metadata ssl configuration support for Ocata
When metadata_ssl_enable is set to 'true' under contrail_4 in the cluster.json,
set the following settings in the nova.conf of the nova_api container:
    enabled_ssl_apis= metadata
    nova_metadata_protocol = https
    nova_metadata_insecure = False
    ssl_cert_file = /etc/nova/ssl/certs/nova.pem
    ssl_key_file = /etc/nova/ssl/private/novakey.pem
    ssl_ca_file = /etc/nova/ssl/certs/ca.pem

Also the following files are copied from the server-manager node to the
openstack node:
1. /etc/contrail_smgr/puppet/ssl/<hostname>.pem as /etc/nova/ssl/certs/nova.pem
2. /etc/contrail_smgr/puppet/ssl/<hostname>-privkey.pem as
   /etc/nova/ssl/private/novakey.pem
3. /etc/contrail_smgr/puppet/ssl/ca-cert.pem as /etc/nova/ssl/certs/ca.pem

To enable this, metadata_ssl_enable knob has been added to the
etc/kolla/globals.yml

Change-Id: I7eaeff8938231405c002808f310cff8820097ede
Closes-bug: #1730631
ramprackash committed Nov 27, 2017
1 parent 6b6cf8b commit 98fa89b
Showing 1 changed file with 5 additions and 5 deletions.
10 changes: 5 additions & 5 deletions kolla-ansible/ansible/roles/nova/templates/nova.conf.j2
Expand Up @@ -20,11 +20,11 @@ metadata_listen_port = {{ nova_metadata_port }}

{% if metadata_ssl_enable | bool %}
enabled_ssl_apis= metadata
nova_metadata_protocol= https
nova_metadata_insecure= True
ssl_cert_file= /etc/nova/ssl/certs/nova.pem
ssl_key_file= /etc/nova/ssl/private/novakey.pem
ssl_ca_file= /etc/nova/ssl/certs/ca.pem
nova_metadata_protocol = https
nova_metadata_insecure = False
ssl_cert_file = /etc/nova/ssl/certs/nova.pem
ssl_key_file = /etc/nova/ssl/private/novakey.pem
ssl_ca_file = /etc/nova/ssl/certs/ca.pem
{% endif %}

use_neutron = True
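
Review bot: Setting nova_metadata_insecure = False means TLS verification now depends on ssl_ca_file (/etc/nova/ssl/certs/ca.pem) being present and being the CA that issued nova.pem, but the three ssl_*_file paths are hard-coded in this template and the commit touches only nova.conf.j2. The copy of the certificate, key and CA from the server-manager node described in the commit message is not part of this change, so please point to the task that places those files, or guard the block so that it is rendered only when they exist. Otherwise a host with metadata_ssl_enable set but no copied certificates will get a nova.conf that references missing files. It would also help to take the paths from variables rather than literals so that a deployment with a different certificate layout can override them. Minor style point: the unchanged line enabled_ssl_apis= metadata keeps the old "key= value" spacing while the five lines below it were normalised to "key = value"; fix it in the same change for consistency.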