3 files changed, 27 insertions, 1 deletions

diff --git a/docker/docker-puppet.py b/docker/docker-puppet.py
index c364d039..5c68b08d 100755
--- a/docker/docker-puppet.py
+++ b/docker/docker-puppet.py
@@ -202,6 +202,12 @@ def mp_puppet_config((config_volume, puppet_tags, manifest, config_image, volume
                 '--volume', '/usr/share/openstack-puppet/modules/:/usr/share/openstack-puppet/modules/:ro',
                 '--volume', '/var/lib/config-data/:/var/lib/config-data/:rw',
                 '--volume', 'tripleo_logs:/var/log/tripleo/',
+                # OpenSSL trusted CA injection
+                '--volume', '/etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro',
+                '--volume', '/etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro',
+                '--volume', '/etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro',
+                '--volume', '/etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro',
+                # script injection
                 '--volume', '%s:%s:rw' % (sh_script, sh_script) ]
 
         for volume in volumes:
diff --git a/docker/services/keystone.yaml b/docker/services/keystone.yaml
index 90ddeb9f..526a357b 100644
--- a/docker/services/keystone.yaml
+++ b/docker/services/keystone.yaml
@@ -36,6 +36,9 @@ parameters:
     default: 'fernet'
     constraints:
       - allowed_values: ['uuid', 'fernet']
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 resources:
 
@@ -46,6 +49,10 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
 
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
   role_data:
     description: Role data for the Keystone API role.
@@ -96,6 +103,16 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - logs:/var/log
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                  - ''
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                  - ''
             environment:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
diff --git a/docker/services/nova-api.yaml b/docker/services/nova-api.yaml
index 4cd48b75..97fafb09 100644
--- a/docker/services/nova-api.yaml
+++ b/docker/services/nova-api.yaml
@@ -50,7 +50,10 @@ outputs:
           - get_attr: [NovaApiBase, role_data, config_settings]
           - apache::default_vhost: false
       step_config: &step_config
-        get_attr: [NovaApiBase, role_data, step_config]
+        list_join:
+          - "\n"
+          - - "['Nova_cell_v2'].each |String $val| { noop_resource($val) }"
+            - {get_attr: [NovaApiBase, role_data, step_config]}
       service_config_settings: {get_attr: [NovaApiBase, role_data, service_config_settings]}
       # BEGIN DOCKER SETTINGS
       puppet_config: