Support connecting OVN DB over SSL

This patch introduce parameters which support using SSL to connect to OVN_Northbound DB and OVN_Southbound DB. Depends-On: https://review.opendev.org/#/c/674603/ Change-Id: I03bda5d2e36ab168079fc7e8be220c9a4e29e44f Signed-off-by: Kamil Sambor <ksambor@redhat.com>
2019-08-06 17:36:41 +02:00 · 2019-08-06 17:36:41 +02:00 · f5bbc3ff85
commit f5bbc3ff85
parent 2189f6da4b
11 changed files with 569 additions and 64 deletions
--- a/manifests/certmonger/neutron_ovn.pp
+++ b/manifests/certmonger/neutron_ovn.pp
@ -0,0 +1,70 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::neutron_ovn
+#
+# Request a certificate for the ovn_controller service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+#   (Optional) The haproxy service principal that is set for neutron in kerberos.
+#   Defaults to undef
+#
+class tripleo::certmonger::neutron_ovn (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $postsave_cmd  = undef,
+  $principal     = undef,
+) {
+  include ::certmonger
+
+  certmonger_certificate { 'neutron_ovn' :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    require      => Class['::certmonger'],
+  }
+  file { $service_certificate :
+    require => Certmonger_certificate['neutron_ovn']
+  }
+  file { $service_key :
+    require => Certmonger_certificate['neutron_ovn']
+  }
+
+}
--- a/manifests/certmonger/ovn_controller.pp
+++ b/manifests/certmonger/ovn_controller.pp
@ -0,0 +1,70 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ovn_controller
+#
+# Request a certificate for the ovn_controller service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+#   (Optional) The haproxy service principal that is set for neutron in kerberos.
+#   Defaults to undef
+#
+class tripleo::certmonger::ovn_controller (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $postsave_cmd  = undef,
+  $principal     = undef,
+) {
+  include ::certmonger
+
+  certmonger_certificate { 'ovn_clients' :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    require      => Class['::certmonger'],
+  }
+  file { $service_certificate :
+    require => Certmonger_certificate['ovn_controller']
+  }
+  file { $service_key :
+    require => Certmonger_certificate['ovn_controller']
+  }
+
+}
--- a/manifests/certmonger/ovn_dbs.pp
+++ b/manifests/certmonger/ovn_dbs.pp
@ -0,0 +1,69 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ovn_sbdb
+#
+# Request a certificate for the ovn_sbdb service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+#   (Optional) The haproxy service principal that is set for neutron in kerberos.
+#   Defaults to undef
+#
+class tripleo::certmonger::ovn_dbs (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $postsave_cmd  = undef,
+  $principal     = undef,
+) {
+  include ::certmonger
+
+  certmonger_certificate { 'ovn_dbs' :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    require      => Class['::certmonger'],
+  }
+  file { $service_certificate :
+    require => Certmonger_certificate['ovn_dbs']
+  }
+  file { $service_key :
+    require => Certmonger_certificate['ovn_dbs']
+  }
+}
--- a/manifests/certmonger/ovn_metadata.pp
+++ b/manifests/certmonger/ovn_metadata.pp
@ -0,0 +1,70 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ovn_metadata
+#
+# Request a certificate for the ovn_controller service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+#   (Optional) The haproxy service principal that is set for neutron in kerberos.
+#   Defaults to undef
+#
+class tripleo::certmonger::ovn_metadata (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $postsave_cmd  = undef,
+  $principal     = undef,
+) {
+  include ::certmonger
+
+  certmonger_certificate { 'ovn_metadata' :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    require      => Class['::certmonger'],
+  }
+  file { $service_certificate :
+    require => Certmonger_certificate['ovn_metadata']
+  }
+  file { $service_key :
+    require => Certmonger_certificate['ovn_metadata']
