Return checkbox 'nsxv_metadata_insecure'
Due to LP bug #1590840, the parameters nsxv_metadata_nova_client_priv_key and nsxv_metadata_nova_client_cert are hidden. Change-Id: I8ee1107d24aa79fb02b3b91d79dbd3ddd10a9a83 Closes-Bug: #1590407
parent
e8bfab8631
commit
7598c532a0
|
@ -9,7 +9,9 @@ if $settings['nsxv_metadata_initializer'] {
|
||||||
$metadata_listen_ip = get_nova_metadata_ip($settings['nsxv_metadata_listen'])
|
$metadata_listen_ip = get_nova_metadata_ip($settings['nsxv_metadata_listen'])
|
||||||
|
|
||||||
class { 'nsxv::haproxy_nova_metadata_config':
|
class { 'nsxv::haproxy_nova_metadata_config':
|
||||||
metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}",
|
metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}",
|
||||||
notify => Exec['haproxy-restart'],
|
metadata_insecure => $settings['nsxv_metadata_insecure'],
|
||||||
|
metadata_crt_key_file => "${::nsxv::params::nsxv_config_dir}/nova_metadata.pem",
|
||||||
|
notify => Exec['haproxy-restart'],
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
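Review bot: The new `metadata_crt_key_file` line hard-codes the combined certificate-plus-private-key PEM into the neutron plugin configuration directory, and nothing in the manifest says why it lives there rather than with the haproxy configuration that consumes it. A one-line comment above that parameter would save the next maintainer the search: `# combined cert+key PEM consumed by haproxy 'bind ... ssl crt'; created by generate_haproxy_key.sh only when metadata_insecure is false`. The enclosing `if $settings['nsxv_metadata_initializer']` block starts before this hunk.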
@ -34,11 +34,16 @@ if $settings['nsxv_metadata_initializer'] {
|
||||||
neutron_url_timeout => $::nsxv::params::neutron_url_timeout,
|
neutron_url_timeout => $::nsxv::params::neutron_url_timeout,
|
||||||
settings => $settings,
|
settings => $settings,
|
||||||
roles => $roles,
|
roles => $roles,
|
||||||
|
nsxv_config_dirs => $::nsxv::params::nsxv_config_dirs,
|
||||||
|
nsxv_config_dir => $::nsxv::params::nsxv_config_dir,
|
||||||
|
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
class { '::nsxv':
|
class { '::nsxv':
|
||||||
neutron_url_timeout => $::nsxv::params::neutron_url_timeout,
|
neutron_url_timeout => $::nsxv::params::neutron_url_timeout,
|
||||||
settings => $settings,
|
settings => $settings,
|
||||||
roles => $roles,
|
roles => $roles,
|
||||||
|
nsxv_config_dirs => $::nsxv::params::nsxv_config_dirs,
|
||||||
|
nsxv_config_dir => $::nsxv::params::nsxv_config_dir,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,17 @@
|
||||||
|
#!/bin/sh
|
||||||
|
crt_key_file="$1"
|
||||||
|
cn='metadata.nsx.local'
|
||||||
|
cert_gen_dir="$(mktemp -d)"
|
||||||
|
key_path="$cert_gen_dir/$cn.key"
|
||||||
|
crt_path="$cert_gen_dir/$cn.crt"
|
||||||
|
|
||||||
|
mkdir -p "$(dirname $crt_key_file)"
|
||||||
|
if [ ! -f $crt_key_file ]; then
|
||||||
|
bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -subj /C=US/ST=State/L=Locality/O=Organization/OU=Unit/CN=$cn/emailAddress=root@$cn -out $crt_path 2>&1"
|
||||||
|
cat "$crt_path" "$key_path" > $crt_key_file
|
||||||
|
chown root:root $crt_key_file
|
||||||
|
chmod 600 $crt_key_file
|
||||||
|
else
|
||||||
|
echo "Key $crt_key_file already exists"
|
||||||
|
fi
|
||||||
|
rm -fr "${cert_gen_dir:?}"
|
|
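Review bot: The combined PEM is written by `cat "$crt_path" "$key_path" > $crt_key_file` under the caller's default umask and only tightened to 0600 afterwards, and a failing `openssl` is never checked, so an empty or partial file can still be installed (and later cause haproxy to fail to start). Setting `umask 077` and `set -eu` at the top closes both gaps; the `bash -c "openssl ..."` wrapper is also unnecessary and interpolates `$key_path`/`$crt_path` into a shell string, so calling `openssl` directly with quoted arguments is both simpler and safer. With `set -e`, the cleanup of `$cert_gen_dir` should move to an `EXIT` trap so the temporary key material is removed on failure as well as success. The remaining unquoted uses of `$crt_key_file` should be quoted for the same reason.
```sh
#!/bin/sh
set -eu
umask 077    # key material is never created world-readable, even before chmod
crt_key_file="$1"
cn='metadata.nsx.local'
cert_gen_dir="$(mktemp -d)"
trap 'rm -fr "${cert_gen_dir:?}"' EXIT   # clean up the temp dir on success and failure
# … unchanged: key_path, crt_path …
mkdir -p "$(dirname "$crt_key_file")"
if [ ! -f "$crt_key_file" ]; then
    openssl req -newkey rsa:2048 -nodes -keyout "$key_path" -x509 -days 3650 \
        -subj "/C=US/ST=State/L=Locality/O=Organization/OU=Unit/CN=$cn/emailAddress=root@$cn" \
        -out "$crt_path" 2>&1
    cat "$crt_path" "$key_path" > "$crt_key_file"
    chown root:root "$crt_key_file"
    chmod 600 "$crt_key_file"
else
    echo "Key $crt_key_file already exists"
fi
```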
@ -2,21 +2,17 @@
|
||||||
novaHaproxyConf="$(find /etc/haproxy/conf.d -name '*nova-metadata-api*')"
|
novaHaproxyConf="$(find /etc/haproxy/conf.d -name '*nova-metadata-api*')"
|
||||||
tempFile="$(mktemp)"
|
tempFile="$(mktemp)"
|
||||||
|
|
||||||
awk -v metadata_listen="$1" '
|
awk -v metadata_listen="$1" -v metadata_insecure="$2" -v metadata_crt_key_file="$3" '
|
||||||
BEGIN {
|
|
||||||
ipListen=0
|
|
||||||
}
|
|
||||||
{
|
{
|
||||||
if ($1 == "bind") {
|
if ($1 == "bind") { next }
|
||||||
if ($2 == metadata_listen) {
|
if ($1 == "http-request") { next }
|
||||||
ipListen=1
|
|
||||||
}
|
|
||||||
}
|
|
||||||
print $0
|
print $0
|
||||||
}
|
}
|
||||||
END {
|
END {
|
||||||
if (ipListen == 0) {
|
if (metadata_insecure == "false") {
|
||||||
|
print " bind",metadata_listen,"ssl crt",metadata_crt_key_file,"no-sslv3 no-tls-tickets ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH"
|
||||||
|
print " http-request set-header X-Forwarded-Proto https if { ssl_fc }"
|
||||||
|
} else {
|
||||||
print " bind",metadata_listen
|
print " bind",metadata_listen
|
||||||
}
|
}
|
||||||
|
|
||||||
} ' $novaHaproxyConf > $tempFile && mv -f $tempFile $novaHaproxyConf
|
} ' $novaHaproxyConf > $tempFile && mv -f $tempFile $novaHaproxyConf
|
||||||
|
|
|
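Review bot: The END block selects TLS only when `metadata_insecure == "false"` exactly, so any other value — an empty string when the second argument is missing, or a differently cased spelling — falls through to the plaintext `bind`, which makes the less safe configuration the default on error; inverting the test to `if (metadata_insecure != "true") {` makes TLS the fallback. `$novaHaproxyConf` and `$tempFile` are unquoted in the final pipeline, and if `find` matches nothing awk reads stdin and `mv` then fails with an unhelpful error, so a guard such as `[ -n "$novaHaproxyConf" ] || exit 1` after the `find` would be clearer. Because `mktemp` creates the temp file with mode 0600 and `mv -f` carries that mode into `/etc/haproxy/conf.d`, the rewritten file presumably ends up stricter than the original; haproxy reads its configuration as root so this likely works, but it is worth confirming.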
@ -1,5 +1,7 @@
|
||||||
class nsxv::haproxy_nova_metadata_config (
|
class nsxv::haproxy_nova_metadata_config (
|
||||||
$metadata_listen,
|
$metadata_listen,
|
||||||
|
$metadata_insecure,
|
||||||
|
$metadata_crt_key_file,
|
||||||
) {
|
) {
|
||||||
file { '/tmp/haproxy-nova-metadata-config.sh':
|
file { '/tmp/haproxy-nova-metadata-config.sh':
|
||||||
ensure => file,
|
ensure => file,
|
||||||
|
@ -8,9 +10,24 @@ class nsxv::haproxy_nova_metadata_config (
|
||||||
replace => true,
|
replace => true,
|
||||||
}
|
}
|
||||||
exec { 'set nova metadata listen ip':
|
exec { 'set nova metadata listen ip':
|
||||||
command => "/tmp/haproxy-nova-metadata-config.sh ${metadata_listen}",
|
command => "/tmp/haproxy-nova-metadata-config.sh ${metadata_listen} ${metadata_insecure} ${metadata_crt_key_file}",
|
||||||
logoutput => on_failure,
|
logoutput => on_failure,
|
||||||
provider => 'shell',
|
provider => 'shell',
|
||||||
require => File['/tmp/haproxy-nova-metadata-config.sh'],
|
require => File['/tmp/haproxy-nova-metadata-config.sh'],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ! $metadata_insecure {
|
||||||
|
file { '/tmp/generate_haproxy_key.sh':
|
||||||
|
ensure => file,
|
||||||
|
mode => '0755',
|
||||||
|
source => "puppet:///modules/${module_name}/generate_haproxy_key.sh",
|
||||||
|
replace => true,
|
||||||
|
}
|
||||||
|
exec { 'generate key/cert for nova metadata':
|
||||||
|
command => "/tmp/generate_haproxy_key.sh ${metadata_crt_key_file}",
|
||||||
|
logoutput => on_failure,
|
||||||
|
provider => 'shell',
|
||||||
|
require => File['/tmp/generate_haproxy_key.sh'],
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
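Review bot: The new `exec { 'generate key/cert for nova metadata': ... }` has no ordering relationship with `exec { 'set nova metadata listen ip': ... }`, yet the latter writes a `bind ... ssl crt ${metadata_crt_key_file}` line (and, via the caller's `notify`, restarts haproxy) that needs the PEM to exist already; on a first run haproxy can be restarted against a missing file. Adding `before => Exec['set nova metadata listen ip'],` to the generate exec fixes the ordering, and `creates => $metadata_crt_key_file,` would let Puppet skip it idempotently instead of relying on the script's own existence check. The `if ! $metadata_insecure` test presumably receives a boolean from the settings hash; if it could ever arrive as the string `"false"`, the truthiness differs between Puppet versions and should be confirmed. The `${metadata_insecure}` and `${metadata_crt_key_file}` values are interpolated unquoted into the shell command line, so the argument positions in the script depend on neither containing whitespace.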
|
@ -1,10 +1,10 @@
|
||||||
class nsxv (
|
class nsxv (
|
||||||
# Do not remove unused variables: template nsx.ini.erb refers to them
|
# Do not remove unused variables: template nsx.ini.erb refers to them
|
||||||
$nsxv_config_dirs = [ '/etc/neutron', '/etc/neutron/plugins', '/etc/neutron/plugins/vmware' ],
|
|
||||||
$nsxv_config_dir = '/etc/neutron/plugins/vmware',
|
|
||||||
$nsx_plugin_name = 'python-vmware-nsx',
|
$nsx_plugin_name = 'python-vmware-nsx',
|
||||||
$lbaas_plugin_name = 'python-neutron-lbaas',
|
$lbaas_plugin_name = 'python-neutron-lbaas',
|
||||||
$neutron_url_timeout = '600',
|
$neutron_url_timeout = '600',
|
||||||
|
$nsxv_config_dirs,
|
||||||
|
$nsxv_config_dir,
|
||||||
$settings,
|
$settings,
|
||||||
$roles,
|
$roles,
|
||||||
$nova_metadata_ips = '',
|
$nova_metadata_ips = '',
|
||||||
|
@ -39,19 +39,16 @@ class nsxv (
|
||||||
$metadata_initializer = false
|
$metadata_initializer = false
|
||||||
}
|
}
|
||||||
|
|
||||||
if $settings['nsxv_metadata_initializer'] {
|
if $settings['nsxv_metadata_initializer'] and !$settings['nsxv_metadata_insecure'] {
|
||||||
$metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '')
|
$metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '')
|
||||||
$metadata_nova_client_priv_key_filename = try_get_value($settings['nsxv_metadata_nova_client_priv_key'], 'name', '')
|
$metadata_nova_client_priv_key_filename = try_get_value($settings['nsxv_metadata_nova_client_priv_key'], 'name', '')
|
||||||
if empty($metadata_nova_client_cert_filename) and empty($metadata_nova_client_priv_key_filename) {
|
|
||||||
$metadata_insecure = true # used in nsx.ini.erb template
|
|
||||||
} else {
|
|
||||||
$metadata_insecure = false
|
|
||||||
|
|
||||||
|
if !empty($metadata_nova_client_cert_filename) and !empty($metadata_nova_client_priv_key_filename) {
|
||||||
$metadata_nova_client_cert_content = $settings['nsxv_metadata_nova_client_cert']['content']
|
$metadata_nova_client_cert_content = $settings['nsxv_metadata_nova_client_cert']['content']
|
||||||
$metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}"
|
$metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}"
|
||||||
|
|
||||||
$metadata_nova_client_priv_key_content = $settings['nsxv_metadata_nova_client_priv_key']['content']
|
$metadata_nova_client_priv_key_content = $settings['nsxv_metadata_nova_client_priv_key']['content']
|
||||||
$metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}"
|
$metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}"
|
||||||
|
|
||||||
file { $metadata_nova_client_cert_file:
|
file { $metadata_nova_client_cert_file:
|
||||||
ensure => present,
|
ensure => present,
|
||||||
|
|
|
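Review bot: With the condition changed to `if !empty($metadata_nova_client_cert_filename) and !empty($metadata_nova_client_priv_key_filename)`, supplying exactly one of the certificate and key now silently skips both file resources, leaving nsx.ini with `metadata_insecure = false` and no client certificate; the UI restrictions that previously reported the mismatch are commented out in this same commit. An `else { fail('nsxv: metadata client certificate and private key must both be provided') }` (or at least a `warning()`) would make the misconfiguration visible at catalog time. The enclosing `if $settings['nsxv_metadata_initializer'] and !$settings['nsxv_metadata_insecure']` block continues past the end of this hunk.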
@ -6,4 +6,7 @@ class nsxv::params {
|
||||||
$core_plugin = 'vmware_nsx.plugin.NsxVPlugin'
|
$core_plugin = 'vmware_nsx.plugin.NsxVPlugin'
|
||||||
$service_plugins = 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2'
|
$service_plugins = 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2'
|
||||||
$service_providers = 'LOADBALANCERV2:VMWareEdge:neutron_lbaas.drivers.vmware.edge_driver_v2.EdgeLoadBalancerDriverV2:default'
|
$service_providers = 'LOADBALANCERV2:VMWareEdge:neutron_lbaas.drivers.vmware.edge_driver_v2.EdgeLoadBalancerDriverV2:default'
|
||||||
|
|
||||||
|
$nsxv_config_dirs = [ '/etc/neutron', '/etc/neutron/plugins', '/etc/neutron/plugins/vmware' ]
|
||||||
|
$nsxv_config_dir = '/etc/neutron/plugins/vmware'
|
||||||
}
|
}
|
||||||
|
|
|
@ -129,18 +129,18 @@ metadata_shared_secret = <%= scope.lookupvar('metadata_shared_secret') %>
|
||||||
|
|
||||||
# (Optional) If True, the end to end connection for metadata service is
|
# (Optional) If True, the end to end connection for metadata service is
|
||||||
# not verified. If False, the default CA truststore is used for verification.
|
# not verified. If False, the default CA truststore is used for verification.
|
||||||
metadata_insecure = <%= scope.lookupvar('metadata_insecure') %>
|
metadata_insecure = <%= settings['nsxv_metadata_insecure'] %>
|
||||||
|
|
||||||
# (Optional) Client certificate to use when metadata connection is to be
|
# (Optional) Client certificate to use when metadata connection is to be
|
||||||
# verified. If not provided, a self signed certificate will be used.
|
# verified. If not provided, a self signed certificate will be used.
|
||||||
<% if not scope.lookupvar('metadata_insecure') -%>
|
<% if scope.lookupvar('metadata_nova_client_cert_file') -%>
|
||||||
metadata_nova_client_cert = <%= scope.lookupvar('metadata_nova_client_cert_file') %>
|
metadata_nova_client_cert = <%= scope.lookupvar('metadata_nova_client_cert_file') %>
|
||||||
<% else -%>
|
<% else -%>
|
||||||
# metadata_nova_client_cert =
|
# metadata_nova_client_cert =
|
||||||
<% end -%>
|
<% end -%>
|
||||||
|
|
||||||
# (Optional) Private key to use for client certificate
|
# (Optional) Private key to use for client certificate
|
||||||
<% if not scope.lookupvar('metadata_insecure') -%>
|
<% if scope.lookupvar('metadata_nova_client_priv_key_file') -%>
|
||||||
metadata_nova_client_priv_key = <%= scope.lookupvar('metadata_nova_client_priv_key_file') %>
|
metadata_nova_client_priv_key = <%= scope.lookupvar('metadata_nova_client_priv_key_file') %>
|
||||||
<% else -%>
|
<% else -%>
|
||||||
# metadata_nova_client_priv_key =
|
# metadata_nova_client_priv_key =
|
||||||
|
|
|
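Review bot: The guards `<% if scope.lookupvar('metadata_nova_client_cert_file') -%>` and `<% if scope.lookupvar('metadata_nova_client_priv_key_file') -%>` depend on `lookupvar` returning a falsy value for a variable that was never assigned; in some Puppet 3 releases it returns a symbol for an unknown variable, which Ruby treats as truthy, so the template could emit `metadata_nova_client_cert = ` with a bogus value — this should be confirmed for the Puppet version in use, and `<% if has_variable?('metadata_nova_client_cert_file') -%>` is the version-independent spelling. `metadata_insecure = <%= settings['nsxv_metadata_insecure'] %>` renders an empty value when the setting is absent from the hash, which oslo.config will likely reject for a boolean option, so a `.nil?` fallback or a default in the manifest would be safer. The variables the template expects should be listed in a comment at its top so the coupling to the manifest is explicit.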
@ -12,7 +12,7 @@
|
||||||
version: 2.0.0
|
version: 2.0.0
|
||||||
type: puppet
|
type: puppet
|
||||||
groups: [primary-controller,controller]
|
groups: [primary-controller,controller]
|
||||||
required_for: [nsxv-install]
|
required_for: [nsxv-config]
|
||||||
requires: [globals]
|
requires: [globals]
|
||||||
parameters:
|
parameters:
|
||||||
puppet_manifest: puppet/manifests/gem-install.pp
|
puppet_manifest: puppet/manifests/gem-install.pp
|
||||||
|
@ -49,7 +49,7 @@
|
||||||
puppet_manifest: puppet/manifests/haproxy-neutron-config.pp
|
puppet_manifest: puppet/manifests/haproxy-neutron-config.pp
|
||||||
puppet_modules: puppet/modules
|
puppet_modules: puppet/modules
|
||||||
timeout: 120
|
timeout: 120
|
||||||
- id: nsxv-install
|
- id: nsxv-config
|
||||||
version: 2.0.0
|
version: 2.0.0
|
||||||
refresh_on: [neutron_config,nova_config]
|
refresh_on: [neutron_config,nova_config]
|
||||||
type: puppet
|
type: puppet
|
||||||
|
@ -76,7 +76,7 @@
|
||||||
type: puppet
|
type: puppet
|
||||||
groups: [controller]
|
groups: [controller]
|
||||||
required_for: [deploy_end]
|
required_for: [deploy_end]
|
||||||
requires: [openstack-network-neutron-policy,nsxv-install]
|
requires: [openstack-network-neutron-policy,nsxv-config]
|
||||||
cross-depended-by:
|
cross-depended-by:
|
||||||
- name: primary-openstack-network-neutron-start
|
- name: primary-openstack-network-neutron-start
|
||||||
parameters:
|
parameters:
|
||||||
|
@ -89,7 +89,7 @@
|
||||||
type: puppet
|
type: puppet
|
||||||
groups: [primary-controller]
|
groups: [primary-controller]
|
||||||
required_for: [openstack-network-networks-nsxv]
|
required_for: [openstack-network-networks-nsxv]
|
||||||
requires: [openstack-network-neutron-policy,nsxv-install]
|
requires: [openstack-network-neutron-policy,nsxv-config]
|
||||||
parameters:
|
parameters:
|
||||||
puppet_manifest: puppet/manifests/neutron-server-start.pp
|
puppet_manifest: puppet/manifests/neutron-server-start.pp
|
||||||
puppet_modules: puppet/modules
|
puppet_modules: puppet/modules
|
||||||
|
|
|
@ -113,9 +113,54 @@ attributes:
|
||||||
description: 'If enabled, instance will attempt to initialize the metadata infrastructure to access to metadata proxy service'
|
description: 'If enabled, instance will attempt to initialize the metadata infrastructure to access to metadata proxy service'
|
||||||
weight: 70
|
weight: 70
|
||||||
type: 'checkbox'
|
type: 'checkbox'
|
||||||
|
nsxv_metadata_insecure:
|
||||||
|
value: true
|
||||||
|
label: 'Bypass metadata service certificate verification'
|
||||||
|
description: ''
|
||||||
|
weight: 75
|
||||||
|
type: 'checkbox'
|
||||||
|
restrictions:
|
||||||
|
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||||
|
action: 'hide'
|
||||||
|
# hidden due to https://bugs.launchpad.net/vmware-nsx/+bug/1590840
|
||||||
|
nsxv_metadata_nova_client_cert:
|
||||||
|
type: 'hidden'
|
||||||
|
value: ''
|
||||||
|
weight: 80
|
||||||
|
label: ''
|
||||||
|
#label: 'Certificate for metadata proxy'
|
||||||
|
#description: 'PEM format'
|
||||||
|
#type: 'file'
|
||||||
|
#restrictions:
|
||||||
|
# - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name != null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name == null'
|
||||||
|
# action: 'none'
|
||||||
|
# strict: false
|
||||||
|
# message: 'Private key loaded, but certificate is absent'
|
||||||
|
# - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||||
|
# action: 'hide'
|
||||||
|
# - condition: 'settings:nsxv.nsxv_metadata_insecure.value == true'
|
||||||
|
# action: 'hide'
|
||||||
|
# hidden due to https://bugs.launchpad.net/vmware-nsx/+bug/1590840
|
||||||
|
nsxv_metadata_nova_client_priv_key:
|
||||||
|
type: 'hidden'
|
||||||
|
value: ''
|
||||||
|
weight: 85
|
||||||
|
label: ''
|
||||||
|
#label: 'Private key'
|
||||||
|
#description: 'Private key for metadata certificate'
|
||||||
|
#type: 'file'
|
||||||
|
#restrictions:
|
||||||
|
# - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name == null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name != null'
|
||||||
|
# action: 'none'
|
||||||
|
# strict: false
|
||||||
|
# message: 'Certificate loaded, but private key is absent.'
|
||||||
|
# - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||||
|
# action: 'hide'
|
||||||
|
# - condition: 'settings:nsxv.nsxv_metadata_insecure.value == true'
|
||||||
|
# action: 'hide'
|
||||||
nsxv_metadata_listen:
|
nsxv_metadata_listen:
|
||||||
label: 'Which network will be used to access the nova-metadata'
|
label: 'Which network will be used to access the nova-metadata'
|
||||||
weight: 75
|
weight: 90
|
||||||
type: 'select'
|
type: 'select'
|
||||||
value: 'public'
|
value: 'public'
|
||||||
values:
|
values:
|
||||||
|
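Review bot: The new `nsxv_metadata_insecure` attribute defaults to `value: true` and has `description: ''`, so the operator sees a checkbox that disables certificate verification, already ticked, with no explanation of the consequence. A description such as `'When enabled, the connection from the NSX Edge to the nova metadata proxy is not verified against a certificate; disable to terminate TLS on haproxy with a self-signed certificate'` states the trade-off in the UI. The commented-out `restrictions` blocks under the two hidden attributes should keep the `# hidden due to ...` note only once rather than duplicating the same explanation for both attributes.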
@ -126,32 +171,6 @@ attributes:
|
||||||
restrictions:
|
restrictions:
|
||||||
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||||
action: 'hide'
|
action: 'hide'
|
||||||
nsxv_metadata_nova_client_cert:
|
|
||||||
value: ''
|
|
||||||
label: 'Certificate for metadata proxy'
|
|
||||||
description: 'PEM format'
|
|
||||||
weight: 85
|
|
||||||
type: 'file'
|
|
||||||
restrictions:
|
|
||||||
- condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name != null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name == null'
|
|
||||||
action: 'none'
|
|
||||||
strict: false
|
|
||||||
message: 'Private key loaded, but certificate is absent'
|
|
||||||
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
|
||||||
action: 'hide'
|
|
||||||
nsxv_metadata_nova_client_priv_key:
|
|
||||||
value: ''
|
|
||||||
label: 'Private key'
|
|
||||||
description: 'Private key for metadata certificate'
|
|
||||||
weight: 90
|
|
||||||
type: 'file'
|
|
||||||
restrictions:
|
|
||||||
- condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name == null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name != null'
|
|
||||||
action: 'none'
|
|
||||||
strict: false
|
|
||||||
message: 'Certificate loaded, but private key is absent.'
|
|
||||||
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
|
||||||
action: 'hide'
|
|
||||||
nsxv_metadata_service_allowed_ports:
|
nsxv_metadata_service_allowed_ports:
|
||||||
value: ''
|
value: ''
|
||||||
label: 'Metadata allowed ports'
|
label: 'Metadata allowed ports'
|
||||||
|
|