Support TLS deployments with KernelDisableIPv6 enabled

Bind to 127.0.0.1 in case ipv6 is disabled. Set a hiera value localhost_address, so that it can be used in tls_proxy.pp to unambiguously connect to those services. Change-Id: Ide761c21dc87dadc722e27c9b8a7b68194164cb2 Related: rhbz#1703460
openstack-archive · Jul 9, 2019 · d48d1bd · d48d1bd
1 parent 23801a6
commit d48d1bd
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 5 deletions.
diff --git a/deployment/ec2/ec2-api-container-puppet.yaml b/deployment/ec2/ec2-api-container-puppet.yaml
@@ -129,7 +129,7 @@ outputs:
           ec2api::api::ec2api_listen:
             if:
             - use_tls_proxy
-            - 'localhost'
+            - "%{hiera('localhost_address')}"
             - str_replace:
                 template:
                   "%{hiera('fqdn_$NETWORK')}"
@@ -138,7 +138,7 @@ outputs:
           ec2api::metadata::metadata_listen:
             if:
             - use_tls_proxy
-            - 'localhost'
+            - "%{hiera('localhost_address')}"
             - str_replace:
                 template:
                   "%{hiera('fqdn_$NETWORK')}"

diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
@@ -357,7 +357,7 @@ outputs:
             glance::api::bind_host:
               if:
               - use_tls_proxy
-              - 'localhost'
+              - "%{hiera('localhost_address')}"
               - str_replace:
                   template:
                     "%{hiera('$NETWORK')}"

diff --git a/deployment/kernel/kernel-baremetal-puppet.yaml b/deployment/kernel/kernel-baremetal-puppet.yaml
@@ -85,6 +85,9 @@ parameters:
     tags:
       - role_specific
 
+conditions:
+  ipv6_disabled: {equals: [{get_param: KernelDisableIPv6}, 1]}
+
 resources:
   # Merging role-specific parameters (RoleParameters) with the default parameters.
   # RoleParameters will have the precedence over the default parameters.
@@ -108,6 +111,11 @@ outputs:
     value:
       service_name: kernel
       config_settings:
+        localhost_address:
+          if:
+          - ipv6_disabled
+          - '127.0.0.1'
+          - 'localhost'
         kernel_modules:
           map_merge:
             - nf_conntrack: {}

diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -277,7 +277,7 @@ outputs:
             neutron::bind_host:
               if:
               - use_tls_proxy
-              - 'localhost'
+              - "%{hiera('localhost_address')}"
               - str_replace:
                   template:
                     "%{hiera('$NETWORK')}"

diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml
@@ -247,7 +247,7 @@ outputs:
             swift::proxy::proxy_local_net_ip:
               if:
               - use_tls_proxy
-              - 'localhost'
+              - "%{hiera('localhost_address')}"
               - str_replace:
                   template:
                     "%{hiera('$NETWORK')}"