Add TLS for nova metadata service

author Juan Antonio Osorio Robles <jaosorior@redhat.com>

Thu, 17 Aug 2017 17:29:32 +0000 (17:29 +0000)

committer Juan Antonio Osorio Robles <jaosorior@redhat.com>

Thu, 17 Aug 2017 17:29:32 +0000 (17:29 +0000)
author Juan Antonio Osorio Robles <jaosorior@redhat.com>
Thu, 17 Aug 2017 17:29:32 +0000 (17:29 +0000)
committer Juan Antonio Osorio Robles <jaosorior@redhat.com>
Thu, 17 Aug 2017 17:29:32 +0000 (17:29 +0000)
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp

index a3d088a..697f9ff 100644 (file)
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -1071,6 +1071,7 @@ class tripleo::haproxy (
          'option'  => [ 'httpchk', ],
        },
        service_network => $nova_metadata_network,
+      member_options  => union($haproxy_member_options, $internal_tls_member_options),
      }
    }
  
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp

index 0dcc754..2ff1add 100644 (file)
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -46,18 +46,42 @@
  #   Nova Team discourages it.
  #   Defaults to hiera('nova_wsgi_enabled', false)
  #
+# [*nova_metadata_network*]
+#   (Optional) The network name where the nova metadata endpoint is listening on.
+#   This is set by t-h-t.
+#   Defaults to hiera('nova_metadata_network', undef)
+#
  # [*step*]
  #   (Optional) The current step in deployment. See tripleo-heat-templates
  #   for more details.
  #   Defaults to hiera('step')
  #
+# [*metadata_tls_proxy_bind_ip*]
+#   IP on which the TLS proxy will listen on. Required only if
+#   enable_internal_tls is set.
+#   Defaults to undef
+#
+# [*metadata_tls_proxy_fqdn*]
+#   fqdn on which the tls proxy will listen on. required only used if
+#   enable_internal_tls is set.
+#   defaults to undef
+#
+# [*metadata_tls_proxy_port*]
+#   port on which the tls proxy will listen on. Only used if
+#   enable_internal_tls is set.
+#   defaults to 8080
+#
  class tripleo::profile::base::nova::api (
    $bootstrap_node                = hiera('bootstrap_nodeid', undef),
    $certificates_specs            = hiera('apache_certificates_specs', {}),
    $enable_internal_tls           = hiera('enable_internal_tls', false),
    $nova_api_network              = hiera('nova_api_network', undef),
    $nova_api_wsgi_enabled         = hiera('nova_wsgi_enabled', false),
+  $nova_metadata_network         = hiera('nova_metadata_network', undef),
    $step                          = Integer(hiera('step')),
+  $metadata_tls_proxy_bind_ip    = undef,
+  $metadata_tls_proxy_fqdn       = undef,
+  $metadata_tls_proxy_port       = 8775,
  ) {
    if $::hostname == downcase($bootstrap_node) {
      $sync_db = true
@@ -73,6 +97,22 @@ class tripleo::profile::base::nova::api (
    }
  
    if $step >= 4 or ($step >= 3 and $sync_db) {
+    if $enable_internal_tls {
+      if !$nova_metadata_network {
+        fail('nova_metadata_network is not set in the hieradata.')
+      }
+      $metadata_tls_certfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_certificate']
+      $metadata_tls_keyfile = $certificates_specs["httpd-${nova_metadata_network}"]['service_key']
+
+      ::tripleo::tls_proxy { 'nova-metadata-api':
+        servername => $metadata_tls_proxy_fqdn,
+        ip         => $metadata_tls_proxy_bind_ip,
+        port       => $metadata_tls_proxy_port,
+        tls_cert   => $metadata_tls_certfile,
+        tls_key    => $metadata_tls_keyfile,
+      }
+      Tripleo::Tls_proxy['nova-metadata-api'] ~> Anchor<| title == 'nova::service::begin' |>
+    }
  
      class { '::nova::api':
        sync_db     => $sync_db,
author	Juan Antonio Osorio Robles <jaosorior@redhat.com>
	Thu, 17 Aug 2017 17:29:32 +0000 (17:29 +0000)
committer	Juan Antonio Osorio Robles <jaosorior@redhat.com>
	Thu, 17 Aug 2017 17:29:32 +0000 (17:29 +0000)
manifests/haproxy.pp		patch \| blob \| history
manifests/profile/base/nova/api.pp		patch \| blob \| history