Merge "Return checkbox 'nsxv_metadata_insecure'"
commit
b7abfba8dd
|
@ -9,7 +9,9 @@ if $settings['nsxv_metadata_initializer'] {
|
|||
$metadata_listen_ip = get_nova_metadata_ip($settings['nsxv_metadata_listen'])
|
||||
|
||||
class { 'nsxv::haproxy_nova_metadata_config':
|
||||
metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}",
|
||||
notify => Exec['haproxy-restart'],
|
||||
metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}",
|
||||
metadata_insecure => $settings['nsxv_metadata_insecure'],
|
||||
metadata_crt_key_file => "${::nsxv::params::nsxv_config_dir}/nova_metadata.pem",
|
||||
notify => Exec['haproxy-restart'],
|
||||
}
|
||||
}
|
||||
|
|
|
@ -34,11 +34,16 @@ if $settings['nsxv_metadata_initializer'] {
|
|||
neutron_url_timeout => $::nsxv::params::neutron_url_timeout,
|
||||
settings => $settings,
|
||||
roles => $roles,
|
||||
nsxv_config_dirs => $::nsxv::params::nsxv_config_dirs,
|
||||
nsxv_config_dir => $::nsxv::params::nsxv_config_dir,
|
||||
|
||||
}
|
||||
} else {
|
||||
class { '::nsxv':
|
||||
neutron_url_timeout => $::nsxv::params::neutron_url_timeout,
|
||||
settings => $settings,
|
||||
roles => $roles,
|
||||
nsxv_config_dirs => $::nsxv::params::nsxv_config_dirs,
|
||||
nsxv_config_dir => $::nsxv::params::nsxv_config_dir,
|
||||
}
|
||||
}
|
||||
|
|
|
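--- /dev/null
+++ b/[path not on page]/generate_haproxy_key.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+crt_key_file="$1"
+cn='metadata.nsx.local'
+cert_gen_dir="$(mktemp -d)"
+key_path="$cert_gen_dir/$cn.key"
+crt_path="$cert_gen_dir/$cn.crt"
+
+mkdir -p "$(dirname $crt_key_file)"
+if [ ! -f $crt_key_file ]; then
+bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -subj /C=US/ST=State/L=Locality/O=Organization/OU=Unit/CN=$cn/emailAddress=root@$cn -out $crt_path 2>&1"
+cat "$crt_path" "$key_path" > $crt_key_file
+chown root:root $crt_key_file
+chmod 600 $crt_key_file
+else
+echo "Key $crt_key_file already exists"
+fi
+rm -fr "${cert_gen_dir:?}"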
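Review bot: The combined certificate+private-key file is created by the `cat "$crt_path" "$key_path" > $crt_key_file` redirect under the caller's default umask and only afterwards restricted by `chmod 600`, so the key can briefly be readable by other users if that umask is permissive; setting `umask 077` after the `mkdir -p` (not before it, so an absent config directory is not created as 0700) closes that window. The script also runs without `set -e`, so a failing `openssl req` still lets `cat` write an empty or partial PEM that the next run reports as "already exists", and the failure then shows up only when haproxy refuses to start. The `bash -c "openssl ..."` wrapper under a `#!/bin/sh` shebang re-parses the temp paths through a second shell for no benefit; call openssl directly with quoted arguments, quote `$crt_key_file` everywhere, and move the cleanup into an EXIT trap so the temp directory is removed on the error path too (the final `rm -fr` can then go). Sketch of the creating branch:
```shell
#!/bin/sh
set -eu
# … unchanged: crt_key_file / cn / cert_gen_dir / key_path / crt_path …
trap 'rm -fr "${cert_gen_dir:?}"' EXIT
mkdir -p "$(dirname "$crt_key_file")"
umask 077                      # key material must not be created world-readable
if [ ! -f "$crt_key_file" ]; then
    openssl req -newkey rsa:2048 -nodes -keyout "$key_path" -x509 -days 3650 \
        -subj "/C=US/ST=State/L=Locality/O=Organization/OU=Unit/CN=$cn/emailAddress=root@$cn" \
        -out "$crt_path" 2>&1
    cat "$crt_path" "$key_path" > "$crt_key_file"
    chown root:root "$crt_key_file"
    chmod 600 "$crt_key_file"
# … unchanged: else branch …
```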
@ -2,21 +2,17 @@
|
|||
novaHaproxyConf="$(find /etc/haproxy/conf.d -name '*nova-metadata-api*')"
|
||||
tempFile="$(mktemp)"
|
||||
|
||||
awk -v metadata_listen="$1" '
|
||||
BEGIN {
|
||||
ipListen=0
|
||||
}
|
||||
awk -v metadata_listen="$1" -v metadata_insecure="$2" -v metadata_crt_key_file="$3" '
|
||||
{
|
||||
if ($1 == "bind") {
|
||||
if ($2 == metadata_listen) {
|
||||
ipListen=1
|
||||
}
|
||||
}
|
||||
if ($1 == "bind") { next }
|
||||
if ($1 == "http-request") { next }
|
||||
print $0
|
||||
}
|
||||
END {
|
||||
if (ipListen == 0) {
|
||||
if (metadata_insecure == "false") {
|
||||
print " bind",metadata_listen,"ssl crt",metadata_crt_key_file,"no-sslv3 no-tls-tickets ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH"
|
||||
print " http-request set-header X-Forwarded-Proto https if { ssl_fc }"
|
||||
} else {
|
||||
print " bind",metadata_listen
|
||||
}
|
||||
|
||||
} ' $novaHaproxyConf > $tempFile && mv -f $tempFile $novaHaproxyConf
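Review bot: The `if (metadata_insecure == "false")` test in the END block fails open: any value other than the exact string `false` — an empty third argument when the Puppet parameter is unset, or a capitalised `False` — falls into the `else` branch and writes a plaintext `bind` line. Inverting the test so that only an explicit `true` selects the plaintext listener, `if (metadata_insecure != "true") {`, makes the TLS bind the outcome of a bad input instead. The new main block also drops every existing `bind` and `http-request` line rather than only the one matching `metadata_listen` as the removed ipListen logic did, so any additional bind addresses in the generated conf.d file would be lost; whether that file ever carries more than one bind is not visible here. The `$novaHaproxyConf`/`$tempFile` expansions on the closing line are unquoted and `find` returning nothing or several files is unhandled, though those lines predate this change.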
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
class nsxv::haproxy_nova_metadata_config (
|
||||
$metadata_listen,
|
||||
$metadata_insecure,
|
||||
$metadata_crt_key_file,
|
||||
) {
|
||||
file { '/tmp/haproxy-nova-metadata-config.sh':
|
||||
ensure => file,
|
||||
|
@ -8,9 +10,24 @@ class nsxv::haproxy_nova_metadata_config (
|
|||
replace => true,
|
||||
}
|
||||
exec { 'set nova metadata listen ip':
|
||||
command => "/tmp/haproxy-nova-metadata-config.sh ${metadata_listen}",
|
||||
command => "/tmp/haproxy-nova-metadata-config.sh ${metadata_listen} ${metadata_insecure} ${metadata_crt_key_file}",
|
||||
logoutput => on_failure,
|
||||
provider => 'shell',
|
||||
require => File['/tmp/haproxy-nova-metadata-config.sh'],
|
||||
}
|
||||
|
||||
if ! $metadata_insecure {
|
||||
file { '/tmp/generate_haproxy_key.sh':
|
||||
ensure => file,
|
||||
mode => '0755',
|
||||
source => "puppet:///modules/${module_name}/generate_haproxy_key.sh",
|
||||
replace => true,
|
||||
}
|
||||
exec { 'generate key/cert for nova metadata':
|
||||
command => "/tmp/generate_haproxy_key.sh ${metadata_crt_key_file}",
|
||||
logoutput => on_failure,
|
||||
provider => 'shell',
|
||||
require => File['/tmp/generate_haproxy_key.sh'],
|
||||
}
|
||||
}
|
||||
}
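Review bot: `exec { 'generate key/cert for nova metadata' }` has no relationship to `exec { 'set nova metadata listen ip' }`, yet the latter writes a `bind ... ssl crt ${metadata_crt_key_file}` line that haproxy can only load once the PEM exists; unless the catalog's default ordering happens to run the generator first, the `Exec['haproxy-restart']` notified from the class declaration (outside this file) can restart haproxy against a missing file. Add `before => Exec['set nova metadata listen ip'],` to the generate exec, and `creates => $metadata_crt_key_file,` so Puppet stops re-running the script on every agent run (the script's own "already exists" branch only makes it exit 0, it does not stop the exec). If `$metadata_insecure` arrives as the string `'false'` rather than a boolean, `if ! $metadata_insecure` is false in Puppet and key generation is silently skipped while the awk script still gets `false` and emits the TLS bind; converting it explicitly (e.g. `str2bool`) at the top of the class would make both paths agree, but the caller's type is not visible from this hunk. The first hunk of this file adds the two parameters without defaults or documentation; a one-line comment per parameter stating that `$metadata_crt_key_file` must contain the certificate followed by the key would help the next reader.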
|
||||
|
|
|
@ -1,10 +1,10 @@
|
|||
class nsxv (
|
||||
# Do not remove unused variables: template nsx.ini.erb refers to them
|
||||
$nsxv_config_dirs = [ '/etc/neutron', '/etc/neutron/plugins', '/etc/neutron/plugins/vmware' ],
|
||||
$nsxv_config_dir = '/etc/neutron/plugins/vmware',
|
||||
$nsx_plugin_name = 'python-vmware-nsx',
|
||||
$lbaas_plugin_name = 'python-neutron-lbaas',
|
||||
$neutron_url_timeout = '600',
|
||||
$nsxv_config_dirs,
|
||||
$nsxv_config_dir,
|
||||
$settings,
|
||||
$roles,
|
||||
$nova_metadata_ips = '',
|
||||
|
@ -39,19 +39,16 @@ class nsxv (
|
|||
$metadata_initializer = false
|
||||
}
|
||||
|
||||
if $settings['nsxv_metadata_initializer'] {
|
||||
$metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '')
|
||||
if $settings['nsxv_metadata_initializer'] and !$settings['nsxv_metadata_insecure'] {
|
||||
$metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '')
|
||||
$metadata_nova_client_priv_key_filename = try_get_value($settings['nsxv_metadata_nova_client_priv_key'], 'name', '')
|
||||
if empty($metadata_nova_client_cert_filename) and empty($metadata_nova_client_priv_key_filename) {
|
||||
$metadata_insecure = true # used in nsx.ini.erb template
|
||||
} else {
|
||||
$metadata_insecure = false
|
||||
|
||||
if !empty($metadata_nova_client_cert_filename) and !empty($metadata_nova_client_priv_key_filename) {
|
||||
$metadata_nova_client_cert_content = $settings['nsxv_metadata_nova_client_cert']['content']
|
||||
$metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}"
|
||||
$metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}"
|
||||
|
||||
$metadata_nova_client_priv_key_content = $settings['nsxv_metadata_nova_client_priv_key']['content']
|
||||
$metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}"
|
||||
$metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}"
|
||||
|
||||
file { $metadata_nova_client_cert_file:
|
||||
ensure => present,
|
||||
|
|
|
@ -6,4 +6,7 @@ class nsxv::params {
|
|||
$core_plugin = 'vmware_nsx.plugin.NsxVPlugin'
|
||||
$service_plugins = 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2'
|
||||
$service_providers = 'LOADBALANCERV2:VMWareEdge:neutron_lbaas.drivers.vmware.edge_driver_v2.EdgeLoadBalancerDriverV2:default'
|
||||
|
||||
$nsxv_config_dirs = [ '/etc/neutron', '/etc/neutron/plugins', '/etc/neutron/plugins/vmware' ]
|
||||
$nsxv_config_dir = '/etc/neutron/plugins/vmware'
|
||||
}
|
||||
|
|
|
@ -129,18 +129,18 @@ metadata_shared_secret = <%= scope.lookupvar('metadata_shared_secret') %>
|
|||
|
||||
# (Optional) If True, the end to end connection for metadata service is
|
||||
# not verified. If False, the default CA truststore is used for verification.
|
||||
metadata_insecure = <%= scope.lookupvar('metadata_insecure') %>
|
||||
metadata_insecure = <%= settings['nsxv_metadata_insecure'] %>
|
||||
|
||||
# (Optional) Client certificate to use when metadata connection is to be
|
||||
# verified. If not provided, a self signed certificate will be used.
|
||||
<% if not scope.lookupvar('metadata_insecure') -%>
|
||||
<% if scope.lookupvar('metadata_nova_client_cert_file') -%>
|
||||
metadata_nova_client_cert = <%= scope.lookupvar('metadata_nova_client_cert_file') %>
|
||||
<% else -%>
|
||||
# metadata_nova_client_cert =
|
||||
<% end -%>
|
||||
|
||||
# (Optional) Private key to use for client certificate
|
||||
<% if not scope.lookupvar('metadata_insecure') -%>
|
||||
<% if scope.lookupvar('metadata_nova_client_priv_key_file') -%>
|
||||
metadata_nova_client_priv_key = <%= scope.lookupvar('metadata_nova_client_priv_key_file') %>
|
||||
<% else -%>
|
||||
# metadata_nova_client_priv_key =
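Review bot: With `metadata_insecure = <%= settings['nsxv_metadata_insecure'] %>` now taken straight from the checkbox while the client-cert fields are hidden (bug 1590840 per the YAML hunk), the `false` case configures the plugin to verify the proxy against "the default CA truststore" (comment two lines above) while the proxy presents the self-signed `metadata.nsx.local` certificate that generate_haproxy_key.sh creates; unless that certificate is added to the truststore somewhere outside this diff, the verified connection looks like it will fail. Either document next to this line that a CA-signed PEM must replace `nova_metadata.pem` before verification is enabled, or keep deriving the value from whether a client cert/key pair was supplied as the nsxv class used to do. The `<% if not scope.lookupvar('metadata_insecure') -%>` guards below still read the class variable whose assignments the nsxv class hunk appears to remove, so those lookups may now resolve to undef and always emit the block — worth confirming against the class.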
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
version: 2.0.0
|
||||
type: puppet
|
||||
groups: [primary-controller,controller]
|
||||
required_for: [nsxv-install]
|
||||
required_for: [nsxv-config]
|
||||
requires: [globals]
|
||||
parameters:
|
||||
puppet_manifest: puppet/manifests/gem-install.pp
|
||||
|
@ -49,7 +49,7 @@
|
|||
puppet_manifest: puppet/manifests/haproxy-neutron-config.pp
|
||||
puppet_modules: puppet/modules
|
||||
timeout: 120
|
||||
- id: nsxv-install
|
||||
- id: nsxv-config
|
||||
version: 2.0.0
|
||||
refresh_on: [neutron_config,nova_config]
|
||||
type: puppet
|
||||
|
@ -76,7 +76,7 @@
|
|||
type: puppet
|
||||
groups: [controller]
|
||||
required_for: [deploy_end]
|
||||
requires: [openstack-network-neutron-policy,nsxv-install]
|
||||
requires: [openstack-network-neutron-policy,nsxv-config]
|
||||
cross-depended-by:
|
||||
- name: primary-openstack-network-neutron-start
|
||||
parameters:
|
||||
|
@ -89,7 +89,7 @@
|
|||
type: puppet
|
||||
groups: [primary-controller]
|
||||
required_for: [openstack-network-networks-nsxv]
|
||||
requires: [openstack-network-neutron-policy,nsxv-install]
|
||||
requires: [openstack-network-neutron-policy,nsxv-config]
|
||||
parameters:
|
||||
puppet_manifest: puppet/manifests/neutron-server-start.pp
|
||||
puppet_modules: puppet/modules
|
||||
|
|
|
@ -113,9 +113,54 @@ attributes:
|
|||
description: 'If enabled, instance will attempt to initialize the metadata infrastructure to access to metadata proxy service'
|
||||
weight: 70
|
||||
type: 'checkbox'
|
||||
nsxv_metadata_insecure:
|
||||
value: true
|
||||
label: 'Bypass metadata service certificate verification'
|
||||
description: ''
|
||||
weight: 75
|
||||
type: 'checkbox'
|
||||
restrictions:
|
||||
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||
action: 'hide'
|
||||
# hidden due to https://bugs.launchpad.net/vmware-nsx/+bug/1590840
|
||||
nsxv_metadata_nova_client_cert:
|
||||
type: 'hidden'
|
||||
value: ''
|
||||
weight: 80
|
||||
label: ''
|
||||
#label: 'Certificate for metadata proxy'
|
||||
#description: 'PEM format'
|
||||
#type: 'file'
|
||||
#restrictions:
|
||||
# - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name != null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name == null'
|
||||
# action: 'none'
|
||||
# strict: false
|
||||
# message: 'Private key loaded, but certificate is absent'
|
||||
# - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||
# action: 'hide'
|
||||
# - condition: 'settings:nsxv.nsxv_metadata_insecure.value == true'
|
||||
# action: 'hide'
|
||||
# hidden due to https://bugs.launchpad.net/vmware-nsx/+bug/1590840
|
||||
nsxv_metadata_nova_client_priv_key:
|
||||
type: 'hidden'
|
||||
value: ''
|
||||
weight: 85
|
||||
label: ''
|
||||
#label: 'Private key'
|
||||
#description: 'Private key for metadata certificate'
|
||||
#type: 'file'
|
||||
#restrictions:
|
||||
# - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name == null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name != null'
|
||||
# action: 'none'
|
||||
# strict: false
|
||||
# message: 'Certificate loaded, but private key is absent.'
|
||||
# - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||
# action: 'hide'
|
||||
# - condition: 'settings:nsxv.nsxv_metadata_insecure.value == true'
|
||||
# action: 'hide'
|
||||
nsxv_metadata_listen:
|
||||
label: 'Which network will be used to access the nova-metadata'
|
||||
weight: 75
|
||||
weight: 90
|
||||
type: 'select'
|
||||
value: 'public'
|
||||
values:
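Review bot: The new `nsxv_metadata_insecure` checkbox ships with `description: ''` and defaults to `value: true`, and its label "Bypass metadata service certificate verification" understates the effect: per the haproxy script in this commit, `true` also makes the nova-metadata listener plain HTTP rather than merely skipping verification. Give the field a description such as `description: 'When enabled, the nova-metadata proxy listens without TLS and the NSX plugin does not verify it. Disable to serve the proxy over TLS with a self-signed certificate generated at deploy time.'`, since this field is the only place an operator sees what the default implies. The commented-out restrictions on the two hidden fields reference `nsxv_metadata_insecure.value == true`, so the intent to hide them when insecure is clear; consider leaving a short note on why the fields are hidden beyond the bug link so the dependency is obvious when they are re-enabled.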
|
||||
|
@ -126,32 +171,6 @@ attributes:
|
|||
restrictions:
|
||||
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||
action: 'hide'
|
||||
nsxv_metadata_nova_client_cert:
|
||||
value: ''
|
||||
label: 'Certificate for metadata proxy'
|
||||
description: 'PEM format'
|
||||
weight: 85
|
||||
type: 'file'
|
||||
restrictions:
|
||||
- condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name != null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name == null'
|
||||
action: 'none'
|
||||
strict: false
|
||||
message: 'Private key loaded, but certificate is absent'
|
||||
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||
action: 'hide'
|
||||
nsxv_metadata_nova_client_priv_key:
|
||||
value: ''
|
||||
label: 'Private key'
|
||||
description: 'Private key for metadata certificate'
|
||||
weight: 90
|
||||
type: 'file'
|
||||
restrictions:
|
||||
- condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name == null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name != null'
|
||||
action: 'none'
|
||||
strict: false
|
||||
message: 'Certificate loaded, but private key is absent.'
|
||||
- condition: 'settings:nsxv.nsxv_metadata_initializer.value == false'
|
||||
action: 'hide'
|
||||
nsxv_metadata_service_allowed_ports:
|
||||
value: ''
|
||||
label: 'Metadata allowed ports'
|
||||
|
|