openstack/tripleo-heat-templates
Code Issues Proposed changes

Merge "Fix TLS when using a containerized undercloud"

Browse Source
This commit is contained in:
Zuul 2018-10-07 00:52:09 +00:00 committed by Gerrit Code Review
commit 17933be619
7 changed files with 40 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
docker/services/nova-metadata.yaml
View File

@ -44,10 +44,14 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
MetadataNATRule:
default: false
description: When true we create the NAT rule for the metadata service
type: boolean
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
need_metadata_nat_rule: {equals: [{get_param: MetadataNATRule}, true]}
resources:
@ -80,6 +84,20 @@ outputs:
- get_attr: [NovaMetadataBase, role_data, config_settings]
- get_attr: [NovaMetadataLogging, config_settings]
- apache::default_vhost: false
- tripleo.nova_metadata.firewall_rules:
if:
- need_metadata_nat_rule
- '144 undercloud metadata nat':
dport: 80
proto: 'tcp'
table: 'nat'
chain: 'PREROUTING'
jump: 'REDIRECT'
iniface: 'br-ctlplane'
destination: '169.254.169.254/32'
extras:
toports: 8775
- {}
logging_source: {get_attr: [NovaMetadataBase, role_data, logging_source]}
service_config_settings:
map_merge:

2
environments/undercloud.yaml
View File

@ -145,3 +145,5 @@ parameter_defaults:
connect_timeout: 60
MistralExecutorExtraVolumes:
- /usr/share/ceph-ansible:/usr/share/ceph-ansible:ro
NeutronMetadataProxySharedSecret: ''
MetadataNATRule: true

9
puppet/services/neutron-metadata.yaml
View File

@ -75,6 +75,7 @@ conditions:
neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
service_debug_unset: {equals: [{get_param: NeutronMetadataAgentDebug}, '']}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
resources:
@ -97,8 +98,7 @@ outputs:
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
- neutron::agents::metadata::auth_password: {get_param: NeutronPassword}
neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
neutron::agents::metadata::auth_tenant: 'service'
neutron::agents::metadata::debug:
@ -122,6 +122,11 @@ outputs:
- neutron_workers_unset
- {}
- neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers}
-
if:
- is_neutron_shared_metadata_notempty
- neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret}
- {}
service_config_settings:
fluentd:
tripleo_fluentd_groups_neutron_metadata:

7
puppet/services/nova-api.yaml
View File

@ -113,6 +113,7 @@ parameters:
conditions:
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
resources:
ApacheServiceBase:
@ -190,7 +191,6 @@ outputs:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
nova::api::instance_name_template: {get_param: InstanceNameTemplate}
nova_enable_db_purge: {get_param: NovaEnableDBPurge}
nova::cron::archive_deleted_rows::minute: {get_param: NovaCronDBArchivedMinute}
@ -206,6 +206,11 @@ outputs:
- {}
- nova::api::osapi_compute_workers: {get_param: NovaWorkers}
nova::wsgi::apache_api::workers: {get_param: NovaWorkers}
-
if:
- is_neutron_shared_metadata_notempty
- nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
- {}
step_config: |
include tripleo::profile::base::nova::api
service_config_settings:

7
puppet/services/nova-metadata.yaml
View File

@ -60,6 +60,7 @@ parameters:
conditions:
nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
is_neutron_shared_metadata_notempty: {not: {equals: [{get_param: NeutronMetadataProxySharedSecret}, '']}}
resources:
ApacheServiceBase:
@ -101,7 +102,6 @@ outputs:
nova::keystone::authtoken::password: {get_param: NovaPassword}
nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]}
nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
nova::metadata::enable_proxy_headers_parsing: true
nova_metadata_wsgi_enabled: true
nova::wsgi::apache_metadata::api_port: '8775'
@ -128,6 +128,11 @@ outputs:
- nova_workers_zero
- {}
- nova::wsgi::apache_metadata::workers: {get_param: NovaWorkers}
-
if:
- is_neutron_shared_metadata_notempty
- nova::metadata::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
- {}
step_config: |
include tripleo::profile::base::nova::metadata
service_config_settings:

1
roles/Undercloud.yaml
View File

@ -63,7 +63,6 @@
- OS::TripleO::Services::NeutronCorePlugin
- OS::TripleO::Services::NeutronDhcpAgent
- OS::TripleO::Services::NeutronL3Agent
- OS::TripleO::Services::NeutronMetadataAgent
- OS::TripleO::Services::NeutronOvsAgent
- OS::TripleO::Services::NovaApi
- OS::TripleO::Services::NovaConductor

1
roles_data_undercloud.yaml
View File

@ -66,7 +66,6 @@
- OS::TripleO::Services::NeutronCorePlugin
- OS::TripleO::Services::NeutronDhcpAgent
- OS::TripleO::Services::NeutronL3Agent
- OS::TripleO::Services::NeutronMetadataAgent
- OS::TripleO::Services::NeutronOvsAgent
- OS::TripleO::Services::NovaApi
- OS::TripleO::Services::NovaConductor