Merge "Return checkbox 'nsxv_metadata_insecure'"

This commit is contained in:
Jenkins 2016-06-30 13:11:26 +00:00 committed by Gerrit Code Review
commit b7abfba8dd
10 changed files with 114 additions and 58 deletions


@ -9,7 +9,9 @@ if $settings['nsxv_metadata_initializer'] {
$metadata_listen_ip = get_nova_metadata_ip($settings['nsxv_metadata_listen'])
class { 'nsxv::haproxy_nova_metadata_config':
metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}",
notify => Exec['haproxy-restart'],
metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}",
metadata_insecure => $settings['nsxv_metadata_insecure'],
metadata_crt_key_file => "${::nsxv::params::nsxv_config_dir}/nova_metadata.pem",
notify => Exec['haproxy-restart'],
}
}


@ -34,11 +34,16 @@ if $settings['nsxv_metadata_initializer'] {
neutron_url_timeout => $::nsxv::params::neutron_url_timeout,
settings => $settings,
roles => $roles,
nsxv_config_dirs => $::nsxv::params::nsxv_config_dirs,
nsxv_config_dir => $::nsxv::params::nsxv_config_dir,
}
} else {
class { '::nsxv':
neutron_url_timeout => $::nsxv::params::neutron_url_timeout,
settings => $settings,
roles => $roles,
nsxv_config_dirs => $::nsxv::params::nsxv_config_dirs,
nsxv_config_dir => $::nsxv::params::nsxv_config_dir,
}
}


@ -0,0 +1,17 @@
#!/bin/sh
crt_key_file="$1"
cn='metadata.nsx.local'
cert_gen_dir="$(mktemp -d)"
key_path="$cert_gen_dir/$cn.key"
crt_path="$cert_gen_dir/$cn.crt"
mkdir -p "$(dirname $crt_key_file)"
if [ ! -f $crt_key_file ]; then
bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -subj /C=US/ST=State/L=Locality/O=Organization/OU=Unit/CN=$cn/emailAddress=root@$cn -out $crt_path 2>&1"
cat "$crt_path" "$key_path" > $crt_key_file
chown root:root $crt_key_file
chmod 600 $crt_key_file
else
echo "Key $crt_key_file already exists"
fi
rm -fr "${cert_gen_dir:?}"
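Review bot: The `cat "$crt_path" "$key_path" > $crt_key_file` line creates the combined PEM under the caller's default umask and only tightens it two lines later with `chmod 600`, so the private key is briefly readable to whatever that umask allows; and because the exit status of `openssl req` is discarded inside `bash -c "... 2>&1"`, a failed generation still writes a truncated or empty file that the `[ ! -f $crt_key_file ]` guard will then refuse to regenerate on later runs. Set `umask 077` before anything is written, abort on error with `set -e` plus a `trap` so the temp directory is still removed, and call openssl directly rather than through a second shell that re-parses the unquoted paths. The certificate is self-signed for `metadata.nsx.local`; whether the NSX-side metadata client accepts it without the CA being distributed is not visible in this commit and worth confirming.
```shell
#!/bin/sh
set -e
umask 077
# … unchanged: crt_key_file, cn, cert_gen_dir, key_path, crt_path …
trap 'rm -rf "${cert_gen_dir:?}"' EXIT
mkdir -p "$(dirname "$crt_key_file")"
if [ ! -f "$crt_key_file" ]; then
    openssl req -newkey rsa:2048 -nodes -keyout "$key_path" -x509 -days 3650 \
        -subj "/C=US/ST=State/L=Locality/O=Organization/OU=Unit/CN=$cn/emailAddress=root@$cn" \
        -out "$crt_path" 2>&1
    cat "$crt_path" "$key_path" > "$crt_key_file"
    chown root:root "$crt_key_file"
    chmod 600 "$crt_key_file"
# … unchanged: else branch …
```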


@ -2,21 +2,17 @@
novaHaproxyConf="$(find /etc/haproxy/conf.d -name '*nova-metadata-api*')"
tempFile="$(mktemp)"
awk -v metadata_listen="$1" '
BEGIN {
ipListen=0
}
awk -v metadata_listen="$1" -v metadata_insecure="$2" -v metadata_crt_key_file="$3" '
{
if ($1 == "bind") {
if ($2 == metadata_listen) {
ipListen=1
}
}
if ($1 == "bind") { next }
if ($1 == "http-request") { next }
print $0
}
END {
if (ipListen == 0) {
if (metadata_insecure == "false") {
print " bind",metadata_listen,"ssl crt",metadata_crt_key_file,"no-sslv3 no-tls-tickets ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH"
print " http-request set-header X-Forwarded-Proto https if { ssl_fc }"
} else {
print " bind",metadata_listen
}
} ' $novaHaproxyConf > $tempFile && mv -f $tempFile $novaHaproxyConf
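Review bot: The branch at `if (metadata_insecure == "false")` fails open: any value other than the literal string `false` — an empty or shifted positional argument, `False`, a stray quote — lands on the else path and emits the plaintext `bind`. Inverting it to `if (metadata_insecure != "true") {` makes the TLS listener the default and reserves plaintext for an explicit opt-out. The new `if ($1 == "http-request") { next }` line also discards every existing http-request rule in the file, not only the `X-Forwarded-Proto` header this script writes; if nothing else manages such rules that is fine, but a comment saying the script owns all of them would make the intent clear. The bind options disable SSLv3 only; `no-tlsv10 no-tlsv11` is worth adding if the deployed haproxy version accepts them.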


@ -1,5 +1,7 @@
class nsxv::haproxy_nova_metadata_config (
$metadata_listen,
$metadata_insecure,
$metadata_crt_key_file,
) {
file { '/tmp/haproxy-nova-metadata-config.sh':
ensure => file,
@ -8,9 +10,24 @@ class nsxv::haproxy_nova_metadata_config (
replace => true,
}
exec { 'set nova metadata listen ip':
command => "/tmp/haproxy-nova-metadata-config.sh ${metadata_listen}",
command => "/tmp/haproxy-nova-metadata-config.sh ${metadata_listen} ${metadata_insecure} ${metadata_crt_key_file}",
logoutput => on_failure,
provider => 'shell',
require => File['/tmp/haproxy-nova-metadata-config.sh'],
}
if ! $metadata_insecure {
file { '/tmp/generate_haproxy_key.sh':
ensure => file,
mode => '0755',
source => "puppet:///modules/${module_name}/generate_haproxy_key.sh",
replace => true,
}
exec { 'generate key/cert for nova metadata':
command => "/tmp/generate_haproxy_key.sh ${metadata_crt_key_file}",
logoutput => on_failure,
provider => 'shell',
require => File['/tmp/generate_haproxy_key.sh'],
}
}
}
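Review bot: The command at `command => "/tmp/haproxy-nova-metadata-config.sh ${metadata_listen} ${metadata_insecure} ${metadata_crt_key_file}"` passes the setting as an unquoted positional argument, so an undef or empty `$metadata_insecure` drops out, the certificate path shifts into `$2`, and the script then sees a non-`false` value and writes a plaintext bind even though `if ! $metadata_insecure` still generates the key. Quoting the arguments, `'${metadata_listen}' '${metadata_insecure}' '${metadata_crt_key_file}'`, keeps the positions stable. The key-generation exec relies solely on the script's own existence check; adding `creates => $metadata_crt_key_file,` lets Puppet skip it without running anything. Both scripts are staged in world-writable `/tmp` with mode 0755 and run as root; the `file` resource rewrites them each run, but a module-owned directory would remove the window between the write and the exec.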


@ -1,10 +1,10 @@
class nsxv (
# Do not remove unused variables: template nsx.ini.erb refers to them
$nsxv_config_dirs = [ '/etc/neutron', '/etc/neutron/plugins', '/etc/neutron/plugins/vmware' ],
$nsxv_config_dir = '/etc/neutron/plugins/vmware',
$nsx_plugin_name = 'python-vmware-nsx',
$lbaas_plugin_name = 'python-neutron-lbaas',
$neutron_url_timeout = '600',
$nsxv_config_dirs,
$nsxv_config_dir,
$settings,
$roles,
$nova_metadata_ips = '',
@ -39,19 +39,16 @@ class nsxv (
$metadata_initializer = false
}
if $settings['nsxv_metadata_initializer'] {
$metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '')
if $settings['nsxv_metadata_initializer'] and !$settings['nsxv_metadata_insecure'] {
$metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '')
$metadata_nova_client_priv_key_filename = try_get_value($settings['nsxv_metadata_nova_client_priv_key'], 'name', '')
if empty($metadata_nova_client_cert_filename) and empty($metadata_nova_client_priv_key_filename) {
$metadata_insecure = true # used in nsx.ini.erb template
} else {
$metadata_insecure = false
if !empty($metadata_nova_client_cert_filename) and !empty($metadata_nova_client_priv_key_filename) {
$metadata_nova_client_cert_content = $settings['nsxv_metadata_nova_client_cert']['content']
$metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}"
$metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}"
$metadata_nova_client_priv_key_content = $settings['nsxv_metadata_nova_client_priv_key']['content']
$metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}"
$metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}"
file { $metadata_nova_client_cert_file:
ensure => present,
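Review bot: The condition `if $settings['nsxv_metadata_initializer'] and !$settings['nsxv_metadata_insecure']` assumes the setting arrives as a Puppet boolean; if it is serialized as the string `"false"` it is truthy in Puppet, the negation silently takes the insecure path here and in `haproxy_nova_metadata_config`, while the template and the awk script (which compare the string) take the secure one, leaving a TLS bind that points at a never-generated PEM. Normalising once where the setting is read, e.g. `$metadata_insecure = str2bool("${settings['nsxv_metadata_insecure']}")` (stdlib is already used via `try_get_value`/`empty`), and passing that value on would make all consumers agree — presumably the setting is a real boolean today, so this is a robustness point. The `file { $metadata_nova_client_cert_file:` resource continues past the end of this hunk.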


@ -6,4 +6,7 @@ class nsxv::params {
$core_plugin = 'vmware_nsx.plugin.NsxVPlugin'
$service_plugins = 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2'
$service_providers = 'LOADBALANCERV2:VMWareEdge:neutron_lbaas.drivers.vmware.edge_driver_v2.EdgeLoadBalancerDriverV2:default'
$nsxv_config_dirs = [ '/etc/neutron', '/etc/neutron/plugins', '/etc/neutron/plugins/vmware' ]
$nsxv_config_dir = '/etc/neutron/plugins/vmware'
}


@ -129,18 +129,18 @@ metadata_shared_secret = <%= scope.lookupvar('metadata_shared_secret') %>
# (Optional) If True, the end to end connection for metadata service is
# not verified. If False, the default CA truststore is used for verification.
metadata_insecure = <%= scope.lookupvar('metadata_insecure') %>
metadata_insecure = <%= settings['nsxv_metadata_insecure'] %>
# (Optional) Client certificate to use when metadata connection is to be
# verified. If not provided, a self signed certificate will be used.
<% if not scope.lookupvar('metadata_insecure') -%>
<% if scope.lookupvar('metadata_nova_client_cert_file') -%>
metadata_nova_client_cert = <%= scope.lookupvar('metadata_nova_client_cert_file') %>
<% else -%>
# metadata_nova_client_cert =
<% end -%>
# (Optional) Private key to use for client certificate
<% if not scope.lookupvar('metadata_insecure') -%>
<% if scope.lookupvar('metadata_nova_client_priv_key_file') -%>
metadata_nova_client_priv_key = <%= scope.lookupvar('metadata_nova_client_priv_key_file') %>
<% else -%>
# metadata_nova_client_priv_key =
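Review bot: `metadata_insecure = <%= settings['nsxv_metadata_insecure'] %>` reads the variable by bare name while every other line of this template goes through `scope.lookupvar(...)`; bare variable access in Puppet ERB is the deprecated Puppet 3 form, so `<%= scope.lookupvar('settings')['nsxv_metadata_insecure'] %>` (or `@settings['nsxv_metadata_insecure']`) keeps the template consistent and portable. If the key is absent from `settings`, ERB renders nil as an empty string and the plugin gets `metadata_insecure = ` with no value; deciding on an explicit fallback and rendering it, rather than leaving the option blank, would avoid depending on how the plugin parses an empty boolean.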


@ -12,7 +12,7 @@
version: 2.0.0
type: puppet
groups: [primary-controller,controller]
required_for: [nsxv-install]
required_for: [nsxv-config]
requires: [globals]
parameters:
puppet_manifest: puppet/manifests/gem-install.pp
@ -49,7 +49,7 @@
puppet_manifest: puppet/manifests/haproxy-neutron-config.pp
puppet_modules: puppet/modules
timeout: 120
- id: nsxv-install
- id: nsxv-config
version: 2.0.0
refresh_on: [neutron_config,nova_config]
type: puppet
@ -76,7 +76,7 @@
type: puppet
groups: [controller]
required_for: [deploy_end]
requires: [openstack-network-neutron-policy,nsxv-install]
requires: [openstack-network-neutron-policy,nsxv-config]
cross-depended-by:
- name: primary-openstack-network-neutron-start
parameters:
@ -89,7 +89,7 @@
type: puppet
groups: [primary-controller]
required_for: [openstack-network-networks-nsxv]
requires: [openstack-network-neutron-policy,nsxv-install]
requires: [openstack-network-neutron-policy,nsxv-config]
parameters:
puppet_manifest: puppet/manifests/neutron-server-start.pp
puppet_modules: puppet/modules


@ -113,9 +113,54 @@ attributes:
description: 'If enabled, instance will attempt to initialize the metadata infrastructure to access to metadata proxy service'
weight: 70
type: 'checkbox'
nsxv_metadata_insecure:
value: true
label: 'Bypass metadata service certificate verification'
description: ''
weight: 75
type: 'checkbox'
restrictions:
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
action: 'hide'
# hidden due to https://bugs.launchpad.net/vmware-nsx/+bug/1590840
nsxv_metadata_nova_client_cert:
type: 'hidden'
value: ''
weight: 80
label: ''
#label: 'Certificate for metadata proxy'
#description: 'PEM format'
#type: 'file'
#restrictions:
# - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name != null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name == null'
# action: 'none'
# strict: false
# message: 'Private key loaded, but certificate is absent'
# - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
# action: 'hide'
# - condition: 'settings:nsxv.nsxv_metadata_insecure.value == true'
# action: 'hide'
# hidden due to https://bugs.launchpad.net/vmware-nsx/+bug/1590840
nsxv_metadata_nova_client_priv_key:
type: 'hidden'
value: ''
weight: 85
label: ''
#label: 'Private key'
#description: 'Private key for metadata certificate'
#type: 'file'
#restrictions:
# - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name == null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name != null'
# action: 'none'
# strict: false
# message: 'Certificate loaded, but private key is absent.'
# - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
# action: 'hide'
# - condition: 'settings:nsxv.nsxv_metadata_insecure.value == true'
# action: 'hide'
nsxv_metadata_listen:
label: 'Which network will be used to access the nova-metadata'
weight: 75
weight: 90
type: 'select'
value: 'public'
values:
@ -126,32 +171,6 @@ attributes:
restrictions:
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
action: 'hide'
nsxv_metadata_nova_client_cert:
value: ''
label: 'Certificate for metadata proxy'
description: 'PEM format'
weight: 85
type: 'file'
restrictions:
- condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name != null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name == null'
action: 'none'
strict: false
message: 'Private key loaded, but certificate is absent'
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
action: 'hide'
nsxv_metadata_nova_client_priv_key:
value: ''
label: 'Private key'
description: 'Private key for metadata certificate'
weight: 90
type: 'file'
restrictions:
- condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name == null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name != null'
action: 'none'
strict: false
message: 'Certificate loaded, but private key is absent.'
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
action: 'hide'
nsxv_metadata_service_allowed_ports:
value: ''
label: 'Metadata allowed ports'
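Review bot: `nsxv_metadata_insecure` ships with `value: true` and `description: ''`, so the default deployment takes the plaintext `bind` branch of the haproxy script and the operator is not told what the box controls. Suggest `description: 'If enabled, the nova-metadata front end listens without TLS and the metadata connection is not verified. Disable to have haproxy serve a generated self-signed certificate on the metadata listener.'` and reconsider whether the default should be `false`. The commented-out file fields above show that the client certificate upload is hidden pending bug 1590840, so the generated self-signed certificate is currently the only secure path reachable from the UI; a short sentence to that effect in the description would explain why no certificate fields are shown.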