metadata: allow to configure insecure SSL

Add nova_metadata_insecure option, to allow deployments without valid
SSL certificates.
It should not be set to True in production.
Disabled by default.

Change-Id: I1688eae1369f6da2c7084dc3864d19708d15c78d
Emilien Macchi 2017-02-06 07:47:41 -05:00
parent fe87852692
commit afa1634d7f
3 changed files with 13 additions and 0 deletions


@ -54,6 +54,10 @@
# Set to 0 will cause cache entries to never expire. # Set to 0 will cause cache entries to never expire.
# Set to $::os_service_default or false to disable cache. # Set to $::os_service_default or false to disable cache.
# #
# [*metadata_insecure*]
# (optional) Allow to perform insecure SSL (https) requests to nova metadata.
# Defaults to $::os_service_default
#
# [*purge_config*] # [*purge_config*]
# (optional) Whether to set only the specified config options # (optional) Whether to set only the specified config options
# in the metadata config. # in the metadata config.
@ -73,6 +77,7 @@ class neutron::agents::metadata (
$metadata_workers = $::os_workers, $metadata_workers = $::os_workers,
$metadata_backlog = $::os_service_default, $metadata_backlog = $::os_service_default,
$metadata_memory_cache_ttl = $::os_service_default, $metadata_memory_cache_ttl = $::os_service_default,
$metadata_insecure = $::os_service_default,
$nova_client_cert = $::os_service_default, $nova_client_cert = $::os_service_default,
$nova_client_priv_key = $::os_service_default, $nova_client_priv_key = $::os_service_default,
$purge_config = false, $purge_config = false,
@ -91,6 +96,7 @@ class neutron::agents::metadata (
'DEFAULT/nova_metadata_ip': value => $metadata_ip; 'DEFAULT/nova_metadata_ip': value => $metadata_ip;
'DEFAULT/nova_metadata_port': value => $metadata_port; 'DEFAULT/nova_metadata_port': value => $metadata_port;
'DEFAULT/nova_metadata_protocol': value => $metadata_protocol; 'DEFAULT/nova_metadata_protocol': value => $metadata_protocol;
'DEFAULT/nova_metadata_insecure': value => $metadata_insecure;
'DEFAULT/metadata_proxy_shared_secret': value => $shared_secret; 'DEFAULT/metadata_proxy_shared_secret': value => $shared_secret;
'DEFAULT/metadata_workers': value => $metadata_workers; 'DEFAULT/metadata_workers': value => $metadata_workers;
'DEFAULT/metadata_backlog': value => $metadata_backlog; 'DEFAULT/metadata_backlog': value => $metadata_backlog;
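Review bot: The `[*metadata_insecure*]` doc comment added in the first hunk drops the warning the commit message gives, so an operator reading only the manifest sees no reason to leave the parameter unset. When true, the value is written to `DEFAULT/nova_metadata_insecure` and, judging by the option name and description, turns off certificate verification for the agent's HTTPS requests to nova metadata, leaving that traffic open to interception or tampering. I would extend the comment with `#   Disables verification of the nova metadata server certificate; do not set to true in production.` and mention that a deployment with a private CA should trust that CA instead of disabling verification. The parameter is also passed through to the config without a visible type check, so a non-boolean value would be written as-is; the class body continues outside these hunks, so validation may exist elsewhere.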


@ -0,0 +1,4 @@
---
features:
- Add nova_metadata_insecure option, to allow deployments without valid
SSL certificates.


@ -61,6 +61,7 @@ describe 'neutron::agents::metadata' do
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_protocol').with(:value => '<SERVICE DEFAULT>') is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_protocol').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/metadata_workers').with(:value => facts[:os_workers]) is_expected.to contain_neutron_metadata_agent_config('DEFAULT/metadata_workers').with(:value => facts[:os_workers])
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/metadata_backlog').with(:value => '<SERVICE DEFAULT>') is_expected.to contain_neutron_metadata_agent_config('DEFAULT/metadata_backlog').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_insecure').with(:value => '<SERVICE DEFAULT>')
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/metadata_proxy_shared_secret').with(:value => params[:shared_secret]) is_expected.to contain_neutron_metadata_agent_config('DEFAULT/metadata_proxy_shared_secret').with(:value => params[:shared_secret])
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/cache_url').with(:ensure => 'absent') is_expected.to contain_neutron_metadata_agent_config('DEFAULT/cache_url').with(:ensure => 'absent')
end end
@ -72,6 +73,7 @@ describe 'neutron::agents::metadata' do
:shared_secret => '42', :shared_secret => '42',
:nova_client_cert => '/nova/cert', :nova_client_cert => '/nova/cert',
:nova_client_priv_key => '/nova/key', :nova_client_priv_key => '/nova/key',
:metadata_insecure => true,
} }
end end
@ -79,6 +81,7 @@ describe 'neutron::agents::metadata' do
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/auth_ca_cert').with_value('/some/cert') is_expected.to contain_neutron_metadata_agent_config('DEFAULT/auth_ca_cert').with_value('/some/cert')
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_client_cert').with_value('/nova/cert') is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_client_cert').with_value('/nova/cert')
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_client_priv_key').with_value('/nova/key') is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_client_priv_key').with_value('/nova/key')
is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_insecure').with_value(true)
end end
end end