openstack/puppet-neutron
Code Issues Proposed changes

Fixes ODL OVS to add certs to every node

Browse Source 
Certificates were only being added to the VIP, which means only one node
would get the add certificate request.  This would work if there was a
highly available trust store, however MD-SAL lacks support in OpenFlow
Plugin and therefore we have to use a file based trust store.  Since we
are using a file based trust store, the certificate needs to be pushed
to every OpenDaylight node.

Also includes minor fix where tcp was only being force-modified to ssl
for the first ODL OVSDB URI.

Closes-Bug: 1766989

Change-Id: Ifd8401e2facdad07ccda4ec6f885a82bc0a16421
Signed-off-by: Tim Rozet <trozet@redhat.com>
This commit is contained in:
Tim Rozet 2018-04-25 18:03:33 -04:00
parent 822a428e95
commit 7c7a39da80
3 changed files with 59 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
manifests/plugins/ovs/opendaylight.pp
View File

@ -138,7 +138,7 @@ class neutron::plugins::ovs::opendaylight (
if $odl_ovsdb_iface =~ /^tcp/ {
warning('TLS enabled but odl_ovsdb_iface set to tcp. Will override to ssl')
$odl_ovsdb_iface_parsed = regsubst($odl_ovsdb_iface, '^tcp', 'ssl')
$odl_ovsdb_iface_parsed = regsubst($odl_ovsdb_iface, 'tcp:', 'ssl:', 'G')
} else {
$odl_ovsdb_iface_parsed = $odl_ovsdb_iface
}
@ -166,17 +166,9 @@ class neutron::plugins::ovs::opendaylight (
}\
}
|-END
$odl_url_prefix = $odl_check_url_parsed ? {
/^(https:\/\/.*?)\// => $1,
default => undef
}
if $odl_url_prefix == undef {
fail("Unable to parse URL prefix from ${odl_check_url_parsed}")
}
$curl_post = "curl -k -X POST -o /dev/null --fail --silent -H 'Content-Type: application/json' -H 'Cache-Control: no-cache'"
$curl_get = "curl -k -X POST --fail --silent -H 'Content-Type: application/json' -H 'Cache-Control: no-cache'"
$cert_rest_url = "${odl_url_prefix}/restconf/operations/aaa-cert-rpc:setNodeCertifcate"
$cert_rest_get = "${odl_url_prefix}/restconf/operations/aaa-cert-rpc:getNodeCertifcate"
$rest_get_data = @("END":json/L)
{\
"aaa-cert-rpc:input": {\
@ -184,14 +176,24 @@ class neutron::plugins::ovs::opendaylight (
}\
}
|-END
exec { "Add trusted cert: ${tls_cert_file}":
command => "${curl_post} -u ${odl_username}:${odl_password} -d '${rest_data}' ${cert_rest_url}",
tries => 5,
try_sleep => 30,
unless => "${curl_get} -u ${odl_username}:${odl_password} -d '${rest_get_data}' ${cert_rest_get} | grep -q ${cert_data}",
path => '/usr/sbin:/usr/bin:/sbin:/bin',
before => Exec['Set OVS Manager to OpenDaylight'],
require => Exec['Wait for NetVirt OVSDB to come up']
$ovsdb_arr = split($odl_ovsdb_iface_parsed, ' ')
$odl_rest_port = regsubst($odl_check_url_parsed, '^.*:([0-9]+)/.*$', '\1')
$ovsdb_arr.each |$ovsdb_uri| {
$odl_ip = regsubst($ovsdb_uri, 'ssl:(.+):[0-9]+', '\1')
$odl_url_prefix = "https://${odl_ip}:${odl_rest_port}"
$cert_rest_url = "${odl_url_prefix}/restconf/operations/aaa-cert-rpc:setNodeCertifcate"
$cert_rest_get = "${odl_url_prefix}/restconf/operations/aaa-cert-rpc:getNodeCertifcate"
exec { "Add trusted cert: ${tls_cert_file} to ${odl_url_prefix}":
command => "${curl_post} -u ${odl_username}:${odl_password} -d '${rest_data}' ${cert_rest_url}",
tries => 5,
try_sleep => 30,
unless => "${curl_get} -u ${odl_username}:${odl_password} -d '${rest_get_data}' ${cert_rest_get} | grep -q ${cert_data}",
path => '/usr/sbin:/usr/bin:/sbin:/bin',
before => Exec['Set OVS Manager to OpenDaylight'],
require => Exec['Wait for NetVirt OVSDB to come up']
}
}
} else {

5
releasenotes/notes/fix-odl-ovs-certificate-pushing-71f5f84074829e9f.yaml Normal file
View File

@ -0,0 +1,5 @@
---
fixes:
- |
OVS SSL/TLS certificates are now pushed to every OpenDaylight instance.
See https://bugs.launchpad.net/puppet-neutron/+bug/1766989

35
spec/classes/neutron_plugins_ovs_opendaylight_spec.rb
View File

@ -108,6 +108,25 @@ describe 'neutron::plugins::ovs::opendaylight' do
'before' => 'Exec[Set OVS Manager to OpenDaylight]'
)}
end
context 'with TLS and multiple ODLs' do
before do
File.stubs(:file?).returns(true)
File.stubs(:readlines).returns(["MIIFGjCCBAKgAwIBAgICA"])
params.merge!({
:enable_tls => true,
:tls_key_file => 'dummy.pem',
:tls_cert_file => 'dummy.crt',
:odl_ovsdb_iface => 'tcp:127.0.0.1:6640 tcp:172.0.0.1:6640'})
end
it_configures 'with TLS and ODL HA'
it {is_expected.to contain_vs_ssl('system').with(
'ensure' => 'present',
'key_file' => 'dummy.pem',
'cert_file' => 'dummy.crt',
'bootstrap' => true,
'before' => 'Exec[Set OVS Manager to OpenDaylight]'
)}
end
end
shared_examples_for 'with default parameters' do
@ -149,7 +168,7 @@ describe 'neutron::plugins::ovs::opendaylight' do
shared_examples_for 'with TLS enabled' do
it 'configures OVS for ODL' do
is_expected.to contain_exec('Add trusted cert: dummy.crt')
is_expected.to contain_exec('Add trusted cert: dummy.crt to https://127.0.0.1:8080')
is_expected.to contain_exec('Set OVS Manager to OpenDaylight').with(
:command => "ovs-vsctl set-manager pssl:6639:127.0.0.1 ssl:127.0.0.1:6640"
)
@ -160,6 +179,20 @@ describe 'neutron::plugins::ovs::opendaylight' do
end
end
shared_examples_for 'with TLS and ODL HA' do
it 'configures OVS for ODL' do
is_expected.to contain_exec('Add trusted cert: dummy.crt to https://172.0.0.1:8080')
is_expected.to contain_exec('Add trusted cert: dummy.crt to https://127.0.0.1:8080')
is_expected.to contain_exec('Set OVS Manager to OpenDaylight').with(
:command => "ovs-vsctl set-manager pssl:6639:127.0.0.1 ssl:127.0.0.1:6640 ssl:172.0.0.1:6640"
)
is_expected.to contain_vs_config('other_config:local_ip')
is_expected.not_to contain_vs_config('other_config:provider_mappings')
is_expected.to contain_vs_config('external_ids:odl_os_hostconfig_hostid')
is_expected.to contain_vs_config('external_ids:odl_os_hostconfig_config_odl_l2')
end
end
context 'on RedHat platforms' do
let :facts do
@default_facts.merge(test_facts.merge({