From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Fri, 12 May 2017 08:44:47 +0000 (+0000)
Subject: docker/internal TLS: spawn extra container for neutron server's TLS proxy
X-Git-Tag: opnfv-6.0.0~659^2
X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=commitdiff_plain;h=a37debd3dfc590f4d4b3a10369a26ad36c4add91;p=apex-tripleo-heat-templates.git

docker/internal TLS: spawn extra container for neutron server's TLS proxy

This spawns an extra container that runs httpd to run the TLS proxy that
will go in front of neutron server.

bp tls-via-certmonger-containers

Change-Id: I2529d78e889835f48c51e12d28ecd7c48739b02b
---

diff --git a/docker/services/neutron-api.yaml b/docker/services/neutron-api.yaml
index 9d266b0b..748371d5 100644
--- a/docker/services/neutron-api.yaml
+++ b/docker/services/neutron-api.yaml
@@ -39,6 +39,13 @@ parameters:
     default: {}
     description: Parameters specific to the role
     type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
@@ -81,6 +88,8 @@ outputs:
             - path: /var/log/neutron
               owner: neutron:neutron
               recurse: true
+        /var/lib/kolla/config_files/neutron_server_tls_proxy.json:
+          command: /usr/sbin/httpd -DFOREGROUND
       docker_config:
         # db sync runs before permissions set by kolla_config
         step_3:
@@ -113,20 +122,39 @@ outputs:
                   - /var/log/containers/neutron:/var/log/neutron
             command: ['neutron-db-manage', 'upgrade', 'heads']
         step_4:
-          neutron_api:
-            image: *neutron_api_image
-            net: host
-            privileged: false
-            restart: always
-            volumes:
-              list_concat:
-                - {get_attr: [ContainersCommon, volumes]}
-                -
-                  - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
-                  - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro
-                  - /var/log/containers/neutron:/var/log/neutron
-            environment:
-              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+          map_merge:
+            - neutron_api:
+                image: *neutron_api_image
+                net: host
+                privileged: false
+                restart: always
+                volumes:
+                  list_concat:
+                    - {get_attr: [ContainersCommon, volumes]}
+                    -
+                      - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
+                      - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro
+                      - /var/log/containers/neutron:/var/log/neutron
+                environment:
+                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+            - if:
+                - internal_tls_enabled
+                - neutron_server_tls_proxy:
+                    image: *neutron_api_image
+                    net: host
+                    user: root
+                    restart: always
+                    volumes:
+                      list_concat:
+                        - {get_attr: [ContainersCommon, volumes]}
+                        -
+                          - /var/lib/kolla/config_files/neutron_server_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+                          - /var/lib/config-data/neutron/etc/httpd/:/etc/httpd/:ro
+                          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                    environment:
+                      - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+                - {}
       host_prep_tasks:
         - name: create persistent logs directory
           file:
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
index 33afbc66..e37f2515 100644
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@@ -12,6 +12,7 @@ resource_registry:
   OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml
   OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml
   OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml
+  OS::TripleO::Services::ComputeNeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
   OS::TripleO::Services::GlanceApi: ../docker/services/glance-api.yaml
   OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml
   OS::TripleO::Services::GnocchiMetricd: ../docker/services/gnocchi-metricd.yaml
@@ -20,6 +21,12 @@ resource_registry:
   OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml
   OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
   OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+  OS::TripleO::Services::NeutronApi: ../docker/services/neutron-api.yaml
+  OS::TripleO::Services::NeutronCorePlugin: ../docker/services/neutron-plugin-ml2.yaml
+  OS::TripleO::Services::NeutronDhcpAgent: ../docker/services/neutron-dhcp.yaml
+  OS::TripleO::Services::NeutronL3Agent: ../docker/services/neutron-l3.yaml
+  OS::TripleO::Services::NeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
+  OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml
   OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
   OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
   OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml