From 6514b2f77f2c99cdee03bb75d4967652f4412c7a Mon Sep 17 00:00:00 2001
From: Evgeny
Date: Mon, 25 Feb 2019 11:49:00 -0800
Subject: [PATCH] Add metadata proxy shared secret for Nova and Neutron

Override default "metadata_proxy_shared_secret" parameter. This secret is used by Neutron to sign instance-id headers to prevent spoofing when proxying metadata requests.

Change-Id: I771d7f818a18b82d55bf781d71fc95114ac7e78c
---
 .../charts/osh/openstack-compute-kit/neutron.yaml | 6 ++++++
 .../charts/osh/openstack-compute-kit/nova.yaml | 6 ++++++
 .../osh_nova_metadata_proxy_shared_secret.yaml | 11 +++++++++++
 .../osh_nova_metadata_proxy_shared_secret.yaml | 11 +++++++++++
 .../osh_nova_metadata_proxy_shared_secret.yaml | 11 +++++++++++
 5 files changed, 45 insertions(+)
 create mode 100644 site/airship-seaworthy/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
 create mode 100644 site/airskiff/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
 create mode 100644 site/airsloop/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml

diff --git a/global/software/charts/osh/openstack-compute-kit/neutron.yaml b/global/software/charts/osh/openstack-compute-kit/neutron.yaml
index 68c90bf9a..cfbc5a015 100644
--- a/global/software/charts/osh/openstack-compute-kit/neutron.yaml
+++ b/global/software/charts/osh/openstack-compute-kit/neutron.yaml
@@ -169,6 +169,12 @@ metadata:
 schema: deckhand/Passphrase/v1
 name: osh_oslo_cache_secret_key
 path: .
+ - dest:
+ path: .values.conf.metadata_agent.DEFAULT.metadata_proxy_shared_secret
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_nova_metadata_proxy_shared_secret
+ path: .
 # Interfaces for neutron configuration
 - src:
diff --git a/global/software/charts/osh/openstack-compute-kit/nova.yaml b/global/software/charts/osh/openstack-compute-kit/nova.yaml
index b50d1b4ae..ec4a5cddb 100644
--- a/global/software/charts/osh/openstack-compute-kit/nova.yaml
+++ b/global/software/charts/osh/openstack-compute-kit/nova.yaml
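Review bot: The new `dest` entry at `.values.conf.metadata_agent.DEFAULT.metadata_proxy_shared_secret` carries no hint that it must stay in lockstep with the value Nova reads, and a mismatch would presumably surface as failed signature checks on every proxied metadata request rather than as a deploy-time error. It is correct today because both charts substitute the same `osh_nova_metadata_proxy_shared_secret` document, but a comment above the new `- dest:` would protect the next edit: `# Must match nova's [neutron] metadata_proxy_shared_secret; both substitute osh_nova_metadata_proxy_shared_secret`. The substitutions list this entry belongs to starts before the hunk.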
@@ -269,6 +269,12 @@ metadata:
 schema: deckhand/Passphrase/v1
 name: osh_oslo_cache_secret_key
 path: .
+ - dest:
+ path: .values.conf.nova.neutron.metadata_proxy_shared_secret
+ src:
+ schema: deckhand/Passphrase/v1
+ name: osh_nova_metadata_proxy_shared_secret
+ path: .
 data:
 chart_name: nova
 release: nova
diff --git a/site/airship-seaworthy/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml b/site/airship-seaworthy/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
new file mode 100644
index 000000000..37d5c627c
--- /dev/null
+++ b/site/airship-seaworthy/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_nova_metadata_proxy_shared_secret
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airskiff/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml b/site/airskiff/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
new file mode 100644
index 000000000..37d5c627c
--- /dev/null
+++ b/site/airskiff/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_nova_metadata_proxy_shared_secret
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
diff --git a/site/airsloop/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml b/site/airsloop/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
new file mode 100644
index 000000000..37d5c627c
--- /dev/null
+++ b/site/airsloop/secrets/passphrases/osh_nova_metadata_proxy_shared_secret.yaml
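Review bot: The substitution into `.values.conf.nova.neutron.metadata_proxy_shared_secret` only has an effect if Nova is also configured to trust the proxy, which in nova.conf is `[neutron] service_metadata_proxy`; this hunk does not set it and the surrounding lines do not show whether the chart enables it by default. If it is not enabled elsewhere, the secret is substituted but instance-id signatures are never verified, which would quietly defeat the spoofing protection the commit message describes. Worth confirming against the chart's defaults, and a comment above the new entry would record the dependency: `# Signature is only verified when nova's [neutron] service_metadata_proxy is enabled`.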
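Review bot: `data: password123` is a placeholder with effectively no entropy, so anyone who can read this repository or guess the value can forge the instance-id signature this secret is meant to protect, which negates the spoofing protection named in the commit message; for the seaworthy reference site the value should be generated (for example 32 random bytes from `openssl rand -hex 32`), not a dictionary word. The document is also `storagePolicy: cleartext`; if this Deckhand deployment supports `storagePolicy: encrypted`, a signing key is exactly the kind of document that policy exists for. Whatever value is used, quote it (`data: '...'`) so a generated secret that happens to look numeric or boolean-like is not retyped by the YAML parser before it reaches the config file.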
@@ -0,0 +1,11 @@
+---
+schema: deckhand/Passphrase/v1
+metadata:
+ schema: metadata/Document/v1
+ name: osh_nova_metadata_proxy_shared_secret
+ layeringDefinition:
+ abstract: false
+ layer: site
+ storagePolicy: cleartext
+data: password123
+...
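Review bot: This file has the same blob hash (`37d5c627c`) as the airship-seaworthy and airskiff copies, so all three sites share one signing secret; a value that leaks from a single-node dev site then lets anyone forge instance-id signatures on the production-like seaworthy site. Each site's `data:` should be generated independently, and `password123` should not survive even in a dev site since a value committed to a public repository is effectively public. `layer: site` is already the right scope for this document, so only the value needs to change.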