feat: bridge metadata with haproxy #183
Merged
Pull request overview
This PR replaces the local nova-api-metadata script-based endpoint with an HAProxy-based “metadata bridge” that keeps Neutron talking to a host-local metadata endpoint while forwarding requests to the Nova metadata ingress URL (HTTP/HTTPS), including optional TLS verification with a provided CA bundle.
Changes:
- Add a new HAProxy config template for bridging local metadata requests to a Nova metadata ingress URL, including HTTPS + CA verification support.
- Update hook context building to parse the ingress URL into HAProxy backend settings and adjust which templates/services are rendered/started.
- Update unit tests to validate the new URL parsing and template/service behavior (including trailing newline preservation).
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| openstack_hypervisor/hooks.py | Adds URL parsing into context, changes required config for nova-api-metadata, adds haproxy dir/template wiring, and stops generating metadata secrets. |
| openstack_hypervisor/services.py | Replaces nova-api-metadata execution with launching HAProxy using the rendered config. |
| templates/nova_metadata_haproxy.cfg.j2 | New HAProxy config template that binds locally and forwards to the ingress backend (optionally with TLS verification). |
| templates/neutron_ovn_metadata_agent.ini.j2 | Points Neutron OVN metadata agent to the new local metadata host/port settings. |
| tests/unit/test_hooks.py | Adds unit coverage for ingress URL parsing and updates readiness checks. |
| tests/unit/test_services.py | Adds unit coverage for the new HAProxy-based metadata service runner behavior. |
| tests/unit/test_templates.py | Extends template render context and adds assertions for the new HAProxy template and Neutron metadata agent config. |
| snap/snapcraft.yaml | Makes libvirt patch application conditional to avoid failing on inapplicable patches. |
a906dd2 to 9d2d51b
Run the local Nova metadata endpoint with HAProxy instead of the removed nova-api-metadata script. Neutron continues to call a snap-internal loopback metadata endpoint while HAProxy forwards requests to the Nova metadata ingress route and preserves the metadata request path. Parse the metadata ingress URL into HAProxy backend settings, support HTTP and HTTPS upstreams, and verify HTTPS upstream certificates using the received CA bundle when one is configured. Reject ingress URLs with userinfo and build the upstream Host header explicitly. Require both the Nova metadata ingress URL and metadata proxy shared secret from relation data. The hypervisor must not generate its own metadata secret because Nova validates requests with the secret owned by nova-k8s. Assisted-By: Codex (gpt-5-5)
9d2d51b to 04e1c86
MylesJP approved these changes on May 22, 2026.
MylesJP left a comment:
Looks sensible to me. I'll give Hemanth a chance to weigh in but the change to HAProxy makes sense.
hemanthnakkina approved these changes on May 25, 2026.
Run the local Nova metadata endpoint with HAProxy instead of the removed nova-api-metadata script. Neutron continues to call the host-local metadata endpoint while HAProxy forwards requests to the Nova metadata ingress route and preserves the metadata request path.
Parse the metadata ingress URL into HAProxy backend settings, support HTTP and HTTPS upstreams, and verify HTTPS upstream certificates using the received CA bundle when one is configured. Keep response headers compatible with the Neutron metadata proxy path.
Require both the Nova metadata ingress URL and metadata proxy shared secret from relation data. The hypervisor must not generate its own metadata secret because Nova validates requests with the secret owned by nova-k8s.
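The parsing and rendering steps this PR describes (URL to HAProxy backend settings, userinfo rejected, an explicit upstream Host header, HTTPS verified against the relation-provided CA bundle, rendered config ending in a newline) can be sketched in a few Python functions. This is an added example, not code from the PR or from the openstack-hypervisor project; the function names, the dataclass, the loopback bind address and port, the sample ingress URLs and the CA bundle path are all assumptions for illustration. The HAProxy directives used (`ssl verify required ca-file`, `verifyhost`, `sni str(...)`, `http-request set-header`, `http-request set-path`) are real HAProxy options, but the config layout is the example's own, not the project's template.

```python
"""Added example: parse a Nova metadata ingress URL into HAProxy backend
settings and render a minimal bridge config (not the project's own code)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class MetadataBackend:
    scheme: str            # "http" or "https"
    host: str              # upstream hostname or IP, without brackets
    port: int              # explicit port, defaulted from the scheme
    path: str              # path prefix from the ingress URL ("/" if none)
    ca_bundle: Optional[str] = None  # assumed path to the relation CA bundle

    @property
    def server_address(self) -> str:
        """Address for the HAProxy 'server' line; IPv6 literals get brackets."""
        host = f"[{self.host}]" if ":" in self.host else self.host
        return f"{host}:{self.port}"

    @property
    def host_header(self) -> str:
        """Host header built explicitly from the parsed URL rather than copied
        from Neutron's local request; the port is omitted when it is the
        scheme default."""
        host = f"[{self.host}]" if ":" in self.host else self.host
        default = 443 if self.scheme == "https" else 80
        return host if self.port == default else f"{host}:{self.port}"


def parse_metadata_ingress_url(url: str, ca_bundle: Optional[str] = None) -> MetadataBackend:
    """Turn the ingress URL into backend settings, refusing inputs HAProxy
    should never be pointed at: unknown schemes, userinfo, a missing host,
    or an HTTPS upstream with nothing to verify it against."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # Credentials embedded in the URL would land in the rendered config
        # and in logs, and HAProxy would not use them anyway.
        raise ValueError("userinfo in ingress URL is not allowed")
    if not parts.hostname:
        raise ValueError("ingress URL has no host")
    if parts.scheme == "https" and not ca_bundle:
        # The only alternative is 'verify none', so refuse instead.
        raise ValueError("HTTPS ingress requires a CA bundle for verification")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return MetadataBackend(
        scheme=parts.scheme,
        host=parts.hostname,
        port=port,
        path=parts.path or "/",
        ca_bundle=ca_bundle if parts.scheme == "https" else None,
    )


def rejects(url: str, ca_bundle: Optional[str] = None) -> bool:
    """True if the URL is refused by parse_metadata_ingress_url."""
    try:
        parse_metadata_ingress_url(url, ca_bundle)
    except ValueError:
        return True
    return False


def render_haproxy_cfg(backend: MetadataBackend,
                       bind_host: str = "127.0.0.1", bind_port: int = 8775) -> str:
    """Render a loopback frontend that forwards to the ingress backend. The
    request path is forwarded unchanged; when the ingress URL carries a
    prefix it is prepended (assumed behaviour for this example)."""
    lines = [
        "defaults",
        "    mode http",
        "    timeout connect 5s",
        "    timeout client 30s",
        "    timeout server 30s",
        "",
        "frontend nova_metadata_local",
        f"    bind {bind_host}:{bind_port}",
        "    default_backend nova_metadata_ingress",
        "",
        "backend nova_metadata_ingress",
        f"    http-request set-header Host {backend.host_header}",
    ]
    prefix = backend.path.rstrip("/")
    if prefix:
        lines.append(f"    http-request set-path {prefix}%[path]")
    server = f"    server ingress {backend.server_address}"
    if backend.scheme == "https":
        # Verify the upstream chain against the received CA bundle and pin
        # the expected name for both SNI and certificate checking.
        server += (f" ssl verify required ca-file {backend.ca_bundle}"
                   f" verifyhost {backend.host} sni str({backend.host})")
    lines.append(server)
    return "\n".join(lines) + "\n"   # trailing newline is part of the contract


if __name__ == "__main__":
    # Constructed sample inputs; the hostname and CA path are placeholders.
    backend = parse_metadata_ingress_url(
        "https://nova-metadata.example.test:8443/openstack-nova", "/tmp/ca.crt")
    print(render_haproxy_cfg(backend))
```

Running the module prints the rendered config; the `rejects` helper is there so the refusal cases (userinfo, bare HTTPS without a CA bundle, unknown scheme) can be checked without catching exceptions at the call site.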