Merge "Add Octavia OVN Provider configuration (1 of 2)" into stable/train

manifests/certmonger/ovn_metadata.pp

@@ -46,7 +46,7 @@ class tripleo::certmonger::ovn_metadata (
   $postsave_cmd  = undef,
   $principal     = undef,
 ) {
-  include ::certmonger
+  include certmonger
 
   certmonger_certificate { 'ovn_metadata' :
     ensure       => 'present',

manifests/certmonger/ovn_octavia.pp

@@ -0,0 +1,70 @@
+# Copyright 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ovn_octavia
+#
+# Request a certificate for the ovn_controller service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+#   (Optional) The haproxy service principal that is set for neutron in kerberos.
+#   Defaults to undef
+#
+class tripleo::certmonger::ovn_octavia (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $postsave_cmd  = undef,
+  $principal     = undef,
+) {
+  include certmonger
+
+  certmonger_certificate { 'ovn_octavia' :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    require      => Class['::certmonger'],
+  }
+  file { $service_certificate :
+    require => Certmonger_certificate['ovn_octavia']
+  }
+  file { $service_key :
+    require => Certmonger_certificate['ovn_octavia']
+  }
+
+}

manifests/profile/base/certmonger_user.pp

@@ -167,6 +167,11 @@
 #   it will create.
 #   Defaults to hiera('neutron_ovn_certificate_specs', {})
 #
+# [*ovn_octavia_certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('ovn_octavia_certificate_specs', {})
+#
 # === Deprecated
 #
 # [*haproxy_postsave_cmd*]
@@ -206,6 +211,7 @@ class tripleo::profile::base::certmonger_user (
   $ovn_controller_certificate_specs   = hiera('ovn_controller_certificate_specs', {}),
   $ovn_metadata_certificate_specs     = hiera('ovn_metadata_certificate_specs', {}),
   $neutron_ovn_certificate_specs      = hiera('neutron_ovn_certificate_specs', {}),
+  $ovn_octavia_certificate_specs      = hiera('ovn_octavia_certificate_specs', {}),
   $novnc_proxy_postsave_cmd           = undef,
   # Deprecated
   $haproxy_postsave_cmd               = undef,
@@ -314,5 +320,8 @@ class tripleo::profile::base::certmonger_user (
     unless empty($neutron_ovn_certificate_specs) {
       ensure_resource('class', 'tripleo::certmonger::neutron_ovn', $neutron_ovn_certificate_specs)
     }
+    unless empty($ovn_octavia_certificate_specs) {
+      ensure_resource('class', 'tripleo::certmonger::ovn_octavia', $ovn_octavia_certificate_specs)
+    }
   }
 }

manifests/profile/base/octavia/provider/ovn.pp

@@ -0,0 +1,86 @@
+# Copyright 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::octavia::provider::ovn
+#
+# Octavia OVN provider profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+#   (Optional) The current step in deployment. See tripleo-heat-templates
+#   for more details.
+#   Defaults to hiera('step')
+#
+# [*protocol*]
+#   (optional) Protocol use in communication with dbs
+#   Defaults to tcp
+#
+# [*ovn_db_host*]
+#   (Optional) The IP-Address where OVN DBs are listening.
+#   Defaults to hiera('ovn_dbs_vip')
+#
+# [*ovn_nb_port*]
+#   (Optional) Port number on which northbound database is listening
+#   Defaults to hiera('ovn::northbound::port')
+#
+# [*ovn_nb_private_key*]
+#   (optional) The PEM file with private key for SSL connection to OVN-NB-DB
+#   Defaults to $::os_service_default
+#
+# [*ovn_nb_certificate*]
+#   (optional) The PEM file with certificate that certifies the private
+#   key specified in ovn_nb_private_key
+#   Defaults to $::os_service_default
+#
+# [*ovn_nb_ca_cert*]
+#   (optional) The PEM file with CA certificate that OVN should use to
+#   verify certificates presented to it by SSL peers
+#   Defaults to $::os_service_default
+#
+class tripleo::profile::base::octavia::provider::ovn (
+  $step               = Integer(hiera('step')),
+  $protocol           = hiera('ovn_nb_connection_protocol', 'tcp'),
+  $ovn_db_host        = hiera('ovn_dbs_vip', undef),
+  $ovn_nb_port        = hiera('ovn::northbound::port', undef),
+  $ovn_nb_private_key = $::os_service_default,
+  $ovn_nb_certificate = $::os_service_default,
+  $ovn_nb_ca_cert     = $::os_service_default
+) {
+
+  include tripleo::profile::base::octavia::api
+
+  if ($step >= 4) {
+    # For backward compatibility
+    if $::tripleo::profile::base::octavia::api::ovn_db_host and !is_service_default(::tripleo::profile::base::octavia::api::ovn_db_host) {
+      $ovn_db_host_real = $::tripleo::profile::base::octavia::api::ovn_db_host
+      $ovn_nb_port_real = $::tripleo::profile::base::octavia::api::ovn_nb_port
+    }
+    else {
+      $ovn_db_host_real = $ovn_db_host
+      $ovn_nb_port_real = $ovn_nb_port
+    }
+
+    if $ovn_db_host_real {
+      $ovn_nb_conn_args = ["${protocol}", normalize_ip_for_uri($ovn_db_host_real), "${ovn_nb_port_real}"].filter |$c| { !$c.empty() }
+      $ovn_nb_connection = join($ovn_nb_conn_args, ':')
+      class { 'octavia::provider::ovn':
+        ovn_nb_connection  => $ovn_nb_connection,
+        ovn_nb_private_key => $ovn_nb_private_key,
+        ovn_nb_certificate => $ovn_nb_certificate,
+        ovn_nb_ca_cert     => $ovn_nb_ca_cert,
+      }
+    }
+  }
+}

