Bind mounts the necessary certs and keys to enable live migrations
using TLS.
bp tls-via-certmonger-containers
Depends-On: I26a7748b37059ea37f460d8c70ef684cc41b16d3
Change-Id: I81efa85d916823f740bf320c88a248403743a45b
This is working, so we add it to the list.
bp tls-via-certmonger-containers
Change-Id: Ib545d4e6c130b73b4921eb9b6325d2e8d6ff1e2c

Bind mount the certificates needed for TLS.
bp tls-via-certmonger-containers
Change-Id: Ib9b533249be37665b77396a76133cc42fd15ee2b
Bind mounts and adds the appropriate permissions for the cert and
key that's used for TLS.
bp tls-via-certmonger-containers
Depends-On: I62ff89362cfcc80e6e62fad09110918c36802813
Change-Id: I48325893a00690e2f5d6f1d685f903234545d5b8
Previously what we've been doing with setup_docker_host.sh can now be
achieved with host_prep_tasks, and we can free up the NodeUserData
interface for other use cases.
Closes-Bug: #1711387
Change-Id: Iaac90efd03e37ceb02c312f9c15c1da7d4982510
Most nova services are working with TLS everywhere, so they can be
added to the environment.
The compute and libvirt services are still pending.
bp tls-via-certmonger-containers
Change-Id: I80745fff5fbd9a6ccd701c1d154b38ad41b0cc3c

Since nova-compute is not containerized with TLS yet, using containerized
iscsid causes errors when trying to spawn a VM with a volume, since
the path is different in this case.
I will re-add iscsid to this environment once nova-compute is
containerized with TLS.
bp tls-via-certmonger-containers
Change-Id: Ida87b187e56ae852c5a4ef6f78cc04a0870fe3f4
Bind mounts and adds the appropriate permissions for the cert and
key that's used for TLS.
bp tls-via-certmonger-containers
Change-Id: I7fae4083604c7dc89ca04141080a228ebfc44ac9
This bind mounts the certificates if TLS is enabled in the internal
network. It also disables the CRL usage since we can't restart haproxy
at the rate that the CRL is updated. This will be addressed later and
is a known limitation of using containerized haproxy (there's the same
issue in the HA scenario). To address the different UID that the certs
and keys will have, I added an extra step that changes the ownership
of these files; though this only gets included if TLS in the internal
network is enabled.
bp tls-via-certmonger-containers
Depends-On: I2078da7757ff3af1d05d36315fcebd54bb4ca3ec
Change-Id: Ic6ca88ee7b6b256ae6182e60e07498a8a793d66a
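The commit above changes the ownership of the bind-mounted cert and key so that the UID inside the container can read them. As an added example (not TripleO's code, and not part of this change set), the following POSIX shell function performs the check a deployer would run after such a step: both files exist, both are owned by the expected service UID, and the private key is not group- or world-readable. The paths, the UID argument and the accepted key modes are assumptions for illustration; `stat -c` assumes GNU coreutils (Linux).

```shell
#!/bin/sh
# Added example, not project code: verify a bind-mounted TLS cert/key pair
# after the ownership change described in the commit above.
#
# check_tls_files CERT KEY EXPECTED_UID
#   Returns 0 when CERT and KEY exist, both are owned by EXPECTED_UID, and
#   KEY is owner-only (mode 0600 or 0400). Otherwise prints the reason to
#   stderr and returns 1. All thresholds are illustrative assumptions.
check_tls_files() {
  cert=$1
  key=$2
  want_uid=$3

  for f in "$cert" "$key"; do
    if [ ! -f "$f" ]; then
      echo "missing file: $f" >&2
      return 1
    fi
    # Numeric owner UID (GNU stat). A mismatch means the container's service
    # user would get EACCES on this file at startup.
    uid=$(stat -c %u "$f")
    if [ "$uid" != "$want_uid" ]; then
      echo "bad owner on $f: uid $uid, expected $want_uid" >&2
      return 1
    fi
  done

  # The private key must never be readable by group or others.
  mode=$(stat -c %a "$key")
  case "$mode" in
    600|400) ;;
    *)
      echo "key $key has mode $mode; expected 0600 or 0400" >&2
      return 1
      ;;
  esac
  return 0
}

# Stand-alone usage on constructed files in a temporary directory:
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  d=$(mktemp -d)
  : > "$d/haproxy.crt"; chmod 644 "$d/haproxy.crt"
  : > "$d/haproxy.key"; chmod 600 "$d/haproxy.key"
  check_tls_files "$d/haproxy.crt" "$d/haproxy.key" "$(id -u)" \
    && echo "ok: cert/key ownership and mode are sane"
  rm -rf "$d"
fi
```

Run it as `sh check_tls.sh`; the self-test block creates an empty cert/key pair owned by the current user, so the check passes there and fails (with a reason on stderr) if you loosen the key mode or pass a different UID.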

If we consolidate these we can focus on one implementation (the new ansible-based
one used for docker-steps).
Change-Id: Iec0ad2278d62040bf03613fc9556b199c6a80546
Depends-On: Ifa2afa915e0fee368fb2506c02de75bf5efe82d5

Some resources were missing, so this syncs up what's working right now.
bp tls-via-certmonger-containers
Change-Id: Ic8fe20d0240f1ad8f18218d66634029d522d4d5a

Some resources have changed, so the environment needed syncing.
Change-Id: I9aa310ae80edfccd3ed28e67a431aad6e1ed8a7f
Updates hieradata for changes in https://review.openstack.org/471950.
Creates a new service - NovaMigrationTarget. On baremetal this just configures
live/cold-migration. On docker it includes a container running a second sshd
service on an alternative port.
Configures /var/lib/nova/.ssh/config and mounts in nova-compute and libvirtd
containers.
Change-Id: Ic4b810ff71085b73ccd08c66a3739f94e6c0c427
Implements: blueprint tripleo-cold-migration
Depends-On: I6c04cebd1cf066c79c5b4335011733d32ac208dc
Depends-On: I063a84a8e6da64ae3b09125cfa42e48df69adc12

This currently assumes nova-compute and iscsid run in the same context, which
isn't true for a containerized deployment.
Change-Id: I11232fc412adcc18087928c281ba82546388376e
Depends-On: I91f1ce7625c351745dbadd84b565d55598ea5b59
Depends-On: I0cbb1081ad00b2202c9d913e0e1759c2b95612a5
Change-Id: Ibfc568755764203b68aed524d6f334eeb7cd5da7
Closes-bug: #1703001

This commit brings change from
I3896fa2ea7caa603186f0af04f6d8382d50dd97a to
docker-services-tls-everywhere.yaml, whose original commit message was:
These duplicate the defaults in puppet/services/docker.yaml and
break things if you include an environment file (e.g that generated
by quickstart containers-default-parameters.yaml) before the
docker.yaml.
Instead it's probably more helpful to include the commented lines
showing how to enable use of a local docker registry.
Change-Id: Ifa95ef60bc17bd2638ebb6aebf77a819b28c9f0b
Related-Bug: #1691524

Moving to one common services.yaml not only reduces the duplication, but it
should improve performance for the docker/services.yaml case, because we were
creating two ResourceChains with $many services which we know can be really
slow (especially since we seem to be missing concurrent: true on one)
Change-Id: I76f188438bfc6449b152c2861d99738e6eb3c61b

This adds the sshd puppet service to the containerized compute role.
All other roles already include this service from the default roles data;
it is only missing from the compute role.
As the sshd service runs on the docker host, this must remain as a
traditional puppet service. NB the sshd puppet service does not enable
sshd, it just enables the management of the sshd config via t-h-t/puppet.
Closes-bug: #1693837
Change-Id: I86ff749245ac791e870528ad4b410f3c1fd812e0
This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of neutron server.
bp tls-via-certmonger-containers
Change-Id: I2529d78e889835f48c51e12d28ecd7c48739b02b
This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of glance-api.
bp tls-via-certmonger-containers
Change-Id: If902ac732479832b9aa3e4a8d063b5be68a42a9b
This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of swift.
bp tls-via-certmonger-containers
Depends-On: Ib01137cd0d98e6f5a3e49579c080ab18d8905b0d
Change-Id: I9639af8b46b8e865cc1fa7249bf1d8b1b978adfe
This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd.
bp tls-via-certmonger-containers
Change-Id: I194c33992c7f3628f7858ecf5e472ecfdee969ed

The CA and certmonger user profiles were needed in the compute services
list from the tls-everywhere in containers environment.
bp tls-via-certmonger-containers
Change-Id: Ib584ac0745d68828467bcfad7f6472ab66adbac3

This covers aodh, gnocchi and panko.
bp tls-via-certmonger-containers
Change-Id: I6dabb0d82755c28b8940c0baab0e23cfcc587c42

This is only done when TLS-everywhere is enabled, and depends on those
directories being exclusive for services that run over httpd, which is
the commit this is on top of.
Also, an environment file was added that's similar to
environments/docker.yaml. The difference is that this one will contain
the services that can run containerized with TLS-everywhere. This file
will be updated as more services get support for this.
bp tls-via-certmonger-containers
Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78