[OVN] Default to TLS for OVN-enabled tests

OVN makes use of TLS for authorization and authentication of its peers and it does not really make sense to deploy without it. Let's reflect this fact in the functional tests. Change-Id: Ibaec2043a45c52cffba0a5ca376eaa453e62df5a Related-Bug: #1847032 Related-Bug: #1850160
2020-01-06 15:25:35 +01:00 · 2020-01-06 15:25:35 +01:00 · 03ef29b1f0
commit 03ef29b1f0
parent a1447d9e9f
3 changed files with 51 additions and 5 deletions
--- a/devstack/lib/ovn_agent
+++ b/devstack/lib/ovn_agent
@ -38,11 +38,17 @@ OVS_REPO_NAME=$(basename ${OVS_REPO} | cut -f1 -d'.')
 OVS_REPO_NAME=${OVS_REPO_NAME:-ovs}
 OVS_BRANCH=${OVS_BRANCH:-master}

+if is_service_enabled tls-proxy; then
+    OVN_PROTO=ssl
+else
+    OVN_PROTO=tcp
+fi
+
 # How to connect to ovsdb-server hosting the OVN SB database.
-OVN_SB_REMOTE=${OVN_SB_REMOTE:-tcp:$SERVICE_HOST:6642}
+OVN_SB_REMOTE=${OVN_SB_REMOTE:-$OVN_PROTO:$SERVICE_HOST:6642}

 # How to connect to ovsdb-server hosting the OVN NB database
-OVN_NB_REMOTE=${OVN_NB_REMOTE:-tcp:$SERVICE_HOST:6641}
+OVN_NB_REMOTE=${OVN_NB_REMOTE:-$OVN_PROTO:$SERVICE_HOST:6641}

 # ml2/config for neutron_sync_mode
 OVN_NEUTRON_SYNC_MODE=${OVN_NEUTRON_SYNC_MODE:-log}
@ -495,6 +501,14 @@ function configure_ovn_plugin {
        populate_ml2_config /$Q_PLUGIN_CONF_FILE ml2_type_geneve max_header_size=$OVN_GENEVE_OVERHEAD
        populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_nb_connection="$OVN_NB_REMOTE"
        populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_sb_connection="$OVN_SB_REMOTE"
+        if is_service_enabled tls-proxy; then
+            populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_sb_ca_cert="$INT_CA_DIR/ca-chain.pem"
+            populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_sb_certificate="$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt"
+            populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_sb_private_key="$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key"
+            populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_nb_ca_cert="$INT_CA_DIR/ca-chain.pem"
+            populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_nb_certificate="$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt"
+            populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_nb_private_key="$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key"
+        fi
        populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn neutron_sync_mode="$OVN_NEUTRON_SYNC_MODE"
        populate_ml2_config /$Q_PLUGIN_CONF_FILE ovn ovn_l3_scheduler="$OVN_L3_SCHEDULER"
        populate_ml2_config /$Q_PLUGIN_CONF_FILE securitygroup enable_security_group="$Q_USE_SECGROUP"
@ -553,6 +567,14 @@ function configure_ovn {
        iniset $OVN_META_CONF DEFAULT state_path $NEUTRON_STATE_PATH
        iniset $OVN_META_CONF ovs ovsdb_connection unix:$OVS_RUNDIR/db.sock
        iniset $OVN_META_CONF ovn ovn_sb_connection $OVN_SB_REMOTE
+        if is_service_enabled tls-proxy; then
+            iniset $OVN_META_CONF ovn \
+                ovn_sb_ca_cert $INT_CA_DIR/ca-chain.pem
+            iniset $OVN_META_CONF ovn \
+                ovn_sb_certificate $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt
+            iniset $OVN_META_CONF ovn \
+                ovn_sb_private_key $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key
+        fi
    fi
 }

@ -601,6 +623,12 @@ function _start_ovs {
        _run_process ovsdb-server "$dbcmd"

        echo "Configuring OVSDB"
+        if is_service_enabled tls-proxy; then
+            ovs-vsctl --no-wait set-ssl \
+                $INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key \
+                $INT_CA_DIR/$DEVSTACK_CERT_NAME.crt \
+                $INT_CA_DIR/ca-chain.pem
+        fi
        ovs-vsctl --no-wait set open_vswitch . system-type="devstack"
        ovs-vsctl --no-wait set open_vswitch . external-ids:system-id="$OVN_UUID"
        ovs-vsctl --no-wait set open_vswitch . external-ids:ovn-remote="$OVN_SB_REMOTE"
@ -672,12 +700,24 @@ function start_ovn {
    fi

    if is_service_enabled ovn-northd ; then
-        local cmd="/bin/bash $SCRIPTDIR/ovn-ctl --no-monitor start_northd"
+        if is_service_enabled tls-proxy; then
+            local tls_args="\
+                --ovn-nb-db-ssl-ca-cert=$INT_CA_DIR/ca-chain.pem \
+                --ovn-nb-db-ssl-cert=$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt \
+                --ovn-nb-db-ssl-key=$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key \
+                --ovn-sb-db-ssl-ca-cert=$INT_CA_DIR/ca-chain.pem \
+                --ovn-sb-db-ssl-cert=$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt \
+                --ovn-sb-db-ssl-key=$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key \
+                "
+        else
+            local tls_args=""
+        fi
+        local cmd="/bin/bash $SCRIPTDIR/ovn-ctl --no-monitor $tls_args start_northd"
        local stop_cmd="/bin/bash $SCRIPTDIR/ovn-ctl stop_northd"

        _run_process ovn-northd "$cmd" "$stop_cmd"
-        ovn-nbctl --db=unix:$OVS_RUNDIR/ovnnb_db.sock set-connection ptcp:6641:$SERVICE_LISTEN_ADDRESS -- set connection . inactivity_probe=60000
-        ovn-sbctl --db=unix:$OVS_RUNDIR/ovnsb_db.sock set-connection ptcp:6642:$SERVICE_LISTEN_ADDRESS -- set connection . inactivity_probe=60000
+        ovn-nbctl --db=unix:$OVS_RUNDIR/ovnnb_db.sock set-connection p${OVN_PROTO}:6641:$SERVICE_LISTEN_ADDRESS -- set connection . inactivity_probe=60000
+        ovn-sbctl --db=unix:$OVS_RUNDIR/ovnsb_db.sock set-connection p${OVN_PROTO}:6642:$SERVICE_LISTEN_ADDRESS -- set connection . inactivity_probe=60000
        sudo ovs-appctl -t $OVS_RUNDIR/ovnnb_db.ctl vlog/set console:off syslog:$OVN_DBS_LOG_LEVEL file:$OVN_DBS_LOG_LEVEL
        sudo ovs-appctl -t $OVS_RUNDIR/ovnsb_db.ctl vlog/set console:off syslog:$OVN_DBS_LOG_LEVEL file:$OVN_DBS_LOG_LEVEL
    fi
--- a/zuul.d/tempest-multinode.yaml
+++ b/zuul.d/tempest-multinode.yaml
@ -117,6 +117,7 @@
        ADVANCED_INSTANCE_TYPE: ds512M
        ADVANCED_INSTANCE_USER: ubuntu
        BUILD_TIMEOUT: 784
+        ENABLE_TLS: True
      devstack_plugins:
        neutron: https://opendev.org/openstack/neutron
        neutron-tempest-plugin: https://opendev.org/openstack/neutron-tempest-plugin
@ -152,6 +153,7 @@
        s-container: false
        s-object: false
        s-proxy: false
+        tls-proxy: true
    group-vars:
      subnode:
        devstack_services:
@ -170,6 +172,7 @@
          q-meta: false
          q-metering: false
          q-ovn-metadata-agent: true
+          tls-proxy: true
        devstack_localrc:
          Q_AGENT: ovn
          Q_ML2_PLUGIN_MECHANISM_DRIVERS: ovn,logger
@ -179,6 +182,7 @@
          ENABLE_CHASSIS_AS_GW: false
          OVN_DBS_LOG_LEVEL: dbg
          USE_PYTHON3: True
+          ENABLE_TLS: True


 - job:
--- a/zuul.d/tempest-singlenode.yaml
+++ b/zuul.d/tempest-singlenode.yaml
@ -208,6 +208,7 @@
        ADVANCED_INSTANCE_TYPE: ds512M
        ADVANCED_INSTANCE_USER: ubuntu
        BUILD_TIMEOUT: 784
+        ENABLE_TLS: True
      devstack_plugins:
        neutron: https://opendev.org/openstack/neutron
        neutron-tempest-plugin: https://opendev.org/openstack/neutron-tempest-plugin
@ -258,6 +259,7 @@
        s-container: false
        s-object: false
        s-proxy: false
+        tls-proxy: true

 - job:
    name: neutron-ovn-tempest-ovs-master