Enable TLS for nova-metadata

This also tells the neutron metadata agent to use TLS for contacting
nova-metadata.

bp tls-via-certmonger
Depends-On: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
Depends-On: I9df395dc699090bd73265d10395e155e9b8adb26

Change-Id: I9a8c54f6e052852b8f9d06a42da87773f4da3a15

1 files changed, 16 insertions, 0 deletions

diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml
index 81f12f01..30f34777 100644
--- a/puppet/services/neutron-metadata.yaml
+++ b/puppet/services/neutron-metadata.yaml
@@ -57,10 +57,15 @@ parameters:
     default:
       tag: openstack.neutron.agent.metadata
       path: /var/log/neutron/metadata-agent.log
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 conditions:
   neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
 
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 resources:
 
   NeutronBase:
@@ -90,6 +95,17 @@ outputs:
             neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             neutron::agents::metadata::auth_tenant: 'service'
             neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}"
+            neutron::agents::metadata::metadata_host:
+              str_replace:
+                template:
+                  "%{hiera('cloud_name_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+            neutron::agents::metadata::metadata_protocol:
+              if:
+              - internal_tls_enabled
+              - 'https'
+              - 'http'
           -
             if:
             - neutron_workers_unset