openstack/puppet-ovn
Code Issues Proposed changes

Add support for SSL connections to NB/SB DB

Browse Source 
To allow ovn-northd to connect over SSL, the key, cert and cacert needs
to be set.

Co-Authored-By: Jake Yip <jake.yip@ardc.edu.au>
Change-Id: I574992748506e357af383588fb89b45203dee738
This commit is contained in:
Takashi Kajinami 2022-12-01 12:44:21 +09:00
parent 889de8b44d
commit 1bfe785fd5
3 changed files with 55 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
manifests/northd.pp
View File

@ -23,12 +23,27 @@
# SB DB address(es)
# Defaults to undef
#
# [*ovn_northd_ssl_key*]
# OVN Northd SSL private key file
# Defaults to undef
#
# [*ovn_northd_ssl_cert*]
# OVN Northd SSL certificate file
# Defaults to undef
#
# [*ovn_northd_ssl_ca_cert*]
# OVN Northd SSL CA certificate file
# Defaults to undef
#
class ovn::northd(
$dbs_listen_ip = '0.0.0.0',
$dbs_cluster_local_addr = undef,
$dbs_cluster_remote_addr = undef,
$ovn_northd_nb_db = undef,
$ovn_northd_sb_db = undef,
$ovn_northd_ssl_key = undef,
$ovn_northd_ssl_cert = undef,
$ovn_northd_ssl_ca_cert = undef,
) {
include ovn::params
include vswitch::ovs
@ -72,11 +87,24 @@ class ovn::northd(
default => fail('ovn_northd_sb_db_opts must be of type String or Array[String]'),
}
if $ovn_northd_ssl_key and $ovn_northd_ssl_cert and $ovn_northd_ssl_ca_cert {
$ovn_northd_ssl_opts = [
"--ovn-northd-ssl-key=${ovn_northd_ssl_key}",
"--ovn-northd-ssl-cert=${ovn_northd_ssl_cert}",
"--ovn-northd-ssl-ca-cert=${ovn_northd_ssl_ca_cert}"
]
} elsif ! ($ovn_northd_ssl_key or $ovn_northd_ssl_cert or $ovn_northd_ssl_ca_cert) {
$ovn_northd_ssl_opts = []
} else {
fail('The ovn_northd_ssl_key, cert and ca_cert are required to use SSL.')
}
$ovn_northd_opts = join($ovn_northd_opts_addr +
$ovn_northd_opts_cluster_local_addr +
$ovn_northd_opts_cluster_remote_addr +
$ovn_northd_nb_db_opts +
$ovn_northd_sb_db_opts,
$ovn_northd_sb_db_opts +
$ovn_northd_ssl_opts,
' ')
augeas { 'config-ovn-northd':

9
releasenotes/notes/ovn-northd-ssl-db-0d77bbd457a21df6.yaml Normal file
View File

@ -0,0 +1,9 @@
---
features:
- |
Add support for ovn-northd to connect via SSL to NB and SB DB. To enable
SSL, set the following parameters.
- ``ovn::northd::ovn_northd_ssl_key``
- ``ovn::northd::ovn_northd_ssl_cert``
- ``ovn::northd::ovn_northd_ssl_cacert``

20
spec/classes/ovn_northd_spec.rb
View File

@ -19,8 +19,11 @@ describe 'ovn::northd' do
context 'with parameters' do
let :params do
{
:ovn_northd_nb_db => 'tcp:192.0.2.1:6645,tcp:192.0.2.2:6645,tcp:192.0.2.3:6645',
:ovn_northd_sb_db => ['tcp:192.0.2.1:6646', 'tcp:192.0.2.2:6646', 'tcp:192.0.2.3:6646'],
:ovn_northd_nb_db => 'ssl:192.0.2.1:6645,ssl:192.0.2.2:6645,ssl:192.0.2.3:6645',
:ovn_northd_sb_db => ['ssl:192.0.2.1:6646', 'ssl:192.0.2.2:6646', 'ssl:192.0.2.3:6646'],
:ovn_northd_ssl_key => 'key.pem',
:ovn_northd_ssl_cert => 'cert.pem',
:ovn_northd_ssl_ca_cert => 'cacert.pem',
}
end
@ -29,12 +32,23 @@ describe 'ovn::northd' do
:context => platform_params[:ovn_northd_context],
:changes => "set " + platform_params[:ovn_northd_option_name] + " '\"" +
"--db-nb-addr=0.0.0.0 --db-sb-addr=0.0.0.0 --db-nb-create-insecure-remote=yes --db-sb-create-insecure-remote=yes" +
" --ovn-northd-nb-db=tcp:192.0.2.1:6645,tcp:192.0.2.2:6645,tcp:192.0.2.3:6645 --ovn-northd-sb-db=tcp:192.0.2.1:6646,tcp:192.0.2.2:6646,tcp:192.0.2.3:6646" +
" --ovn-northd-nb-db=ssl:192.0.2.1:6645,ssl:192.0.2.2:6645,ssl:192.0.2.3:6645 --ovn-northd-sb-db=ssl:192.0.2.1:6646,ssl:192.0.2.2:6646,ssl:192.0.2.3:6646" +
" --ovn-northd-ssl-key=key.pem --ovn-northd-ssl-cert=cert.pem --ovn-northd-ssl-ca-cert=cacert.pem" +
"\"'",
})
end
end
context 'with bad ssl parameters' do
let :params do
{
:ovn_northd_ssl_key => 'key.pem',
}
end
it { should raise_error(Puppet::Error, /The ovn_northd_ssl_key, cert and ca_cert are required to use SSL/) }
end
end
shared_examples_for 'ovn northd' do