Bind mount directories that contain the key/certs for keystone

This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd. Which is
the commit this is on top of.

Also, an environment file was added that's similar to
environments/docker.yaml. The difference is that this one will contain
the services that can run containerized with TLS-everywhere. This file
will be updated as more services get support for this.

bp tls-via-certmonger-containers

Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78

1 files changed, 17 insertions, 0 deletions

diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 90ddeb9f..526a357b 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -36,6 +36,9 @@ parameters:
     default: 'fernet'
     constraints:
       - allowed_values: ['uuid', 'fernet']
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 resources:
 
@@ -46,6 +49,10 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
 
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
   role_data:
     description: Role data for the Keystone API role.
@@ -96,6 +103,16 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - logs:/var/log
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                  - ''
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                  - ''
             environment:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS