Enable nova metadata via httpd wsgi

Support for nova metadata api via wsgi was added in dependency. This changes so that we test with running via wsgi. With nova metadata api running via wsgi it is ssl terminated, also neutron metadata agent does not support an ipv6 address for the metadata_host, so we need to configure the neutron metadata agent to connect via https to the nova metadata api. Related-Bug: 1781405 Depends-On: Ic65736cb0e95c400a728cd699ecf06c6aecff832 Depends-On: I3d572dda2e90b7e24f2f8912d704462b9332d807 Change-Id: I03f4dcb7f40055d802b114ee305323c95975e4df
2018-08-20 15:03:31 +02:00 · 2018-08-20 15:03:31 +02:00 · ba4be683d4
commit ba4be683d4
parent 5844ae23fa
2 changed files with 28 additions and 5 deletions
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@ -208,10 +208,24 @@ class openstack_integration::neutron (
    mechanism_drivers    => $driver,
    firewall_driver      => $firewall_driver,
  }
+
+  if $::openstack_integration::config::ssl {
+    # with nova metadata api running via wsgi it is ssl terminated, also
+    # neutron metadata agent does not support an ipv6 address for the
+    # metadata_host, so we need to use the hostname
+    $metadata_host     = 'localhost'
+    $metadata_protocol = 'https'
+  } else {
+    $metadata_host     = $::openstack_integration::config::host
+    $metadata_protocol = 'http'
+  }
+
  class { '::neutron::agents::metadata':
-    debug            => true,
-    shared_secret    => 'a_big_secret',
-    metadata_workers => 2,
+    debug             => true,
+    shared_secret     => 'a_big_secret',
+    metadata_workers  => 2,
+    metadata_host     => $metadata_host,
+    metadata_protocol => $metadata_protocol,
  }
  class { '::neutron::agents::lbaas':
    interface_driver => $driver,
--- a/manifests/nova.pp
+++ b/manifests/nova.pp
@ -131,10 +131,12 @@ class openstack_integration::nova (
  }
  class { '::nova::api':
    api_bind_address                     => $::openstack_integration::config::host,
-    neutron_metadata_proxy_shared_secret => 'a_big_secret',
-    metadata_workers                     => 2,
    sync_db_api                          => true,
    service_name                         => 'httpd',
+    nova_metadata_wsgi_enabled           => true,
+  }
+  class { '::nova::metadata':
+    neutron_metadata_proxy_shared_secret => 'a_big_secret',
  }
  include ::apache
  class { '::nova::wsgi::apache_api':
@ -144,6 +146,13 @@ class openstack_integration::nova (
    ssl       => $::openstack_integration::config::ssl,
    workers   => '2',
  }
+  class { '::nova::wsgi::apache_metadata':
+    bind_host => $::openstack_integration::config::ip_for_url,
+    ssl_key   => "/etc/nova/ssl/private/${::fqdn}.pem",
+    ssl_cert  => $::openstack_integration::params::cert_path,
+    ssl       => $::openstack_integration::config::ssl,
+    workers   => '2',
+  }
  if ($::os_package_type != 'debian') {
    class { '::nova::wsgi::apache_placement':
      bind_host => $::openstack_integration::config::ip_for_url,