openstack/tripleo-heat-templates
Code Issues Proposed changes
8a03456056
tripleo-heat-templates/docker/services/nova-placement.yaml
Juan Antonio Osorio Robles 9d630f8179 Enable TLS for nova api and placement containers 
With these two services running over httpd in the containers, we can now
enable TLS for them.

bp tls-via-certmonger-containers

Change-Id: Ib8fc37a391e3b32feef0ac6492492c0088866d21
2017-08-11 05:00:02 +00:00

137 lines
4.5 KiB
YAML
Raw Blame History

heat_template_version: pike
description: >
OpenStack containerized Nova Placement API service
parameters:
DockerNovaPlacementImage:
description: image
type: string
DockerNovaPlacementConfigImage:
description: The container image to use for the nova_placement config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ContainersCommon:
type: ./containers-common.yaml
MySQLClient:
type: ../../puppet/services/database/mysql-client.yaml
NovaPlacementBase:
type: ../../puppet/services/nova-placement.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
outputs:
role_data:
description: Role data for the Nova Placement API role.
value:
service_name: {get_attr: [NovaPlacementBase, role_data, service_name]}
config_settings:
map_merge:
- get_attr: [NovaPlacementBase, role_data, config_settings]
- apache::default_vhost: false
step_config: &step_config
list_join:
- "\n"
- - {get_attr: [NovaPlacementBase, role_data, step_config]}
- {get_attr: [MySQLClient, role_data, step_config]}
service_config_settings: {get_attr: [NovaPlacementBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: nova_placement
puppet_tags: nova_config
step_config: *step_config
config_image: {get_param: DockerNovaPlacementConfigImage}
kolla_config:
/var/lib/kolla/config_files/nova_placement.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/nova
owner: nova:nova
recurse: true
docker_config:
# start this early so it is up before computes start reporting
step_3:
nova_placement:
start_order: 1
image: {get_param: DockerNovaPlacementImage}
net: host
user: root
restart: always
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
-
- /var/lib/kolla/config_files/nova_placement.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova_placement/:/var/lib/kolla/config_files/src:ro
- /var/log/containers/nova:/var/log/nova
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
- ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [NovaPlacementBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent logs directory
file:
path: /var/log/containers/nova
state: directory
upgrade_tasks:
- name: Stop and disable nova_placement service (running under httpd)
tags: step2
service: name=httpd state=stopped enabled=no
View Git Blame Copy Permalink