From a37debd3dfc590f4d4b3a10369a26ad36c4add91 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Fri, 12 May 2017 08:44:47 +0000
Subject: [PATCH] docker/internal TLS: spawn extra container for neutron
 server's TLS proxy

This spawns an extra container running httpd, which acts as the TLS proxy
in front of neutron server.

bp tls-via-certmonger-containers

Change-Id: I2529d78e889835f48c51e12d28ecd7c48739b02b
---
 docker/services/neutron-api.yaml                 | 56 ++++++++++++++++++------
 environments/docker-services-tls-everywhere.yaml |  7 +++
 2 files changed, 49 insertions(+), 14 deletions(-)

diff --git a/docker/services/neutron-api.yaml b/docker/services/neutron-api.yaml
index 9d266b0b..748371d5 100644
--- a/docker/services/neutron-api.yaml
+++ b/docker/services/neutron-api.yaml
@@ -39,6 +39,13 @@ parameters:
     default: {}
     description: Parameters specific to the role
     type: json
+  EnableInternalTLS:
+    type: boolean
+    default: false
+
+conditions:
+
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 
 resources:
 
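Review bot: The new EnableInternalTLS parameter has no `description`, while the neighbouring parameter above it (ending with `description: Parameters specific to the role`) documents itself; please add one so the operator-facing parameter list explains what flipping it does. Since the condition defined here later gates the creation of the httpd TLS proxy container, something like `description: Enable TLS on the internal network; when true an httpd TLS proxy container is run in front of neutron-server` would be accurate. The `parameters:` mapping this extends starts before the hunk.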
@@ -81,6 +88,8 @@ outputs:
             - path: /var/log/neutron
               owner: neutron:neutron
               recurse: true
+        /var/lib/kolla/config_files/neutron_server_tls_proxy.json:
+          command: /usr/sbin/httpd -DFOREGROUND
       docker_config:
         # db sync runs before permissions set by kolla_config
         step_3:
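Review bot: The new kolla config entry for neutron_server_tls_proxy.json only sets `command` and is emitted unconditionally, so it is written to the host even when EnableInternalTLS is false and the container that consumes it is never started; that is harmless but worth a comment, e.g. `# only consumed when internal_tls_enabled; the proxy container is created conditionally in step_4`. The sibling neutron_api.json entry above carries a `permissions` stanza for its log directory, whereas this entry declares none and the proxy container mounts no log volume, so httpd's log output presumably stays inside the container unless httpd is configured otherwise — please confirm that is intended. The kolla_config mapping this hunk extends begins before the hunk.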
@@ -113,20 +122,39 @@ outputs:
                   - /var/log/containers/neutron:/var/log/neutron
             command: ['neutron-db-manage', 'upgrade', 'heads']
         step_4:
-          neutron_api:
-            image: *neutron_api_image
-            net: host
-            privileged: false
-            restart: always
-            volumes:
-              list_concat:
-                - {get_attr: [ContainersCommon, volumes]}
-                -
-                  - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
-                  - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro
-                  - /var/log/containers/neutron:/var/log/neutron
-            environment:
-              - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+          map_merge:
+            - neutron_api:
+                image: *neutron_api_image
+                net: host
+                privileged: false
+                restart: always
+                volumes:
+                  list_concat:
+                    - {get_attr: [ContainersCommon, volumes]}
+                    -
+                      - /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
+                      - /var/lib/config-data/neutron/etc/neutron/:/etc/neutron/:ro
+                      - /var/log/containers/neutron:/var/log/neutron
+                environment:
+                  - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+            - if:
+                - internal_tls_enabled
+                - neutron_server_tls_proxy:
+                    image: *neutron_api_image
+                    net: host
+                    user: root
+                    restart: always
+                    volumes:
+                      list_concat:
+                        - {get_attr: [ContainersCommon, volumes]}
+                        -
+                          - /var/lib/kolla/config_files/neutron_server_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro
+                          - /var/lib/config-data/neutron/etc/httpd/:/etc/httpd/:ro
+                          - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+                          - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+                    environment:
+                      - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+                - {}
       host_prep_tasks:
         - name: create persistent logs directory
           file:
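Review bot: The neutron_server_tls_proxy container runs with `user: root` and `net: host` but, unlike the neutron_api container in the same map_merge which sets `privileged: false` explicitly, it does not state its privilege level; please add `privileged: false` to the proxy definition so the two sibling containers read consistently and the root user is not misread as an elevated container. The reason for running as root is not given anywhere in the change — presumably to read the key material bind-mounted from /etc/pki/tls/private/httpd and to bind the service port — so a comment such as `user: root  # required to read the httpd private key mounted read-only below; confirm` would help the next maintainer, and the read-only mounts of the certificate and key directories are a good choice that should stay. The step_4 mapping is complete within this hunk, but host_prep_tasks continues past its end.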
diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml
index 33afbc66..e37f2515 100644
--- a/environments/docker-services-tls-everywhere.yaml
+++ b/environments/docker-services-tls-everywhere.yaml
@@ -12,6 +12,7 @@ resource_registry:
   OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml
   OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml
   OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml
+  OS::TripleO::Services::ComputeNeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
   OS::TripleO::Services::GlanceApi: ../docker/services/glance-api.yaml
   OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml
   OS::TripleO::Services::GnocchiMetricd: ../docker/services/gnocchi-metricd.yaml
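Review bot: Registering OS::TripleO::Services::ComputeNeutronOvsAgent in the TLS-everywhere environment is not mentioned in the commit message, which only describes the neutron server TLS proxy, and the same applies to the DHCP, L3, OVS and core-plugin agent entries added in the following hunk. Either the description should state that this environment now also routes those neutron services to their docker templates, or a short comment above the block could record the intent, e.g. `# neutron agents have no TLS proxy; mapped here so the whole neutron set uses the docker templates`. I cannot see from the diff whether those agent templates honour EnableInternalTLS, so please confirm they are safe to enable under this environment.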
@@ -20,6 +21,12 @@ resource_registry:
   OS::TripleO::Services::HeatApiCfn: ../docker/services/heat-api-cfn.yaml
   OS::TripleO::Services::HeatEngine: ../docker/services/heat-engine.yaml
   OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml
+  OS::TripleO::Services::NeutronApi: ../docker/services/neutron-api.yaml
+  OS::TripleO::Services::NeutronCorePlugin: ../docker/services/neutron-plugin-ml2.yaml
+  OS::TripleO::Services::NeutronDhcpAgent: ../docker/services/neutron-dhcp.yaml
+  OS::TripleO::Services::NeutronL3Agent: ../docker/services/neutron-l3.yaml
+  OS::TripleO::Services::NeutronOvsAgent: ../docker/services/neutron-ovs-agent.yaml
+  OS::TripleO::Services::NeutronServer: ../docker/services/neutron-api.yaml
   OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml
   OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml
   OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml
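Review bot: Both OS::TripleO::Services::NeutronApi and OS::TripleO::Services::NeutronServer are mapped to ../docker/services/neutron-api.yaml, so if a role lists both service names the same template (and the proxy container it now spawns) would be instantiated twice. If one of the two names is retained only for backward compatibility, a comment saying so, e.g. `# NeutronServer is the legacy name for NeutronApi; keep both pointing at the same template`, would make the duplication clearly intentional rather than accidental. Please confirm no role definition consumed with this environment includes both.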
-- 
2.16.6