Merge "mysql: Only set certificate specs if TLS everywhere is enabled" into stable...
[apex-tripleo-heat-templates.git] / docker / services / containers-common.yaml
index a9912a1..9f982f8 100644 (file)
@@ -3,18 +3,73 @@ heat_template_version: pike
 description: >
   Contains a static list of common things necessary for containers
 
+parameters:
+
+  # Required parameters
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+
+
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
   volumes:
     description: Common volumes for the containers.
     value:
-      - /etc/hosts:/etc/hosts:ro
-      - /etc/localtime:/etc/localtime:ro
-      # required for bootstrap_host_exec
-      - /etc/puppet:/etc/puppet:ro
-      # OpenSSL trusted CAs
-      - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
-      - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
-      - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
-      - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
-      # Syslog socket
-      - /dev/log:/dev/log
+      list_concat:
+        - - /etc/hosts:/etc/hosts:ro
+          - /etc/localtime:/etc/localtime:ro
+          # required for bootstrap_host_exec
+          - /etc/puppet:/etc/puppet:ro
+          # OpenSSL trusted CAs
+          - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
+          - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
+          - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
+          - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
+          # Syslog socket
+          - /dev/log:/dev/log
+          - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+          - /sys/fs/selinux:/sys/fs/selinux
+        - if:
+          - internal_tls_enabled
+          - - list_join:
+              - ':'
+              - - {get_param: InternalTLSCAFile}
+                - {get_param: InternalTLSCAFile}
+                - 'ro'
+          - null