NSXv3: Add support for secure metadata-proxy access

This will allow the edge-cluster running metadata-proxy to talk to Nova API via https. Change-Id: Ibb1fe8fbd976aef4539673da132c38a12c12beb4
2017-03-14 14:51:10 -07:00 · 2017-03-14 14:51:10 -07:00 · 5cd1495665
parent 58f3691bcd
commit 5cd1495665
2 changed files with 12 additions and 0 deletions
--- a/devstack/lib/vmware_nsx_v3
+++ b/devstack/lib/vmware_nsx_v3
@ -94,6 +94,15 @@ function neutron_plugin_create_nova_conf {
        iniset $NOVA_CONF neutron service_metadata_proxy True
        if [[ "$NATIVE_DHCP_METADATA" == "True" ]]; then
            iniset $NOVA_CONF neutron metadata_proxy_shared_secret $METADATA_PROXY_SHARED_SECRET
+            if [[ "$METADATA_PROXY_USE_HTTPS" == "True" ]]; then
+                iniset $NOVA_CONF DEFAULT enabled_ssl_apis metadata
+                if [[ "$METADATA_PROXY_CERT_FILE" != "" ]]; then
+                    iniset $NOVA_CONF wsgi ssl_cert_file $METADATA_PROXY_CERT_FILE
+                fi
+                if [[ "$METADATA_PROXY_PRIV_KEY_FILE" != "" ]]; then
+                    iniset $NOVA_CONF wsgi ssl_key_file $METADATA_PROXY_PRIV_KEY_FILE
+                fi
+            fi
        fi
    fi
 }
--- a/devstack/nsx_v3/controller_local.conf.sample
+++ b/devstack/nsx_v3/controller_local.conf.sample
@ -111,4 +111,7 @@ DEFAULT_EDGE_CLUSTER_UUID=<edge-cluster-uuid>
 DHCP_PROFILE_UUID=<dhcp-profile-uuid>
 METADATA_PROXY_UUID=<metadata-proxy-uuid>
 METADATA_PROXY_SHARED_SECRET=<metadata-proxy-secret>
+METADATA_PROXY_USE_HTTPS=False
+METADATA_PROXY_CERT_FILE=<metadata-proxy-cert-file>
+METADATA_PROXY_PRIV_KEY_FILE=<metadata-proxy-priv-key-file>
 NATIVE_DHCP_METADATA=True