Adds configuration for SSL OVSDB connections

Exposes new parameters to configure SSL key, certificate, and CA certificate files. This allows DHCP agent to connect to OVSDB using SSL. Also the OVS/ovsdb_connection configuration was previously in ODL ML2 class, which should have been in the DHCP agent to begin with as it is not ML2 configuration. This patch deprecates the previous behavior and adds ovsdb_connection into DHCP agent to use its normal service default. Partial-Bug: 1746762 Depends-On: I19fd9dd0c72260835eb91e557a6029ec9d652179 Change-Id: I82281eefa1aa81207ccd8ea565cffc6ca0ec48de Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-02-01 12:49:14 -05:00 · 2018-02-01 12:49:14 -05:00 · 094e594d40
commit 094e594d40
parent 1a59f72dfc
4 changed files with 120 additions and 32 deletions
--- a/manifests/agents/dhcp.pp
+++ b/manifests/agents/dhcp.pp
@ -83,6 +83,22 @@
 #   (optional) Name of Open vSwitch bridge to use
 #   Defaults to $::os_service_default
 #
+# [*ovsdb_connection*]
+# (optional) The URI used to connect to the local OVSDB server
+# Defaults to $::os_service_default
+#
+# [*ovsdb_agent_ssl_key_file*]
+# (optional) The SSL key file to use for Neutron agents to connect to OVSDB
+# Defaults to $::os_service_default
+#
+# [*ovsdb_agent_ssl_cert_file*]
+# (optional) The SSL cert file to use for Neutron agents to connect to OVSDB
+# Defaults to $::os_service_default
+#
+# [*ovsdb_agent_ssl_ca_file*]
+# (optional) The SSL CA cert file to use for Neutron agents to connect to OVSDB
+# Defaults to $::os_service_default
+#
 # === Deprecated Parameters
 #
 # [*dhcp_domain*]
@ -90,27 +106,31 @@
 #   Defaults to $::os_service_default
 #
 class neutron::agents::dhcp (
-  $package_ensure           = present,
-  $enabled                  = true,
-  $manage_service           = true,
-  $debug                    = $::os_service_default,
-  $state_path               = '/var/lib/neutron',
-  $resync_interval          = 30,
-  $interface_driver         = 'neutron.agent.linux.interface.OVSInterfaceDriver',
-  $dhcp_driver              = $::os_service_default,
-  $root_helper              = 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf',
-  $dnsmasq_config_file      = $::os_service_default,
-  $dnsmasq_dns_servers      = $::os_service_default,
-  $dnsmasq_local_resolv     = $::os_service_default,
-  $enable_isolated_metadata = false,
-  $enable_force_metadata    = $::os_service_default,
-  $enable_metadata_network  = false,
-  $dhcp_broadcast_reply     = $::os_service_default,
-  $purge_config             = false,
-  $availability_zone        = $::os_service_default,
-  $ovs_integration_bridge   = $::os_service_default,
+  $package_ensure            = present,
+  $enabled                   = true,
+  $manage_service            = true,
+  $debug                     = $::os_service_default,
+  $state_path                = '/var/lib/neutron',
+  $resync_interval           = 30,
+  $interface_driver          = 'neutron.agent.linux.interface.OVSInterfaceDriver',
+  $dhcp_driver               = $::os_service_default,
+  $root_helper               = 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf',
+  $dnsmasq_config_file       = $::os_service_default,
+  $dnsmasq_dns_servers       = $::os_service_default,
+  $dnsmasq_local_resolv      = $::os_service_default,
+  $enable_isolated_metadata  = false,
+  $enable_force_metadata     = $::os_service_default,
+  $enable_metadata_network   = false,
+  $dhcp_broadcast_reply      = $::os_service_default,
+  $purge_config              = false,
+  $availability_zone         = $::os_service_default,
+  $ovs_integration_bridge    = $::os_service_default,
+  $ovsdb_connection          = $::os_service_default,
+  $ovsdb_agent_ssl_key_file  = $::os_service_default,
+  $ovsdb_agent_ssl_cert_file = $::os_service_default,
+  $ovsdb_agent_ssl_ca_file   = $::os_service_default,
  # DEPRECATED PARAMETERS
-  $dhcp_domain              = $::os_service_default,
+  $dhcp_domain               = $::os_service_default,
 ) {

  include ::neutron::deps
@ -153,6 +173,28 @@ class neutron::agents::dhcp (
    warning('The dhcp_domain parameter is deprecated and will be removed in future releases')
  }

+  if $ovsdb_connection =~ /^ssl:/ {
+    $req_ssl_opts = {
+      'ovsdb_agent_ssl_key_file'  => $ovsdb_agent_ssl_key_file,
+      'ovsdb_agent_ssl_cert_file' => $ovsdb_agent_ssl_cert_file,
+      'ovsdb_agent_ssl_ca_file'   => $ovsdb_agent_ssl_ca_file
+    }
+    $req_ssl_opts.each |$opts| {
+      if !$opts[1] or is_service_default($opts[1]) {
+        fail(
+          "${opts[0]} must be provided when using an SSL ovsdb_connection URI"
+        )
+      }
+    }
+  }
+
+  neutron_dhcp_agent_config {
+    'OVS/ovsdb_connection': value => $ovsdb_connection;
+    'OVS/ssl_key_file':     value => $ovsdb_agent_ssl_key_file;
+    'OVS/ssl_cert_file':    value => $ovsdb_agent_ssl_cert_file;
+    'OVS/ssl_ca_cert_file': value => $ovsdb_agent_ssl_ca_file;
+  }
+
  if $::neutron::params::dhcp_agent_package {
    package { 'neutron-dhcp-agent':
      ensure => $package_ensure,
--- a/manifests/plugins/ml2/opendaylight.pp
+++ b/manifests/plugins/ml2/opendaylight.pp
@ -25,10 +25,6 @@
 # Defaults to $::os_service_default
 # Example: 'http://127.0.0.1:8080/controller/nb/v2/neutron'
 #
-# [*ovsdb_connection*]
-# (optional) The URI used to connect to the local OVSDB server
-# Defaults to 'tcp:127.0.0.1:6639'
-#
 # [*port_binding_controller*]
 # (optional) Name of the controller to be used for port binding.
 # Defaults to $::os_service_default
@ -41,15 +37,21 @@
 # (optional) List of ODL features to enable
 # Defaults to $::os_service_default
 #
+# === Deprecated Parameters
+#
+# [*ovsdb_connection*]
+# (optional) Deprecated.  The URI used to connect to the local OVSDB server
+# Defaults to 'tcp:127.0.0.1:6639'
+#
 class neutron::plugins::ml2::opendaylight (
-  $package_ensure          = 'present',
-  $odl_username            = $::os_service_default,
-  $odl_password            = $::os_service_default,
-  $odl_url                 = $::os_service_default,
-  $ovsdb_connection        = 'tcp:127.0.0.1:6639',
-  $port_binding_controller = $::os_service_default,
-  $odl_hostconf_uri        = $::os_service_default,
-  $odl_features            = $::os_service_default,
+  $package_ensure            = 'present',
+  $odl_username              = $::os_service_default,
+  $odl_password              = $::os_service_default,
+  $odl_url                   = $::os_service_default,
+  $ovsdb_connection          = 'tcp:127.0.0.1:6639',
+  $port_binding_controller   = $::os_service_default,
+  $odl_hostconf_uri          = $::os_service_default,
+  $odl_features              = $::os_service_default,
 ) {

  include ::neutron::deps
@ -71,6 +73,10 @@ class neutron::plugins::ml2::opendaylight (
    'ml2_odl/odl_features':            value => join(any2array($odl_features), ',');
  }

+  if $ovsdb_connection != 'tcp:127.0.0.1:6639' {
+    warning('The ovsdb_connection parameter is deprecated and will be removed in future releases')
+  }
+
  neutron_config {
    'OVS/ovsdb_connection': value => $ovsdb_connection;
  }
--- a/releasenotes/notes/add-ovsdb-ssl-dhcp-agent-da3bb98540de417f.yaml
+++ b/releasenotes/notes/add-ovsdb-ssl-dhcp-agent-da3bb98540de417f.yaml
@ -0,0 +1,8 @@
+---
+features:
+  - |
+    Adds the ability to configure SSL OVSDB connection for Neutron DHCP Agent.
+deprecations:
+  - |
+    Deprecates using neutron::plugins::ml2::opendaylight::ovsdb_connection.
+    The configuration is now moved to neutron::agents::dhcp::ovsdb_connection.
--- a/spec/classes/neutron_agents_dhcp_spec.rb
+++ b/spec/classes/neutron_agents_dhcp_spec.rb
@ -50,6 +50,10 @@ describe 'neutron::agents::dhcp' do
      is_expected.to contain_neutron_dhcp_agent_config('DEFAULT/ovs_integration_bridge').with_value('<SERVICE DEFAULT>');
      is_expected.to contain_neutron_dhcp_agent_config('DEFAULT/dnsmasq_local_resolv').with_value('<SERVICE DEFAULT>');
      is_expected.to contain_neutron_dhcp_agent_config('AGENT/availability_zone').with_value('<SERVICE DEFAULT>');
+      is_expected.to contain_neutron_dhcp_agent_config('OVS/ovsdb_connection').with_value('<SERVICE DEFAULT>');
+      is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_key_file').with_value('<SERVICE DEFAULT>');
+      is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_cert_file').with_value('<SERVICE DEFAULT>');
+      is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_ca_cert_file').with_value('<SERVICE DEFAULT>');
    end

    it 'installs neutron dhcp agent package' do
@ -151,6 +155,34 @@ describe 'neutron::agents::dhcp' do
        is_expected.to contain_neutron_dhcp_agent_config('AGENT/availability_zone').with_value(p[:availability_zone]);
      end
    end
+
+    context 'with SSL configuration' do
+      before do
+        params.merge!({
+          :ovsdb_connection          => 'ssl:127.0.0.1:6639',
+          :ovsdb_agent_ssl_key_file  => '/tmp/dummy.pem',
+          :ovsdb_agent_ssl_cert_file => '/tmp/dummy.crt',
+          :ovsdb_agent_ssl_ca_file   => '/tmp/ca.crt'
+        })
+      end
+      it 'configures neutron SSL settings' do
+        is_expected.to contain_neutron_dhcp_agent_config('OVS/ovsdb_connection').with_value(params[:ovsdb_connection])
+        is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_key_file').with_value(params[:ovsdb_agent_ssl_key_file])
+        is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_cert_file').with_value(params[:ovsdb_agent_ssl_cert_file])
+        is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_ca_cert_file').with_value(params[:ovsdb_agent_ssl_ca_file])
+      end
+    end
+
+    context 'with SSL enabled, but missing file config' do
+      before do
+        params.merge!({
+          :ovsdb_connection => 'ssl:127.0.0.1:6639'
+        })
+      end
+      it 'fails to configure' do
+        is_expected.to raise_error(Puppet::Error)
+      end
+    end
  end

  shared_examples_for 'neutron dhcp agent with dnsmasq_config_file specified' do