Add metadata proxy shared secret for Nova and Neutron

Override default "metadata_proxy_shared_secret" parameter. This secret is used by Neutron to sign instance-id headers to prevent spoofing when proxying metadata requests. Change-Id: I771d7f818a18b82d55bf781d71fc95114ac7e78c
2019-02-25 11:49:00 -08:00 · 2019-02-25 11:49:00 -08:00 · 6514b2f77f
commit 6514b2f77f
parent 2ed2a37124
5 changed files with 45 additions and 0 deletions
--- a/global/software/charts/osh/openstack-compute-kit/neutron.yaml
+++ b/global/software/charts/osh/openstack-compute-kit/neutron.yaml
@ -169,6 +169,12 @@ metadata:
        schema: deckhand/Passphrase/v1
        name: osh_oslo_cache_secret_key
        path: .
    - dest:
        path: .values.conf.metadata_agent.DEFAULT.metadata_proxy_shared_secret
      src:
        schema: deckhand/Passphrase/v1
        name: osh_nova_metadata_proxy_shared_secret
        path: .
    # Interfaces for neutron configuration
    - src:
--- a/global/software/charts/osh/openstack-compute-kit/nova.yaml
+++ b/global/software/charts/osh/openstack-compute-kit/nova.yaml
@ -269,6 +269,12 @@ metadata:
        schema: deckhand/Passphrase/v1
        name: osh_oslo_cache_secret_key
        path: .
    - dest:
        path: .values.conf.nova.neutron.metadata_proxy_shared_secret
      src:
        schema: deckhand/Passphrase/v1
        name: osh_nova_metadata_proxy_shared_secret
        path: .
 data:
  chart_name: nova
  release: nova
--- a/site/airship-seaworthy/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
+++ b/site/airship-seaworthy/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
@ -0,0 +1,11 @@
 ---
 schema: deckhand/Passphrase/v1
 metadata:
  schema: metadata/Document/v1
  name: osh_nova_metadata_proxy_shared_secret
  layeringDefinition:
    abstract: false
    layer: site
  storagePolicy: cleartext
 data: password123
 ...
--- a/site/airskiff/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
+++ b/site/airskiff/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
@ -0,0 +1,11 @@
 ---
 schema: deckhand/Passphrase/v1
 metadata:
  schema: metadata/Document/v1
  name: osh_nova_metadata_proxy_shared_secret
  layeringDefinition:
    abstract: false
    layer: site
  storagePolicy: cleartext
 data: password123
 ...
--- a/site/airsloop/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
+++ b/site/airsloop/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
@ -0,0 +1,11 @@
 ---
 schema: deckhand/Passphrase/v1
 metadata:
  schema: metadata/Document/v1
  name: osh_nova_metadata_proxy_shared_secret
  layeringDefinition:
    abstract: false
    layer: site
  storagePolicy: cleartext
 data: password123
 ...