Fix running with SERVICE_IP_VERSION=6
- There are some locations where we need the raw IPv6 address instead of the
url-quoted version enclosed in brackets.
- Make nova-api-metadata service listen on IPv6 when we need that.
- Use SERVICE_HOST instead of HOST_IP for TLS_IP.
Change-Id: Id074be38ee95754e88b7219de7d9beb06f796fad
Partial-Bug: 1656329
diff --git a/lib/tls b/lib/tls
index a72b708..e3ed3cc 100644
--- a/lib/tls
+++ b/lib/tls
@@ -37,7 +37,7 @@
if is_service_enabled tls-proxy; then
# TODO(dtroyer): revisit this below after the search for HOST_IP has been done
- TLS_IP=${TLS_IP:-$SERVICE_IP}
+ TLS_IP=${TLS_IP:-$(ipv6_unquote $SERVICE_HOST)}
fi
DEVSTACK_HOSTNAME=$(hostname -f)
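Review bot: `$SERVICE_HOST` is passed to `ipv6_unquote` unquoted in the new TLS_IP default, and the same unquoted form appears in the test and the assignment of the next hunk. A bracketed IPv6 literal such as `[::1]` is a valid glob character class, so an unquoted expansion can be rewritten by pathname expansion if a matching file exists in the working directory, besides being word-split. Quote the argument in all three places, e.g. `TLS_IP=${TLS_IP:-$(ipv6_unquote "$SERVICE_HOST")}`.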
@@ -67,9 +67,9 @@
# build common config file
# Verify ``TLS_IP`` is good
- if [[ -n "$HOST_IP" && "$HOST_IP" != "$TLS_IP" ]]; then
+ if [[ -n "$SERVICE_HOST" && "$(ipv6_unquote $SERVICE_HOST)" != "$TLS_IP" ]]; then
# auto-discover has changed the IP
- TLS_IP=$HOST_IP
+ TLS_IP=$(ipv6_unquote $SERVICE_HOST)
fi
}
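Review bot: This check now forces TLS_IP to the unquoted SERVICE_HOST whenever the two differ, so a SERVICE_HOST that is a hostname rather than an address (presumably allowed) would end up in TLS_IP. TLS_IP is later copied into an `IP:$TLS_IP` subjectAltName entry in the certificate hunk, where a name is not a valid value. If only address literals are expected, say so next to the test, e.g. `# SERVICE_HOST must be an IP literal here; it is copied into an IP: subjectAltName`. The existing comment `# auto-discover has changed the IP` no longer describes what is compared. The enclosing function starts above the hunk.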
@@ -228,6 +228,7 @@
if [[ ! -r $DEVSTACK_CERT ]]; then
if [[ -n "$TLS_IP" ]]; then
# Lie to let incomplete match routines work
+ # see https://bugs.python.org/issue23239
TLS_IP="DNS:$TLS_IP,IP:$TLS_IP"
fi
make_cert $INT_CA_DIR $DEVSTACK_CERT_NAME $DEVSTACK_HOSTNAME "$TLS_IP"
@@ -246,11 +247,6 @@
local alt_names=$4
if [ "$common_name" != "$SERVICE_HOST" ]; then
- if [[ -z "$alt_names" ]]; then
- alt_names="DNS:$SERVICE_HOST"
- else
- alt_names="$alt_names,DNS:$SERVICE_HOST"
- fi
if is_ipv4_address "$SERVICE_HOST" ; then
alt_names="$alt_names,IP:$SERVICE_HOST"
fi
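Review bot: With the DNS block removed, the surviving `alt_names="$alt_names,IP:$SERVICE_HOST"` yields a list with a leading comma when the fourth argument is empty, because the deleted lines were the only place that handled the empty case. `alt_names="${alt_names:+$alt_names,}IP:$SERVICE_HOST"` keeps the subjectAltName value well formed in both cases. Separately, a bracketed IPv6 SERVICE_HOST presumably fails `is_ipv4_address`, so such a certificate gets no entry for the service address at all. If that is intended, a one-line comment stating it would help whoever debugs a hostname-verification failure later. The function begins above the hunk.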