diff --git a/manifests/certmonger/ovn_metadata.pp b/manifests/certmonger/ovn_metadata.pp
index 93476dc14..46f84c345 100644
--- a/manifests/certmonger/ovn_metadata.pp
+++ b/manifests/certmonger/ovn_metadata.pp
@@ -46,7 +46,7 @@ class tripleo::certmonger::ovn_metadata (
 $postsave_cmd = undef,
 $principal = undef,
 ) {
- include ::certmonger
+ include certmonger
 
 certmonger_certificate { 'ovn_metadata' :
 ensure => 'present',
diff --git a/manifests/certmonger/ovn_octavia.pp b/manifests/certmonger/ovn_octavia.pp
new file mode 100644
index 000000000..31a812c57
--- /dev/null
+++ b/manifests/certmonger/ovn_octavia.pp
@@ -0,0 +1,70 @@
+# Copyright 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ovn_octavia
+#
+# Request a certificate for the ovn_controller service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+# (Optional) The haproxy service principal that is set for neutron in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::ovn_octavia (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $postsave_cmd = undef,
+ $principal = undef,
+) {
+ include certmonger
+
+ certmonger_certificate { 'ovn_octavia' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd,
+ ca => $certmonger_ca,
+ wait => true,
+ require => Class['::certmonger'],
+ }
+ file { $service_certificate :
+ require => Certmonger_certificate['ovn_octavia']
+ }
+ file { $service_key :
+ require => Certmonger_certificate['ovn_octavia']
+ }
+
+}
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 79a0d1db2..676a8c386 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -167,6 +167,11 @@
 # it will create.
 # Defaults to hiera('neutron_ovn_certificate_specs', {})
 #
+# [*ovn_octavia_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('ovn_octavia_certificate_specs', {})
+#
 # === Deprecated
 #
 # [*haproxy_postsave_cmd*]
@@ -206,6 +211,7 @@ class tripleo::profile::base::certmonger_user (
 $ovn_controller_certificate_specs = hiera('ovn_controller_certificate_specs', {}),
 $ovn_metadata_certificate_specs = hiera('ovn_metadata_certificate_specs', {}),
 $neutron_ovn_certificate_specs = hiera('neutron_ovn_certificate_specs', {}),
+ $ovn_octavia_certificate_specs = hiera('ovn_octavia_certificate_specs', {}),
 $novnc_proxy_postsave_cmd = undef,
 # Deprecated
 $haproxy_postsave_cmd = undef,
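Review bot: The class header comment describes the wrong service: `# Request a certificate for the ovn_controller service and do the necessary setup.` should name `ovn_octavia`, and the `[*principal*]` entry still reads "The haproxy service principal that is set for neutron in kerberos", which looks carried over from another certmonger class. The `require => Class['::certmonger']` reference keeps the leading `::` that the ovn_metadata hunk in this same commit removes from its `include`; `require => Class['certmonger'],` would keep the two files consistent. Neither `file { $service_key : ... }` nor the `certmonger_certificate` resource sets `owner`/`group`/`mode`, so the private key's permissions are whatever certmonger wrote them as; if that matches the sibling certmonger classes it is acceptable, but it is worth confirming the key is not group- or world-readable on the Octavia host.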
@@ -314,5 +320,8 @@ class tripleo::profile::base::certmonger_user (
 unless empty($neutron_ovn_certificate_specs) {
 ensure_resource('class', 'tripleo::certmonger::neutron_ovn', $neutron_ovn_certificate_specs)
 }
+ unless empty($ovn_octavia_certificate_specs) {
+ ensure_resource('class', 'tripleo::certmonger::ovn_octavia', $ovn_octavia_certificate_specs)
+ }
 }
 }
diff --git a/manifests/profile/base/octavia/provider/ovn.pp b/manifests/profile/base/octavia/provider/ovn.pp
new file mode 100644
index 000000000..d80bdb70f
--- /dev/null
+++ b/manifests/profile/base/octavia/provider/ovn.pp
@@ -0,0 +1,86 @@
+# Copyright 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::profile::base::octavia::provider::ovn
+#
+# Octavia OVN provider profile for tripleo
+#
+# === Parameters
+#
+# [*step*]
+# (Optional) The current step in deployment. See tripleo-heat-templates
+# for more details.
+# Defaults to hiera('step')
+#
+# [*protocol*]
+# (optional) Protocol use in communication with dbs
+# Defaults to tcp
+#
+# [*ovn_db_host*]
+# (Optional) The IP-Address where OVN DBs are listening.
+# Defaults to hiera('ovn_dbs_vip')
+#
+# [*ovn_nb_port*]
+# (Optional) Port number on which northbound database is listening
+# Defaults to hiera('ovn::northbound::port')
+#
+# [*ovn_nb_private_key*]
+# (optional) The PEM file with private key for SSL connection to OVN-NB-DB
+# Defaults to $::os_service_default
+#
+# [*ovn_nb_certificate*]
+# (optional) The PEM file with certificate that certifies the private
+# key specified in ovn_nb_private_key
+# Defaults to $::os_service_default
+#
+# [*ovn_nb_ca_cert*]
+# (optional) The PEM file with CA certificate that OVN should use to
+# verify certificates presented to it by SSL peers
+# Defaults to $::os_service_default
+#
+class tripleo::profile::base::octavia::provider::ovn (
+ $step = Integer(hiera('step')),
+ $protocol = hiera('ovn_nb_connection_protocol', 'tcp'),
+ $ovn_db_host = hiera('ovn_dbs_vip', undef),
+ $ovn_nb_port = hiera('ovn::northbound::port', undef),
+ $ovn_nb_private_key = $::os_service_default,
+ $ovn_nb_certificate = $::os_service_default,
+ $ovn_nb_ca_cert = $::os_service_default
+) {
+
+ include tripleo::profile::base::octavia::api
+
+ if ($step >= 4) {
+ # For backward compatibility
+ if $::tripleo::profile::base::octavia::api::ovn_db_host and !is_service_default(::tripleo::profile::base::octavia::api::ovn_db_host) {
+ $ovn_db_host_real = $::tripleo::profile::base::octavia::api::ovn_db_host
+ $ovn_nb_port_real = $::tripleo::profile::base::octavia::api::ovn_nb_port
+ }
+ else {
+ $ovn_db_host_real = $ovn_db_host
+ $ovn_nb_port_real = $ovn_nb_port
+ }
+
+ if $ovn_db_host_real {
+ $ovn_nb_conn_args = ["${protocol}", normalize_ip_for_uri($ovn_db_host_real), "${ovn_nb_port_real}"].filter |$c| { !$c.empty() }
+ $ovn_nb_connection = join($ovn_nb_conn_args, ':')
+ class { 'octavia::provider::ovn':
+ ovn_nb_connection => $ovn_nb_connection,
+ ovn_nb_private_key => $ovn_nb_private_key,
+ ovn_nb_certificate => $ovn_nb_certificate,
+ ovn_nb_ca_cert => $ovn_nb_ca_cert,
+ }
+ }
+ }
+}
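Review bot: The backward-compatibility guard passes a bare name instead of a variable to `is_service_default`: in `!is_service_default(::tripleo::profile::base::octavia::api::ovn_db_host)` the `$` sigil is missing, so the function sees the literal string and the negated result is always true. Should the api class ever set `ovn_db_host` to `$::os_service_default` (a truthy string), the first branch wins, `$ovn_db_host_real` becomes the service-default marker, passes `if $ovn_db_host_real`, and is joined into `ovn_nb_connection`. The fix is `if $::tripleo::profile::base::octavia::api::ovn_db_host and !is_service_default($::tripleo::profile::base::octavia::api::ovn_db_host) {`. Separately, nothing in the `ssl` case checks that `$ovn_nb_ca_cert` is set alongside the key and certificate; whether the client verifies the server without a CA is decided inside `octavia::provider::ovn`, so if it is not enforced there a short comment on the `class { 'octavia::provider::ovn':` declaration stating that expectation would help operators.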
diff --git a/releasenotes/notes/add-octavia-provider-ovn-6734aa08af4772e4.yaml b/releasenotes/notes/add-octavia-provider-ovn-6734aa08af4772e4.yaml
new file mode 100644
index 000000000..fdf855b3c
--- /dev/null
+++ b/releasenotes/notes/add-octavia-provider-ovn-6734aa08af4772e4.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added tripleo::profile::base::octavia::provider::ovn for configuring OVN driver
+ properties, including protocol.
diff --git a/spec/classes/tripleo_profile_base_octavia_provider_ovn_spec.rb b/spec/classes/tripleo_profile_base_octavia_provider_ovn_spec.rb
new file mode 100644
index 000000000..87f3d50ad
--- /dev/null
+++ b/spec/classes/tripleo_profile_base_octavia_provider_ovn_spec.rb
@@ -0,0 +1,138 @@
+#
+# Copyright (C) 2020 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+
+require 'spec_helper'
+
+describe 'tripleo::profile::base::octavia::provider::ovn' do
+
+ let :params do
+ { :step => 5,
+ }
+ end
+
+ shared_examples_for 'tripleo::profile::base::octavia::provider::ovn' do
+ before :each do
+ facts.merge!({ :step => params[:step] })
+ end
+
+ let(:pre_condition) do
+ <<-eos
+ class { 'tripleo::profile::base::octavia' :
+ step => #{params[:step]},
+ oslomsg_rpc_username => 'bugs',
+ oslomsg_rpc_password => 'rabbits_R_c00l',
+ oslomsg_rpc_hosts => ['hole.field.com']
+ }
+ class { 'octavia::db::mysql':
+ password => 'some_password'
+ }
+ class { 'tripleo::profile::base::octavia::api' :
+ step => #{params[:step]},
+ bootstrap_node => 'notbootstrap.example.com',
+ }
+eos
+ end
+
+ context 'with step less than 3' do
+ before do
+ params.merge!({
+ :step => 2,
+ })
+ end
+
+ it 'should not do anything' do
+ is_expected.to_not contain_class('octavia::provider::ovn')
+ end
+ end
+
+ context 'with step 4 without ovn_db_host' do
+ before do
+ params.merge!({
+ :step => 4,
+ :protocol => 'tcp',
+ :ovn_nb_port => '6641',
+ })
+ end
+
+ it 'should not do anything' do
+ is_expected.to_not contain_class('octavia::provider::ovn')
+ end
+ end
+
+ context 'with step 4 with ovn default protocol' do
+ before do
+ params.merge!({
+ :step => 4,
+ :ovn_db_host => '127.0.0.1',
+ :ovn_nb_port => '6641',
+ })
+ end
+
+ it 'should set octavia provider ovn nb connection using tcp' do
+ is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_connection => 'tcp:127.0.0.1:6641')
+ is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_private_key => '')
+ is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_certificate => '')
+ is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_ca_cert => '')
+ end
+ end
+
+ context 'with step 4 with ovn and tls/ssl' do
+ before do
+ params.merge!({
+ :step => 4,
+ :protocol => 'ssl',
+ :ovn_db_host => '192.168.123.111',
+ :ovn_nb_port => '6641',
+ :ovn_nb_private_key => '/foo.key',
+ :ovn_nb_certificate => '/foo.pem',
+ :ovn_nb_ca_cert => '/ca_foo.pem',
+ })
+ end
+
+ it 'should set octavia provider ovn nb connection using ssl' do
+ is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_connection => 'ssl:192.168.123.111:6641')
+ is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_private_key => '/foo.key')
+ is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_certificate => '/foo.pem')
+ is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_ca_cert => '/ca_foo.pem')
+ end
+ end
+
+ context 'with step 4 with ovn and unix socket (no ovn_nb_port)' do
+ before do
+ params.merge!({
+ :step => 4,
+ :protocol => 'punix',
+ :ovn_db_host => '/run/ovn/ovnnb_db.sock',
+ })
+ end
+
+ it 'should set octavia provider ovn nb connection using unix socket' do
+ is_expected.to contain_class('octavia::provider::ovn').with(:ovn_nb_connection => 'punix:/run/ovn/ovnnb_db.sock')
+ end
+ end
+
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let(:facts) do
+ facts.merge({ :hostname => 'node.example.com' })
+ end
+ it_behaves_like 'tripleo::profile::base::octavia::provider::ovn'
+ end
+ end
+end
+
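Review bot: The first context is named `'with step less than 3'` and uses step 2, but the class under test only acts at `$step >= 4`, so the negative case never touches the real boundary; `context 'with step less than 4' do` with `:step => 3,` would pin the actual threshold. None of the positive contexts covers the fallback where `ovn_db_host` comes from `tripleo::profile::base::octavia::api` (the "For backward compatibility" branch in the class), so a regression in that branch would pass this spec; a context that sets `ovn_db_host` on the api class declaration inside `pre_condition` would close the gap. The `:ovn_nb_private_key => ''` expectations in the default-protocol context rely on how the spec helper resolves `$::os_service_default`; a one-line comment above that `it` block naming the fact that supplies it would save the next reader a lookup.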