Support TLS deployments with KernelDisableIPv6 enabled

Bind to 127.0.0.1 in case ipv6 is disabled. Set a hiera value localhost_address, so that it can be used in tls_proxy.pp to unambiguously connect to those services. Change-Id: Ide761c21dc87dadc722e27c9b8a7b68194164cb2 Related: rhbz#1703460
2019-07-03 18:49:35 +02:00 · 2019-07-03 18:49:35 +02:00 · d48d1bdb37
commit d48d1bdb37
parent 23801a62b8
5 changed files with 13 additions and 5 deletions
--- a/deployment/ec2/ec2-api-container-puppet.yaml
+++ b/deployment/ec2/ec2-api-container-puppet.yaml
@ -129,7 +129,7 @@ outputs:
          ec2api::api::ec2api_listen:
            if:
            - use_tls_proxy
-            - 'localhost'
+            - "%{hiera('localhost_address')}"
            - str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
@ -138,7 +138,7 @@ outputs:
          ec2api::metadata::metadata_listen:
            if:
            - use_tls_proxy
-            - 'localhost'
+            - "%{hiera('localhost_address')}"
            - str_replace:
                template:
                  "%{hiera('fqdn_$NETWORK')}"
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@ -357,7 +357,7 @@ outputs:
            glance::api::bind_host:
              if:
              - use_tls_proxy
-              - 'localhost'
+              - "%{hiera('localhost_address')}"
              - str_replace:
                  template:
                    "%{hiera('$NETWORK')}"
--- a/deployment/kernel/kernel-baremetal-puppet.yaml
+++ b/deployment/kernel/kernel-baremetal-puppet.yaml
@ -85,6 +85,9 @@ parameters:
    tags:
      - role_specific

+conditions:
+  ipv6_disabled: {equals: [{get_param: KernelDisableIPv6}, 1]}
+
 resources:
  # Merging role-specific parameters (RoleParameters) with the default parameters.
  # RoleParameters will have the precedence over the default parameters.
@ -108,6 +111,11 @@ outputs:
    value:
      service_name: kernel
      config_settings:
+        localhost_address:
+          if:
+          - ipv6_disabled
+          - '127.0.0.1'
+          - 'localhost'
        kernel_modules:
          map_merge:
            - nf_conntrack: {}
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@ -277,7 +277,7 @@ outputs:
            neutron::bind_host:
              if:
              - use_tls_proxy
-              - 'localhost'
+              - "%{hiera('localhost_address')}"
              - str_replace:
                  template:
                    "%{hiera('$NETWORK')}"
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@ -247,7 +247,7 @@ outputs:
            swift::proxy::proxy_local_net_ip:
              if:
              - use_tls_proxy
-              - 'localhost'
+              - "%{hiera('localhost_address')}"
              - str_replace:
                  template:
                    "%{hiera('$NETWORK')}"