diff options
Diffstat (limited to 'docker')
-rwxr-xr-x | docker/docker-puppet.py | 1 | ||||
-rw-r--r-- | docker/services/ceph-ansible/ceph-base.yaml | 2 | ||||
-rw-r--r-- | docker/services/database/redis.yaml | 87 |
3 files changed, 66 insertions, 24 deletions
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py index 613adf10..0451ed51 100755 --- a/docker/docker-puppet.py +++ b/docker/docker-puppet.py @@ -366,6 +366,7 @@ for infile in infiles: outfile = os.path.join(os.path.dirname(infile), "hashed-" + os.path.basename(infile)) with open(outfile, 'w') as out_f: + os.chmod(out_f.name, 0600) json.dump(infile_data, out_f) if not success: diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml index 3eba2091..2a592869 100644 --- a/docker/services/ceph-ansible/ceph-base.yaml +++ b/docker/services/ceph-ansible/ceph-base.yaml @@ -240,7 +240,7 @@ outputs: - - client - {get_param: ManilaCephFSNativeCephFSAuthId} key: {get_param: CephManilaClientKey} - mon_cap: "allow r, allow command auth del, allow command auth caps, allow command auth get, allow command auth get-or-create" + mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"' mds_cap: "allow *" osd_cap: "allow rw" mode: "0644" diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml index 980a8c6d..487b4c67 100644 --- a/docker/services/database/redis.yaml +++ b/docker/services/database/redis.yaml @@ -36,9 +36,19 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: + ContainersCommon: + type: ../containers-common.yaml + RedisBase: type: ../../../puppet/services/database/redis.yaml properties: @@ -56,6 +66,8 @@ outputs: map_merge: - {get_attr: [RedisBase, role_data, config_settings]} - redis::daemonize: false + tripleo::stunnel::manage_service: false + tripleo::stunnel::foreground: 'yes' step_config: &step_config get_attr: [RedisBase, role_data, step_config] service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]} @@ -80,31 +92,60 @@ outputs: - path: /var/run/redis owner: redis:redis recurse: true + /var/lib/kolla/config_files/redis_tls_proxy.json: + command: stunnel /etc/stunnel/stunnel.conf + config_files: + - source: "/var/lib/kolla/config_files/src/*" + dest: "/" + merge: true + preserve_properties: true docker_config: step_1: - redis_init_logs: - start_order: 0 - detach: false - image: &redis_image {get_param: DockerRedisImage} - privileged: false - user: root - volumes: - - /var/log/containers/redis:/var/log/redis - command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis'] - redis: - start_order: 1 - image: *redis_image - net: host - privileged: false - restart: always - volumes: - - /run:/run - - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro - - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro - - /etc/localtime:/etc/localtime:ro - - /var/log/containers/redis:/var/log/redis - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + map_merge: + - redis_init_logs: + start_order: 0 + detach: false + image: &redis_image {get_param: DockerRedisImage} + privileged: false + user: root + volumes: + - /var/log/containers/redis:/var/log/redis + command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis'] + - redis: + start_order: 1 + image: *redis_image + net: host + privileged: false + restart: always + volumes: + - /run:/run + - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/localtime:/etc/localtime:ro + - /var/log/containers/redis:/var/log/redis + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - if: + - internal_tls_enabled + - redis_tls_proxy: + start_order: 2 + image: *redis_image + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro + - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro + - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} + metadata_settings: + get_attr: [RedisBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent directories file: |