Cover nova metadata with SSL

We should also cover nova metadata endpoint with SSL in case
haproxy_ssl_all_vips is set to true.

This also places nova_metadata_* variables under correct scope, since
the only place they are used is
neutron hosts

Change-Id: Ie05e07624b204c92f02e05d6d8c8d02ab8ff9008
This commit is contained in:
Dmitriy Rabotyagov 2020-10-28 17:16:59 +02:00
parent 47e5a90a7f
commit 2fc0afec71
3 changed files with 4 additions and 5 deletions

View File

@ -13,12 +13,12 @@
# See the License for the specific language governing permissions and
# limitations under the License.
nova_service_port: 8774
# Consumed by Neutron role and must remained scoped to 'all' group
nova_metadata_port: 8775
nova_metadata_protocol: "{{ openstack_service_internaluri_proto | default('http') }}"
nova_metadata_insecure: "{{ keystone_service_internaluri_insecure | default(False) }}"
nova_service_region: "{{ service_region }}"
nova_service_user_name: nova
nova_service_project_name: service
nova_service_project_domain_id: default
nova_service_user_domain_id: default
nova_keystone_auth_plugin: password

View File

@ -136,7 +136,8 @@ haproxy_default_services:
haproxy_backend_nodes: "{{ groups['nova_api_metadata'] | default([]) }}"
haproxy_bind: "{{ [internal_lb_vip_address] }}"
haproxy_port: 8775
haproxy_ssl: False
haproxy_ssl: "{{ haproxy_ssl_all_vips }}"
haproxy_ssl_all_vips: "{{ haproxy_ssl_all_vips }}"
haproxy_balance_type: http
haproxy_backend_options:
- "httpchk HEAD / HTTP/1.0\\r\\nUser-agent:\\ osa-haproxy-healthcheck"

View File

@ -15,8 +15,6 @@
nova_service_port: 8774
nova_service_proto: http
nova_metadata_protocol: "{{ openstack_service_internaluri_proto | default(nova_service_proto) }}"
nova_metadata_insecure: False
nova_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(nova_service_proto) }}"
nova_service_adminuri: "{{ nova_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ nova_service_port }}"
nova_service_adminurl: "{{ nova_service_adminuri }}/v2.1"