null volumes: description: Common volumes for the containers. value: list_concat: - *volumes_base - - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro # required for bootstrap_host_exec - /etc/puppet:/etc/puppet:ro docker_puppet_apply_volumes: description: Common volumes needed to run the docker_puppet_apply.sh from docker_config_scripts value: list_concat: - *volumes_base - - /var/lib/docker-config-scripts/docker_puppet_apply.sh:/docker_puppet_apply.sh:ro # docker_puppet_apply.sh will copy this to /etc/puppet in the container - /etc/puppet:/tmp/puppet-etc:ro - /usr/share/openstack-puppet/modules:/usr/share/openstack-puppet/modules:ro