From a378a01102a13ae336963d18aa7abba948711f8b Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Mon, 8 May 2017 09:38:16 +0000 Subject: Containers: Bind mount directories with the key/certs for heat This is only done when TLS-everywhere is enabled, and depends on those directories being exclusive for services that run over httpd. bp tls-via-certmonger-containers Change-Id: I194c33992c7f3628f7858ecf5e472ecfdee969ed --- docker/services/heat-api-cfn.yaml | 16 ++++++++++++++++ docker/services/heat-api.yaml | 16 ++++++++++++++++ environments/docker-services-tls-everywhere.yaml | 13 ++++++++----- 3 files changed, 40 insertions(+), 5 deletions(-) diff --git a/docker/services/heat-api-cfn.yaml b/docker/services/heat-api-cfn.yaml index fc228155..ff18f177 100644 --- a/docker/services/heat-api-cfn.yaml +++ b/docker/services/heat-api-cfn.yaml @@ -31,7 +31,13 @@ parameters: DefaultPasswords: default: {} type: json + EnableInternalTLS: + type: boolean + default: false +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -95,6 +101,16 @@ outputs: - /var/lib/config-data/heat_api_cfn/etc/httpd/:/etc/httpd/:ro - /var/lib/config-data/heat_api_cfn/var/www/:/var/www/:ro - /var/log/containers/heat:/var/log/heat + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/docker/services/heat-api.yaml b/docker/services/heat-api.yaml index fe565411..886a0d80 100644 --- a/docker/services/heat-api.yaml +++ b/docker/services/heat-api.yaml @@ -31,7 +31,13 @@ parameters: DefaultPasswords: default: {} type: json + EnableInternalTLS: + type: boolean + default: false +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -95,6 +101,16 @@ outputs: - /var/lib/config-data/heat_api/etc/httpd/:/etc/httpd/:ro - /var/lib/config-data/heat_api/var/www/:/var/www/:ro - /var/log/containers/heat:/var/log/heat + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS host_prep_tasks: diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml index 73b91727..7b27663f 100644 --- a/environments/docker-services-tls-everywhere.yaml +++ b/environments/docker-services-tls-everywhere.yaml @@ -8,14 +8,17 @@ resource_registry: OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml # NOTE: add roles to be docker enabled as we support them. - OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml - OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml - OS::TripleO::Services::GnocchiMetricd: ../docker/services/gnocchi-metricd.yaml - OS::TripleO::Services::GnocchiStatsd: ../docker/services/gnocchi-statsd.yaml OS::TripleO::Services::AodhApi: ../docker/services/aodh-api.yaml OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml - OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml + OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml + OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml + OS::TripleO::Services::GnocchiMetricd: ../docker/services/gnocchi-metricd.yaml + OS::TripleO::Services::GnocchiStatsd: ../docker/services/gnocchi-statsd.yaml + OS::TripleO::Services::HeatApi: ../docker/services/heat-api.yaml + OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml + OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml + OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml OS::TripleO::PostDeploySteps: ../docker/post.yaml -- cgit 1.2.3-korg