Copy ovn ssl certs and keys to config directories

Currently some AVC denials are appearing in audit.log, because neutron
and octavia are not allowed to access cert/key files in openvswitch
directories. This change ensures these cert/key files are copied to
individual config directories.

Change-Id: I79b8603fe61e42d8444dc2fee77725434da9c69c
Takashi Kajinami 2023-04-07 00:36:52 +09:00
parent 47ea9d4991
commit a0372071ba
4 changed files with 101 additions and 57 deletions


@ -40,6 +40,7 @@ class openstack_integration::config (
$db_extra = { $db_extra = {
'ssl_ca' => $::openstack_integration::params::ca_bundle_cert_path, 'ssl_ca' => $::openstack_integration::params::ca_bundle_cert_path,
} }
$ovn_proto = 'ssl'
} else { } else {
$proto = 'http' $proto = 'http'
if $rpc_backend == 'amqp' { if $rpc_backend == 'amqp' {
@ -49,6 +50,7 @@ class openstack_integration::config (
} }
$messaging_notify_port = '5672' $messaging_notify_port = '5672'
$db_extra = {} $db_extra = {}
$ovn_proto = 'tcp'
} }
$rabbit_port = $messaging_notify_port $rabbit_port = $messaging_notify_port
@ -76,4 +78,7 @@ class openstack_integration::config (
$keystone_auth_uri = "${base_url}:5000" $keystone_auth_uri = "${base_url}:5000"
$keystone_admin_uri = "${base_url}:5000" $keystone_admin_uri = "${base_url}:5000"
$tooz_url = "redis://:a_big_secret@${ip_for_url}:6379?ssl=${::openstack_integration::config::ssl}" $tooz_url = "redis://:a_big_secret@${ip_for_url}:6379?ssl=${::openstack_integration::config::ssl}"
$ovn_nb_connection = "${ovn_proto}:${ip_for_url}:6641"
$ovn_sb_connection = "${ovn_proto}:${ip_for_url}:6642"
} }


@ -53,6 +53,36 @@ class openstack_integration::neutron (
require => Package['neutron'], require => Package['neutron'],
} }
Exec['update-ca-certificates'] ~> Service<| tag == 'neutron-service' |> Exec['update-ca-certificates'] ~> Service<| tag == 'neutron-service' |>
if $driver == 'ovn' {
['ovnnb', 'ovnsb'].each |$ovndb| {
["${ovndb}-privkey.pem", "${ovndb}-cert.pem"].each |$ovn_ssl_file| {
file { "/etc/neutron/${ovn_ssl_file}":
ensure => present,
owner => 'neutron',
mode => '0600',
source => "/etc/openvswitch/${ovn_ssl_file}",
require => [
Anchor['neutron::install::end'],
Vswitch::Pki::Cert[$ovndb]
],
notify => Anchor['neutron::service::begin'],
}
}
}
file { '/etc/neutron/switchcacert.pem':
ensure => present,
owner => 'neutron',
mode => '0600',
source => '/var/lib/openvswitch/pki/switchca/cacert.pem',
require => [
Anchor['neutron::install::end'],
Class['vswitch::pki::Cacert'],
],
notify => Anchor['neutron::service::begin'],
}
}
} }
if $facts['os']['name'] == 'CentOS' { if $facts['os']['name'] == 'CentOS' {
@ -279,24 +309,19 @@ class openstack_integration::neutron (
} }
} }
'ovn': { 'ovn': {
include openstack_integration::ovn
# NOTE(tkajinam): neutron::plugins::ml2::ovn requires neutron::plugins::ml2, # NOTE(tkajinam): neutron::plugins::ml2::ovn requires neutron::plugins::ml2,
# thus it should be included after neutron::plugins::ml2. # thus it should be included after neutron::plugins::ml2.
class { 'neutron::plugins::ml2::ovn': class { 'neutron::plugins::ml2::ovn':
ovn_nb_connection => $::openstack_integration::ovn::ovn_nb_connection, ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
ovn_nb_private_key => $::openstack_integration::ovn::ovn_nb_db_ssl_key, ovn_nb_private_key => '/etc/neutron/ovnnb-privkey.pem',
ovn_nb_certificate => $::openstack_integration::ovn::ovn_nb_db_ssl_cert, ovn_nb_certificate => '/etc/neutron/ovnnb-cert.pem',
ovn_nb_ca_cert => $::openstack_integration::ovn::ovn_nb_db_ssl_ca_cert, ovn_nb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_sb_connection => $::openstack_integration::ovn::ovn_sb_connection, ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => $::openstack_integration::ovn::ovn_sb_db_ssl_key, ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => $::openstack_integration::ovn::ovn_sb_db_ssl_cert, ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => $::openstack_integration::ovn::ovn_sb_db_ssl_ca_cert, ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
ovn_metadata_enabled => true, ovn_metadata_enabled => true,
} }
if $::openstack_integration::config::ssl {
File['/etc/openvswitch/ovnnb-privkey.pem'] -> Anchor['neutron::config::end']
File['/etc/openvswitch/ovnsb-privkey.pem'] -> Anchor['neutron::config::end']
}
} }
'linuxbridge': { 'linuxbridge': {
class { 'neutron::agents::ml2::linuxbridge': class { 'neutron::agents::ml2::linuxbridge':
@ -328,10 +353,10 @@ class openstack_integration::neutron (
shared_secret => 'a_big_secret', shared_secret => 'a_big_secret',
metadata_host => $metadata_host, metadata_host => $metadata_host,
metadata_protocol => $metadata_protocol, metadata_protocol => $metadata_protocol,
ovn_sb_connection => $::openstack_integration::ovn::ovn_sb_connection, ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => $::openstack_integration::ovn::ovn_sb_db_ssl_key, ovn_sb_private_key => '/etc/neutron/ovnsb-privkey.pem',
ovn_sb_certificate => $::openstack_integration::ovn::ovn_sb_db_ssl_cert, ovn_sb_certificate => '/etc/neutron/ovnsb-cert.pem',
ovn_sb_ca_cert => $::openstack_integration::ovn::ovn_sb_db_ssl_ca_cert, ovn_sb_ca_cert => '/etc/neutron/switchcacert.pem',
} }
} else { } else {
class { 'neutron::agents::metadata': class { 'neutron::agents::metadata':
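Review bot: The key, certificate and CA paths hard-coded at lines 85–91 (and again at 106–108, and in octavia at 155–161) are now passed unconditionally, whereas the `$::openstack_integration::ovn::ovn_*_db_ssl_*` values they replace were `undef` in the tcp branch of ovn.pp. The `file` resources that create `/etc/neutron/ovn*-privkey.pem` and `/etc/neutron/switchcacert.pem` follow `Exec['update-ca-certificates']`, which looks like the SSL-only block, so on a non-SSL deployment the ml2/ovn and metadata-agent configs would point at files that are never created. Consider deriving the paths once and falling back to undef, e.g. `$ovn_nb_private_key = $::openstack_integration::config::ssl ? { true => '/etc/neutron/ovnnb-privkey.pem', default => undef }`, and passing the variables to both classes. The enclosing `case`/`if` blocks start and end outside the hunk.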


@ -27,6 +27,36 @@ class openstack_integration::octavia (
require => Package['octavia'], require => Package['octavia'],
} }
Exec['update-ca-certificates'] ~> Service['httpd'] Exec['update-ca-certificates'] ~> Service['httpd']
if $provider_driver == 'ovn' {
['ovnnb', 'ovnsb'].each |$ovndb| {
["${ovndb}-privkey.pem", "${ovndb}-cert.pem"].each |$ovn_ssl_file| {
file { "/etc/octavia/${ovn_ssl_file}":
ensure => present,
owner => 'octavia',
mode => '0600',
source => "/etc/openvswitch/${ovn_ssl_file}",
require => [
Anchor['octavia::install::end'],
Vswitch::Pki::Cert[$ovndb]
],
notify => Anchor['octavia::service::begin'],
}
}
}
file { '/etc/octavia/switchcacert.pem':
ensure => present,
owner => 'octavia',
mode => '0600',
source => '/var/lib/openvswitch/pki/switchca/cacert.pem',
require => [
Anchor['octavia::install::end'],
Class['vswitch::pki::Cacert'],
],
notify => Anchor['octavia::service::begin'],
}
}
} }
class { 'octavia::logging': class { 'octavia::logging':
@ -129,20 +159,15 @@ class openstack_integration::octavia (
} }
$enabled_provider_agents = 'ovn' $enabled_provider_agents = 'ovn'
include openstack_integration::ovn
class { 'octavia::provider::ovn': class { 'octavia::provider::ovn':
ovn_nb_connection => $::openstack_integration::ovn::ovn_nb_connection, ovn_nb_connection => $::openstack_integration::config::ovn_nb_connection,
ovn_nb_private_key => $::openstack_integration::ovn::ovn_nb_db_ssl_key, ovn_nb_private_key => '/etc/octavia/ovnnb-privkey.pem',
ovn_nb_certificate => $::openstack_integration::ovn::ovn_nb_db_ssl_cert, ovn_nb_certificate => '/etc/octavia/ovnnb-cert.pem',
ovn_nb_ca_cert => $::openstack_integration::ovn::ovn_nb_db_ssl_ca_cert, ovn_nb_ca_cert => '/etc/octavia/switchcacert.pem',
ovn_sb_connection => $::openstack_integration::ovn::ovn_sb_connection, ovn_sb_connection => $::openstack_integration::config::ovn_sb_connection,
ovn_sb_private_key => $::openstack_integration::ovn::ovn_sb_db_ssl_key, ovn_sb_private_key => '/etc/octavia/ovnsb-privkey.pem',
ovn_sb_certificate => $::openstack_integration::ovn::ovn_sb_db_ssl_cert, ovn_sb_certificate => '/etc/octavia/ovnsb-cert.pem',
ovn_sb_ca_cert => $::openstack_integration::ovn::ovn_sb_db_ssl_ca_cert, ovn_sb_ca_cert => '/etc/octavia/switchcacert.pem',
}
if $::openstack_integration::config::ssl {
File['/etc/openvswitch/ovnnb-privkey.pem'] -> Anchor['octavia::config::end']
File['/etc/openvswitch/ovnsb-privkey.pem'] -> Anchor['octavia::config::end']
} }
} else{ } else{
$enabled_provider_drivers = undef $enabled_provider_drivers = undef
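Review bot: With `include openstack_integration::ovn` removed at line 152, the new `file` resources at lines 129 and 142 still `require` `Vswitch::Pki::Cert[$ovndb]` and `Class['vswitch::pki::Cacert']`, which are declared in openstack_integration::ovn (ovn.pp lines 173–174); unless the scenario manifest always includes that class on the octavia node, catalog compilation will fail on the missing references, and the neutron hunk at lines 46–73 has the same dependency. Two smaller points on the same resources: `Class['vswitch::pki::Cacert']` works because Puppet normalises class names, but `Class['vswitch::pki::cacert']` matches the declaration and reads consistently; and the copied key files set `owner` but no `group`, unlike the ovn.pp resources that pin `group => 'openvswitch'`, so `group => 'octavia',` (and `group => 'neutron',`) would make the resulting ownership explicit rather than inherited. The enclosing `if $::openstack_integration::config::ssl` block appears to start outside the hunk.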


@ -10,8 +10,6 @@ class openstack_integration::ovn(
class { 'vswitch::pki::cacert': } class { 'vswitch::pki::cacert': }
vswitch::pki::cert { ['ovnnb', 'ovnsb', 'ovncontroller']: } vswitch::pki::cert { ['ovnnb', 'ovnsb', 'ovncontroller']: }
$proto = 'ssl'
$ovn_nb_db_ssl_key = '/etc/openvswitch/ovnnb-privkey.pem' $ovn_nb_db_ssl_key = '/etc/openvswitch/ovnnb-privkey.pem'
$ovn_nb_db_ssl_cert = '/etc/openvswitch/ovnnb-cert.pem' $ovn_nb_db_ssl_cert = '/etc/openvswitch/ovnnb-cert.pem'
$ovn_nb_db_ssl_ca_cert = '/var/lib/openvswitch/pki/switchca/cacert.pem' $ovn_nb_db_ssl_ca_cert = '/var/lib/openvswitch/pki/switchca/cacert.pem'
@ -23,31 +21,25 @@ class openstack_integration::ovn(
$ovn_controller_ssl_cert = '/etc/openvswitch/ovncontroller-cert.pem' $ovn_controller_ssl_cert = '/etc/openvswitch/ovncontroller-cert.pem'
$ovn_controller_ssl_ca_cert = '/var/lib/openvswitch/pki/switchca/cacert.pem' $ovn_controller_ssl_ca_cert = '/var/lib/openvswitch/pki/switchca/cacert.pem'
# NOTE(tkajinam): ovn-pki generates a private key with 0600, owned by root ['ovnnb', 'ovnsb'].each |$ovndb| {
# but that does not allow access by ovn/neutron/octavia. file { "/etc/openvswitch/${ovndb}-privkey.pem":
file { '/etc/openvswitch/ovnnb-privkey.pem':
ensure => present, ensure => present,
mode => '0644', mode => '0600',
subscribe => Exec['ovs-req-and-sign-cert-ovnnb'], owner => 'openvswitch',
} group => 'openvswitch',
file { '/etc/openvswitch/ovnsb-privkey.pem': require => Vswitch::Pki::Cert[$ovndb],
ensure => present, } ~> Service['northd']
mode => '0644',
subscribe => Exec['ovs-req-and-sign-cert-ovnsb'],
} }
file { '/etc/openvswitch/ovncontroller-privkey.pem': file { '/etc/openvswitch/ovncontroller-privkey.pem':
ensure => present, ensure => present,
mode => '0644', mode => '0600',
subscribe => Exec['ovs-req-and-sign-cert-ovncontroller'], owner => 'openvswitch',
} group => 'openvswitch',
require => Vswitch::Pki::Cert['ovncontroller'],
File['/etc/openvswitch/ovnnb-privkey.pem'] -> Service['northd'] } ~> Service['controller']
File['/etc/openvswitch/ovnsb-privkey.pem'] -> Service['northd']
File['/etc/openvswitch/ovncontroller-privkey.pem'] -> Service['controller']
} else { } else {
$proto = 'tcp'
$ovn_nb_db_ssl_key = undef $ovn_nb_db_ssl_key = undef
$ovn_nb_db_ssl_cert = undef $ovn_nb_db_ssl_cert = undef
$ovn_nb_db_ssl_ca_cert = undef $ovn_nb_db_ssl_ca_cert = undef
@ -60,9 +52,6 @@ class openstack_integration::ovn(
$ovn_controller_ssl_ca_cert = undef $ovn_controller_ssl_ca_cert = undef
} }
$ovn_nb_connection = "${proto}:${::openstack_integration::config::ip_for_url}:6641"
$ovn_sb_connection = "${proto}:${::openstack_integration::config::ip_for_url}:6642"
class { 'ovn::northd': class { 'ovn::northd':
dbs_listen_ip => $::openstack_integration::config::ip_for_url, dbs_listen_ip => $::openstack_integration::config::ip_for_url,
ovn_nb_db_ssl_key => $ovn_nb_db_ssl_key, ovn_nb_db_ssl_key => $ovn_nb_db_ssl_key,
@ -73,7 +62,7 @@ class openstack_integration::ovn(
ovn_sb_db_ssl_ca_cert => $ovn_sb_db_ssl_ca_cert, ovn_sb_db_ssl_ca_cert => $ovn_sb_db_ssl_ca_cert,
} }
class { 'ovn::controller': class { 'ovn::controller':
ovn_remote => $ovn_sb_connection, ovn_remote => $::openstack_integration::config::ovn_sb_connection,
ovn_encap_ip => $::openstack_integration::config::host, ovn_encap_ip => $::openstack_integration::config::host,
ovn_bridge_mappings => ['external:br-ex'], ovn_bridge_mappings => ['external:br-ex'],
ovn_cms_options => 'enable-chassis-as-gw', ovn_cms_options => 'enable-chassis-as-gw',
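Review bot: The explanatory NOTE that accompanied the old 0644 key resources (lines 182–183, old side) was dropped, and the replacement `file` resources at lines 182–200 carry no comment, so a reader now sees root-generated private keys being re-owned to openvswitch with no rationale recorded. Suggest restoring it above the `.each`: `# NOTE: ovn-pki generates the private keys with 0600 owned by root; hand them to openvswitch so northd/controller can read them without loosening the mode; neutron and octavia get their own copies.` Tightening from 0644 to 0600 is the right direction, since the previous state left the private keys world-readable. The enclosing `if` block starts outside the hunk.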