From 33bc901670a952b626d303c91466a593d1310167 Mon Sep 17 00:00:00 2001 From: Juan Antonio Osorio Robles Date: Thu, 17 Aug 2017 17:30:57 +0000 Subject: Enable TLS for nova-metadata This also tells the neutron metadata agent to use TLS for contacting nova-metadata. bp tls-via-certmonger Depends-On: I97ac2da29be468c75713fe2fae7e6d84cae8f67c Depends-On: I9df395dc699090bd73265d10395e155e9b8adb26 Change-Id: I9a8c54f6e052852b8f9d06a42da87773f4da3a15 --- puppet/services/neutron-metadata.yaml | 16 +++++++++++++++ puppet/services/nova-metadata.yaml | 37 ++++++++++++++++++++++++++++++++++- 2 files changed, 52 insertions(+), 1 deletion(-) diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index 81f12f01..30f34777 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml @@ -57,10 +57,15 @@ parameters: default: tag: openstack.neutron.agent.metadata path: /var/log/neutron/metadata-agent.log + EnableInternalTLS: + type: boolean + default: false conditions: neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']} + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} + resources: NeutronBase: @@ -90,6 +95,17 @@ outputs: neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}" + neutron::agents::metadata::metadata_host: + str_replace: + template: + "%{hiera('cloud_name_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + neutron::agents::metadata::metadata_protocol: + if: + - internal_tls_enabled + - 'https' + - 'http' - if: - neutron_workers_unset diff --git a/puppet/services/nova-metadata.yaml b/puppet/services/nova-metadata.yaml index ca9eed09..3ac5f300 100644 --- a/puppet/services/nova-metadata.yaml +++ b/puppet/services/nova-metadata.yaml @@ -34,10 +34,26 @@ parameters: default: 0 description: Number of workers for Nova services. type: number + EnableInternalTLS: + type: boolean + default: false conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + +resources: + + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceData: {get_param: ServiceData} + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + outputs: role_data: description: Role data for the Nova Metadata service. @@ -45,10 +61,29 @@ outputs: service_name: nova_metadata config_settings: map_merge: - - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + - get_attr: [TLSProxyBase, role_data, config_settings] + - nova::api::metadata_listen: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, NovaMetadataNetwork]} - if: - nova_workers_zero - {} - nova::api::metadata_workers: {get_param: NovaWorkers} + - + if: + - use_tls_proxy + - tripleo::profile::base::nova::api::metadata_tls_proxy_bind_ip: + get_param: [ServiceNetMap, NovaMetadataNetwork] + tripleo::profile::base::nova::api::metadata_tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]} + - {} step_config: "" + metadata_settings: + get_attr: [TLSProxyBase, role_data, metadata_settings] -- cgit 1.2.3-korg