releasenotes/notes/add-octavia-provider-ovn-6734aa08af4772e4.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added tripleo::profile::base::octavia::provider::ovn for configuring OVN driver
+    properties, including protocol.

spec/classes/tripleo_profile_base_octavia_provider_ovn_spec.rb

@@ -0,0 +1,138 @@
+#
+# Copyright (C) 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::octavia::provider::ovn' do
+
+  let :params do
+    { :step => 5,
+    }
+  end
+
+  shared_examples_for 'tripleo::profile::base::octavia::provider::ovn' do
+    before :each do
+      facts.merge!({ :step => params[:step] })
+    end
+
+    let(:pre_condition) do
+      <<-eos
+      class { 'tripleo::profile::base::octavia' :
+        step => #{params[:step]},
+        oslomsg_rpc_username => 'bugs',
+        oslomsg_rpc_password => 'rabbits_R_c00l',
+        oslomsg_rpc_hosts    => ['hole.field.com']
+      }
+      class { 'octavia::db::mysql':
+        password => 'some_password'
+      }
+      class { 'tripleo::profile::base::octavia::api' :
+        step => #{params[:step]},
+        bootstrap_node  => 'notbootstrap.example.com',
+      }
+eos
+    end
+
+    context 'with step less than 3' do
+      before do
+        params.merge!({
+          :step => 2,
+        })
+      end
+
+      it 'should not do anything' do
+        is_expected.to_not contain_class('octavia::provider::ovn')
+      end
+    end
+
+    context 'with step 4 without ovn_db_host' do
+      before do
+        params.merge!({
+          :step        => 4,
+          :protocol    => 'tcp',
+          :ovn_nb_port => '6641',
+        })
+      end
+
+      it 'should not do anything' do
+        is_expected.to_not contain_class('octavia::provider::ovn')
+      end
+    end
+
+    context 'with step 4 with ovn default protocol' do
+      before do
+        params.merge!({
+          :step        => 4,
+          :ovn_db_host => '127.0.0.1',
+          :ovn_nb_port => '6641',
+        })
+      end
+
+      it 'should set octavia provider ovn nb connection using tcp' do
+        is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_connection  => 'tcp:127.0.0.1:6641')
+        is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_private_key => '<SERVICE DEFAULT>')
+        is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_certificate => '<SERVICE DEFAULT>')
+        is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_ca_cert     => '<SERVICE DEFAULT>')
+      end
+    end
+
+    context 'with step 4 with ovn and tls/ssl' do
+      before do
+        params.merge!({
+          :step               => 4,
+          :protocol           => 'ssl',
+          :ovn_db_host        => '192.168.123.111',
+          :ovn_nb_port        => '6641',
+          :ovn_nb_private_key => '/foo.key',
+          :ovn_nb_certificate => '/foo.pem',
+          :ovn_nb_ca_cert     => '/ca_foo.pem',
+        })
+      end
+
+      it 'should set octavia provider ovn nb connection using ssl' do
+        is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_connection  => 'ssl:192.168.123.111:6641')
+        is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_private_key => '/foo.key')
+        is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_certificate => '/foo.pem')
+        is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_ca_cert     => '/ca_foo.pem')
+      end
+    end
+
+    context 'with step 4 with ovn and unix socket (no ovn_nb_port)' do
+      before do
+        params.merge!({
+          :step        => 4,
+          :protocol    => 'punix',
+          :ovn_db_host => '/run/ovn/ovnnb_db.sock',
+        })
+      end
+
+      it 'should set octavia provider ovn nb connection using unix socket' do
+        is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_connection => 'punix:/run/ovn/ovnnb_db.sock')
+      end
+    end
+
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({ :hostname => 'node.example.com' })
+      end
+      it_behaves_like 'tripleo::profile::base::octavia::provider::ovn'
+    end
+  end
+end
+