Provision metadata ssl options for agent config

Change-Id: I1bce4f06b0fcedcc298de65eaebf4afcf57ac182 Closes-Bug: #1759576
Juniper · Apr 20, 2018 · fe74357 · fe74357
1 parent 6dfc064
commit fe74357
Show file tree

Hide file tree

Showing 6 changed files with 45 additions and 0 deletions.
diff --git a/common.env.sample b/common.env.sample
@@ -226,3 +226,10 @@
 #RABBITMQ_SSL_CERTFILE=
 #RABBITMQ_SSL_KEYFILE=
 #RABBITMQ_SSL_CACERTFILE=
+#
+# Metadata service SSL opts
+#METADATA_SSL_ENABLE=false
+#METADATA_SSL_CERTFILE=
+#METADATA_SSL_KEYFILE=
+#METADATA_SSL_CA_CERTFILE=
+#METADATA_SSL_CERT_TYPE=
diff --git a/containers/base/common.sh b/containers/base/common.sh
@@ -202,6 +202,13 @@ else
   xmpp_certs_config=''
 fi
 
+# Metadata service SSL opts
+METADATA_SSL_ENABLE=${METADATA_SSL_ENABLE:-false}
+METADATA_SSL_CERTFILE=${METADATA_SSL_CERTFILE:-}
+METADATA_SSL_KEYFILE=${METADATA_SSL_KEYFILE:-}
+METADATA_SSL_CA_CERTFILE=${METADATA_SSL_CA_CERTFILE:-}
+METADATA_SSL_CERT_TYPE=${METADATA_SSL_CERT_TYPE:-}
+
 # AMQP options
 RABBITMQ_VHOST=${RABBITMQ_VHOST:-/}
 RABBITMQ_USER=${RABBITMQ_USER:-guest}

diff --git a/containers/vrouter/agent/entrypoint.sh b/containers/vrouter/agent/entrypoint.sh
@@ -148,6 +148,19 @@ EOM
     qos_queueing_option+=$'\n'"${qos_config}"
 fi
 
+metadata_ssl_conf=''
+if is_enabled "$METADATA_SSL_ENABLE" ; then
+    read -r -d '' metadata_ssl_conf << EOM
+metadata_use_ssl=${METADATA_SSL_ENABLE}
+metadata_client_cert=${METADATA_SSL_CERTFILE}
+metadata_client_key=${METADATA_SSL_KEYFILE}
+metadata_ca_cert=${METADATA_SSL_CA_CERTFILE}
+EOM
+    if [[ -n "$METADATA_SSL_CERT_TYPE" ]] ; then
+        metadata_ssl_conf+=$'\n'"${METADATA_SSL_CERT_TYPE}"
+    fi
+fi
+
 echo "INFO: Preparing /etc/contrail/contrail-vrouter-agent.conf"
 cat << EOM > /etc/contrail/contrail-vrouter-agent.conf
 [CONTROL-NODE]
@@ -178,6 +191,7 @@ servers=${DNS_SERVERS:-`get_server_list DNS ":$DNS_SERVER_PORT "`}
 
 [METADATA]
 metadata_proxy_secret=${METADATA_PROXY_SECRET}
+$metadata_ssl_conf
 
 [VIRTUAL-HOST-INTERFACE]
 name=vhost0

diff --git a/kubernetes/manifests/contrail-template-dpdk.yaml b/kubernetes/manifests/contrail-template-dpdk.yaml
@@ -72,6 +72,11 @@ data:
   RABBITMQ_CLIENT_SSL_CERTFILE: "{{ RABBITMQ_CLIENT_SSL_CERTFILE }}"
   RABBITMQ_CLIENT_SSL_KEYFILE: "{{ RABBITMQ_CLIENT_SSL_KEYFILE }}"
   RABBITMQ_CLIENT_SSL_CACERTFILE: "{{ RABBITMQ_CLIENT_SSL_CACERTFILE }}"
+  METADATA_SSL_ENABLE: "{{ METADATA_SSL_ENABLE }}"
+  METADATA_SSL_CERTFILE: "{{ METADATA_SSL_CERTFILE }}"
+  METADATA_SSL_KEYFILE: "{{ METADATA_SSL_KEYFILE }}"
+  METADATA_SSL_CA_CERTFILE: "{{ METADATA_SSL_CA_CERTFILE }}"
+  METADATA_SSL_CERT_TYPE: "{{ METADATA_SSL_CERT_TYPE }}"
 ---
 apiVersion: v1
 kind: ConfigMap

diff --git a/kubernetes/manifests/contrail-template.yaml b/kubernetes/manifests/contrail-template.yaml
@@ -61,6 +61,11 @@ data:
   RABBITMQ_CLIENT_SSL_CERTFILE: "{{ RABBITMQ_CLIENT_SSL_CERTFILE }}"
   RABBITMQ_CLIENT_SSL_KEYFILE: "{{ RABBITMQ_CLIENT_SSL_KEYFILE }}"
   RABBITMQ_CLIENT_SSL_CACERTFILE: "{{ RABBITMQ_CLIENT_SSL_CACERTFILE }}"
+  METADATA_SSL_ENABLE: "{{ METADATA_SSL_ENABLE }}"
+  METADATA_SSL_CERTFILE: "{{ METADATA_SSL_CERTFILE }}"
+  METADATA_SSL_KEYFILE: "{{ METADATA_SSL_KEYFILE }}"
+  METADATA_SSL_CA_CERTFILE: "{{ METADATA_SSL_CA_CERTFILE }}"
+  METADATA_SSL_CERT_TYPE: "{{ METADATA_SSL_CERT_TYPE }}"
 ---
 apiVersion: v1
 kind: ConfigMap

diff --git a/parse-env.sh b/parse-env.sh
@@ -179,3 +179,10 @@ export RABBITMQ_CLIENT_SSL_CACERTFILE=${RABBITMQ_CLIENT_SSL_CACERTFILE:-${SERVER
 export RABBITMQ_SSL_CERTFILE=${RABBITMQ_SSL_CERTFILE:-''}
 export RABBITMQ_SSL_KEYFILE=${RABBITMQ_SSL_KEYFILE:-''}
 export RABBITMQ_SSL_CACERTFILE=${RABBITMQ_SSL_CACERTFILE:-''}
+
+# Metadata service SSL opts
+export METADATA_SSL_ENABLE=${METADATA_SSL_ENABLE:-false}
+export METADATA_SSL_CERTFILE=${METADATA_SSL_CERTFILE:-}
+export METADATA_SSL_KEYFILE=${METADATA_SSL_KEYFILE:-}
+export METADATA_SSL_CA_CERTFILE=${METADATA_SSL_CA_CERTFILE:-}
+export METADATA_SSL_CERT_TYPE=${METADATA_SSL_CERT_TYPE:-}