docker/internal TLS: spawn extra container for glance API's TLS proxy
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Fri, 12 May 2017 06:17:04 +0000 (09:17 +0300)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Fri, 12 May 2017 07:23:06 +0000 (07:23 +0000)
This spawns an extra container running httpd as the TLS proxy that will
sit in front of glance-api.

bp tls-via-certmonger-containers

Change-Id: If902ac732479832b9aa3e4a8d063b5be68a42a9b

docker/services/glance-api.yaml
environments/docker-services-tls-everywhere.yaml

index 9fa9008..514d2f8 100644 (file)
@@ -26,6 +26,13 @@ parameters:
   DefaultPasswords:
     default: {}
     type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
@@ -63,6 +70,8 @@ outputs:
       kolla_config:
         /var/lib/kolla/config_files/glance-api.json:
           command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf
+        /var/lib/kolla/config_files/glance_api_tls_proxy.json:
+          command: /usr/sbin/httpd -DFOREGROUND
       docker_config:
         # Kolla_bootstrap/db_sync runs before permissions set by kolla_config
         step_3:
@@ -91,15 +100,35 @@ outputs:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
         step_4:
-          glance_api:
-            start_order: 2
-            image: *glance_image
-            net: host
-            privileged: false
-            restart: always
-            volumes: *glance_volumes
-            environment:
-              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+          map_merge:
+            - glance_api:
+                start_order: 2
+                image: *glance_image
+                net: host
+                privileged: false
+                restart: always
+                volumes: *glance_volumes
+                environment:
+                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+            - if:
+                - internal_tls_enabled
+                - glance_api_tls_proxy:
+                    start_order: 2
+                    image: *glance_image
+                    net: host
+                    user: root
+                    restart: always
+                    volumes:
+                      list_concat:
+                        - {get_attr: [ContainersCommon, volumes]}
+                        -
+                          - /var/lib/kolla/config_files/glance_api_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+                          - /var/lib/config-data/glance_api/etc/httpd/:/etc/httpd/:ro
+                          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                    environment:
+                      - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+                - {}
       host_prep_tasks:
         - name: create persistent logs directory
           file:
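Review bot: The new glance_api_tls_proxy entry under step_4 runs with `user: root` but omits the `privileged: false` that the sibling glance_api entry states explicitly, so a reader cannot tell at a glance whether the elevated user was meant to come with elevated capabilities. Make it explicit and say why root is needed, e.g. `privileged: false` followed by `# httpd runs as root so it can bind the API port and read the key under /etc/pki/tls/private/httpd`. The certificate and key host paths `/etc/pki/tls/certs/httpd` and `/etc/pki/tls/private/httpd` are hard-coded and nothing in this change creates them; presumably certmonger provisions them on the host via the tls-everywhere environment, and a comment naming that dependency would help operators diagnose a proxy that fails to start. In the first hunk the added EnableInternalTLS parameter has no `description:`; consider `description: Enables TLS for the internal glance-api endpoint via an httpd proxy container.` so the flag is self-explaining in rendered parameter listings.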
index 9bdbe2b..33afbc6 100644 (file)
@@ -12,6 +12,7 @@ resource_registry:
   OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml
   OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml
   OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml
+  OS::TripleO::Services::GlanceApi: ../docker/services/glance-api.yaml
   OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml
   OS::TripleO::Services::GnocchiMetricd: ../docker/services/gnocchi-metricd.yaml
   OS::TripleO::Services::GnocchiStatsd: ../docker/services/gnocchi-statsd.yaml
@@ -21,8 +22,8 @@ resource_registry:
   OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
   OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
   OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
-  OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
   OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
+  OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml
 
   OS::TripleO::PostDeploySteps: ../docker/post.yaml
   OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml