Copy-in libvirt certs via kolla extended/start

Instead of bind-mounting directly into the libvirt container, follow the established approach for ditributing certificates in containers. Change-Id: Icdec38004df28988aa3a62019cb092c59d915f0e Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
2018-04-30 12:59:37 +02:00 · 2018-04-30 12:59:37 +02:00 · be5fd4eaeb
parent a3a1ed5933
commit be5fd4eaeb
1 changed files with 11 additions and 6 deletions
--- a/docker/services/nova-libvirt.yaml
+++ b/docker/services/nova-libvirt.yaml
@ -235,6 +235,11 @@ outputs:
                  dest: "/"
                  merge: true
                  preserve_properties: true
+                - source: "/var/lib/kolla/config_files/src-tls/*"
+                  dest: "/"
+                  merge: true
+                  preserve_properties: true
+                  optional: true
                - source: "/var/lib/kolla/config_files/src-ceph/"
                  dest: "/etc/ceph/"
                  merge: true
@ -329,24 +334,24 @@ outputs:
                    - use_tls_for_live_migration
                    -
                      - str_replace:
-                          template: "CACERT:/etc/pki/CA/cacert.pem:ro"
+                          template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/CA/cacert.pem:ro"
                          params:
                            CACERT:
                              if:
                                - libvirt_specific_ca_unset
                                - get_param: InternalTLSCAFile
                                - get_param: LibvirtCACert
-                      - /etc/pki/libvirt/servercert.pem:/etc/pki/libvirt/servercert.pem:ro
-                      - /etc/pki/libvirt/private/serverkey.pem:/etc/pki/libvirt/private/serverkey.pem:ro
-                      - /etc/pki/libvirt/clientcert.pem:/etc/pki/libvirt/clientcert.pem:ro
-                      - /etc/pki/libvirt/private/clientkey.pem:/etc/pki/libvirt/private/clientkey.pem:ro
+                      - /etc/pki/libvirt/servercert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/servercert.pem:ro
+                      - /etc/pki/libvirt/private/serverkey.pem:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/private/serverkey.pem:ro
+                      - /etc/pki/libvirt/clientcert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/clientcert.pem:ro
+                      - /etc/pki/libvirt/private/clientkey.pem:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt/private/clientkey.pem:ro
                    - null
                -
                  if:
                    - use_tls_for_vnc
                    -
                      - str_replace:
-                          template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
+                          template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/libvirt-vnc/ca-cert.pem:ro"
                          params:
                            CACERT:
                              if: