Reorganize metadata related settings

* Transfer all the settings for the metadata proxy under checkbox "Init metadata infrastructure" * Added restrictions to be bound by filling the parameters needs for metadata proxy * Changed in puppet manifests for set up metadata settings only if checkbox "Init metadata infrastructure" in True state * Changed parameter nsxv_metadata_listen_mgtm to radio/select type. * Removed 'insecure' parameter for NSXv, 'insecure = false' if ca loaded and vice versa * Remove nsxv_insecure from nsxv_smoke test * Add nsxv_metadata_initializer to enable_plugin * Change nsxv_metadata_listen_mgmt -> nsxv_metadata_listen in test Change-Id: I4d40ef909646284f3f7e87705e8d2463f374445d
2016-04-28 19:37:58 +03:00
parent ab0db2e127
commit 6872aa1927
9 changed files with 192 additions and 140 deletions
--- a/deployment_scripts/puppet/manifests/haproxy-nova-metadata-config.pp
+++ b/deployment_scripts/puppet/manifests/haproxy-nova-metadata-config.pp
@@ -5,13 +5,11 @@ include ::nsxv::params

 $settings = hiera($::nsxv::params::plugin_name)

-if $settings['nsxv_metadata_listen_mgmt'] {
-  $metadata_listen_ip = hiera('management_vip')
-} else {
-  $metadata_listen_ip = hiera('public_vip')
-}
+if $settings['nsxv_metadata_initializer'] {
+  $metadata_listen_ip = get_nova_metadata_ip($settings['nsxv_metadata_listen'])

-class { 'nsxv::haproxy_nova_metadata_config':
-  metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}",
-  notify          => Exec['haproxy-restart'],
+  class { 'nsxv::haproxy_nova_metadata_config':
+    metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}",
+    notify          => Exec['haproxy-restart'],
+  }
 }
--- a/deployment_scripts/puppet/manifests/nsxv-config.pp
+++ b/deployment_scripts/puppet/manifests/nsxv-config.pp
@@ -2,35 +2,38 @@ notice('fuel-plugin-nsxv: nsxv-config.pp')

 include ::nsxv::params

-$settings               = hiera($::nsxv::params::plugin_name)
-$neutron_config         = hiera_hash('neutron_config')
-$metadata_shared_secret = $neutron_config['metadata']['metadata_proxy_shared_secret']
+$settings = hiera($::nsxv::params::plugin_name)

-if $settings['nsxv_metadata_listen_mgmt'] {
-  $nova_metadata_ips = hiera('management_vip')
+if $settings['nsxv_metadata_initializer'] {
+  $neutron_config         = hiera_hash('neutron_config')
+  $metadata_shared_secret = $neutron_config['metadata']['metadata_proxy_shared_secret']
+  $nova_metadata_ips      = get_nova_metadata_ip($settings['nsxv_metadata_listen'])
+
+  if $settings['nsxv_mgt_reserve_ip'] {
+    prepare_network_config(hiera('network_scheme'))
+    $network_metadata = hiera('network_metadata')
+    $mgt_ip           = $network_metadata['vips']['nsxv_metadataproxy_ip']['ipaddr']
+    $mgt_netmask      = get_network_role_property('mgmt/vip', 'netmask')
+    $mgt_gateway      = hiera('management_vrouter_vip')
+  } else {
+    $mgt_ip      = $settings['nsxv_mgt_net_proxy_ips']
+    $mgt_netmask = $settings['nsxv_mgt_net_proxy_netmask']
+    $mgt_gateway = $settings['nsxv_mgt_net_default_gateway']
+  }
+
+  class { '::nsxv':
+    nova_metadata_ips      => $nova_metadata_ips,
+    nova_metadata_port     => $::nsxv::params::nova_metadata_port,
+    metadata_shared_secret => $metadata_shared_secret,
+    mgt_ip                 => $mgt_ip,
+    mgt_netmask            => $mgt_netmask,
+    mgt_gateway            => $mgt_gateway,
+    neutron_url_timeout    => $::nsxv::params::neutron_url_timeout,
+    settings               => $settings,
+  }
 } else {
-  $nova_metadata_ips = hiera('public_vip')
-}
-
-if $settings['nsxv_mgt_reserve_ip'] {
-  prepare_network_config(hiera('network_scheme'))
-  $network_metadata = hiera('network_metadata')
-  $mgt_ip           = $network_metadata['vips']['nsxv_metadataproxy_ip']['ipaddr']
-  $mgt_netmask      = get_network_role_property('mgmt/vip', 'netmask')
-  $mgt_gateway      = hiera('management_vrouter_vip')
-} else {
-  $mgt_ip      = $settings['nsxv_mgt_net_proxy_ips']
-  $mgt_netmask = $settings['nsxv_mgt_net_proxy_netmask']
-  $mgt_gateway = $settings['nsxv_mgt_net_default_gateway']
-}
-
-class { '::nsxv':
-  metadata_shared_secret => $metadata_shared_secret,
-  nova_metadata_port     => $::nsxv::params::nova_metadata_port,
-  neutron_url_timeout    => $::nsxv::params::neutron_url_timeout,
-  settings               => $settings,
-  nova_metadata_ips      => $nova_metadata_ips,
-  mgt_ip                 => $mgt_ip,
-  mgt_netmask            => $mgt_netmask,
-  mgt_gateway            => $mgt_gateway,
+  class { '::nsxv':
+    neutron_url_timeout => $::nsxv::params::neutron_url_timeout,
+    settings            => $settings,
+  }
 }
--- a/deployment_scripts/puppet/modules/nsxv/lib/puppet/parser/functions/get_nova_metadata_ip.rb
+++ b/deployment_scripts/puppet/modules/nsxv/lib/puppet/parser/functions/get_nova_metadata_ip.rb
@@ -0,0 +1,19 @@
+module Puppet::Parser::Functions
+  newfunction(:get_nova_metadata_ip, :type => :rvalue, :doc => <<-EOS
+Returns the ip address of the metadata server, computed based on the network
+where it should be. The first argument - network, which should listen to the
+metadata server, ex:
+  get_nova_metadata_ip('management')
+EOS
+  ) do |args|
+    metadata_netwrok = args[0]
+    if metadata_netwrok == 'management'
+      ip = function_hiera(['management_vip'])
+    elsif metadata_netwrok == 'public'
+      ip = function_hiera(['public_vip'])
+    else
+      raise "Network parameter for metadata-server listen must be within the meaning 'public' or 'management'"
+    end
+    return ip
+  end
+end
--- a/deployment_scripts/puppet/modules/nsxv/manifests/init.pp
+++ b/deployment_scripts/puppet/modules/nsxv/manifests/init.pp
@@ -5,21 +5,23 @@ class nsxv (
  $nsx_plugin_name = 'python-vmware-nsx',
  $lbaas_plugin_name = 'python-neutron-lbaas',
  $neutron_url_timeout = '600',
-  $metadata_shared_secret,
  $settings,
-  $nova_metadata_ips,
-  $nova_metadata_port,
-  $mgt_ip,
-  $mgt_netmask,
-  $mgt_gateway,
-  $neutron_url_timeout,
+  $nova_metadata_ips = '',
+  $nova_metadata_port = '',
+  $metadata_shared_secret = '',
+  $mgt_ip = '',
+  $mgt_netmask = '',
+  $mgt_gateway = '',
 ) {

  $cluster_moid = get_vcenter_cluster_id($settings['nsxv_datacenter_moid'])

-  if ! $settings['nsxv_insecure'] {
+  $ca_filename = try_get_value($settings['nsxv_ca_file'],'name','')
+  if empty($ca_filename) {
+    $insecure = true # used in nsx.ini.erb template
+  } else {
+    $insecure = false
    $ca_certificate_content = $settings['nsxv_ca_file']['content']
-    $ca_filename = $settings['nsxv_ca_file']['name']
    $ca_file = "${nsxv_config_dir}/${ca_filename}"

    file { $ca_file:
@@ -29,31 +31,33 @@ class nsxv (
    }
  }

-  $metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '')
-  $metadata_nova_client_priv_key_filename = try_get_value($settings['nsxv_metadata_nova_client_priv_key'], 'name', '')
-  if empty($metadata_nova_client_cert_filename) and empty($metadata_nova_client_priv_key_filename) {
-    $metadata_insecure = true
-  } else {
-    $metadata_insecure = false
+  if $settings['nsxv_metadata_initializer'] {
+    $metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '')
+    $metadata_nova_client_priv_key_filename = try_get_value($settings['nsxv_metadata_nova_client_priv_key'], 'name', '')
+    if empty($metadata_nova_client_cert_filename) and empty($metadata_nova_client_priv_key_filename) {
+      $metadata_insecure = true # used in nsx.ini.erb template
+    } else {
+      $metadata_insecure = false

-    $metadata_nova_client_cert_content = $settings['nsxv_metadata_nova_client_cert']['content']
-    $metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}"
+      $metadata_nova_client_cert_content = $settings['nsxv_metadata_nova_client_cert']['content']
+      $metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}"

-    $metadata_nova_client_priv_key_content = $settings['nsxv_metadata_nova_client_priv_key']['content']
-    $metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}"
+      $metadata_nova_client_priv_key_content = $settings['nsxv_metadata_nova_client_priv_key']['content']
+      $metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}"

-    file { $metadata_nova_client_cert_file:
-      ensure  => present,
-      content => $metadata_nova_client_cert_content,
-      require => File[$nsxv_config_dirs],
-    }
-    file { $metadata_nova_client_priv_key_file:
-      ensure  => present,
-      content => $metadata_nova_client_priv_key_content,
-      require => File[$nsxv_config_dirs],
-      owner   => 'neutron',
-      group   => 'neutron',
-      mode    => '0600',
+      file { $metadata_nova_client_cert_file:
+        ensure  => present,
+        content => $metadata_nova_client_cert_content,
+        require => File[$nsxv_config_dirs],
+      }
+      file { $metadata_nova_client_priv_key_file:
+        ensure  => present,
+        content => $metadata_nova_client_priv_key_content,
+        require => File[$nsxv_config_dirs],
+        owner   => 'neutron',
+        group   => 'neutron',
+        mode    => '0600',
+      }
    }
  }

--- a/deployment_scripts/puppet/modules/nsxv/templates/nsx.ini.erb
+++ b/deployment_scripts/puppet/modules/nsxv/templates/nsx.ini.erb
@@ -5,10 +5,10 @@ manager_uri = https://<%= settings['nsxv_manager_host'] %>
 # (Optional) If true, the NSXv server certificate is not verified.
 # If false, then the default CA truststore is used for verification.
 # This option is ignored if "ca_file" is set.
-insecure = <%= settings['nsxv_insecure'] %>
+insecure = <%= scope.lookupvar('insecure') %>

 # (Optional) Specify a CA bundle file to use in verifying the NSXv server certificate.
-<% if not settings['nsxv_insecure'] -%>
+<% if not scope.lookupvar('insecure') -%>
 ca_file = <%= scope.lookupvar('ca_file') %>
 <% else -%>
 # ca_file =
@@ -89,7 +89,7 @@ retries = <%= settings['nsxv_retries'] %>
 # If True, the server instance will attempt to initialize the metadata
 # infrastructure for access to nova-metadata service
 metadata_initializer = <%= settings['nsxv_metadata_initializer'] %>
-
+<% if settings['nsxv_metadata_initializer'] -%>
 # (Optional) Network ID for management network connectivity
 <% if not (settings['nsxv_mgt_net_moid']).to_s.strip.empty? -%>
 mgt_net_moid = <%= settings['nsxv_mgt_net_moid'] %>
@@ -153,6 +153,7 @@ metadata_service_allowed_ports = <%= settings['nsxv_metadata_service_allowed_por
 <% else -%>
 # metadata_service_allowed_ports =
 <% end -%>
+<% end -%>

 # (Optional) Indicates if Nsxv spoofguard component is used to implement
 # port-security feature.
--- a/environment_config.yaml
+++ b/environment_config.yaml
@@ -9,7 +9,7 @@ attributes:
    value: ''
    label: 'NSX Manager hostname (or IP)'
    description: ''
-    weight: 20
+    weight: 10
    type: 'text'
    regex:
      source: '^.+$'
@@ -18,7 +18,7 @@ attributes:
    value: ''
    label: 'NSX Manager user'
    description: ''
-    weight: 25
+    weight: 15
    type: 'text'
    regex:
      source: '^.+$'
@@ -27,16 +27,22 @@ attributes:
    value: ''
    label: 'NSX Manager password'
    description: ''
-    weight: 30
+    weight: 20
    type: 'password'
    regex:
      source: '^.+$'
      error: 'You must specify the password'
+  nsxv_ca_file:
+    value: ''
+    label: 'CA certificate file'
+    description: 'Specify a CA certificate file to use in NSX Manager certificate verification, if empty - certificate will not be verified'
+    weight: 25
+    type: 'file'
  nsxv_datacenter_moid:
    value: ''
    label: 'Datacenter MoRef ID'
    description: 'Datacenter MoRef ID for Edge deployment, e.g. datacenter-126'
-    weight: 35
+    weight: 30
    type: 'text'
    regex:
      source: '^[a-z]+-[a-z0-9]+$'
@@ -45,7 +51,7 @@ attributes:
    value: ''
    label: 'Resource pool MoRef ID'
    description: 'Resource pool MoRef ID for NSX Edge nodes deployment'
-    weight: 45
+    weight: 35
    type: 'text'
    regex:
      source: '^[a-z]+-[a-z0-9]+$'
@@ -54,7 +60,7 @@ attributes:
    value: ''
    label: 'Datastore MoRef ID'
    description: 'Datastore MoRef ID for NSX Edge nodes deployment'
-    weight: 50
+    weight: 40
    type: 'text'
    regex:
      source: '^[a-z]+-[a-z0-9]+$'
@@ -63,7 +69,7 @@ attributes:
    value: ''
    label: 'External portgroup MoRef ID'
    description: 'External portgroup MoRef ID for NSX Edge physical connectivity'
-    weight: 55
+    weight: 45
    type: 'text'
    regex:
      source: '^[a-z]+-[a-z0-9]+$'
@@ -72,7 +78,7 @@ attributes:
    value: ''
    label: 'Transport zone MoRef ID'
    description: 'Transport zone MoRef ID for VXLAN networks'
-    weight: 60
+    weight: 50
    type: 'text'
    regex:
      source: '^vdnscope-[0-9]+$'
@@ -81,7 +87,7 @@ attributes:
    value: ''
    label: 'Distributed virtual switch MoRef ID'
    description: 'DVS MoRef ID connected to Edge cluster'
-    weight: 65
+    weight: 55
    type: 'text'
    regex:
      source: '^dvs-[0-9]+$'
@@ -90,7 +96,7 @@ attributes:
    value: ''
    label: 'NSX backup Edge pool'
    description: 'Define backup edge pools management range with the four-tuple: <edge_type>:[edge_size]:<minimum_pooled_edges>:<maximum_pooled_edges>'
-    weight: 70
+    weight: 60
    type: 'text'
    regex:
      source: '^(?:(?:service|vdr):(?:compact|large|xlarge|quadlarge):[0-9]+:[0-9]+)(?:,(?:service|vdr):(?:compact|large|xlarge|quadlarge):[0-9]+:[0-9]+)*$'
@@ -99,111 +105,133 @@ attributes:
    value: true
    label: 'Enable HA for NSX Edges'
    description: 'Deploy NSX Edges in HA pair'
-    weight: 75
+    weight: 65
    type: 'checkbox'
-  nsxv_insecure:
-    value: true
-    label: 'Bypass NSX Manager certificate verification'
-    description: ''
-    weight: 80
-    type: 'checkbox'
-  nsxv_ca_file:
-    value: ''
-    label: 'CA certificate file'
-    description: 'Specify a CA certificate file to use in verifying NSX Manager certificate'
-    weight: 85
-    type: 'file'
-    restrictions:
-      - condition: 'settings:nsxv.nsxv_insecure.value == true'
-        action: 'hide'
  nsxv_metadata_initializer:
    value: true
    label: 'Init metadata infrastructure'
    description: 'If enabled, instance will attempt to initialize the metadata infrastructure to access to metadata proxy  service'
-    weight: 86
-    type: 'checkbox'
-  nsxv_metadata_listen_mgmt:
-    value: false
-    label: 'Use management network to access the nova-api-metadata'
-    description: 'If disabled nova-api-metadata listens on Public network'
-    weight: 90
+    weight: 70
    type: 'checkbox'
+  nsxv_metadata_listen:
+    label: 'Which network will be used to access the nova-api-metadata'
+    weight: 75
+    type: 'radio'
+    value: 'public'
+    values:
+      - data: 'public'
+        label: 'Public network'
+      - data: 'management'
+        label: 'Management network'
+    restrictions:
+      - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
+        action: 'hide'
  nsxv_mgt_reserve_ip:
    value: false
    label: 'Allocate IP address in management network for NSX metadata proxy'
    description: 'If enabled, then IP address for NSX metadata proxy will be allocated in the OpenStack management network. In the parameter "Metadata portgroup MoRef ID", you must specify portgroup id, which is adjacent with OpenStack management network'
-    weight: 95
+    weight: 80
    type: 'checkbox'
    restrictions:
-      - condition: 'settings:nsxv.nsxv_metadata_listen_mgmt.value == false'
-        message: '"Use management network to access the nova-api-metadata" not enabled'
+      - condition: "settings:nsxv.nsxv_metadata_listen.value == 'public'"
+        message: 'Management network to access the nova-api-metadata not selected'
        action: 'disable'
+      - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
+        action: 'hide'
  nsxv_metadata_nova_client_cert:
    value: ''
    label: 'Certificate for metadata proxy'
    description: 'PEM format'
-    weight: 100
+    weight: 85
    type: 'file'
    restrictions:
      - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name != null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name == null'
        action: 'none'
        strict: false
        message: 'Private key loaded, but certificate is absent'
+      - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
+        action: 'hide'
  nsxv_metadata_nova_client_priv_key:
    value: ''
    label: 'Private key'
    description: 'Private key for metadata certificate'
-    weight: 105
+    weight: 90
    type: 'file'
    restrictions:
      - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name == null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name != null'
        action: 'none'
        strict: false
        message: 'Certificate loaded, but private key is absent.'
+      - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
+        action: 'hide'
  nsxv_metadata_service_allowed_ports:
    value: ''
    label: 'Metadata allowed ports'
    description: 'Additional ports to 80, 443 and 8775'
-    weight: 110
+    weight: 95
    type: 'text'
+    restrictions:
+      - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
+        action: 'hide'
  nsxv_mgt_net_moid:
    value: ''
    label: 'Metadata portgroup MoRef ID'
    description: 'Portgroup MoRef ID for metadata proxy management network'
-    weight: 115
+    weight: 100
    type: 'text'
+    regex:
+      source: '^[a-z]+-[a-z0-9]+$'
+      error: 'Invalid portgroup MoRef ID'
+    restrictions:
+      - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
+        action: 'hide'
  nsxv_mgt_net_proxy_ips:
    value: ''
    label: 'Metadata proxy IP addresses'
    description: 'Management network IP address for metadata proxy, comma separated'
-    weight: 120
+    weight: 105
    type: 'text'
+    regex:
+      source: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$'
+      error: 'Invalid IP address'
    restrictions:
      - condition: 'settings:nsxv.nsxv_mgt_reserve_ip.value == true'
        action: 'hide'
+      - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
+        action: 'hide'
  nsxv_mgt_net_proxy_netmask:
    value: ''
    label: 'Management network netmask'
    description: 'Management network netmask for metadata proxy'
-    weight: 125
+    weight: 110
    type: 'text'
+    regex:
+      source: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$'
+      error: 'Invalid netmask'
    restrictions:
      - condition: 'settings:nsxv.nsxv_mgt_reserve_ip.value == true'
        action: 'hide'
+      - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
+        action: 'hide'
  nsxv_mgt_net_default_gateway:
    value: ''
    label: 'Management network default gateway'
    description: 'Management network default gateway for metadata proxy'
-    weight: 130
+    weight: 115
    type: 'text'
+    regex:
+      source: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$'
+      error: 'Invalid IP address of the default gateway'
    restrictions:
      - condition: 'settings:nsxv.nsxv_mgt_reserve_ip.value == true'
        action: 'hide'
+      - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
+        action: 'hide'
  nsxv_floating_ip_range:
    value: ''
    label: 'Floating IP ranges'
    description: 'Dash separated IP addresses allocation pool from external network, e.g. "start_ip_address-end_ip_address"'
-    weight: 135
+    weight: 120
    type: 'text'
    regex:
      source: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}-(?:[0-9]{1,3}\.){3}[0-9]{1,3}$'
@@ -212,7 +240,7 @@ attributes:
    value: ''
    label: 'External network CIDR'
    description: 'Network in CIDR notation that includes floating IP ranges'
-    weight: 140
+    weight: 125
    type: 'text'
    regex:
      source: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
@@ -221,13 +249,13 @@ attributes:
    value: ''
    label: 'Gateway'
    description: 'Default gateway for external network, if not defined, first IP address of the network is used'
-    weight: 145
+    weight: 130
    type: 'text'
  nsxv_internal_net_cidr:
    value: ''
    label: 'Internal network CIDR'
    description: 'Network in CIDR notation for use as internal'
-    weight: 150
+    weight: 135
    type: 'text'
    regex:
      source: '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'
@@ -236,19 +264,19 @@ attributes:
    value: ''
    label: 'DNS for internal network'
    description: 'Comma separated IP addresses of DNS server for internal network'
-    weight: 155
+    weight: 140
    type: 'text'
  nsxv_additional:
    value: false
    label: 'Additional settings'
    description: ''
-    weight: 160
+    weight: 145
    type: 'checkbox'
  nsxv_nameservers:
    value: ''
    label: 'Instance name servers'
    description: 'Comma separated list of nameservers to configure for the DHCP binding entries. These will be used if there are no nameservers defined on the subnet.'
-    weight: 161
+    weight: 150
    type: 'text'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -257,7 +285,7 @@ attributes:
    value: ''
    label: 'Task status check interval (millisecond)'
    description: 'Asynchronous task status check interval'
-    weight: 165
+    weight: 155
    type: 'text'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -266,7 +294,7 @@ attributes:
    value: ''
    label: 'Maximum tunnels per vnic'
    description: 'Maximum number of sub interfaces supported per vnic in edge'
-    weight: 170
+    weight: 160
    type: 'text'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -275,7 +303,7 @@ attributes:
    value: ''
    label: 'API retries'
    description: 'Maximum number of API retries'
-    weight: 175
+    weight: 165
    type: 'text'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -284,7 +312,7 @@ attributes:
    value: false
    label: 'Enable SpoofGuard'
    description: 'Indicates if NSXv SpoofGuard component is used to implement port-security feature'
-    weight: 180
+    weight: 170
    type: 'checkbox'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -293,7 +321,7 @@ attributes:
    value: ''
    label: 'Tenant router types'
    description: 'Ordered list of router types to allocate as tenant routers'
-    weight: 185
+    weight: 175
    type: 'text'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -302,7 +330,7 @@ attributes:
    value: ''
    label: 'Exclusive router size'
    description: 'Edge form factor for exclusive router'
-    weight: 190
+    weight: 180
    type: 'text'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -311,7 +339,7 @@ attributes:
    value: ''
    label: 'Edge user'
    description: 'User for Edge node login'
-    weight: 195
+    weight: 185
    type: 'text'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -320,7 +348,7 @@ attributes:
    value: ''
    label: 'Edge password'
    description: 'Password for Edge node login'
-    weight: 200
+    weight: 190
    type: 'password'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -329,7 +357,7 @@ attributes:
    value: ''
    label: 'DHCP lease time (sec)'
    description: ''
-    weight: 205
+    weight: 195
    type: 'text'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
@@ -338,7 +366,7 @@ attributes:
    value: ''
    label: 'Coordinator URL'
    description: 'URL for distributed locking coordinator'
-    weight: 210
+    weight: 200
    type: 'text'
    restrictions:
      - condition: 'settings:nsxv.nsxv_additional.value == false'
--- a/plugin_test/helpers/settings.py
+++ b/plugin_test/helpers/settings.py
@@ -36,8 +36,6 @@ NSXV_PLUGIN_PATH = os.environ.get('NSXV_PLUGIN_PATH')

 plugin_configuration = {
    'nsxv_manager_host/value': os.environ.get('NSXV_MANAGER_IP'),
-    'nsxv_insecure/value': get_var_as_bool(
-        os.environ.get('NSXV_INSECURE'), True),
    'nsxv_user/value': os.environ.get('NSXV_USER'),
    'nsxv_password/value': os.environ.get('NSXV_PASSWORD'),
    'nsxv_datacenter_moid/value': os.environ.get('NSXV_DATACENTER_MOID'),
--- a/plugin_test/tests/test_plugin_nsxv.py
+++ b/plugin_test/tests/test_plugin_nsxv.py
@@ -91,6 +91,10 @@ class TestNSXvPlugin(TestBasic):
            self.fuel_web.check_plugin_exists(cluster_id, self.plugin_name),
            "Test aborted")

+        # Enable metadata initializer
+        pt_settings.plugin_configuration.update(
+            {'nsxv_metadata_initializer/value': True})
+
        # Enable additional settings
        if settings:
            self.fuel_web.update_plugin_settings(cluster_id,
@@ -1565,7 +1569,7 @@ class TestNSXvPlugin(TestBasic):
          groups=["nsxv_metadata_mgt_disabled", "nsxv_plugin"])
    @log_snapshot_after_test
    def nsxv_metadata_mgt_disabled(self):
-        """Check that option nsxv_metadata_listen_mgmt is disabled by default.
+        """Check that option nsxv_metadata_listen is public by default.

        Scenario:
            1. Upload the plugin to master node
@@ -1603,10 +1607,10 @@ class TestNSXvPlugin(TestBasic):

        plugin_data = self.fuel_web.get_plugin_data(
            cluster_id, self.plugin_name, self.plugin_version)
-        assert_true(plugin_data['nsxv_metadata_listen_mgmt']['value'] is False,
-                    "Check default value of nsxv_metadata_listen_mgmt (False)")
+        assert_true(plugin_data['nsxv_metadata_listen']['value'] == "public",
+                    "Check default value of nsxv_metadata_listen")
        assert_true(plugin_data['nsxv_mgt_reserve_ip']['value'] is False,
-                    "Check default value of nsxv_mgt_reserve_ip (False)")
+                    "Check default value of nsxv_mgt_reserve_ip")

        self.fuel_web.deploy_cluster_wait(cluster_id)

--- a/plugin_test/utils/jenkins/system_tests.sh
+++ b/plugin_test/utils/jenkins/system_tests.sh
@@ -339,9 +339,6 @@ CheckVariables() {
  if [ -z "${NSXV_EDGE_HA}" ]; then
    export NSXV_EDGE_HA='false'
  fi
-  if [ -z "${NSXV_INSECURE}" ]; then
-    export NSXV_INSECURE='true'
-  fi

  if [ -z "${NSXV_FLOATING_IP_RANGE}" ]; then
    export NSXV_FLOATING_IP_RANGE='172.16.211.100-172.16.211.150'