author | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-19 10:58:11 +0000 |
committer | Juan Antonio Osorio Robles <jaosorior@redhat.com> | 2017-04-19 11:04:31 +0000 |
commit | 2fda963fc73c17693669898fcd3ea3a94c1bf841 (patch) | |
tree | 3a575c23177b8e363419a5f50c261720a39f17f4 | |
parent | 56c8f120770b63b5518d3738ed56de626d24eb80 (diff) |
containers: TLS in the internal network for telemetry services
This covers aodh, gnocchi and panko.
cp tls-via-certmonger-containers
Change-Id: I6dabb0d82755c28b8940c0baab0e23cfcc587c42
-rw-r--r-- | docker/services/aodh-api.yaml | 19 | ||||
-rw-r--r-- | docker/services/gnocchi-api.yaml | 19 | ||||
-rw-r--r-- | docker/services/panko-api.yaml | 19 | ||||
-rw-r--r-- | environments/docker-services-tls-everywhere.yaml | 8 |
4 files changed, 65 insertions, 0 deletions
diff --git a/docker/services/aodh-api.yaml b/docker/services/aodh-api.yaml
index 3181fad7..9480ce84 100644
--- a/docker/services/aodh-api.yaml
+++ b/docker/services/aodh-api.yaml
@@ -26,6 +26,13 @@ parameters:
 DefaultPasswords:
 default: {}
 type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 resources:
@@ -104,9 +111,21 @@ outputs:
 - /var/lib/config-data/aodh/etc/httpd/:/etc/httpd/:ro
 - /var/lib/config-data/aodh/var/www/:/var/www/:ro
 - logs:/var/log
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+ - ''
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+ - ''
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
 upgrade_tasks:
 - name: Stop and disable aodh service (running under httpd)
 tags: step2
 service: name=httpd state=stopped enabled=no
+ metadata_settings:
+ get_attr: [AodhApiPuppetBase, role_data, metadata_settings]
diff --git a/docker/services/gnocchi-api.yaml b/docker/services/gnocchi-api.yaml
index 1c61fa3e..6cddcd54 100644
--- a/docker/services/gnocchi-api.yaml
+++ b/docker/services/gnocchi-api.yaml
@@ -26,6 +26,13 @@ parameters:
 DefaultPasswords:
 default: {}
 type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 resources:
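Review bot: `EnableInternalTLS` is added to the `parameters:` section of aodh-api.yaml without a `description:`, and the same omission is in the matching hunks of gnocchi-api.yaml and panko-api.yaml; Heat parameters in these templates are documented only through that field, so add `description: Whether to enable TLS on the internal network` to the parameter next to `type: boolean`. The conditional volume entries in the `outputs:` hunk fall back to the empty string `''` when internal TLS is disabled, which only works if whatever consumes the `volumes` list drops empty items; if that is not guaranteed by the container tooling, a comment such as `# '' entries are skipped when the container is launched` at the first `if:` would record the assumption for the next maintainer. Mounting `/etc/pki/tls/private/httpd` read-only is the right choice for the key material; it is presumably populated on the host through the `metadata_settings` that the output now passes through from `AodhApiPuppetBase`, and it may be worth stating in the same comment that the mount is only useful once that host-side directory exists, since an empty directory would leave httpd inside the container without a key.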
@@ -103,9 +110,21 @@ outputs:
 - /var/lib/config-data/gnocchi/etc/gnocchi/:/etc/gnocchi/:ro
 - /var/lib/config-data/gnocchi/etc/httpd/:/etc/httpd/:ro
 - /var/lib/config-data/gnocchi/var/www/:/var/www/:ro
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+ - ''
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+ - ''
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
 upgrade_tasks:
 - name: Stop and disable httpd service
 tags: step2
 service: name=httpd state=stopped enabled=no
+ metadata_settings:
+ get_attr: [GnocchiApiPuppetBase, role_data, metadata_settings]
diff --git a/docker/services/panko-api.yaml b/docker/services/panko-api.yaml
index 61bdf7ac..e87bb570 100644
--- a/docker/services/panko-api.yaml
+++ b/docker/services/panko-api.yaml
@@ -26,6 +26,13 @@ parameters:
 DefaultPasswords:
 default: {}
 type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 resources:
@@ -104,5 +111,17 @@ outputs:
 - /var/lib/config-data/panko/etc/panko/:/etc/panko/:ro
 - /var/lib/config-data/panko/etc/httpd/:/etc/httpd/:ro
 - /var/lib/config-data/panko/var/www/:/var/www/:ro
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+ - ''
+ -
+ if:
+ - internal_tls_enabled
+ - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+ - ''
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ metadata_settings:
+ get_attr: [PankoApiPuppetBase, role_data, metadata_settings]
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
index ec39951b..b880f35a 100644
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@@ -9,6 +9,14 @@ resource_registry:
 # NOTE: add roles to be docker enabled as we support them.
 OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+ OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml
+ OS::TripleO::Services::GnocchiMetricd: ../docker/services/gnocchi-metricd.yaml
+ OS::TripleO::Services::GnocchiStatsd: ../docker/services/gnocchi-statsd.yaml
+ OS::TripleO::Services::AodhApi: ../docker/services/aodh-api.yaml
+ OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml
+ OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml
+ OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml
+ OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
 OS::TripleO::PostDeploySteps: ../docker/post.yaml
 OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml |