Add Octavia OVN Provider configuration (1 of 2)

This is part 1 of 2, where the ovn provider info located in
tripleo::profile::base::octavia::api will move
to the newly created octavia::provider::ovn.
This has to be split into 2 parts to avoid breaking the
CI until the THT+puppet-tripleo changes merge [1].

[1]: https://review.opendev.org/#/q/topic:bug/1861886+(status:open+OR+status:merged)

This patch enhances Octavia's OVN driver config, so it can connect to
OVN_Northbound DB using TLS.

Depends-On: https://review.opendev.org/#/c/711333/

Change-Id: I85049de9960586a1069aa750c8d727c6e37cec73
Related-Bug: #1861886
Flavio Fernandes 2020-03-02 18:36:45 -05:00
parent 3e8e98dde3
commit c68aa2e140
5 changed files with 308 additions and 0 deletions


@ -0,0 +1,70 @@
# Copyright 2020 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::ovn_octavia
#
# Request a certificate for the ovn_controller service and do the necessary setup.
#
# === Parameters
#
# [*hostname*]
# The hostname of the node. this will be set in the CN of the certificate.
#
# [*service_certificate*]
# The path to the certificate that will be used for TLS in this service.
#
# [*service_key*]
# The path to the key that will be used for TLS in this service.
#
# [*certmonger_ca*]
# (Optional) The CA that certmonger will use to generate the certificates.
# Defaults to hiera('certmonger_ca', 'local').
#
# [*postsave_cmd*]
# (Optional) Specifies the command to execute after requesting a certificate.
#
# [*principal*]
# (Optional) The haproxy service principal that is set for neutron in kerberos.
# Defaults to undef
#
class tripleo::certmonger::ovn_octavia (
$hostname,
$service_certificate,
$service_key,
$certmonger_ca = hiera('certmonger_ca', 'local'),
$postsave_cmd = undef,
$principal = undef,
) {
include certmonger
certmonger_certificate { 'ovn_octavia' :
ensure => 'present',
certfile => $service_certificate,
keyfile => $service_key,
hostname => $hostname,
dnsname => $hostname,
principal => $principal,
postsave_cmd => $postsave_cmd,
ca => $certmonger_ca,
wait => true,
require => Class['::certmonger'],
}
file { $service_certificate :
require => Certmonger_certificate['ovn_octavia']
}
file { $service_key :
require => Certmonger_certificate['ovn_octavia']
}
}
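Review bot: The header comment of this new class still says it requests a certificate "for the ovn_controller service", and the [*principal*] entry describes "the haproxy service principal that is set for neutron", both apparently carried over from the ovn_controller and neutron certmonger classes; what the class actually declares is the 'ovn_octavia' certificate consumed by the Octavia OVN provider. I would change the first to `# Request a certificate for the Octavia OVN provider service and do the necessary setup.` and the second to `# (Optional) The service principal that is set for the Octavia OVN provider in kerberos.`. Separately, the `file { $service_key : … }` resource declares only a require, so the private key's owner, group and mode are whatever certmonger writes it with and nothing in this class states who is meant to read it; an explicit owner/group/mode on that resource would make the permission contract visible here instead of inherited from certmonger's defaults.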


@ -167,6 +167,11 @@
# it will create.
# Defaults to hiera('neutron_ovn_certificate_specs', {})
#
# [*ovn_octavia_certificate_specs*]
# (Optional) The specifications to give to certmonger for the certificate(s)
# it will create.
# Defaults to hiera('ovn_octavia_certificate_specs', {})
#
# === Deprecated
#
# [*haproxy_postsave_cmd*]
@ -206,6 +211,7 @@ class tripleo::profile::base::certmonger_user (
$ovn_controller_certificate_specs = hiera('ovn_controller_certificate_specs', {}),
$ovn_metadata_certificate_specs = hiera('ovn_metadata_certificate_specs', {}),
$neutron_ovn_certificate_specs = hiera('neutron_ovn_certificate_specs', {}),
$ovn_octavia_certificate_specs = hiera('ovn_octavia_certificate_specs', {}),
$novnc_proxy_postsave_cmd = undef,
# Deprecated
$haproxy_postsave_cmd = undef,
@ -314,5 +320,8 @@ class tripleo::profile::base::certmonger_user (
unless empty($neutron_ovn_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::neutron_ovn', $neutron_ovn_certificate_specs)
}
unless empty($ovn_octavia_certificate_specs) {
ensure_resource('class', 'tripleo::certmonger::ovn_octavia', $ovn_octavia_certificate_specs)
}
}
}


@ -0,0 +1,86 @@
# Copyright 2020 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::profile::base::octavia::provider::ovn
#
# Octavia OVN provider profile for tripleo
#
# === Parameters
#
# [*step*]
# (Optional) The current step in deployment. See tripleo-heat-templates
# for more details.
# Defaults to hiera('step')
#
# [*protocol*]
# (optional) Protocol use in communication with dbs
# Defaults to tcp
#
# [*ovn_db_host*]
# (Optional) The IP-Address where OVN DBs are listening.
# Defaults to hiera('ovn_dbs_vip')
#
# [*ovn_nb_port*]
# (Optional) Port number on which northbound database is listening
# Defaults to hiera('ovn::northbound::port')
#
# [*ovn_nb_private_key*]
# (optional) The PEM file with private key for SSL connection to OVN-NB-DB
# Defaults to $::os_service_default
#
# [*ovn_nb_certificate*]
# (optional) The PEM file with certificate that certifies the private
# key specified in ovn_nb_private_key
# Defaults to $::os_service_default
#
# [*ovn_nb_ca_cert*]
# (optional) The PEM file with CA certificate that OVN should use to
# verify certificates presented to it by SSL peers
# Defaults to $::os_service_default
#
class tripleo::profile::base::octavia::provider::ovn (
$step = Integer(hiera('step')),
$protocol = hiera('ovn_nb_connection_protocol', 'tcp'),
$ovn_db_host = hiera('ovn_dbs_vip', undef),
$ovn_nb_port = hiera('ovn::northbound::port', undef),
$ovn_nb_private_key = $::os_service_default,
$ovn_nb_certificate = $::os_service_default,
$ovn_nb_ca_cert = $::os_service_default
) {
include tripleo::profile::base::octavia::api
if ($step >= 4) {
# For backward compatibility
if $::tripleo::profile::base::octavia::api::ovn_db_host and !is_service_default(::tripleo::profile::base::octavia::api::ovn_db_host) {
$ovn_db_host_real = $::tripleo::profile::base::octavia::api::ovn_db_host
$ovn_nb_port_real = $::tripleo::profile::base::octavia::api::ovn_nb_port
}
else {
$ovn_db_host_real = $ovn_db_host
$ovn_nb_port_real = $ovn_nb_port
}
if $ovn_db_host_real {
$ovn_nb_conn_args = ["${protocol}", normalize_ip_for_uri($ovn_db_host_real), "${ovn_nb_port_real}"].filter |$c| { !$c.empty() }
$ovn_nb_connection = join($ovn_nb_conn_args, ':')
class { 'octavia::provider::ovn':
ovn_nb_connection => $ovn_nb_connection,
ovn_nb_private_key => $ovn_nb_private_key,
ovn_nb_certificate => $ovn_nb_certificate,
ovn_nb_ca_cert => $ovn_nb_ca_cert,
}
}
}
}
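Review bot: The backward-compatibility guard in the `if $::tripleo::profile::base::octavia::api::ovn_db_host and !is_service_default(...)` line passes `::tripleo::profile::base::octavia::api::ovn_db_host` without a `$` sigil, so it looks like the function receives a bare name (evaluated as a literal string) rather than the api class's parameter; that string is never the service default, so the second half of the condition appears to be always true and an api `ovn_db_host` left at `$::os_service_default` would be forwarded as the connection host. The intended line is presumably `if $::tripleo::profile::base::octavia::api::ovn_db_host and !is_service_default($::tripleo::profile::base::octavia::api::ovn_db_host) {`. A second point: nothing checks that when `$protocol` is `ssl` the `ovn_nb_private_key`, `ovn_nb_certificate` and `ovn_nb_ca_cert` parameters are set to something other than `$::os_service_default`, so an `ssl:` connection string can be emitted with no key material configured and the failure only surfaces when the driver tries to connect; a `fail()` or warning for that combination, or at least a sentence in the `[*protocol*]` doc stating that the three PEM parameters are required for `ssl`, would help. The `[*protocol*]` description itself reads "Protocol use in communication with dbs"; `# (optional) Protocol used to connect to the OVN databases (tcp, ssl or punix)` would be clearer, with the last part hedged on what the connection-string consumer accepts.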


@ -0,0 +1,5 @@
---
features:
- |
Added tripleo::profile::base::octavia::provider::ovn for configuring OVN driver
properties, including protocol.


@ -0,0 +1,138 @@
#
# Copyright (C) 2020 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
require 'spec_helper'
describe 'tripleo::profile::base::octavia::provider::ovn' do
let :params do
{ :step => 5,
}
end
shared_examples_for 'tripleo::profile::base::octavia::provider::ovn' do
before :each do
facts.merge!({ :step => params[:step] })
end
let(:pre_condition) do
<<-eos
class { 'tripleo::profile::base::octavia' :
step => #{params[:step]},
oslomsg_rpc_username => 'bugs',
oslomsg_rpc_password => 'rabbits_R_c00l',
oslomsg_rpc_hosts => ['hole.field.com']
}
class { 'octavia::db::mysql':
password => 'some_password'
}
class { 'tripleo::profile::base::octavia::api' :
step => #{params[:step]},
bootstrap_node => 'notbootstrap.example.com',
}
eos
end
context 'with step less than 3' do
before do
params.merge!({
:step => 2,
})
end
it 'should not do anything' do
is_expected.to_not contain_class('octavia::provider::ovn')
end
end
context 'with step 4 without ovn_db_host' do
before do
params.merge!({
:step => 4,
:protocol => 'tcp',
:ovn_nb_port => '6641',
})
end
it 'should not do anything' do
is_expected.to_not contain_class('octavia::provider::ovn')
end
end
context 'with step 4 with ovn default protocol' do
before do
params.merge!({
:step => 4,
:ovn_db_host => '127.0.0.1',
:ovn_nb_port => '6641',
})
end
it 'should set octavia provider ovn nb connection using tcp' do
is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_connection => 'tcp:127.0.0.1:6641')
is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_private_key => '<SERVICE DEFAULT>')
is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_certificate => '<SERVICE DEFAULT>')
is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_ca_cert => '<SERVICE DEFAULT>')
end
end
context 'with step 4 with ovn and tls/ssl' do
before do
params.merge!({
:step => 4,
:protocol => 'ssl',
:ovn_db_host => '192.168.123.111',
:ovn_nb_port => '6641',
:ovn_nb_private_key => '/foo.key',
:ovn_nb_certificate => '/foo.pem',
:ovn_nb_ca_cert => '/ca_foo.pem',
})
end
it 'should set octavia provider ovn nb connection using ssl' do
is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_connection => 'ssl:192.168.123.111:6641')
is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_private_key => '/foo.key')
is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_certificate => '/foo.pem')
is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_ca_cert => '/ca_foo.pem')
end
end
context 'with step 4 with ovn and unix socket (no ovn_nb_port)' do
before do
params.merge!({
:step => 4,
:protocol => 'punix',
:ovn_db_host => '/run/ovn/ovnnb_db.sock',
})
end
it 'should set octavia provider ovn nb connection using unix socket' do
is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_connection => 'punix:/run/ovn/ovnnb_db.sock')
end
end
end
on_supported_os.each do |os, facts|
context "on #{os}" do
let(:facts) do
facts.merge({ :hostname => 'node.example.com' })
end
it_behaves_like 'tripleo::profile::base::octavia::provider::ovn'
end
end
end
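Review bot: The spec never exercises the backward-compatibility branch of the profile, where `tripleo::profile::base::octavia::api` already carries `ovn_db_host`/`ovn_nb_port`; every context here leaves those unset in the `pre_condition`, so the `is_service_default` guard in the manifest is untested. I would add a context that passes `ovn_db_host` and `ovn_nb_port` to the api class in the `pre_condition` and asserts that `octavia::provider::ovn` gets those values in `ovn_nb_connection`, plus one where the api value is '<SERVICE DEFAULT>' and the profile's own `ovn_db_host` is expected to win. Also, the class only acts at step >= 4, but the 'with step less than 3' context uses step 2, leaving step 3 uncovered; `context 'with step less than 4' do` with `:step => 3,` would pin the actual boundary.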