Fix setting volumes for internal tls

Move the configuration of the internal tls volumes into the common
tripleo_container_standalone role. The logic for adding the volumes when
internal TLS is used is now in a single location.

Updates the tripleo_keystone role to make use of the new variables from
tripleo_container_standalone.

Related-Bug: #1973863
Change-Id: I84c8c15e9e5adbc3798edf0e4ca7717527d0de47
Signed-off-by: James Slagle <jslagle@redhat.com>

tripleo_ansible/roles/tripleo_container_standalone/defaults/main.yml

@@ -29,9 +29,9 @@ tripleo_container_standalone_kolla_config_dir: /var/lib/kolla/config_files
 # Directory for container startup configs
 tripleo_container_standalone_container_startup_config_dir: /var/lib/tripleo-config/container-startup-config
 # Hash with keys of container name and value of YAML kolla config file.
-tripleo_container_standalone_kolla_config_files : {}
+tripleo_container_standalone_kolla_config_files: {}
 # Hash with keys of container name and value of YAML container definition
-tripleo_container_standalone_container_defs : {}
+tripleo_container_standalone_container_defs: {}
 
 # List of common volumes that can be included in the template of a container
 # definition to include the most common volumes.
@@ -48,3 +48,22 @@ tripleo_container_standalone_common_volumes:
   - /dev/log:/dev/log
   # required for bootstrap_host_exec
   - /etc/puppet:/etc/puppet:ro
+
+# List of volumes included when internal tls is enabled
+tripleo_container_standalone_internal_tls_volumes:
+  - /etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro
+  - /etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro
+
+# Internal TLS vars. These vars are not prefixed with the role name as they are
+# intended to be set from other services/roles.
+tripleo_enable_internal_tls: false
+tripleo_internal_tls_ca_file: /etc/ipa/ca.crt
+
+tripleo_container_standalone_volumes: "{{
+    tripleo_enable_internal_tls |
+      ternary(
+        tripleo_container_standalone_common_volumes +
+          tripleo_container_standalone_internal_tls_volumes +
+          [tripleo_internal_tls_ca_file ~ ':' ~ tripleo_internal_tls_ca_file ~ ':ro'],
+        tripleo_container_standalone_common_volumes)
+  }}"

tripleo_ansible/roles/tripleo_keystone/defaults/main.yml

@@ -25,15 +25,9 @@ tripleo_keystone_hide_sensitive_logs: true
 tripleo_keystone_image: ""
 
 tripleo_keystone_volumes:
-    - /etc/openldap:/etc/openldap:ro
-    - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
-    - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
-
-tripleo_keystone_enable_internal_tls: false
-tripleo_keystone_internal_tls_ca_file: /etc/ipa/ca.crt
-tripleo_keystone_internal_tls_volumes: "{{ ternary(tripleo_keystone_enable_internal_tls,
-                                                   ['/etc/pki/tls/certs/httpd:/etc/pki/tls/certs/httpd:ro'],
-                                                   ['/etc/pki/tls/private/httpd:/etc/pki/tls/private/httpd:ro']) }}"
+  - /etc/openldap:/etc/openldap:ro
+  - /var/lib/kolla/config_files/keystone.json:/var/lib/kolla/config_files/config.json:ro
+  - /var/lib/config-data/puppet-generated/keystone:/var/lib/kolla/config_files/src:ro
 
 tripleo_keystone_logging_volumes:
   - /var/log/containers/keystone:/var/log/keystone:z

tripleo_ansible/roles/tripleo_keystone/templates/keystone.yaml.j2

@@ -6,16 +6,6 @@ restart: always
 healthcheck:
   test: /openstack/healthcheck
 volumes:
-  {% set keystone_volumes = [] %}
-  {%- set keystone_volumes =
-        keystone_volumes +
-        tripleo_keystone_volumes +
-        tripleo_keystone_logging_volumes +
-        tripleo_keystone_internal_tls_volumes -%}
-  {%- if tripleo_keystone_enable_internal_tls -%}
-  {%-   set keystone_volumes =
-          keystone_volumes + tripleo_keystone_internal_tls_ca_file -%}
-  {%- endif -%}
-  {{ tripleo_container_standalone_common_volumes | default([]) + keystone_volumes }}
+  {{ tripleo_container_standalone_volumes | default([]) + tripleo_keystone_volumes + tripleo_keystone_logging_volumes }}
 environment:
   KOLLA_CONFIG_STRATEGY: COPY_ALWAYS

tripleo_ansible/roles/tripleo_keystone/templates/keystone_cron.yaml.j2

@@ -8,17 +8,6 @@ healthcheck:
   test: '/usr/share/openstack-tripleo-common/healthcheck/cron keystone'
 command: ['/bin/bash', '-c', '/usr/local/bin/kolla_set_configs && /usr/sbin/crond -n']
 volumes:
-  {% set keystone_volumes = [] %}
-  {%- set keystone_volumes =
-        keystone_volumes +
-        tripleo_keystone_common_volumes +
-        tripleo_keystone_volumes +
-        tripleo_keystone_logging_volumes +
-        tripleo_keystone_internal_tls_volumes -%}
-  {%- if tripleo_keystone_enable_internal_tls -%}
-  {%-   set keystone_volumes =
-          keystone_volumes + tripleo_keystone_internal_tls_ca_file -%}
-  {%- endif -%}
-  {{ keystone_volumes }}
+  {{ tripleo_container_standalone_volumes | default([]) + tripleo_keystone_volumes + tripleo_keystone_logging_volumes }}
 environment:
   KOLLA_CONFIG_STRATEGY: COPY_ALWAYS

tripleo_ansible/roles/tripleo_keystone/templates/keystone_db_sync.yaml.j2

@@ -4,17 +4,6 @@ user: root
 privileged: false
 detach: false
 volumes:
-  {% set keystone_volumes = [] %}
-  {%- set keystone_volumes =
-        keystone_volumes +
-        tripleo_keystone_common_volumes +
-        tripleo_keystone_volumes +
-        tripleo_keystone_logging_volumes +
-        tripleo_keystone_internal_tls_volumes -%}
-  {%- if tripleo_keystone_enable_internal_tls -%}
-  {%-   set keystone_volumes =
-          keystone_volumes + tripleo_keystone_internal_tls_ca_file -%}
-  {%- endif -%}
-  {{ keystone_volumes }}
+  {{ tripleo_container_standalone_volumes | default([]) + tripleo_keystone_volumes + tripleo_keystone_logging_volumes }}
 environment: {{ tripleo_keystone_db_sync_environment | combine(tripleo_keystone_logging_environment | default({}, true)) }}
 command: ['/usr/bin/bootstrap_host_exec', 'keystone', '/usr/local/bin/kolla_start']