diff options
author | Jenkins <jenkins@review.openstack.org> | 2017-06-15 20:22:15 +0000 |
---|---|---|
committer | Gerrit Code Review <review@openstack.org> | 2017-06-15 20:22:15 +0000 |
commit | 0354927a1143dd766cab4b9a88d4af84e404d6d9 (patch) | |
tree | 856ea52fb2c8de1ba0aa4bc625d706a989304815 /docker | |
parent | e23e8c46f4384bd691982b073f4b2aae987708bc (diff) | |
parent | 31f773a95bf64e4da49edc41a4e36ffc9ee012fd (diff) |
Merge "Bind mount internal CA file to all containers"
Diffstat (limited to 'docker')
-rw-r--r-- | docker/services/containers-common.yaml | 69 |
1 files changed, 57 insertions, 12 deletions
diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml index 973d9994..d104853f 100644 --- a/docker/services/containers-common.yaml +++ b/docker/services/containers-common.yaml @@ -3,19 +3,64 @@ heat_template_version: pike description: > Contains a static list of common things necessary for containers +parameters: + + # Required parameters + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + RoleName: + default: '' + description: Role name on which the service is applied + type: string + RoleParameters: + default: {} + description: Parameters specific to the role + type: json + + + EnableInternalTLS: + type: boolean + default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + outputs: volumes: description: Common volumes for the containers. value: - - /etc/hosts:/etc/hosts:ro - - /etc/localtime:/etc/localtime:ro - # required for bootstrap_host_exec - - /etc/puppet:/etc/puppet:ro - # OpenSSL trusted CAs - - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro - - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro - - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro - - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro - # Syslog socket - - /dev/log:/dev/log - - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro + list_concat: + - - /etc/hosts:/etc/hosts:ro + - /etc/localtime:/etc/localtime:ro + # required for bootstrap_host_exec + - /etc/puppet:/etc/puppet:ro + # OpenSSL trusted CAs + - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro + - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro + - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro + - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro + # Syslog socket + - /dev/log:/dev/log + - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro + - if: + - internal_tls_enabled + - - {get_param: InternalTLSCAFile} + - null |