Support TLS deployments with KernelDisableIPv6 enabled

Bind to 127.0.0.1 when IPv6 is disabled. Set a hiera value,
localhost_address, so that tls_proxy.pp can use it to connect
to those services unambiguously.

Change-Id: Ide761c21dc87dadc722e27c9b8a7b68194164cb2
Related: rhbz#1703460
(cherry picked from commit d48d1bdb37)
Grzegorz Grasza 2019-07-03 18:49:35 +02:00
parent 691b18e71d
commit 0a3ee4ea74
5 changed files with 13 additions and 5 deletions


@ -129,7 +129,7 @@ outputs:
ec2api::api::ec2api_listen:
if:
- use_tls_proxy
- 'localhost'
- "%{hiera('localhost_address')}"
- str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
@ -138,7 +138,7 @@ outputs:
ec2api::metadata::metadata_listen:
if:
- use_tls_proxy
- 'localhost'
- "%{hiera('localhost_address')}"
- str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"


@ -378,7 +378,7 @@ outputs:
glance::api::bind_host:
if:
- use_tls_proxy
- 'localhost'
- "%{hiera('localhost_address')}"
- str_replace:
template:
"%{hiera('$NETWORK')}"


@ -85,6 +85,9 @@ parameters:
tags:
- role_specific
conditions:
ipv6_disabled: {equals: [{get_param: KernelDisableIPv6}, 1]}
resources:
# Merging role-specific parameters (RoleParameters) with the default parameters.
# RoleParameters will have the precedence over the default parameters.
@ -108,6 +111,11 @@ outputs:
value:
service_name: kernel
config_settings:
localhost_address:
if:
- ipv6_disabled
- '127.0.0.1'
- 'localhost'
kernel_modules:
map_merge:
- nf_conntrack: {}
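Review bot: `localhost_address` is defined only in this kernel service's `config_settings`, while the ec2api, glance, neutron and swift sections of this commit now read it through `"%{hiera('localhost_address')}"` with no fallback. On a role that runs one of those services without the kernel service, the lookup would presumably interpolate to an empty string, so with `use_tls_proxy` the plaintext backend might no longer be pinned to loopback. A comment above the key, such as `# consumed by every service that binds behind the TLS proxy; this service must be on the same role`, would record that dependency. Separately, `ipv6_disabled` reads `{get_param: KernelDisableIPv6}` directly, and the context lines mention `role_specific` tags and merged RoleParameters, so a per-role override may not reach the condition. The parameter declaration is outside the hunk, so this needs checking against it.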


@ -244,7 +244,7 @@ outputs:
neutron::bind_host:
if:
- use_tls_proxy
- 'localhost'
- "%{hiera('localhost_address')}"
- str_replace:
template:
"%{hiera('$NETWORK')}"


@ -271,7 +271,7 @@ outputs:
swift::proxy::proxy_local_net_ip:
if:
- use_tls_proxy
- 'localhost'
- "%{hiera('localhost_address')}"
- str_replace:
template:
"%{hiera('$NETWORK')}"