Bind mount directories that contain the key/certs for keystone
authorJuan Antonio Osorio Robles <jaosorior@redhat.com>
Fri, 24 Mar 2017 10:52:40 +0000 (12:52 +0200)
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>
Wed, 12 Apr 2017 09:45:17 +0000 (09:45 +0000)
This is only done when TLS-everywhere is enabled, and depends on those
directories being used exclusively by services that run over httpd,
which is what the commit this change is built on top of ensures.

Also, an environment file was added that's similar to
environments/docker.yaml. The difference is that this one will contain
the services that can run containerized with TLS-everywhere. This file
will be updated as more services get support for this.

bp tls-via-certmonger-containers

Change-Id: I87bf59f2c33de6cf2d4ce0679a5e0e22bc24bf78

docker/services/keystone.yaml
environments/docker-services-tls-everywhere.yaml [new file with mode: 0644]

index 90ddeb9..526a357 100644 (file)
@@ -36,6 +36,9 @@ parameters:
     default: 'fernet'
     constraints:
       - allowed_values: ['uuid', 'fernet']
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 resources:
 
@@ -46,6 +49,10 @@ resources:
       ServiceNetMap: {get_param: ServiceNetMap}
       DefaultPasswords: {get_param: DefaultPasswords}
 
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 outputs:
   role_data:
     description: Role data for the Keystone API role.
@@ -96,6 +103,16 @@ outputs:
               - /etc/hosts:/etc/hosts:ro
               - /etc/localtime:/etc/localtime:ro
               - logs:/var/log
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                  - ''
+              -
+                if:
+                  - internal_tls_enabled
+                  - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                  - ''
             environment:
               - KOLLA_BOOTSTRAP=True
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
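Review bot: Both conditional mounts expose the whole `/etc/pki/tls/certs/httpd` and `/etc/pki/tls/private/httpd` directories rather than the single cert and key keystone uses, so any other httpd-based service that keeps its private key in that directory on the same host has it readable inside the keystone container; if those keys are per-service rather than shared per network (not visible here), mounting only keystone's files would be the least-privilege choice, and either way the trust assumption deserves a comment. The `:ro` on both mounts is correct and should stay. The `''` fallback when `internal_tls_enabled` is false relies on whatever consumes the `volumes` list skipping empty entries; confirm the container launch hook does so and record it, e.g. `# '' is emitted when TLS is disabled; the launcher must drop empty volume entries`. Which user the key must be readable by inside the container is not shown in this hunk, so check that the host-side key permissions do not need loosening for the containerized httpd to read it.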
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
new file mode 100644 (file)
index 0000000..ec39951
--- /dev/null
@@ -0,0 +1,28 @@
+# This environment contains the services that can work with TLS-everywhere.
+resource_registry:
+  # This can be used when you don't want to run puppet on the host,
+  # e.g atomic, but it has been replaced with OS::TripleO::Services::Docker
+  # OS::TripleO::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+  OS::TripleO::Services::Docker: ../puppet/services/docker.yaml
+  # The compute node still needs extra initialization steps
+  OS::TripleO::Compute::NodeUserData: ../docker/firstboot/setup_docker_host.yaml
+
+  # NOTE: add roles to be docker enabled as we support them.
+  OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+
+  OS::TripleO::PostDeploySteps: ../docker/post.yaml
+  OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml
+
+  OS::TripleO::Services: ../docker/services/services.yaml
+
+parameter_defaults:
+  # Defaults to 'tripleoupstream'.  Specify a local docker registry
+  # Example: 192.168.24.1:8787/tripleoupstream
+  DockerNamespace: tripleoupstream
+  DockerNamespaceIsRegistry: false
+
+  ComputeServices:
+    - OS::TripleO::Services::NovaCompute
+    - OS::TripleO::Services::NovaLibvirt
+    - OS::TripleO::Services::ComputeNeutronOvsAgent
+    - OS::TripleO::Services::Docker
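Review bot: Nothing in this environment sets `EnableInternalTLS`, and the keystone template's cert/key bind mounts are gated on a parameter that defaults to false, so deploying with this file alone yields a containerized keystone with no TLS mounts despite the file's name. Add a note under the header comment, e.g. `# NOTE: EnableInternalTLS is not set here; include the enable-internal-tls environment (or set EnableInternalTLS: true) together with this file.`, or set it in `parameter_defaults` if the file is meant to be self-sufficient. The registry defaults, the commented-out NodeUserData line and the ComputeServices list appear to be copied from environments/docker.yaml per the commit message, so the two files will drift; a comment naming docker.yaml as the source would help keep them in step.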