summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-xdocker/docker-puppet.py43
-rw-r--r--docker/services/swift-proxy.yaml66
-rw-r--r--environments/docker-services-tls-everywhere.yaml3
-rw-r--r--environments/services-docker/undercloud-aodh.yaml8
-rw-r--r--environments/services-docker/undercloud-gnocchi.yaml6
-rw-r--r--environments/services-docker/undercloud-panko.yaml2
-rw-r--r--puppet/services/keystone.yaml1
7 files changed, 81 insertions, 48 deletions
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index 111005ac..f1594d2d 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -152,8 +152,7 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
log.debug('manifest %s' % manifest)
log.debug('config_image %s' % config_image)
log.debug('volumes %s' % volumes)
- hostname = short_hostname()
- sh_script = '/var/lib/docker-puppet/docker-puppet-%s.sh' % config_volume
+ sh_script = '/var/lib/docker-puppet/docker-puppet.sh'
with open(sh_script, 'w') as script_file:
os.chmod(script_file.name, 0755)
@@ -162,43 +161,40 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
mkdir -p /etc/puppet
cp -a /tmp/puppet-etc/* /etc/puppet
rm -Rf /etc/puppet/ssl # not in use and causes permission errors
- echo '{"step": %(step)s}' > /etc/puppet/hieradata/docker.json
+ echo "{\\"step\\": $STEP}" > /etc/puppet/hieradata/docker.json
TAGS=""
- if [ -n "%(puppet_tags)s" ]; then
- TAGS='--tags "%(puppet_tags)s"'
+ if [ -n "$PUPPET_TAGS" ]; then
+ TAGS="--tags \"$PUPPET_TAGS\""
fi
- FACTER_hostname=%(hostname)s FACTER_uuid=docker /usr/bin/puppet apply --verbose $TAGS /etc/config.pp
+ FACTER_hostname=$HOSTNAME FACTER_uuid=docker /usr/bin/puppet apply --verbose $TAGS /etc/config.pp
# Disables archiving
- if [ -z "%(no_archive)s" ]; then
- rm -Rf /var/lib/config-data/%(name)s
+ if [ -z "$NO_ARCHIVE" ]; then
+ rm -Rf /var/lib/config-data/${NAME}
# copying etc should be enough for most services
- mkdir -p /var/lib/config-data/%(name)s/etc
- cp -a /etc/* /var/lib/config-data/%(name)s/etc/
+ mkdir -p /var/lib/config-data/${NAME}/etc
+ cp -a /etc/* /var/lib/config-data/${NAME}/etc/
if [ -d /root/ ]; then
- cp -a /root/ /var/lib/config-data/%(name)s/root/
+ cp -a /root/ /var/lib/config-data/${NAME}/root/
fi
if [ -d /var/lib/ironic/tftpboot/ ]; then
- mkdir -p /var/lib/config-data/%(name)s/var/lib/ironic/
- cp -a /var/lib/ironic/tftpboot/ /var/lib/config-data/%(name)s/var/lib/ironic/tftpboot/
+ mkdir -p /var/lib/config-data/${NAME}/var/lib/ironic/
+ cp -a /var/lib/ironic/tftpboot/ /var/lib/config-data/${NAME}/var/lib/ironic/tftpboot/
fi
if [ -d /var/lib/ironic/httpboot/ ]; then
- mkdir -p /var/lib/config-data/%(name)s/var/lib/ironic/
- cp -a /var/lib/ironic/httpboot/ /var/lib/config-data/%(name)s/var/lib/ironic/httpboot/
+ mkdir -p /var/lib/config-data/${NAME}/var/lib/ironic/
+ cp -a /var/lib/ironic/httpboot/ /var/lib/config-data/${NAME}/var/lib/ironic/httpboot/
fi
# apache services may files placed in /var/www/
if [ -d /var/www/ ]; then
- mkdir -p /var/lib/config-data/%(name)s/var/www
- cp -a /var/www/* /var/lib/config-data/%(name)s/var/www/
+ mkdir -p /var/lib/config-data/${NAME}/var/www
+ cp -a /var/www/* /var/lib/config-data/${NAME}/var/www/
fi
fi
- """ % {'puppet_tags': puppet_tags, 'name': config_volume,
- 'hostname': hostname,
- 'no_archive': os.environ.get('NO_ARCHIVE', ''),
- 'step': os.environ.get('STEP', '6')})
+ """)
with tempfile.NamedTemporaryFile() as tmp_man:
with open(tmp_man.name, 'w') as man_file:
@@ -211,6 +207,11 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
dcmd = ['/usr/bin/docker', 'run',
'--user', 'root',
'--name', 'docker-puppet-%s' % config_volume,
+ '--env', 'PUPPET_TAGS=%s' % puppet_tags,
+ '--env', 'NAME=%s' % config_volume,
+ '--env', 'HOSTNAME=%s' % short_hostname(),
+ '--env', 'NO_ARCHIVE=%s' % os.environ.get('NO_ARCHIVE', ''),
+ '--env', 'STEP=%s' % os.environ.get('STEP', '6'),
'--volume', '%s:/etc/config.pp:ro' % tmp_man.name,
'--volume', '/etc/puppet/:/tmp/puppet-etc/:ro',
'--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml
index bcf24c33..d183cc24 100644
--- a/docker/services/swift-proxy.yaml
+++ b/docker/services/swift-proxy.yaml
@@ -26,6 +26,13 @@ parameters:
DefaultPasswords:
default: {}
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@@ -64,27 +71,48 @@ outputs:
- path: /var/log/swift
owner: swift:swift
recurse: true
+ /var/lib/kolla/config_files/swift_proxy_tls_proxy.json:
+ command: /usr/sbin/httpd -DFOREGROUND
docker_config:
step_4:
- swift_proxy:
- image: *swift_proxy_image
- net: host
- user: swift
- restart: always
- volumes:
- list_concat:
- - {get_attr: [ContainersCommon, volumes]}
- -
- - /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro
- # FIXME I'm mounting /etc/swift as rw. Are the rings written to
- # at all during runtime?
- - /var/lib/config-data/swift/etc/swift:/etc/swift:rw
- - /run:/run
- - /srv/node:/srv/node
- - /dev:/dev
- - /var/log/containers/swift:/var/log/swift
- environment:
- - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ map_merge:
+ - swift_proxy:
+ image: *swift_proxy_image
+ net: host
+ user: swift
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/kolla/config_files/swift_proxy.json:/var/lib/kolla/config_files/config.json:ro
+ # FIXME I'm mounting /etc/swift as rw. Are the rings written to
+ # at all during runtime?
+ - /var/lib/config-data/swift/etc/swift:/etc/swift:rw
+ - /run:/run
+ - /srv/node:/srv/node
+ - /dev:/dev
+ - /var/log/containers/swift:/var/log/swift
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - if:
+ - internal_tls_enabled
+ - swift_proxy_tls_proxy:
+ image: *swift_proxy_image
+ net: host
+ user: root
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/kolla/config_files/swift_proxy_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/swift/etc/httpd/:/etc/httpd/:ro
+ - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+ - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - {}
host_prep_tasks:
- name: create persistent directories
file:
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
index 7b27663f..9bdbe2bd 100644
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@@ -20,6 +20,9 @@ resource_registry:
OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
+ OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
+ OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
+ OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
OS::TripleO::PostDeploySteps: ../docker/post.yaml
OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml
diff --git a/environments/services-docker/undercloud-aodh.yaml b/environments/services-docker/undercloud-aodh.yaml
index 236512f6..95d4a873 100644
--- a/environments/services-docker/undercloud-aodh.yaml
+++ b/environments/services-docker/undercloud-aodh.yaml
@@ -1,5 +1,5 @@
resource_registry:
- OS::TripleO::Services::UndercloudAodhApi: ../docker/services/aodh-api.yaml
- OS::TripleO::Services::UndercloudAodhEvaluator: ../docker/services/aodh-evaluator.yaml
- OS::TripleO::Services::UndercloudAodhNotifier: ../docker/services/aodh-notifier.yaml
- OS::TripleO::Services::UndercloudAodhListener: ../docker/services/aodh-listener.yaml
+ OS::TripleO::Services::UndercloudAodhApi: ../../docker/services/aodh-api.yaml
+ OS::TripleO::Services::UndercloudAodhEvaluator: ../../docker/services/aodh-evaluator.yaml
+ OS::TripleO::Services::UndercloudAodhNotifier: ../../docker/services/aodh-notifier.yaml
+ OS::TripleO::Services::UndercloudAodhListener: ../../docker/services/aodh-listener.yaml
diff --git a/environments/services-docker/undercloud-gnocchi.yaml b/environments/services-docker/undercloud-gnocchi.yaml
index 55b0ac2d..4b898cb3 100644
--- a/environments/services-docker/undercloud-gnocchi.yaml
+++ b/environments/services-docker/undercloud-gnocchi.yaml
@@ -1,4 +1,4 @@
resource_registry:
- OS::TripleO::Services::UndercloudGnocchiApi: ../docker/services/gnocchi-api.yaml
- OS::TripleO::Services::UndercloudGnocchiMetricd: ../docker/services/gnocchi-metricd.yaml
- OS::TripleO::Services::UndercloudGnocchiStatsd: ../docker/services/gnocchi-statsd.yaml
+ OS::TripleO::Services::UndercloudGnocchiApi: ../../docker/services/gnocchi-api.yaml
+ OS::TripleO::Services::UndercloudGnocchiMetricd: ../../docker/services/gnocchi-metricd.yaml
+ OS::TripleO::Services::UndercloudGnocchiStatsd: ../../docker/services/gnocchi-statsd.yaml
diff --git a/environments/services-docker/undercloud-panko.yaml b/environments/services-docker/undercloud-panko.yaml
index ffe3b6da..8384f311 100644
--- a/environments/services-docker/undercloud-panko.yaml
+++ b/environments/services-docker/undercloud-panko.yaml
@@ -1,2 +1,2 @@
resource_registry:
- OS::TripleO::Services::UndercloudPankoApi: ../docker/services/panko-api.yaml
+ OS::TripleO::Services::UndercloudPankoApi: ../../docker/services/panko-api.yaml
diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml
index 58b2b7bf..c42b0530 100644
--- a/puppet/services/keystone.yaml
+++ b/puppet/services/keystone.yaml
@@ -231,6 +231,7 @@ outputs:
content: {get_param: KeystoneFernetKey0}
'/etc/keystone/fernet-keys/1':
content: {get_param: KeystoneFernetKey1}
+ keystone::fernet_replace_keys: false
keystone::debug: {get_param: Debug}
keystone::rabbit_userid: {get_param: RabbitUserName}
keystone::rabbit_password: {get_param: RabbitPassword}