From afa1634d7ff7b727f4af22a8bcb79820fb76bd1f Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Mon, 6 Feb 2017 07:47:41 -0500
Subject: [PATCH] metadata: allow to configure insecure SSL

Add nova_metadata_insecure option, to allow deployments without valid SSL certificates. It should not be set to True in production. Disabled by default.

Change-Id: I1688eae1369f6da2c7084dc3864d19708d15c78d
---
 manifests/agents/metadata.pp | 6 ++++++
 releasenotes/notes/metadata_insecure-26c1ffa53b77dc78.yaml | 4 ++++
 spec/classes/neutron_agents_metadata_spec.rb | 3 +++
 3 files changed, 13 insertions(+)
 create mode 100644 releasenotes/notes/metadata_insecure-26c1ffa53b77dc78.yaml

diff --git a/manifests/agents/metadata.pp b/manifests/agents/metadata.pp
index 480c67e5d..c312f33de 100644
--- a/manifests/agents/metadata.pp
+++ b/manifests/agents/metadata.pp
@@ -54,6 +54,10 @@
 # Set to 0 will cause cache entries to never expire.
 # Set to $::os_service_default or false to disable cache.
 #
+# [*metadata_insecure*]
+# (optional) Allow to perform insecure SSL (https) requests to nova metadata.
+# Defaults to $::os_service_default
+#
 # [*purge_config*]
 # (optional) Whether to set only the specified config options
 # in the metadata config.
@@ -73,6 +77,7 @@ class neutron::agents::metadata (
 $metadata_workers = $::os_workers,
 $metadata_backlog = $::os_service_default,
 $metadata_memory_cache_ttl = $::os_service_default,
+ $metadata_insecure = $::os_service_default,
 $nova_client_cert = $::os_service_default,
 $nova_client_priv_key = $::os_service_default,
 $purge_config = false,
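Review bot: The new `[*metadata_insecure*]` doc comment in the `@@ -54,6 +54,10 @@` hunk drops the caveat that the commit message states, so someone reading only the manifest sees a neutral "allow insecure SSL" switch. When set to true the agent stops verifying the nova metadata server's certificate, which leaves the agent-to-nova leg open to impersonation or tampering by anything on that network path. I would add a line such as `#   Disables TLS certificate verification; do not set to true in production.` and point to the CA option the class appears to expose already (the spec asserts `DEFAULT/auth_ca_cert`) as the way to trust a private CA instead. The release note names the option `nova_metadata_insecure`, which is the config key rather than the Puppet parameter, so mentioning the key in the comment would help readers match the two.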
@@ -91,6 +96,7 @@ class neutron::agents::metadata (
 'DEFAULT/nova_metadata_ip': value => $metadata_ip;
 'DEFAULT/nova_metadata_port': value => $metadata_port;
 'DEFAULT/nova_metadata_protocol': value => $metadata_protocol;
+ 'DEFAULT/nova_metadata_insecure': value => $metadata_insecure;
 'DEFAULT/metadata_proxy_shared_secret': value => $shared_secret;
 'DEFAULT/metadata_workers': value => $metadata_workers;
 'DEFAULT/metadata_backlog': value => $metadata_backlog;
diff --git a/releasenotes/notes/metadata_insecure-26c1ffa53b77dc78.yaml b/releasenotes/notes/metadata_insecure-26c1ffa53b77dc78.yaml
new file mode 100644
index 000000000..e8ad999b2
--- /dev/null
+++ b/releasenotes/notes/metadata_insecure-26c1ffa53b77dc78.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - Add nova_metadata_insecure option, to allow deployments without valid
+ SSL certificates.
diff --git a/spec/classes/neutron_agents_metadata_spec.rb b/spec/classes/neutron_agents_metadata_spec.rb
index 3880bbf2e..fe8ec9ca0 100644
--- a/spec/classes/neutron_agents_metadata_spec.rb
+++ b/spec/classes/neutron_agents_metadata_spec.rb
@@ -61,6 +61,7 @@ describe 'neutron::agents::metadata' do
 is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_protocol').with(:value => '')
 is_expected.to contain_neutron_metadata_agent_config('DEFAULT/metadata_workers').with(:value => facts[:os_workers])
 is_expected.to contain_neutron_metadata_agent_config('DEFAULT/metadata_backlog').with(:value => '')
+ is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_insecure').with(:value => '')
 is_expected.to contain_neutron_metadata_agent_config('DEFAULT/metadata_proxy_shared_secret').with(:value => params[:shared_secret])
 is_expected.to contain_neutron_metadata_agent_config('DEFAULT/cache_url').with(:ensure => 'absent')
 end
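Review bot: In the `@@ -91,6 +96,7 @@` hunk, `$metadata_insecure` is written straight to `DEFAULT/nova_metadata_insecure` with no type check and no signal to the operator. A stray `true` from hiera therefore turns off certificate verification for nova metadata requests without leaving any trace in the Puppet run. Since the commit message says this must not be enabled in production, I would surface it at catalog compile time just before the config block, for example `if $metadata_insecure == true or $metadata_insecure == 'true' { warning('neutron::agents::metadata: metadata_insecure disables TLS certificate verification for nova metadata requests') }`. The enclosing `neutron_metadata_agent_config` resource block starts and ends outside the hunk, so I cannot tell whether the value is normalised elsewhere.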
@@ -72,6 +73,7 @@ describe 'neutron::agents::metadata' do
 :shared_secret => '42',
 :nova_client_cert => '/nova/cert',
 :nova_client_priv_key => '/nova/key',
+ :metadata_insecure => true,
 }
 end
@@ -79,6 +81,7 @@ describe 'neutron::agents::metadata' do
 is_expected.to contain_neutron_metadata_agent_config('DEFAULT/auth_ca_cert').with_value('/some/cert')
 is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_client_cert').with_value('/nova/cert')
 is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_client_priv_key').with_value('/nova/key')
+ is_expected.to contain_neutron_metadata_agent_config('DEFAULT/nova_metadata_insecure').with_value(true)
 end
 end
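Review bot: `:metadata_insecure => true` is added to the params of what looks like the SSL-configuration context, beside `auth_ca_cert` and the client cert and key. The only non-default coverage is therefore a catalog that configures a CA and disables verification at the same time; this applies to both the `@@ -72,6 +73,7 @@` and `@@ -79,6 +81,7 @@` hunks. I would move the insecure case into its own context and add an explicit `:metadata_insecure => false` case asserting `.with_value(false)`. That keeps the SSL example representative of a verified deployment and pins that `false` reaches the config rather than being treated as unset. The enclosing `context` and `it` blocks begin outside these hunks, so the context's name and intent are inferred from the visible parameters.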