From e3bf1cd37a14ad1336956d80acff1b4b282b2b7c Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Wed, 3 Jul 2019 18:49:35 +0200
Subject: [PATCH] Support TLS deployments with KernelDisableIPv6 enabled

Bind to 127.0.0.1 in case ipv6 is disabled. Set a hiera value localhost_address, so that it can be used in tls_proxy.pp to unambiguously connect to those services.

Change-Id: Ide761c21dc87dadc722e27c9b8a7b68194164cb2
Related: rhbz#1703460
(cherry picked from commit d48d1bdb37a4262ffe36ae5003312dfdfad083ab)
---
 puppet/services/ec2-api.yaml | 4 ++--
 puppet/services/glance-api.yaml | 2 +-
 puppet/services/kernel.yaml | 8 ++++++++
 puppet/services/neutron-api.yaml | 2 +-
 puppet/services/swift-proxy.yaml | 2 +-
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml
index c9988e5310..57d776a9eb 100644
--- a/puppet/services/ec2-api.yaml
+++ b/puppet/services/ec2-api.yaml
@@ -115,7 +115,7 @@ outputs:
 ec2api::api::ec2api_listen:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('fqdn_$NETWORK')}"
@@ -124,7 +124,7 @@ outputs:
 ec2api::metadata::metadata_listen:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('fqdn_$NETWORK')}"
diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml
index ae4280faef..5123caba59 100644
--- a/puppet/services/glance-api.yaml
+++ b/puppet/services/glance-api.yaml
@@ -316,7 +316,7 @@ outputs:
 glance::api::bind_host:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('$NETWORK')}"
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index f24e160e0f..2c04087130 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
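Review bot: In the `ec2api::api::ec2api_listen` hunk of puppet/services/ec2-api.yaml the listen address now depends on a hiera key that only puppet/services/kernel.yaml sets, and nothing visible in this patch guarantees the key exists on every node that runs the service. If a role omits the kernel service, `%{hiera('localhost_address')}` presumably interpolates to an empty string, and an empty listen address may make the plaintext backend behind the TLS proxy bind wider than loopback or fail to start; how each service treats an empty value should be confirmed. The same applies to `ec2api::metadata::metadata_listen`, `glance::api::bind_host`, `neutron::bind_host` and `swift::proxy::proxy_local_net_ip`. I would define the key where every role receives it, or at least add a comment above each use such as `# localhost_address is set by the kernel service; the role must include it`. The enclosing `config_settings` maps start and end outside these hunks.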
@@ -85,6 +85,9 @@ parameters:
 tags:
 - role_specific
+conditions:
+ ipv6_disabled: {equals: [{get_param: KernelDisableIPv6}, 1]}
+
 resources:
 # Merging role-specific parameters (RoleParameters) with the default parameters.
 # RoleParameters will have the precedence over the default parameters.
@@ -108,6 +111,11 @@ outputs:
 value:
 service_name: kernel
 config_settings:
+ localhost_address:
+ if:
+ - ipv6_disabled
+ - '127.0.0.1'
+ - 'localhost'
 kernel_modules:
 map_merge:
 - nf_conntrack: {}
diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml
index 1df7db7def..6d3a912c5e 100644
--- a/puppet/services/neutron-api.yaml
+++ b/puppet/services/neutron-api.yaml
@@ -215,7 +215,7 @@ outputs:
 neutron::bind_host:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('$NETWORK')}"
diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml
index cf657edb9b..c3b02684c7 100644
--- a/puppet/services/swift-proxy.yaml
+++ b/puppet/services/swift-proxy.yaml
@@ -251,7 +251,7 @@ outputs:
 swift::proxy::proxy_local_net_ip:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('$NETWORK')}"
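Review bot: The `ipv6_disabled` condition added before `resources:` reads only the top-level parameter through `get_param: KernelDisableIPv6`, so a value supplied per role through the RoleParameters merge mentioned in the comment just below would not be seen, if that parameter can be role-specific (its declaration is outside the hunk). In that case a role with IPv6 disabled would still get `localhost`, and the backend and the TLS proxy could again disagree on the address. The comparison with the integer `1` also assumes the parameter is declared as a number rather than a string. A short comment such as `# only the global KernelDisableIPv6 is evaluated; per-role overrides are not visible to conditions` would make that limit explicit.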
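Review bot: The new `localhost_address` key under `config_settings` carries no comment saying who consumes it, and it is an un-namespaced global hiera key living in the kernel service, where a later cleanup could easily drop it. I would add a line above it such as `# Loopback address for services bound behind the TLS proxy; also read by tls_proxy.pp`. The fallback branch still yields the name `localhost`, so on hosts with IPv6 enabled the address a backend binds and the one the proxy connects to still depend on name resolution; using an explicit loopback address in both branches may be worth considering. The `config_settings` map continues outside the hunk.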