Enable TLS for nova-metadata

This also tells the neutron metadata agent to use TLS for contacting
nova-metadata.

bp tls-via-certmonger
Depends-On: I97ac2da29be468c75713fe2fae7e6d84cae8f67c
Depends-On: I9df395dc699090bd73265d10395e155e9b8adb26

Change-Id: I9a8c54f6e052852b8f9d06a42da87773f4da3a15

puppet/services/neutron-metadata.yaml

@@ -57,10 +57,15 @@ parameters:
     default:
       tag: openstack.neutron.agent.metadata
       path: /var/log/neutron/metadata-agent.log
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 conditions:
   neutron_workers_unset: {equals : [{get_param: NeutronWorkers}, '']}
 
+  internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
+
 resources:
 
   NeutronBase:
@@ -90,6 +95,17 @@ outputs:
             neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] }
             neutron::agents::metadata::auth_tenant: 'service'
             neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}"
+            neutron::agents::metadata::metadata_host:
+              str_replace:
+                template:
+                  "%{hiera('cloud_name_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+            neutron::agents::metadata::metadata_protocol:
+              if:
+              - internal_tls_enabled
+              - 'https'
+              - 'http'
           -
             if:
             - neutron_workers_unset

puppet/services/nova-metadata.yaml

@@ -34,10 +34,26 @@ parameters:
     default: 0
     description: Number of workers for Nova services.
     type: number
+  EnableInternalTLS:
+    type: boolean
+    default: false
 
 conditions:
   nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]}
 
+  use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]}
+
+resources:
+
+  TLSProxyBase:
+    type: OS::TripleO::Services::TLSProxyBase
+    properties:
+      ServiceData: {get_param: ServiceData}
+      ServiceNetMap: {get_param: ServiceNetMap}
+      DefaultPasswords: {get_param: DefaultPasswords}
+      EndpointMap: {get_param: EndpointMap}
+      EnableInternalTLS: {get_param: EnableInternalTLS}
+
 outputs:
   role_data:
     description: Role data for the Nova Metadata service.
@@ -45,10 +61,29 @@ outputs:
       service_name: nova_metadata
       config_settings:
         map_merge:
-        - nova::api::metadata_listen: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+        - get_attr: [TLSProxyBase, role_data, config_settings]
+        - nova::api::metadata_listen:
+            if:
+            - use_tls_proxy
+            - 'localhost'
+            - {get_param: [ServiceNetMap, NovaMetadataNetwork]}
         -
           if:
           - nova_workers_zero
           - {}
           - nova::api::metadata_workers: {get_param: NovaWorkers}
+        -
+          if:
+          - use_tls_proxy
+          - tripleo::profile::base::nova::api::metadata_tls_proxy_bind_ip:
+              get_param: [ServiceNetMap, NovaMetadataNetwork]
+            tripleo::profile::base::nova::api::metadata_tls_proxy_fqdn:
+              str_replace:
+                template:
+                  "%{hiera('fqdn_$NETWORK')}"
+                params:
+                  $NETWORK: {get_param: [ServiceNetMap, NovaMetadataNetwork]}
+          - {}
       step_config: ""
+      metadata_settings:
+        get_attr: [TLSProxyBase, role_data, metadata_settings]