diff --git a/deployment_scripts/puppet/manifests/haproxy-nova-metadata-config.pp b/deployment_scripts/puppet/manifests/haproxy-nova-metadata-config.pp index 64dc63d..af37a8b 100644 --- a/deployment_scripts/puppet/manifests/haproxy-nova-metadata-config.pp +++ b/deployment_scripts/puppet/manifests/haproxy-nova-metadata-config.pp @@ -9,7 +9,9 @@ if $settings['nsxv_metadata_initializer'] { $metadata_listen_ip = get_nova_metadata_ip($settings['nsxv_metadata_listen']) class { 'nsxv::haproxy_nova_metadata_config': - metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}", - notify => Exec['haproxy-restart'], + metadata_listen => "${metadata_listen_ip}:${::nsxv::params::nova_metadata_port}", + metadata_insecure => $settings['nsxv_metadata_insecure'], + metadata_crt_key_file => "${::nsxv::params::nsxv_config_dir}/nova_metadata.pem", + notify => Exec['haproxy-restart'], } } diff --git a/deployment_scripts/puppet/manifests/nsxv-config.pp b/deployment_scripts/puppet/manifests/nsxv-config.pp index b86b923..ee96a00 100644 --- a/deployment_scripts/puppet/manifests/nsxv-config.pp +++ b/deployment_scripts/puppet/manifests/nsxv-config.pp @@ -34,11 +34,16 @@ if $settings['nsxv_metadata_initializer'] { neutron_url_timeout => $::nsxv::params::neutron_url_timeout, settings => $settings, roles => $roles, + nsxv_config_dirs => $::nsxv::params::nsxv_config_dirs, + nsxv_config_dir => $::nsxv::params::nsxv_config_dir, + } } else { class { '::nsxv': neutron_url_timeout => $::nsxv::params::neutron_url_timeout, settings => $settings, roles => $roles, + nsxv_config_dirs => $::nsxv::params::nsxv_config_dirs, + nsxv_config_dir => $::nsxv::params::nsxv_config_dir, } } diff --git a/deployment_scripts/puppet/modules/nsxv/files/generate_haproxy_key.sh b/deployment_scripts/puppet/modules/nsxv/files/generate_haproxy_key.sh new file mode 100755 index 0000000..d0690c4 --- /dev/null +++ b/deployment_scripts/puppet/modules/nsxv/files/generate_haproxy_key.sh 
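Review bot: In the nsxv-config.pp hunk the first `class { ... }` branch (whose opening line is outside the hunk) gains a stray empty line between `nsxv_config_dir => $::nsxv::params::nsxv_config_dir,` and the closing `}`, while the `else` branch receives the same two parameters without it, so two declarations that are meant to be identical now differ in whitespace only; drop the added blank line. Both branches also repeat the same two lookups from `::nsxv::params`, and the init.pp hunk in this commit turns `$nsxv_config_dirs`/`$nsxv_config_dir` into required parameters whose only values live in params.pp, so defaulting them inside `class nsxv` to `$::nsxv::params::nsxv_config_dirs` and `$::nsxv::params::nsxv_config_dir` would remove the duplication here rather than add it.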
@@ -0,0 +1,17 @@ +#!/bin/sh +crt_key_file="$1" +cn='metadata.nsx.local' +cert_gen_dir="$(mktemp -d)" +key_path="$cert_gen_dir/$cn.key" +crt_path="$cert_gen_dir/$cn.crt" + +mkdir -p "$(dirname $crt_key_file)" +if [ ! -f $crt_key_file ]; then + bash -c "openssl req -newkey rsa:2048 -nodes -keyout $key_path -x509 -days 3650 -subj /C=US/ST=State/L=Locality/O=Organization/OU=Unit/CN=$cn/emailAddress=root@$cn -out $crt_path 2>&1" + cat "$crt_path" "$key_path" > $crt_key_file + chown root:root $crt_key_file + chmod 600 $crt_key_file +else + echo "Key $crt_key_file already exists" +fi +rm -fr "${cert_gen_dir:?}" diff --git a/deployment_scripts/puppet/modules/nsxv/files/haproxy-nova-metadata-config.sh b/deployment_scripts/puppet/modules/nsxv/files/haproxy-nova-metadata-config.sh index 4d44adc..a5f663d 100755 --- a/deployment_scripts/puppet/modules/nsxv/files/haproxy-nova-metadata-config.sh +++ b/deployment_scripts/puppet/modules/nsxv/files/haproxy-nova-metadata-config.sh @@ -2,21 +2,17 @@ novaHaproxyConf="$(find /etc/haproxy/conf.d -name '*nova-metadata-api*')" tempFile="$(mktemp)" -awk -v metadata_listen="$1" ' -BEGIN { - ipListen=0 -} +awk -v metadata_listen="$1" -v metadata_insecure="$2" -v metadata_crt_key_file="$3" ' { - if ($1 == "bind") { - if ($2 == metadata_listen) { - ipListen=1 - } - } + if ($1 == "bind") { next } + if ($1 == "http-request") { next } print $0 } END { - if (ipListen == 0) { + if (metadata_insecure == "false") { + print " bind",metadata_listen,"ssl crt",metadata_crt_key_file,"no-sslv3 no-tls-tickets ciphers AES128+EECDH:AES128+EDH:AES256+EECDH:AES256+EDH" + print " http-request set-header X-Forwarded-Proto https if { ssl_fc }" + } else { print " bind",metadata_listen } - } ' $novaHaproxyConf > $tempFile && mv -f $tempFile $novaHaproxyConf diff --git a/deployment_scripts/puppet/modules/nsxv/manifests/haproxy_nova_metadata_config.pp b/deployment_scripts/puppet/modules/nsxv/manifests/haproxy_nova_metadata_config.pp index 029dbcf..a7e509c 100644 
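Review bot: The `openssl req` invocation inside `bash -c "..."` is never checked for success, and when it fails the following `cat` still creates `$crt_key_file` (empty or partial), after which every later run takes the `Key ... already exists` branch and the broken file is never regenerated, leaving haproxy configured with an unusable `ssl crt`. The file is also written by `cat` under the default umask and only tightened with `chmod 600` afterwards, so the private key briefly exists in a file readable by others, and `$crt_key_file` is unquoted in the `[ ! -f ]` test, the redirection and the `chown`/`chmod` calls. Since the script is `#!/bin/sh`, the `bash -c` wrapper with `2>&1` adds nothing but a second round of word-splitting over `$key_path`/`$crt_path`; calling openssl directly, aborting on the first failure, creating the combined file under a restrictive umask and moving the cleanup into an `EXIT` trap (so the temporary key directory is removed even on error) addresses all of these:
```shell
#!/bin/sh
set -eu
# … unchanged: crt_key_file, cn, cert_gen_dir, key_path, crt_path …
trap 'rm -fr "${cert_gen_dir:?}"' EXIT

mkdir -p "$(dirname "$crt_key_file")"
if [ ! -f "$crt_key_file" ]; then
    openssl req -newkey rsa:2048 -nodes -keyout "$key_path" -x509 -days 3650 \
        -subj "/C=US/ST=State/L=Locality/O=Organization/OU=Unit/CN=$cn/emailAddress=root@$cn" \
        -out "$crt_path"
    # restrictive umask only for the combined file; mkdir above keeps the default
    ( umask 077; cat "$crt_path" "$key_path" > "$crt_key_file" )
    chown root:root "$crt_key_file"
    chmod 600 "$crt_key_file"
else
    echo "Key $crt_key_file already exists"
fi
```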
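Review bot: The new `END` block enables TLS only when `metadata_insecure == "false"` and prints a plain `bind` for every other value, so an unset or differently spelled third argument (the manifest interpolates `${metadata_insecure}` straight into the command line) silently produces a cleartext listener; swapping the branches so the test is `if (metadata_insecure == "true")` with the plain `bind` in the then-branch and the `ssl crt`/`http-request` lines in the else-branch makes the script fail closed. The new filter also drops every existing `http-request` line with `next`, not only the one this script re-adds, which is a broader rewrite of the haproxy config than the previous bind-only check and deserves a comment such as `# all bind/http-request lines are regenerated below`. The `ssl crt` line disables SSLv3 only, so TLS 1.0 and 1.1 remain negotiable; adding `no-tlsv10 no-tlsv11` next to `no-sslv3` is worth considering if the haproxy build in use supports them. The `awk ... $novaHaproxyConf > $tempFile && mv -f $tempFile $novaHaproxyConf` line is unchanged but still unquoted.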
--- a/deployment_scripts/puppet/modules/nsxv/manifests/haproxy_nova_metadata_config.pp +++ b/deployment_scripts/puppet/modules/nsxv/manifests/haproxy_nova_metadata_config.pp @@ -1,5 +1,7 @@ class nsxv::haproxy_nova_metadata_config ( $metadata_listen, + $metadata_insecure, + $metadata_crt_key_file, ) { file { '/tmp/haproxy-nova-metadata-config.sh': ensure => file, @@ -8,9 +10,24 @@ class nsxv::haproxy_nova_metadata_config ( replace => true, } exec { 'set nova metadata listen ip': - command => "/tmp/haproxy-nova-metadata-config.sh ${metadata_listen}", + command => "/tmp/haproxy-nova-metadata-config.sh ${metadata_listen} ${metadata_insecure} ${metadata_crt_key_file}", logoutput => on_failure, provider => 'shell', require => File['/tmp/haproxy-nova-metadata-config.sh'], } + + if ! $metadata_insecure { + file { '/tmp/generate_haproxy_key.sh': + ensure => file, + mode => '0755', + source => "puppet:///modules/${module_name}/generate_haproxy_key.sh", + replace => true, + } + exec { 'generate key/cert for nova metadata': + command => "/tmp/generate_haproxy_key.sh ${metadata_crt_key_file}", + logoutput => on_failure, + provider => 'shell', + require => File['/tmp/generate_haproxy_key.sh'], + } + } } diff --git a/deployment_scripts/puppet/modules/nsxv/manifests/init.pp b/deployment_scripts/puppet/modules/nsxv/manifests/init.pp index 4f0b765..1367cac 100644 --- a/deployment_scripts/puppet/modules/nsxv/manifests/init.pp +++ b/deployment_scripts/puppet/modules/nsxv/manifests/init.pp @@ -1,10 +1,10 @@ class nsxv ( # Do not remove unused variables: template nsx.ini.erb refers to them - $nsxv_config_dirs = [ '/etc/neutron', '/etc/neutron/plugins', '/etc/neutron/plugins/vmware' ], - $nsxv_config_dir = '/etc/neutron/plugins/vmware', $nsx_plugin_name = 'python-vmware-nsx', $lbaas_plugin_name = 'python-neutron-lbaas', $neutron_url_timeout = '600', + $nsxv_config_dirs, + $nsxv_config_dir, $settings, $roles, $nova_metadata_ips = '', 
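Review bot: Nothing orders `Exec['generate key/cert for nova metadata']` before `Exec['set nova metadata listen ip']`, yet the latter writes `ssl crt ${metadata_crt_key_file}` into the haproxy config and the class is notified to `Exec['haproxy-restart']` by its caller, so on a run where the config rewrite and restart happen first haproxy is restarted against a certificate file that does not exist yet; add `before => Exec['set nova metadata listen ip'],` to the generate exec. The generate exec also has no `creates => $metadata_crt_key_file,`, so the script runs on every agent run only to print `Key ... already exists` and Puppet reports an exec each time; with `creates` it is skipped once the file is present. If `$metadata_insecure` can reach this class as the string `'false'` rather than a boolean, `if ! $metadata_insecure` here and the string comparison in the awk script would disagree about whether the key is generated — worth confirming how `$settings['nsxv_metadata_insecure']` is typed.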
@@ -39,19 +39,16 @@ class nsxv ( $metadata_initializer = false } - if $settings['nsxv_metadata_initializer'] { - $metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '') + if $settings['nsxv_metadata_initializer'] and !$settings['nsxv_metadata_insecure'] { + $metadata_nova_client_cert_filename = try_get_value($settings['nsxv_metadata_nova_client_cert'], 'name', '') $metadata_nova_client_priv_key_filename = try_get_value($settings['nsxv_metadata_nova_client_priv_key'], 'name', '') - if empty($metadata_nova_client_cert_filename) and empty($metadata_nova_client_priv_key_filename) { - $metadata_insecure = true # used in nsx.ini.erb template - } else { - $metadata_insecure = false + if !empty($metadata_nova_client_cert_filename) and !empty($metadata_nova_client_priv_key_filename) { $metadata_nova_client_cert_content = $settings['nsxv_metadata_nova_client_cert']['content'] - $metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}" + $metadata_nova_client_cert_file = "${nsxv_config_dir}/cert_${metadata_nova_client_cert_filename}" $metadata_nova_client_priv_key_content = $settings['nsxv_metadata_nova_client_priv_key']['content'] - $metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}" + $metadata_nova_client_priv_key_file = "${nsxv_config_dir}/key_${metadata_nova_client_priv_key_filename}" file { $metadata_nova_client_cert_file: ensure => present, diff --git a/deployment_scripts/puppet/modules/nsxv/manifests/params.pp b/deployment_scripts/puppet/modules/nsxv/manifests/params.pp index c50c3b8..351fda8 100644 --- a/deployment_scripts/puppet/modules/nsxv/manifests/params.pp +++ b/deployment_scripts/puppet/modules/nsxv/manifests/params.pp 
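Review bot: `$metadata_nova_client_cert_file` and `$metadata_nova_client_priv_key_file` are now assigned only inside the nested `if !empty(...) and !empty(...)` branch, so they are undefined whenever metadata is insecure or either upload is missing, and the `<% if scope.lookupvar(...) -%>` guards in nsx.ini.erb are all that prevents an empty `metadata_nova_client_cert =` line; a comment above the outer `if`, such as `# Left undefined when no client cert/key is supplied; nsx.ini.erb tests for this`, would make that contract explicit now that the `# used in nsx.ini.erb template` remark on `$metadata_insecure` is gone. Since environment_config.yaml in this same commit ships both `nsxv_metadata_nova_client_cert` and `nsxv_metadata_nova_client_priv_key` as `type: 'hidden'` with `value: ''`, this branch appears unreachable in practice; if so, saying that in the same comment, with the bug reference the yaml already cites, would spare the next reader the trace. The `file { $metadata_nova_client_cert_file:` resource and the enclosing `if` continue past the end of the hunk.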
@@ -6,4 +6,7 @@ class nsxv::params { $core_plugin = 'vmware_nsx.plugin.NsxVPlugin' $service_plugins = 'neutron_lbaas.services.loadbalancer.plugin.LoadBalancerPluginv2' $service_providers = 'LOADBALANCERV2:VMWareEdge:neutron_lbaas.drivers.vmware.edge_driver_v2.EdgeLoadBalancerDriverV2:default' + + $nsxv_config_dirs = [ '/etc/neutron', '/etc/neutron/plugins', '/etc/neutron/plugins/vmware' ] + $nsxv_config_dir = '/etc/neutron/plugins/vmware' } diff --git a/deployment_scripts/puppet/modules/nsxv/templates/nsx.ini.erb b/deployment_scripts/puppet/modules/nsxv/templates/nsx.ini.erb index d15f839..006e289 100644 --- a/deployment_scripts/puppet/modules/nsxv/templates/nsx.ini.erb +++ b/deployment_scripts/puppet/modules/nsxv/templates/nsx.ini.erb @@ -129,18 +129,18 @@ metadata_shared_secret = <%= scope.lookupvar('metadata_shared_secret') %> # (Optional) If True, the end to end connection for metadata service is # not verified. If False, the default CA truststore is used for verification. -metadata_insecure = <%= scope.lookupvar('metadata_insecure') %> +metadata_insecure = <%= settings['nsxv_metadata_insecure'] %> # (Optional) Client certificate to use when metadata connection is to be # verified. If not provided, a self signed certificate will be used. -<% if not scope.lookupvar('metadata_insecure') -%> +<% if scope.lookupvar('metadata_nova_client_cert_file') -%> metadata_nova_client_cert = <%= scope.lookupvar('metadata_nova_client_cert_file') %> <% else -%> # metadata_nova_client_cert = <% end -%> # (Optional) Private key to use for client certificate -<% if not scope.lookupvar('metadata_insecure') -%> +<% if scope.lookupvar('metadata_nova_client_priv_key_file') -%> metadata_nova_client_priv_key = <%= scope.lookupvar('metadata_nova_client_priv_key_file') %> <% else -%> # metadata_nova_client_priv_key = diff --git a/deployment_tasks.yaml b/deployment_tasks.yaml index 48213e8..0425aef 100644 --- a/deployment_tasks.yaml +++ b/deployment_tasks.yaml 
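Review bot: `metadata_insecure = <%= settings['nsxv_metadata_insecure'] %>` reads the class parameter as a bare `settings` name while every other value in this template goes through `scope.lookupvar(...)`; bare-name variable access in ERB relies on a lookup that Puppet 3 already deprecates, so `<%= scope.lookupvar('settings')['nsxv_metadata_insecure'] %>` (or `@settings[...]`) keeps the template consistent and future-proof. The new `<% if scope.lookupvar('metadata_nova_client_cert_file') -%>` and `..._priv_key_file` guards depend on an undefined variable coming back as `nil`; older Puppet releases returned the symbol `:undefined`, which is truthy in Ruby and would emit a bogus `metadata_nova_client_cert = ` line, so confirm the behaviour of the Puppet version this plugin targets. The file's own comment says that with `metadata_insecure = False` the default CA truststore is used, whereas the haproxy side of this commit presents a self-signed certificate from generate_haproxy_key.sh; whether the metadata proxy then trusts that certificate is not settled anywhere in the diff and should be stated in the `nsxv_metadata_insecure` setting's description.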
@@ -12,7 +12,7 @@ version: 2.0.0 type: puppet groups: [primary-controller,controller] - required_for: [nsxv-install] + required_for: [nsxv-config] requires: [globals] parameters: puppet_manifest: puppet/manifests/gem-install.pp @@ -49,7 +49,7 @@ puppet_manifest: puppet/manifests/haproxy-neutron-config.pp puppet_modules: puppet/modules timeout: 120 -- id: nsxv-install +- id: nsxv-config version: 2.0.0 refresh_on: [neutron_config,nova_config] type: puppet @@ -76,7 +76,7 @@ type: puppet groups: [controller] required_for: [deploy_end] - requires: [openstack-network-neutron-policy,nsxv-install] + requires: [openstack-network-neutron-policy,nsxv-config] cross-depended-by: - name: primary-openstack-network-neutron-start parameters: @@ -89,7 +89,7 @@ type: puppet groups: [primary-controller] required_for: [openstack-network-networks-nsxv] - requires: [openstack-network-neutron-policy,nsxv-install] + requires: [openstack-network-neutron-policy,nsxv-config] parameters: puppet_manifest: puppet/manifests/neutron-server-start.pp puppet_modules: puppet/modules diff --git a/environment_config.yaml b/environment_config.yaml index 7806d3a..5bcc7b0 100644 --- a/environment_config.yaml +++ b/environment_config.yaml 
@@ -113,9 +113,54 @@ attributes: description: 'If enabled, instance will attempt to initialize the metadata infrastructure to access to metadata proxy service' weight: 70 type: 'checkbox' + nsxv_metadata_insecure: + value: true + label: 'Bypass metadata service certificate verification' + description: '' + weight: 75 + type: 'checkbox' + restrictions: + - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false' + action: 'hide' + # hidden due to https://bugs.launchpad.net/vmware-nsx/+bug/1590840 + nsxv_metadata_nova_client_cert: + type: 'hidden' + value: '' + weight: 80 + label: '' + #label: 'Certificate for metadata proxy' + #description: 'PEM format' + #type: 'file' + #restrictions: + # - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name != null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name == null' + # action: 'none' + # strict: false + # message: 'Private key loaded, but certificate is absent' + # - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false' + # action: 'hide' + # - condition: 'settings:nsxv.nsxv_metadata_insecure.value == true' + # action: 'hide' + # hidden due to https://bugs.launchpad.net/vmware-nsx/+bug/1590840 + nsxv_metadata_nova_client_priv_key: + type: 'hidden' + value: '' + weight: 85 + label: '' + #label: 'Private key' + #description: 'Private key for metadata certificate' + #type: 'file' + #restrictions: + # - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name == null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name != null' + # action: 'none' + # strict: false + # message: 'Certificate loaded, but private key is absent.' + # - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false' + # action: 'hide' + # - condition: 'settings:nsxv.nsxv_metadata_insecure.value == true' + # action: 'hide' nsxv_metadata_listen: label: 'Which network will be used to access the nova-metadata' - weight: 75 + weight: 90 type: 'select' value: 'public' values: 
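Review bot: `nsxv_metadata_insecure` ships with `value: true` and an empty `description: ''`, so the one checkbox that decides whether haproxy serves nova-metadata over TLS defaults to the cleartext, unverified mode and gives the operator no indication of the trade-off. At minimum fill the description, e.g. `description: 'When enabled, certificate verification for the metadata service connection is skipped. When disabled, haproxy terminates TLS for nova-metadata using a self-signed certificate generated during deployment.'`, and consider whether `value: false` is the right default now that the TLS path exists. The commented-out `label`/`type`/`restrictions` blocks under the two `type: 'hidden'` entries are acceptable while the `# hidden due to ...` bug link sits beside them, but they should be removed rather than kept once that bug is resolved.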
@@ -126,32 +171,6 @@ attributes: restrictions: - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false' action: 'hide' - nsxv_metadata_nova_client_cert: - value: '' - label: 'Certificate for metadata proxy' - description: 'PEM format' - weight: 85 - type: 'file' - restrictions: - - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name != null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name == null' - action: 'none' - strict: false - message: 'Private key loaded, but certificate is absent' - - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false' - action: 'hide' - nsxv_metadata_nova_client_priv_key: - value: '' - label: 'Private key' - description: 'Private key for metadata certificate' - weight: 90 - type: 'file' - restrictions: - - condition: 'settings:nsxv.nsxv_metadata_nova_client_priv_key.value.name == null and settings:nsxv.nsxv_metadata_nova_client_cert.value.name != null' - action: 'none' - strict: false - message: 'Certificate loaded, but private key is absent.' - - condition: 'settings:nsxv.nsxv_metadata_initializer.value == false' - action: 'hide' nsxv_metadata_service_allowed_ports: value: '' label: 'Metadata allowed ports'