From d48d1bdb37a4262ffe36ae5003312dfdfad083ab Mon Sep 17 00:00:00 2001
From: Grzegorz Grasza
Date: Wed, 3 Jul 2019 18:49:35 +0200
Subject: [PATCH] Support TLS deployments with KernelDisableIPv6 enabled

Bind to 127.0.0.1 in case ipv6 is disabled. Set a hiera value localhost_address, so that it can be used in tls_proxy.pp to unambiguously connect to those services.

Change-Id: Ide761c21dc87dadc722e27c9b8a7b68194164cb2
Related: rhbz#1703460
---
 deployment/ec2/ec2-api-container-puppet.yaml | 4 ++--
 deployment/glance/glance-api-container-puppet.yaml | 2 +-
 deployment/kernel/kernel-baremetal-puppet.yaml | 8 ++++++++
 deployment/neutron/neutron-api-container-puppet.yaml | 2 +-
 deployment/swift/swift-proxy-container-puppet.yaml | 2 +-
 5 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/deployment/ec2/ec2-api-container-puppet.yaml b/deployment/ec2/ec2-api-container-puppet.yaml
index 57819c3227..703a6ba5ed 100644
--- a/deployment/ec2/ec2-api-container-puppet.yaml
+++ b/deployment/ec2/ec2-api-container-puppet.yaml
@@ -129,7 +129,7 @@ outputs:
 ec2api::api::ec2api_listen:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('fqdn_$NETWORK')}"
@@ -138,7 +138,7 @@ outputs:
 ec2api::metadata::metadata_listen:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('fqdn_$NETWORK')}"
diff --git a/deployment/glance/glance-api-container-puppet.yaml b/deployment/glance/glance-api-container-puppet.yaml
index 31733833c5..ef48fd512c 100644
--- a/deployment/glance/glance-api-container-puppet.yaml
+++ b/deployment/glance/glance-api-container-puppet.yaml
@@ -357,7 +357,7 @@ outputs:
 glance::api::bind_host:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('$NETWORK')}"
diff --git a/deployment/kernel/kernel-baremetal-puppet.yaml b/deployment/kernel/kernel-baremetal-puppet.yaml
index 0834680ed5..d6e60cedaa 100644
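Review bot: The new listen address `"%{hiera('localhost_address')}"` in the first ec2-api hunk has no fallback, and the only place this patch defines that key is the kernel service's `config_settings`. On a node where the key is missing from hiera the lookup would presumably interpolate to an empty value, so the plaintext backend that is meant to sit behind the TLS proxy would no longer be pinned to loopback; what each service does with an empty bind address is not visible here. The second ec2-api hunk and the glance-api, neutron-api and swift-proxy hunks carry the same dependency. I would document it at each use, e.g. `# localhost_address is set by the kernel service; it must be deployed on every role that runs this service with use_tls_proxy`. The `config_settings` mapping these keys belong to starts outside the hunks.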
--- a/deployment/kernel/kernel-baremetal-puppet.yaml
+++ b/deployment/kernel/kernel-baremetal-puppet.yaml
@@ -85,6 +85,9 @@ parameters:
 tags:
 - role_specific

+conditions:
+ ipv6_disabled: {equals: [{get_param: KernelDisableIPv6}, 1]}
+
 resources:
 # Merging role-specific parameters (RoleParameters) with the default parameters.
 # RoleParameters will have the precedence over the default parameters.
@@ -108,6 +111,11 @@ outputs:
 value:
 service_name: kernel
 config_settings:
+ localhost_address:
+ if:
+ - ipv6_disabled
+ - '127.0.0.1'
+ - 'localhost'
 kernel_modules:
 map_merge:
 - nf_conntrack: {}
diff --git a/deployment/neutron/neutron-api-container-puppet.yaml b/deployment/neutron/neutron-api-container-puppet.yaml
index 79fc05534b..3a3161d0ba 100644
--- a/deployment/neutron/neutron-api-container-puppet.yaml
+++ b/deployment/neutron/neutron-api-container-puppet.yaml
@@ -277,7 +277,7 @@ outputs:
 neutron::bind_host:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('$NETWORK')}"
diff --git a/deployment/swift/swift-proxy-container-puppet.yaml b/deployment/swift/swift-proxy-container-puppet.yaml
index a8ef9afecd..866bc5bd0c 100644
--- a/deployment/swift/swift-proxy-container-puppet.yaml
+++ b/deployment/swift/swift-proxy-container-puppet.yaml
@@ -247,7 +247,7 @@ outputs:
 swift::proxy::proxy_local_net_ip:
 if:
 - use_tls_proxy
- - 'localhost'
+ - "%{hiera('localhost_address')}"
 - str_replace:
 template:
 "%{hiera('$NETWORK')}"
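Review bot: In the `conditions:` hunk of kernel-baremetal-puppet.yaml, `ipv6_disabled` is computed from the stack-level `KernelDisableIPv6` via `get_param`, while the context lines just below it describe role-specific values (RoleParameters) taking precedence over the defaults. If IPv6 can be disabled per role or through another setting (not visible in this hunk), the condition will not follow and `localhost_address` stays `'localhost'` on those nodes. A comment above the condition would make the limitation explicit: `# Only the global KernelDisableIPv6 is evaluated here; role-specific overrides do not change localhost_address`. The comparison with the integer `1` also assumes the parameter is declared as a number, which the hunk does not show.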
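Review bot: `localhost_address` in the `config_settings` hunk of kernel-baremetal-puppet.yaml is an un-namespaced, node-wide hiera key whose consumers live in other templates, and nothing at the definition says so. I would add a comment above the key such as `# Loopback bind address for services behind the local TLS proxy (ec2-api, glance-api, neutron-api, swift-proxy); 127.0.0.1 when IPv6 is disabled`. In the else branch the value remains the name `'localhost'`, so on IPv6-enabled nodes the bound address still depends on how the node resolves that name; the same comment should say whether that is intended. The `config_settings` mapping continues past the end of the hunk.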