metadata ssl configuration support for Ocata

When metadata_ssl_enable is set to 'true' under contrail_4 in the cluster.json,
set the following settings in the nova.conf of the nova_api container:
    enabled_ssl_apis= metadata
    nova_metadata_protocol = https
    nova_metadata_insecure = True
    ssl_cert_file = /etc/nova/ssl/certs/nova.pem
    ssl_key_file = /etc/nova/ssl/private/novakey.pem
    ssl_ca_file = /etc/nova/ssl/certs/ca.pem

Also the following files are copied from the server-manager node to the
openstack node:
1. /etc/contrail_smgr/puppet/ssl/<hostname>.pem as /etc/nova/ssl/certs/nova.pem
2. /etc/contrail_smgr/puppet/ssl/<hostname>-privkey.pem as
   /etc/nova/ssl/private/novakey.pem
3. /etc/contrail_smgr/puppet/ssl/ca-cert.pem as /etc/nova/ssl/certs/ca.pem

To enable this, metadata_ssl_enable knob has been added to the
etc/kolla/globals.yml

Change-Id: I45e7448a97dc129d17a5248d7290827b57a95423
Partial-bug: #1730631

kolla-ansible/ansible/group_vars/all.yml

@@ -28,6 +28,15 @@ keystone_admin_project_domain_name: "Default"
 # contrail_additions : We don't use neutron_l3_agent. Set this to "yes" if it is
 # needed for any reason
 enable_neutron_l3_agent: "no"
+
+# contrail_additions : metadata_ssl_enable is set to "yes" to support the SSL
+# encryption feature for vrouter when proxying.
+metadata_ssl_enable: "no"
+
+# contrail_additions : local_ssl_directory is set to the directory where the
+# <hostname>.pem, <hostname>-privkey.pem, ca-cert.pem files are present
+local_ssl_directory: "/etc/contrail_smgr/puppet/ssl"
+
 ####################### CONTRAIL ADDITIONS - END ###########################
 
 # The "temp" files that are created before merge need to stay persistent due

kolla-ansible/ansible/roles/nova/defaults/main.yml

@@ -51,6 +51,7 @@ nova_services:
       - "{{ node_config_directory }}/nova-api/:{{ container_config_directory }}/:ro"
       - "/etc/localtime:/etc/localtime:ro"
       - "/lib/modules:/lib/modules:ro"
+      - "/etc/nova/ssl:/etc/nova/ssl:ro"
       - "kolla_logs:/var/log/kolla/"
   nova-consoleauth:
     container_name: "nova_consoleauth"

kolla-ansible/ansible/roles/nova/tasks/config.yml

@@ -10,6 +10,26 @@
     - set_sysctl | bool
     - inventory_hostname in groups['compute']
 
+- name: Ensuring directories exist to hold certs
+  file:
+    path: "{{ item }}"
+    state: "directory"
+    recurse: yes
+  with_items:
+    - "/etc/nova/ssl/certs"
+    - "/etc/nova/ssl/private"
+  when: metadata_ssl_enable | bool
+
+- name: Copy ssl certs for metadata if required
+  copy:
+    dest: "{{ item.dst }}"
+    src: "{{ item.src }}"
+  with_items:
+    - { dst: "/etc/nova/ssl/certs/nova.pem", src: "{{ local_ssl_directory }}/{{ ansible_hostname }}.pem" }
+    - { dst: "/etc/nova/ssl/certs/ca.pem", src: "{{ local_ssl_directory }}/ca-cert.pem" }
+    - { dst: "/etc/nova/ssl/private/novakey.pem", src: "{{ local_ssl_directory  + '/' + ansible_hostname + '-privkey.pem' }}" }
+  when: metadata_ssl_enable | bool
+
 - name: Ensuring config directories exist
   file:
     path: "{{ node_config_directory }}/{{ item.key }}"

kolla-ansible/ansible/roles/nova/templates/nova.conf.j2

@@ -18,6 +18,15 @@ metadata_workers = {{ openstack_service_workers }}
 metadata_listen = {{ api_interface_address }}
 metadata_listen_port = {{ nova_metadata_port }}
 
+{% if metadata_ssl_enable | bool %}
+enabled_ssl_apis= metadata
+nova_metadata_protocol= https
+nova_metadata_insecure= True
+ssl_cert_file= /etc/nova/ssl/certs/nova.pem
+ssl_key_file= /etc/nova/ssl/private/novakey.pem
+ssl_ca_file= /etc/nova/ssl/certs/ca.pem
+{% endif %}
+
 use_neutron = True
 firewall_driver = nova.virt.firewall.NoopFirewallDriver