diff --git a/manifests/config.pp b/manifests/config.pp
index 86cd21dd7..c25261c8e 100644
--- a/manifests/config.pp
+++ b/manifests/config.pp
@@ -40,6 +40,7 @@ class openstack_integration::config (
 $db_extra = {
 'ssl_ca' => $::openstack_integration::params::ca_bundle_cert_path,
 }
+ $ovn_proto = 'ssl'
 } else {
 $proto = 'http'
 if $rpc_backend == 'amqp' {
@@ -49,6 +50,7 @@ class openstack_integration::config (
 }
 $messaging_notify_port = '5672'
 $db_extra = {}
+ $ovn_proto = 'tcp'
 }
 
 $rabbit_port = $messaging_notify_port
@@ -76,4 +78,7 @@ class openstack_integration::config (
 $keystone_auth_uri = "${base_url}:5000"
 $keystone_admin_uri = "${base_url}:5000"
 $tooz_url = "redis://:a_big_secret@${ip_for_url}:6379?ssl=${::openstack_integration::config::ssl}"
+
+ $ovn_nb_connection = "${ovn_proto}:${ip_for_url}:6641"
+ $ovn_sb_connection = "${ovn_proto}:${ip_for_url}:6642"
 }
diff --git a/manifests/neutron.pp b/manifests/neutron.pp
index 625f2d343..4a6484b58 100644
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@@ -53,6 +53,36 @@ class openstack_integration::neutron (
 require => Package['neutron'],
 }
 Exec['update-ca-certificates'] ~> Service<| tag == 'neutron-service' |>
+
+ if $driver == 'ovn' {
+ ['ovnnb', 'ovnsb'].each |$ovndb| {
+ ["${ovndb}-privkey.pem", "${ovndb}-cert.pem"].each |$ovn_ssl_file| {
+ file { "/etc/neutron/${ovn_ssl_file}":
+ ensure => present,
+ owner => 'neutron',
+ mode => '0600',
+ source => "/etc/openvswitch/${ovn_ssl_file}",
+ require => [
+ Anchor['neutron::install::end'],
+ Vswitch::Pki::Cert[$ovndb]
+ ],
+ notify => Anchor['neutron::service::begin'],
+ }
+ }
+ }
+
+ file { '/etc/neutron/switchcacert.pem':
+ ensure => present,
+ owner => 'neutron',
+ mode => '0600',
+ source => '/var/lib/openvswitch/pki/switchca/cacert.pem',
+ require => [
+ Anchor['neutron::install::end'],
+ Class['vswitch::pki::Cacert'],
+ ],
+ notify => Anchor['neutron::service::begin'],
+ }
+ }
 }
 
 if $facts['os']['name'] == 'CentOS' {
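Review bot: The new `$ovn_nb_connection` and `$ovn_sb_connection` lines carry no comment, yet they become the single place that picks the OVSDB transport used by neutron.pp, octavia.pp and ovn.pp, while the `$ovn_proto` that feeds them is assigned in two branches well above. A comment such as `# OVN NB/SB endpoints consumed by neutron, octavia and ovn::controller; 'ssl' when the enclosing condition (presumably $ssl) holds, 'tcp' is unauthenticated and unencrypted` above them would make the consequence of the `$ssl` flag visible from the consuming manifests. The two `$ovn_proto` assignments in the earlier hunks of this file could simply say `# transport for the OVN DB connection strings below`.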
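Review bot: The `file` resources that copy `${ovndb}-privkey.pem` into `/etc/neutron` set `owner` and `mode` but not `show_diff => false`, so if the agent's `show_diff` setting is enabled, Puppet would log a diff of the old and new private key when a key regenerated by `vswitch::pki::cert` is re-synced into the copy. Adding `show_diff => false,` to the privkey file resource (the cert and CA copies are public material and can keep the default) keeps key bytes out of agent logs and reports; the same applies to the matching block in manifests/octavia.pp. Since the files are populated from `source`, `ensure => file` would also state the intent more precisely than `ensure => present`. The block that appears to enclose this code (the `update-ca-certificates` handling) starts outside the hunk, so whether the copies are conditional on SSL cannot be confirmed here.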
@@ -279,24 +309,19 @@ class openstack_integration::neutron (
 }
 }
 'ovn': {
- include openstack_integration::ovn
 # NOTE(tkajinam): neutron::plugins::ml2::ovn requires neutron::plugins::ml2,
 # thus it should be included after neutron::plugins::ml2.
 class { 'neutron::plugins::ml2::ovn':
- ovn_nb_connection => $::openstack_integration::ovn::ovn_nb_connection,
- ovn_nb_private_key => $::openstack_integration::ovn::ovn_nb_db_ssl_key,
- ovn_nb_certificate => $::openstack_integration::ovn::ovn_nb_db_ssl_cert,
- ovn_nb_ca_cert => $::openstack_integration::ovn::ovn_nb_db_ssl_ca_cert,
- ovn_sb_connection => $::openstack_integration::ovn::ovn_sb_connection,
- ovn_sb_private_key => $::openstack_integration::ovn::ovn_sb_db_ssl_key,
- ovn_sb_certificate => $::openstack_integration::ovn::ovn_sb_db_ssl_cert,
- ovn_sb_ca_cert => $::openstack_integration::ovn::ovn_sb_db_ssl_ca_cert,
+ ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
+ ovn_nb_private_key => '/etc/neutron/ovnnb-privkey.pem',
+ ovn_nb_certificate => '/etc/neutron/ovnnb-cert.pem',
+ ovn_nb_ca_cert => '/etc/neutron/switchcacert.pem',
+ ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
+ ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
+ ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
+ ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
 ovn_metadata_enabled => true,
 }
- if $::openstack_integration::config::ssl {
- File['/etc/openvswitch/ovnnb-privkey.pem'] -> Anchor['neutron::config::end']
- File['/etc/openvswitch/ovnsb-privkey.pem'] -> Anchor['neutron::config::end']
- }
 }
 'linuxbridge': {
 class { 'neutron::agents::ml2::linuxbridge':
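Review bot: The `ovn_nb_private_key`/`ovn_nb_certificate`/`ovn_nb_ca_cert` (and `_sb_`) parameters are now hard-coded `/etc/neutron/...` paths on every run, whereas the removed lines received `undef` from `openstack_integration::ovn` in its non-SSL branch; if the copies created in the earlier hunk only exist under `$::openstack_integration::config::ssl`, a non-SSL run now hands neutron key/cert paths that do not exist next to a `tcp:` connection string. Whether ovsdbapp ignores those options for a `tcp:` connection cannot be told from this diff, so either keep them conditional, e.g. `ovn_nb_private_key => $::openstack_integration::config::ssl ? { true => '/etc/neutron/ovnnb-privkey.pem', default => undef },` for each of the six path parameters, or add a comment stating that they are harmless when the transport is tcp. Dropping `include openstack_integration::ovn` here also means the `Vswitch::Pki::Cert[$ovndb]` and `Class['vswitch::pki::Cacert']` required by the new file resources must come from some other declaration of `openstack_integration::ovn` in the catalog, which this diff does not show. The same pattern appears in the `@@ -328` hunk below and in both `octavia::provider::ovn` hunks of manifests/octavia.pp.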
@@ -328,10 +353,10 @@ class openstack_integration::neutron (
 shared_secret => 'a_big_secret',
 metadata_host => $metadata_host,
 metadata_protocol => $metadata_protocol,
- ovn_sb_connection => $::openstack_integration::ovn::ovn_sb_connection,
- ovn_sb_private_key => $::openstack_integration::ovn::ovn_sb_db_ssl_key,
- ovn_sb_certificate => $::openstack_integration::ovn::ovn_sb_db_ssl_cert,
- ovn_sb_ca_cert => $::openstack_integration::ovn::ovn_sb_db_ssl_ca_cert,
+ ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
+ ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
+ ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
+ ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
 }
 } else {
 class { 'neutron::agents::metadata':
diff --git a/manifests/octavia.pp b/manifests/octavia.pp
index b9863646e..b88214432 100644
--- a/manifests/octavia.pp
+++ b/manifests/octavia.pp
@@ -27,6 +27,36 @@ class openstack_integration::octavia (
 require => Package['octavia'],
 }
 Exec['update-ca-certificates'] ~> Service['httpd']
+
+ if $provider_driver == 'ovn' {
+ ['ovnnb', 'ovnsb'].each |$ovndb| {
+ ["${ovndb}-privkey.pem", "${ovndb}-cert.pem"].each |$ovn_ssl_file| {
+ file { "/etc/octavia/${ovn_ssl_file}":
+ ensure => present,
+ owner => 'octavia',
+ mode => '0600',
+ source => "/etc/openvswitch/${ovn_ssl_file}",
+ require => [
+ Anchor['octavia::install::end'],
+ Vswitch::Pki::Cert[$ovndb]
+ ],
+ notify => Anchor['octavia::service::begin'],
+ }
+ }
+ }
+
+ file { '/etc/octavia/switchcacert.pem':
+ ensure => present,
+ owner => 'octavia',
+ mode => '0600',
+ source => '/var/lib/openvswitch/pki/switchca/cacert.pem',
+ require => [
+ Anchor['octavia::install::end'],
+ Class['vswitch::pki::Cacert'],
+ ],
+ notify => Anchor['octavia::service::begin'],
+ }
+ }
 }
 
 class { 'octavia::logging':
@@ -129,20 +159,15 @@ class openstack_integration::octavia (
 }
 $enabled_provider_agents = 'ovn'
 
- include openstack_integration::ovn
 class { 'octavia::provider::ovn':
- ovn_nb_connection => $::openstack_integration::ovn::ovn_nb_connection,
- ovn_nb_private_key => $::openstack_integration::ovn::ovn_nb_db_ssl_key,
- ovn_nb_certificate => $::openstack_integration::ovn::ovn_nb_db_ssl_cert,
- ovn_nb_ca_cert => $::openstack_integration::ovn::ovn_nb_db_ssl_ca_cert,
- ovn_sb_connection => $::openstack_integration::ovn::ovn_sb_connection,
- ovn_sb_private_key => $::openstack_integration::ovn::ovn_sb_db_ssl_key,
- ovn_sb_certificate => $::openstack_integration::ovn::ovn_sb_db_ssl_cert,
- ovn_sb_ca_cert => $::openstack_integration::ovn::ovn_sb_db_ssl_ca_cert,
- }
- if $::openstack_integration::config::ssl {
- File['/etc/openvswitch/ovnnb-privkey.pem'] -> Anchor['octavia::config::end']
- File['/etc/openvswitch/ovnsb-privkey.pem'] -> Anchor['octavia::config::end']
+ ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
+ ovn_nb_private_key => '/etc/octavia/ovnnb-privkey.pem',
+ ovn_nb_certificate => '/etc/octavia/ovnnb-cert.pem',
+ ovn_nb_ca_cert => '/etc/octavia/switchcacert.pem',
+ ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
+ ovn_sb_private_key => '/etc/octavia/ovnsb-privkey.pem',
+ ovn_sb_certificate => '/etc/octavia/ovnsb-cert.pem',
+ ovn_sb_ca_cert => '/etc/octavia/switchcacert.pem',
 }
 } else{
 $enabled_provider_drivers = undef
diff --git a/manifests/ovn.pp b/manifests/ovn.pp
index db70d234b..3ce12ee90 100644
--- a/manifests/ovn.pp
+++ b/manifests/ovn.pp
@@ -10,8 +10,6 @@ class openstack_integration::ovn(
 class { 'vswitch::pki::cacert': }
 vswitch::pki::cert { ['ovnnb', 'ovnsb', 'ovncontroller']: }
 
- $proto = 'ssl'
-
 $ovn_nb_db_ssl_key = '/etc/openvswitch/ovnnb-privkey.pem'
 $ovn_nb_db_ssl_cert = '/etc/openvswitch/ovnnb-cert.pem'
 $ovn_nb_db_ssl_ca_cert = '/var/lib/openvswitch/pki/switchca/cacert.pem'
@@ -23,31 +21,25 @@ class openstack_integration::ovn(
 $ovn_controller_ssl_cert = '/etc/openvswitch/ovncontroller-cert.pem'
 $ovn_controller_ssl_ca_cert = '/var/lib/openvswitch/pki/switchca/cacert.pem'
 
- # NOTE(tkajinam): ovn-pki generates a private key with 0600, owned by root
- # but that does not allow access by ovn/neutron/octavia.
- file { '/etc/openvswitch/ovnnb-privkey.pem':
- ensure => present,
- mode => '0644',
- subscribe => Exec['ovs-req-and-sign-cert-ovnnb'],
- }
- file { '/etc/openvswitch/ovnsb-privkey.pem':
- ensure => present,
- mode => '0644',
- subscribe => Exec['ovs-req-and-sign-cert-ovnsb'],
- }
- file { '/etc/openvswitch/ovncontroller-privkey.pem':
- ensure => present,
- mode => '0644',
- subscribe => Exec['ovs-req-and-sign-cert-ovncontroller'],
+ ['ovnnb', 'ovnsb'].each |$ovndb| {
+ file { "/etc/openvswitch/${ovndb}-privkey.pem":
+ ensure => present,
+ mode => '0600',
+ owner => 'openvswitch',
+ group => 'openvswitch',
+ require => Vswitch::Pki::Cert[$ovndb],
+ } ~> Service['northd']
 }
 
- File['/etc/openvswitch/ovnnb-privkey.pem'] -> Service['northd']
- File['/etc/openvswitch/ovnsb-privkey.pem'] -> Service['northd']
- File['/etc/openvswitch/ovncontroller-privkey.pem'] -> Service['controller']
+ file { '/etc/openvswitch/ovncontroller-privkey.pem':
+ ensure => present,
+ mode => '0600',
+ owner => 'openvswitch',
+ group => 'openvswitch',
+ require => Vswitch::Pki::Cert['ovncontroller'],
+ } ~> Service['controller']
 
 } else {
- $proto = 'tcp'
-
 $ovn_nb_db_ssl_key = undef
 $ovn_nb_db_ssl_cert = undef
 $ovn_nb_db_ssl_ca_cert = undef
@@ -60,9 +52,6 @@ class openstack_integration::ovn(
 $ovn_controller_ssl_ca_cert = undef
 }
 
- $ovn_nb_connection = "${proto}:${::openstack_integration::config::ip_for_url}:6641"
- $ovn_sb_connection = "${proto}:${::openstack_integration::config::ip_for_url}:6642"
-
 class { 'ovn::northd':
 dbs_listen_ip => $::openstack_integration::config::ip_for_url,
 ovn_nb_db_ssl_key => $ovn_nb_db_ssl_key,
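Review bot: The rewritten `file { "/etc/openvswitch/${ovndb}-privkey.pem": ... }` resources drop the NOTE(tkajinam) comment that explained why a file resource manages a key `vswitch::pki::cert` already produced, so the new `owner`/`group => 'openvswitch'` with `mode => '0600'` is no longer explained anywhere. A replacement comment above the `.each`, such as `# NOTE: ovn-pki writes the key root-owned with 0600; chown it to openvswitch (still 0600) so northd/controller can read it without the world-readable 0644 used before, and copies for neutron/octavia are made in their own manifests`, would preserve that rationale for the next reader. Note also that `ensure => present` without `content`/`source` would, as far as I can tell from Puppet's file semantics, create an empty key file if `Vswitch::Pki::Cert[$ovndb]` ever produced nothing; that behaviour predates this change but is worth stating in the same comment.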
@@ -73,7 +62,7 @@ class openstack_integration::ovn(
 ovn_sb_db_ssl_ca_cert => $ovn_sb_db_ssl_ca_cert,
 }
 class { 'ovn::controller':
- ovn_remote => $ovn_sb_connection,
+ ovn_remote => $::openstack_integration::config::ovn_sb_connection,
 ovn_encap_ip => $::openstack_integration::config::host,
 ovn_bridge_mappings => ['external:br-ex'],
 ovn_cms_options => 'enable-chassis-as-gw',