+  }
+
+}
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@ -137,6 +137,26 @@
 #   certificate is renewed.
 #   Defaults to undef
 #
+# [*ovn_dbs_certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('ovn_dbs_certificate_specs', {})
+#
+# [*ovn_controller_certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('ovn_controller_certificate_specs', {})
+#
+# [*ovn_metadata_certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('ovn_metadata_certificate_specs', {})
+#
+# [*neutron_ovn_certificate_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('neutron_ovn_certificate_specs', {})
+#
 # === Deprecated
 #
 # [*haproxy_postsave_cmd*]
@ -150,30 +170,34 @@
 #   Defaults to undef
 #
 class tripleo::profile::base::certmonger_user (
-  $step                       = Integer(hiera('step')),
-  $certmonger_ca              = hiera('certmonger_ca', 'local'),
-  $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
-  $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
-  $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
-  $libvirt_postsave_cmd       = undef,
-  $libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
-  $libvirt_vnc_postsave_cmd       = undef,
-  $qemu_certificates_specs    = hiera('qemu_certificates_specs', {}),
-  $qemu_postsave_cmd          = undef,
-  $qdr_certificate_specs      = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
-  $mysql_certificate_specs    = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
-  $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
-  $redis_certificate_specs    = hiera('redis_certificate_specs', {}),
-  $etcd_certificate_specs     = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
-  $odl_certificate_specs      = hiera('tripleo::profile::base::neutron::opendaylight::certificate_specs', {}),
-  $ovs_certificate_specs      = hiera('tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs', {}),
-  $neutron_certificate_specs  = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
-  $novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
-  $ceph_grafana_certificate_specs = hiera('ceph_grafana_certificate_specs', {}),
-  $novnc_proxy_postsave_cmd   = undef,
+  $step                               = Integer(hiera('step')),
+  $certmonger_ca                      = hiera('certmonger_ca', 'local'),
+  $apache_certificates_specs          = hiera('apache_certificates_specs', {}),
+  $haproxy_certificates_specs         = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+  $libvirt_certificates_specs         = hiera('libvirt_certificates_specs', {}),
+  $libvirt_postsave_cmd               = undef,
+  $libvirt_vnc_certificates_specs     = hiera('libvirt_vnc_certificates_specs', {}),
+  $libvirt_vnc_postsave_cmd           = undef,
+  $qemu_certificates_specs            = hiera('qemu_certificates_specs', {}),
+  $qemu_postsave_cmd                  = undef,
+  $qdr_certificate_specs              = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
+  $mysql_certificate_specs            = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+  $rabbitmq_certificate_specs         = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
+  $redis_certificate_specs            = hiera('redis_certificate_specs', {}),
+  $etcd_certificate_specs             = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
+  $odl_certificate_specs              = hiera('tripleo::profile::base::neutron::opendaylight::certificate_specs', {}),
+  $ovs_certificate_specs              = hiera('tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs', {}),
+  $neutron_certificate_specs          = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
+  $novnc_proxy_certificates_specs     = hiera('novnc_proxy_certificates_specs',{}),
+  $ceph_grafana_certificate_specs     = hiera('ceph_grafana_certificate_specs', {}),
+  $ovn_dbs_certificate_specs          = hiera('ovn_dbs_certificate_specs', {}),
+  $ovn_controller_certificate_specs   = hiera('ovn_controlle_rcertificate_specs', {}),
+  $ovn_metadata_certificate_specs     = hiera('ovn_metadata_certificate_specs', {}),
+  $neutron_ovn_certificate_specs      = hiera('neutron_ovn_certificate_specs', {}),
+  $novnc_proxy_postsave_cmd           = undef,
  # Deprecated
-  $haproxy_postsave_cmd       = undef,
-  $apache_postsave_cmd        = undef,
+  $haproxy_postsave_cmd               = undef,
