summaryrefslogtreecommitdiffstats
path: root/docker
diff options
context:
space:
mode:
Diffstat (limited to 'docker')
-rwxr-xr-xdocker/docker-puppet.py1
-rw-r--r--docker/services/ceph-ansible/ceph-base.yaml2
-rw-r--r--docker/services/database/redis.yaml87
3 files changed, 66 insertions, 24 deletions
diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index 613adf10..0451ed51 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -366,6 +366,7 @@ for infile in infiles:
outfile = os.path.join(os.path.dirname(infile), "hashed-" + os.path.basename(infile))
with open(outfile, 'w') as out_f:
+ os.chmod(out_f.name, 0600)
json.dump(infile_data, out_f)
if not success:
diff --git a/docker/services/ceph-ansible/ceph-base.yaml b/docker/services/ceph-ansible/ceph-base.yaml
index 3eba2091..2a592869 100644
--- a/docker/services/ceph-ansible/ceph-base.yaml
+++ b/docker/services/ceph-ansible/ceph-base.yaml
@@ -240,7 +240,7 @@ outputs:
- - client
- {get_param: ManilaCephFSNativeCephFSAuthId}
key: {get_param: CephManilaClientKey}
- mon_cap: "allow r, allow command auth del, allow command auth caps, allow command auth get, allow command auth get-or-create"
+ mon_cap: 'allow r, allow command \\\"auth del\\\", allow command \\\"auth caps\\\", allow command \\\"auth get\\\", allow command \\\"auth get-or-create\\\"'
mds_cap: "allow *"
osd_cap: "allow rw"
mode: "0644"
diff --git a/docker/services/database/redis.yaml b/docker/services/database/redis.yaml
index 980a8c6d..487b4c67 100644
--- a/docker/services/database/redis.yaml
+++ b/docker/services/database/redis.yaml
@@ -36,9 +36,19 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
+ ContainersCommon:
+ type: ../containers-common.yaml
+
RedisBase:
type: ../../../puppet/services/database/redis.yaml
properties:
@@ -56,6 +66,8 @@ outputs:
map_merge:
- {get_attr: [RedisBase, role_data, config_settings]}
- redis::daemonize: false
+ tripleo::stunnel::manage_service: false
+ tripleo::stunnel::foreground: 'yes'
step_config: &step_config
get_attr: [RedisBase, role_data, step_config]
service_config_settings: {get_attr: [RedisBase, role_data, service_config_settings]}
@@ -80,31 +92,60 @@ outputs:
- path: /var/run/redis
owner: redis:redis
recurse: true
+ /var/lib/kolla/config_files/redis_tls_proxy.json:
+ command: stunnel /etc/stunnel/stunnel.conf
+ config_files:
+ - source: "/var/lib/kolla/config_files/src/*"
+ dest: "/"
+ merge: true
+ preserve_properties: true
docker_config:
step_1:
- redis_init_logs:
- start_order: 0
- detach: false
- image: &redis_image {get_param: DockerRedisImage}
- privileged: false
- user: root
- volumes:
- - /var/log/containers/redis:/var/log/redis
- command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis']
- redis:
- start_order: 1
- image: *redis_image
- net: host
- privileged: false
- restart: always
- volumes:
- - /run:/run
- - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro
- - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
- - /etc/localtime:/etc/localtime:ro
- - /var/log/containers/redis:/var/log/redis
- environment:
- - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ map_merge:
+ - redis_init_logs:
+ start_order: 0
+ detach: false
+ image: &redis_image {get_param: DockerRedisImage}
+ privileged: false
+ user: root
+ volumes:
+ - /var/log/containers/redis:/var/log/redis
+ command: ['/bin/bash', '-c', 'chown -R redis:redis /var/log/redis']
+ - redis:
+ start_order: 1
+ image: *redis_image
+ net: host
+ privileged: false
+ restart: always
+ volumes:
+ - /run:/run
+ - /var/lib/kolla/config_files/redis.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
+ - /etc/localtime:/etc/localtime:ro
+ - /var/log/containers/redis:/var/log/redis
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - if:
+ - internal_tls_enabled
+ - redis_tls_proxy:
+ start_order: 2
+ image: *redis_image
+ net: host
+ user: root
+ restart: always
+ volumes:
+ list_concat:
+ - {get_attr: [ContainersCommon, volumes]}
+ -
+ - /var/lib/kolla/config_files/redis_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+ - /var/lib/config-data/puppet-generated/redis/:/var/lib/kolla/config_files/src:ro
+ - /etc/pki/tls/certs/redis.crt:/etc/pki/tls/certs/redis.crt:ro
+ - /etc/pki/tls/private/redis.key:/etc/pki/tls/private/redis.key:ro
+ environment:
+ - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ - {}
+ metadata_settings:
+ get_attr: [RedisBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file: