summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-03-24 12:52:40 +0200
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-04-12 09:45:17 +0000
commitdd43ba1cf2dc59156684c9598103f898a6f0bb5b (patch)
tree1eaf5fd3ffdadf897da009bcac846e3fb5be96a1
parent39f63c5efa2dd2eef139ac7719ded18f7fd8b94c (diff)
Bind mount directories that contain the key/certs for keystone
This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd. Which is the commit this is on top of. Also, an environment file was added that's similar to environments/docker.yaml. The difference is that this one will contain the services that can run containerized with TLS-everywhere. This file will be updated as more services get support for this. bp tls-via-certmonger-containers Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78
-rw-r--r--docker/services/keystone.yaml17
-rw-r--r--environments/docker-services-tls-everywhere.yaml28
2 files changed, 45 insertions, 0 deletions
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 90ddeb9f..526a357b 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -36,6 +36,9 @@ parameters:
default: 'fernet'
constraints:
- allowed_values: ['uuid', 'fernet']
+ EnableInternalTLS:
+ type: boolean
+ default: false
resources:
@@ -46,6 +49,10 @@ resources:
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
outputs:
role_data:
description: Role data for the Keystone API role.
@@ -96,6 +103,16 @@ outputs:
- /etc/hosts:/etc/hosts:ro
- /etc/localtime:/etc/localtime:ro
- logs:/var/log
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+ - ''
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+ - ''
environment:
- KOLLA_BOOTSTRAP=True
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
new file mode 100644
index 00000000..ec39951b
--- /dev/null
+++ b/environments/docker-services-tls-everywhere.yaml
@@ -0,0 +1,28 @@
+# This environment contains the services that can work with TLS-everywhere.
+resource_registry:
+ # This can be used when you don't want to run puppet on the host,
+ # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker
+ # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+ OS::TripleO::Services::Docker: ../puppet/services/docker.yaml
+ # The compute node still needs extra initialization steps
+ OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+
+ # NOTE: add roles to be docker enabled as we support them.
+ OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+
+ OS::TripleO::PostDeploySteps: ../docker/post.yaml
+ OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml
+
+ OS::TripleO::Services: ../docker/services/services.yaml
+
+parameter_defaults:
+ # Defaults to 'tripleoupstream'. Specify a local docker registry
+ # Example: 192.168.24.1:8787/tripleoupstream
+ DockerNamespace: tripleoupstream
+ DockerNamespaceIsRegistry: false
+
+ ComputeServices:
+ - OS::TripleO::Services::NovaCompute
+ - OS::TripleO::Services::NovaLibvirt
+ - OS::TripleO::Services::ComputeNeutronOvsAgent
+ - OS::TripleO::Services::Docker