authorJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-08-17 17:30:57 +0000
committerJuan Antonio Osorio Robles <jaosorior@redhat.com>2017-08-17 18:14:58 +0000
commit33bc901670a952b626d303c91466a593d1310167 (patch)
treed709d648bf793ff340f2db631e3ea2ad20188c58 /puppet
parent4af5f02c808df8fad76d4d0d7b2183619c4628d2 (diff)
Enable TLS for nova-metadata
This also tells the neutron metadata agent to use TLS for contacting nova-metadata. bp tls-via-certmonger Depends-On: I97ac2da29be468c75713fe2fae7e6d84cae8f67c Depends-On: I9df395dc699090bd73265d10395e155e9b8adb26 Change-Id: I9a8c54f6e052852b8f9d06a42da87773f4da3a15
Diffstat (limited to 'puppet')
-rw-r--r--puppet/services/neutron-metadata.yaml16
-rw-r--r--puppet/services/nova-metadata.yaml37
2 files changed, 52 insertions, 1 deletions
diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml
index 81f12f01..30f34777 100644
--- a/puppet/services/neutron-metadata.yaml
+++ b/puppet/services/neutron-metadata.yaml
@@ -57,10 +57,15 @@ parameters:
default:
tag: openstack.neutron.agent.metadata
path: /var/log/neutron/metadata-agent.log
+ EnableInternalTLS:
+ type: boolean
+ default: false
conditions:
neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
resources:
NeutronBase:
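Review bot: The new `EnableInternalTLS` parameter is added without a `description`, so it shows up as an undocumented boolean in the generated parameter list while the `NovaWorkers` parameter in the sibling nova-metadata.yaml template does carry one. Since its only effect in this file is selecting the scheme the metadata agent uses (see the `metadata_protocol` setting added further down), a one-line description is enough: `description: Use TLS (https) when the neutron metadata agent contacts nova-metadata.` placed under `default: false`. The `parameters` and `conditions` mappings this hunk edits begin above the hunk.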
@@ -90,6 +95,17 @@ outputs:
neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::agents::metadata::auth_tenant: 'service'
neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}"
+ neutron::agents::metadata::metadata_host:
+ str_replace:
+ template:
+ "%{hiera('cloud_name_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+ neutron::agents::metadata::metadata_protocol:
+ if:
+ - internal_tls_enabled
+ - 'https'
+ - 'http'
-
if:
- neutron_workers_unset
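Review bot: Switching `metadata_protocol` to `https` makes the agent validate the nova-metadata server certificate, but nothing in this hunk supplies a CA bundle or an insecure flag for that connection, so the outcome depends on the agent host's system trust store already containing the internal CA; that is presumably delivered by the certmonger work this commit depends on, but it should be confirmed rather than assumed. A second point is that `metadata_ip` (the VIP) is left in place on the line above while the new `metadata_host` supplies a FQDN for the same target; if the puppet module writes both values, which one the agent honours decides whether certificate name validation can succeed, so either drop the IP setting or document the relationship, e.g. `# metadata_host (FQDN) is the name that must match the server certificate under https; metadata_ip is retained for agents that still read nova_metadata_ip`. The `config_settings` map_merge this hunk edits continues past the hunk.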
diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml
index ca9eed09..3ac5f300 100644
--- a/puppet/services/nova-metadata.yaml
+++ b/puppet/services/nova-metadata.yaml
@@ -34,10 +34,26 @@ parameters:
default: 0
description: Number of workers for Nova services.
type: number
+ EnableInternalTLS:
+ type: boolean
+ default: false
conditions:
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
+ use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+
+resources:
+
+ TLSProxyBase:
+ type: OS::TripleO::Services::TLSProxyBase
+ properties:
+ ServiceData: {get_param: ServiceData}
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+ EnableInternalTLS: {get_param: EnableInternalTLS}
+
outputs:
role_data:
description: Role data for the Nova Metadata service.
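Review bot: `EnableInternalTLS` is added here without a `description`, unlike the `NovaWorkers` parameter immediately above it, and because the same parameter is introduced in neutron-metadata.yaml under a differently named condition (`internal_tls_enabled` there, `use_tls_proxy` here) a reader has no text explaining that the two are meant to be set together. A description grounded in what the template does further down would be `description: Terminate TLS for nova-metadata in a local proxy on the NovaMetadataNetwork; the API itself then listens only on localhost.` Keeping the `equals :` spacing of the existing `nova_workers_zero` condition is fine for consistency within this file, but the neutron template uses `equals:`; either form parses, so this is only a style remark. The `parameters` mapping this hunk edits begins above the hunk.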
@@ -45,10 +61,29 @@ outputs:
service_name: nova_metadata
config_settings:
map_merge:
- - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+ - get_attr: [TLSProxyBase, role_data, config_settings]
+ - nova::api::metadata_listen:
+ if:
+ - use_tls_proxy
+ - 'localhost'
+ - {get_param: [ServiceNetMap, NovaMetadataNetwork]}
-
if:
- nova_workers_zero
- {}
- nova::api::metadata_workers: {get_param: NovaWorkers}
+ -
+ if:
+ - use_tls_proxy
+ - tripleo::profile::base::nova::api::metadata_tls_proxy_bind_ip:
+ get_param: [ServiceNetMap, NovaMetadataNetwork]
+ tripleo::profile::base::nova::api::metadata_tls_proxy_fqdn:
+ str_replace:
+ template:
+ "%{hiera('fqdn_$NETWORK')}"
+ params:
+ $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+ - {}
step_config: ""
+ metadata_settings:
+ get_attr: [TLSProxyBase, role_data, metadata_settings]
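Review bot: When `use_tls_proxy` is set the nova-metadata API keeps serving plain HTTP on `localhost` (its listen port is not touched here) while the proxy is bound to the network IP with the node's own `fqdn_$NETWORK`, yet the neutron agent in the other template connects to `cloud_name_$NETWORK`; unless another hop (presumably HAProxy on the VIP) presents a certificate for the cloud name, the agent's https validation will not match the per-node certificate requested here, so that chain is worth confirming. Two smaller points: `'localhost'` can resolve to `::1` as well as `127.0.0.1` on dual-stack nodes, so the proxy's backend address should use the same literal to avoid a connect to the wrong family, and the plaintext hop is reachable by any local process on the node, which deserves an explicit comment such as `# backend stays plain HTTP on the loopback only; the TLS proxy configured below terminates TLS on the service network`. The `role_data` output this hunk edits begins above the hunk.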