11 files changed, 86 insertions, 18 deletions

diff --git a/deployed-server/deployed-server-roles-data.yaml b/deployed-server/deployed-server-roles-data.yaml
index 04da5565..084c2f8f 100644
--- a/deployed-server/deployed-server-roles-data.yaml
+++ b/deployed-server/deployed-server-roles-data.yaml
@@ -26,6 +26,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephMon
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::CephRgw
@@ -109,6 +110,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephClient
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::Timezone
@@ -133,6 +135,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::BlockStorageCinderVolume
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -147,6 +150,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::SwiftStorage
@@ -162,6 +166,7 @@
   disable_constraints: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephOSD
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 3f8baef7..656f3348 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -176,3 +176,5 @@ outputs:
         - name: Stop and disable keystone service (running under httpd)
           tags: step2
           service: name=httpd state=stopped enabled=no
+      metadata_settings:
+        get_attr: [KeystoneBase, role_data, metadata_settings]
diff --git a/docker/services/rabbitmq.yaml b/docker/services/rabbitmq.yaml
index 573ec178..341ec3de 100644
--- a/docker/services/rabbitmq.yaml
+++ b/docker/services/rabbitmq.yaml
@@ -90,7 +90,7 @@ outputs:
               - /var/lib/config-data/rabbitmq/:/var/lib/kolla/config_files/src:ro
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
-              - rabbitmq:/var/lib/rabbitmq/
+              - /var/lib/rabbitmq:/var/lib/rabbitmq
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
               - KOLLA_BOOTSTRAP=True
@@ -116,9 +116,14 @@ outputs:
               - /var/lib/config-data/rabbitmq/:/var/lib/kolla/config_files/src:ro
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
-              - rabbitmq:/var/lib/rabbitmq/
+              - /var/lib/rabbitmq:/var/lib/rabbitmq
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      host_prep_tasks:
+        - name: create /var/lib/rabbitmq
+          file:
+            path: /var/lib/rabbitmq
+            state: directory
       upgrade_tasks:
         - name: Stop and disable rabbitmq service
           tags: step2
diff --git a/docker/services/swift-proxy.yaml b/docker/services/swift-proxy.yaml
index 93e21c81..0d7cd7b9 100644
--- a/docker/services/swift-proxy.yaml
+++ b/docker/services/swift-proxy.yaml
@@ -72,10 +72,15 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+      host_prep_tasks:
+        - name: create /srv/node
+          file:
+            path: /srv/node
+            state: directory
       upgrade_tasks:
         - name: Stop and disable swift_proxy service
           tags: step2
diff --git a/docker/services/swift-storage.yaml b/docker/services/swift-storage.yaml
index 8e76504c..9c8d84e2 100644
--- a/docker/services/swift-storage.yaml
+++ b/docker/services/swift-storage.yaml
@@ -104,9 +104,9 @@ outputs:
                 - '/'
                 - [ {get_param: DockerNamespace}, {get_param: DockerSwiftAccountImage} ]
             user: root
-            command: ['/bin/bash', '-c', 'mkdir /srv/node && chown swift:swift /srv/node']
+            command: ['chown', '-R', 'swift:', '/srv/node']
             volumes:
-              - swift-srv:/srv
+              - /srv/node:/srv/node
         step_4:
           swift_account_auditor:
             image:
@@ -123,7 +123,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: &kolla_env
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
@@ -142,7 +142,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_account_replicator:
@@ -160,7 +160,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_account_server:
@@ -178,7 +178,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_container_auditor:
@@ -196,7 +196,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_container_replicator:
@@ -214,7 +214,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_container_updater:
@@ -232,7 +232,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_container_server:
@@ -250,7 +250,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_object_auditor:
@@ -268,7 +268,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_object_expirer:
@@ -286,7 +286,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_object_replicator:
@@ -304,7 +304,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_object_updater:
@@ -322,7 +322,7 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
           swift_object_server:
@@ -340,9 +340,14 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - /run:/run
-              - swift-srv:/srv
+              - /srv/node:/srv/node
               - /dev:/dev
             environment: *kolla_env
+      host_prep_tasks:
+        - name: create /srv/node
+          file:
+            path: /srv/node
+            state: directory
       upgrade_tasks:
         - name: Stop and disable swift storage services
           tags: step2
diff --git a/environments/contrail/roles_data_contrail.yaml b/environments/contrail/roles_data_contrail.yaml
index 5f6c4691..d6d6f291 100644
--- a/environments/contrail/roles_data_contrail.yaml
+++ b/environments/contrail/roles_data_contrail.yaml
@@ -29,6 +29,7 @@
   CountDefault: 1
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephMds
     - OS::TripleO::Services::CephMon
     - OS::TripleO::Services::CephExternal
@@ -115,6 +116,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephClient
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::Timezone
@@ -140,6 +142,7 @@
 - name: BlockStorage
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::BlockStorageCinderVolume
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -156,6 +159,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::SwiftStorage
@@ -173,6 +177,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephOSD
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -188,6 +193,7 @@
 - name: ContrailController
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::ContrailConfig
     - OS::TripleO::Services::ContrailControl
     - OS::TripleO::Services::ContrailDatabase
@@ -203,6 +209,7 @@
 - name: ContrailAnalytics
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::ContrailAnalytics
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -215,6 +222,7 @@
 - name: ContrailAnalyticsDatabase
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::ContrailAnalyticsDatabase
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -227,6 +235,7 @@
 - name: ContrailTsn
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::ContrailTsn
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml
index f485e4a5..e245a6af 100644
--- a/environments/enable-internal-tls.yaml
+++ b/environments/enable-internal-tls.yaml
@@ -9,6 +9,8 @@ parameter_defaults:
     ipa_enroll: True
 
 resource_registry:
+  OS::TripleO::Services::CertmongerUser: ../puppet/services/certmonger-user.yaml
+
   OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml
   OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml
   OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml
diff --git a/environments/hyperconverged-ceph.yaml b/environments/hyperconverged-ceph.yaml
index f59b0414..8f74ec35 100644
--- a/environments/hyperconverged-ceph.yaml
+++ b/environments/hyperconverged-ceph.yaml
@@ -6,6 +6,7 @@ resource_registry:
 parameter_defaults:
   ComputeServices:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephClient
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::Timezone
diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml
index 212e9379..d9eaf8df 100644
--- a/overcloud-resource-registry-puppet.j2.yaml
+++ b/overcloud-resource-registry-puppet.j2.yaml
@@ -252,6 +252,7 @@ resource_registry:
   OS::TripleO::Services::MySQLClient: puppet/services/database/mysql-client.yaml
   OS::TripleO::Services::Vpp: OS::Heat::None
   OS::TripleO::Services::Docker: OS::Heat::None
+  OS::TripleO::Services::CertmongerUser: OS::Heat::None
 
 parameter_defaults:
   EnablePackageInstall: false
diff --git a/puppet/services/certmonger-user.yaml b/puppet/services/certmonger-user.yaml
new file mode 100644
index 00000000..af9802b0
--- /dev/null
+++ b/puppet/services/certmonger-user.yaml
@@ -0,0 +1,28 @@
+heat_template_version: ocata
+
+description: >
+  Requests certificates using certmonger through Puppet
+
+parameters:
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+
+outputs:
+  role_data:
+    description: Role data for the certmonger-user service
+    value:
+      service_name: certmonger_user
+      step_config: |
+        include ::tripleo::profile::base::certmonger_user
diff --git a/roles_data.yaml b/roles_data.yaml
index e0c1c42d..130451ff 100644
--- a/roles_data.yaml
+++ b/roles_data.yaml
@@ -33,6 +33,7 @@
   CountDefault: 1
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephMds
     - OS::TripleO::Services::CephMon
     - OS::TripleO::Services::CephExternal
@@ -135,6 +136,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephClient
     - OS::TripleO::Services::CephExternal
     - OS::TripleO::Services::Timezone
@@ -163,6 +165,7 @@
 - name: BlockStorage
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::BlockStorageCinderVolume
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
@@ -181,6 +184,7 @@
   disable_upgrade_deployment: True
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp
     - OS::TripleO::Services::SwiftStorage
@@ -199,6 +203,7 @@
 - name: CephStorage
   ServicesDefault:
     - OS::TripleO::Services::CACerts
+    - OS::TripleO::Services::CertmongerUser
     - OS::TripleO::Services::CephOSD
     - OS::TripleO::Services::Kernel
     - OS::TripleO::Services::Ntp