From 71efc9fcecf7b9b6939a3f8a9a8a1ab0c6d702e8 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Fri, 12 May 2017 09:17:04 +0300 Subject: [PATCH] docker/internal TLS: spawn extra container for glance API's TLS proxy This spawns an extra container that runs httpd to run the TLS proxy that will go in front of glance-api. bp tls-via-certmonger-containers Change-Id: If902ac732479832b9aa3e4a8d063b5be68a42a9b --- docker/services/glance-api.yaml | 47 +++++++++++++++---- .../docker-services-tls-everywhere.yaml | 3 +- 2 files changed, 40 insertions(+), 10 deletions(-) diff --git a/docker/services/glance-api.yaml b/docker/services/glance-api.yaml index 9fa9008271..514d2f8d4e 100644 --- a/docker/services/glance-api.yaml +++ b/docker/services/glance-api.yaml @@ -26,6 +26,13 @@ parameters: DefaultPasswords: default: {} type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -63,6 +70,8 @@ outputs: kolla_config: /var/lib/kolla/config_files/glance-api.json: command: /usr/bin/glance-api --config-file /usr/share/glance/glance-api-dist.conf --config-file /etc/glance/glance-api.conf + /var/lib/kolla/config_files/glance_api_tls_proxy.json: + command: /usr/sbin/httpd -DFOREGROUND docker_config: # Kolla_bootstrap/db_sync runs before permissions set by kolla_config step_3: @@ -91,15 +100,35 @@ outputs: - KOLLA_BOOTSTRAP=True - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS step_4: - glance_api: - start_order: 2 - image: *glance_image - net: host - privileged: false - restart: always - volumes: *glance_volumes - environment: - - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + map_merge: + - glance_api: + start_order: 2 + image: *glance_image + net: host + privileged: false + restart: always + volumes: *glance_volumes + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - if: + - internal_tls_enabled + - glance_api_tls_proxy: + start_order: 2 + image: *glance_image + net: host + user: root + restart: always + volumes: + list_concat: + - {get_attr: [ContainersCommon, volumes]} + - + - /var/lib/kolla/config_files/glance_api_tls_proxy.json:/var/lib/kolla/config_files/config.json:ro + - /var/lib/config-data/glance_api/etc/httpd/:/etc/httpd/:ro + - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro + - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro + environment: + - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + - {} host_prep_tasks: - name: create persistent logs directory file: diff --git a/environments/docker-services-tls-everywhere.yaml b/environments/docker-services-tls-everywhere.yaml index 9bdbe2bdf1..33afbc666b 100644 --- a/environments/docker-services-tls-everywhere.yaml +++ b/environments/docker-services-tls-everywhere.yaml @@ -12,6 +12,7 @@ resource_registry: OS::TripleO::Services::AodhEvaluator: ../docker/services/aodh-evaluator.yaml OS::TripleO::Services::AodhListener: ../docker/services/aodh-listener.yaml OS::TripleO::Services::AodhNotifier: ../docker/services/aodh-notifier.yaml + OS::TripleO::Services::GlanceApi: ../docker/services/glance-api.yaml OS::TripleO::Services::GnocchiApi: ../docker/services/gnocchi-api.yaml OS::TripleO::Services::GnocchiMetricd: ../docker/services/gnocchi-metricd.yaml OS::TripleO::Services::GnocchiStatsd: ../docker/services/gnocchi-statsd.yaml @@ -21,8 +22,8 @@ resource_registry: OS::TripleO::Services::Keystone: ../docker/services/keystone.yaml OS::TripleO::Services::PankoApi: ../docker/services/panko-api.yaml OS::TripleO::Services::SwiftProxy: ../docker/services/swift-proxy.yaml - OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml OS::TripleO::Services::SwiftRingBuilder: ../docker/services/swift-ringbuilder.yaml + OS::TripleO::Services::SwiftStorage: ../docker/services/swift-storage.yaml OS::TripleO::PostDeploySteps: ../docker/post.yaml OS::TripleO::PostUpgradeSteps: ../docker/post-upgrade.yaml