Add metadata proxy shared secret for Nova and Neutron

Override default "metadata_proxy_shared_secret" parameter. This secret is used by Neutron to sign instance-id headers to prevent spoofing when proxying metadata requests. Change-Id: I771d7f818a18b82d55bf781d71fc95114ac7e78c
2019-02-25 11:49:00 -08:00 · 2019-02-25 11:49:00 -08:00 · 6514b2f77f
commit 6514b2f77f
parent 2ed2a37124
5 changed files with 45 additions and 0 deletions
--- a/global/software/charts/osh/openstack-compute-kit/neutron.yaml
+++ b/global/software/charts/osh/openstack-compute-kit/neutron.yaml
@ -169,6 +169,12 @@ metadata:
        schema: deckhand/Passphrase/v1
        name: osh_oslo_cache_secret_key
        path: .
+    - dest:
+        path: .values.conf.metadata_agent.DEFAULT.metadata_proxy_shared_secret
+      src:
+        schema: deckhand/Passphrase/v1
+        name: osh_nova_metadata_proxy_shared_secret
+        path: .

    # Interfaces for neutron configuration
    - src:
--- a/global/software/charts/osh/openstack-compute-kit/nova.yaml
+++ b/global/software/charts/osh/openstack-compute-kit/nova.yaml
@ -269,6 +269,12 @@ metadata:
        schema: deckhand/Passphrase/v1
        name: osh_oslo_cache_secret_key
        path: .
+    - dest:
+        path: .values.conf.nova.neutron.metadata_proxy_shared_secret
+      src:
+        schema: deckhand/Passphrase/v1
+        name: osh_nova_metadata_proxy_shared_secret
+        path: .
 data:
  chart_name: nova
  release: nova
--- a/site/airship-seaworthy/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
+++ b/site/airship-seaworthy/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_nova_metadata_proxy_shared_secret
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
--- a/site/airskiff/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
+++ b/site/airskiff/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_nova_metadata_proxy_shared_secret
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...
--- a/site/airsloop/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
+++ b/site/airsloop/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+  schema: metadata/Document/v1
+  name: osh_nova_metadata_proxy_shared_secret
+  layeringDefinition:
+    abstract: false
+    layer: site
+  storagePolicy: cleartext
+data: password123
+...