Bind mount internal CA file to all containers

author Juan Antonio Osorio Robles <jaosorior@redhat.com>

Tue, 13 Jun 2017 09:42:54 +0000 (12:42 +0300)

committer Juan Antonio Osorio Robles <jaosorior@redhat.com>

Tue, 13 Jun 2017 13:28:03 +0000 (16:28 +0300)
author Juan Antonio Osorio Robles <jaosorior@redhat.com>
Tue, 13 Jun 2017 09:42:54 +0000 (12:42 +0300)
committer Juan Antonio Osorio Robles <jaosorior@redhat.com>
Tue, 13 Jun 2017 13:28:03 +0000 (16:28 +0300)
diff --git a/docker/services/containers-common.yaml b/docker/services/containers-common.yaml

index 973d999..d104853 100644 (file)
--- a/docker/services/containers-common.yaml
+++ b/docker/services/containers-common.yaml
@@ -3,19 +3,64 @@ heat_template_version: pike
  description: >
    Contains a static list of common things necessary for containers
  
+parameters:
+
+  # Required parameters
+  EndpointMap:
+    default: {}
+    description: Mapping of service endpoint -> protocol. Typically set
+                 via parameter_defaults in the resource registry.
+    type: json
+  ServiceNetMap:
+    default: {}
+    description: Mapping of service_name -> network name. Typically set
+                 via parameter_defaults in the resource registry.  This
+                 mapping overrides those in ServiceNetMapDefaults.
+    type: json
+  DefaultPasswords:
+    default: {}
+    type: json
+  RoleName:
+    default: ''
+    description: Role name on which the service is applied
+    type: string
+  RoleParameters:
+    default: {}
+    description: Parameters specific to the role
+    type: json
+
+
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  InternalTLSCAFile:
+    default: '/etc/ipa/ca.crt'
+    type: string
+    description: Specifies the default CA cert to use if TLS is used for
+                 services in the internal network.
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
  outputs:
    volumes:
      description: Common volumes for the containers.
      value:
-      - /etc/hosts:/etc/hosts:ro
-      - /etc/localtime:/etc/localtime:ro
-      # required for bootstrap_host_exec
-      - /etc/puppet:/etc/puppet:ro
-      # OpenSSL trusted CAs
-      - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
-      - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
-      - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
-      - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
-      # Syslog socket
-      - /dev/log:/dev/log
-      - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+      list_concat:
+        - - /etc/hosts:/etc/hosts:ro
+          - /etc/localtime:/etc/localtime:ro
+          # required for bootstrap_host_exec
+          - /etc/puppet:/etc/puppet:ro
+          # OpenSSL trusted CAs
+          - /etc/pki/ca-trust/extracted:/etc/pki/ca-trust/extracted:ro
+          - /etc/pki/tls/certs/ca-bundle.crt:/etc/pki/tls/certs/ca-bundle.crt:ro
+          - /etc/pki/tls/certs/ca-bundle.trust.crt:/etc/pki/tls/certs/ca-bundle.trust.crt:ro
+          - /etc/pki/tls/cert.pem:/etc/pki/tls/cert.pem:ro
+          # Syslog socket
+          - /dev/log:/dev/log
+          - /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+        - if:
+          - internal_tls_enabled
+          - - {get_param: InternalTLSCAFile}
+          - null
author	Juan Antonio Osorio Robles <jaosorior@redhat.com>
	Tue, 13 Jun 2017 09:42:54 +0000 (12:42 +0300)
committer	Juan Antonio Osorio Robles <jaosorior@redhat.com>
	Tue, 13 Jun 2017 13:28:03 +0000 (16:28 +0300)