X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=docker%2Fservices%2Fcontainers-common.yaml;h=9f982f8bce2859117f3bfcb04a88f8ee0c5453f6;hb=5ee398bd0145fbc3e7584c3a9fd8b6c6cf5f61ad;hp=a9912a1fb38e50371c3c9cb1781df8733691f594;hpb=af1aed82693565da6a651c0b75a9f0d3d87a57b5;p=apex-tripleo-heat-templates.git

diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml
index a9912a1f..9f982f8b 100644
--- a/docker/services/containers-common.yaml
+++ b/docker/services/containers-common.yaml
@@ -3,18 +3,73 @@ heat_template_version: pike
 description: >
   Contains a static list of common things necessary for containers
 
+parameters:
+
+  # Required parameters
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  ServiceData:
+    default: {}
+    description: Dictionary packing service data
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+
+
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
   volumes:
     description: Common volumes for the containers.
     value:
-      - /etc/hosts:/etc/hosts:ro
-      - /etc/localtime:/etc/localtime:ro
-      # required for bootstrap_host_exec
-      - /etc/puppet:/etc/puppet:ro
-      # OpenSSL trusted CAs
-      - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
-      - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
-      - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
-      - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
-      # Syslog socket
-      - /dev/log:/dev/log
+      list_concat:
+        - - /etc/hosts:/etc/hosts:ro
+          - /etc/localtime:/etc/localtime:ro
+          # required for bootstrap_host_exec
+          - /etc/puppet:/etc/puppet:ro
+          # OpenSSL trusted CAs
+          - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
+          - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
+          - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
+          - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
+          # Syslog socket
+          - /dev/log:/dev/log
+          - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+          - /sys/fs/selinux:/sys/fs/selinux
+        - if:
+          - internal_tls_enabled
+          - - list_join:
+              - ':'
+              - - {get_param: InternalTLSCAFile}
+                - {get_param: InternalTLSCAFile}
+                - 'ro'
+          - null