+  $apache_postsave_cmd                = undef,
 ) {
  include ::certmonger

@ -260,5 +284,17 @@ class tripleo::profile::base::certmonger_user (
    unless empty($ceph_grafana_certificate_specs) {
      ensure_resource('class', 'tripleo::certmonger::ceph_grafana', $ceph_grafana_certificate_specs)
    }
+    unless empty($ovn_dbs_certificate_specs) {
+      ensure_resource('class', 'tripleo::certmonger::ovn_dbs', $ovn_dbs_certificate_specs)
+    }
+    unless empty($ovn_controller_certificate_specs) {
+      ensure_resource('class', 'tripleo::certmonger::ovn_controller', $ovn_controller_certificate_specs)
+    }
+    unless empty($ovn_metadata_certificate_specs) {
+      ensure_resource('class', 'tripleo::certmonger::ovn_metadata', $ovn_metadata_certificate_specs)
+    }
+    unless empty($neutron_ovn_certificate_specs) {
+      ensure_resource('class', 'tripleo::certmonger::neutron_ovn', $neutron_ovn_certificate_specs)
+    }
  }
 }
--- a/manifests/profile/base/neutron/agents/ovn.pp
+++ b/manifests/profile/base/neutron/agents/ovn.pp
@ -24,6 +24,10 @@
 #   (Optional) Port number on which southbound database is listening
 #   Defaults to hiera('ovn::southbound::port')
 #
+# [*protocol*]
+#   (optional) Protocol use in communication with dbs
+#   Defaults to tcp
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
@ -32,11 +36,12 @@
 class tripleo::profile::base::neutron::agents::ovn (
  $ovn_db_host    = hiera('ovn_dbs_vip'),
  $ovn_sbdb_port  = hiera('ovn::southbound::port'),
+  $protocol       = 'tcp',
  $step           = Integer(hiera('step'))
 ) {
  if $step >= 4 {
    class { '::ovn::controller':
-      ovn_remote     => join(['tcp', normalize_ip_for_uri($ovn_db_host), "${ovn_sbdb_port}"], ':'),
+      ovn_remote     => join([$protocol, normalize_ip_for_uri($ovn_db_host), "${ovn_sbdb_port}"], ':'),
    }
  }
 }
--- a/manifests/profile/base/neutron/ovn_metadata.pp
+++ b/manifests/profile/base/neutron/ovn_metadata.pp
@ -26,20 +26,45 @@
 #   (Optional) Port number on which southbound database is listening
 #   Defaults to hiera('ovn::southbound::port')
 #
+# [*ovn_sb_private_key*]
+#   (optional) The PEM file with private key for SSL connection to OVN-SB-DB
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_certificate*]
+#   (optional) The PEM file with certificate that certifies the
+#   private key specified in ovn_sb_private_key
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_ca_cert*]
+#   (optional) The PEM file with CA certificate that OVN should use to
+#   verify certificates presented to it by SSL peers
+#   Defaults to $::os_service_default
+#
+# [*protocol*]
+#   (optional) Protocol use in communication with dbs
+#   Defaults to tcp
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::neutron::ovn_metadata (
-  $ovn_db_host = hiera('ovn_dbs_vip'),
-  $ovn_sb_port = hiera('ovn::southbound::port'),
-  $step = Integer(hiera('step')),
+  $ovn_db_host             = hiera('ovn_dbs_vip'),
+  $ovn_sb_port             = hiera('ovn::southbound::port'),
+  $ovn_sb_private_key      = $::os_service_default,
+  $ovn_sb_certificate      = $::os_service_default,
+  $ovn_sb_ca_cert          = $::os_service_default,
+  $protocol                = 'tcp',
+  $step                    = Integer(hiera('step')),
 ) {
  if $step >= 4 {
    include ::tripleo::profile::base::neutron
    class { '::neutron::agents::ovn_metadata':
-        ovn_sb_connection => join(['tcp', normalize_ip_for_uri($ovn_db_host), "${ovn_sb_port}"], ':'),
+        ovn_sb_connection  => join(["${protocol}", normalize_ip_for_uri($ovn_db_host), "${ovn_sb_port}"], ':'),
+        ovn_sb_private_key => $ovn_sb_private_key,
+        ovn_sb_certificate => $ovn_sb_certificate,
+        ovn_sb_ca_cert     => $ovn_sb_ca_cert,
    }
    Service<| title == 'controller' |> -> Service<| title == 'ovn-metadata' |>
  }
--- a/manifests/profile/base/neutron/plugins/ml2/ovn.pp
+++ b/manifests/profile/base/neutron/plugins/ml2/ovn.pp
@ -28,21 +28,66 @@
 #   (Optional) Port number on which southbound database is listening
 #   Defaults to hiera('ovn::southbound::port')
 #
+# [*ovn_nb_private_key*]
+#   (optional) The PEM file with private key for SSL connection to OVN-NB-DB
+#   Defaults to $::os_service_default
+#
+# [*ovn_nb_certificate*]
+#   (optional) The PEM file with certificate that certifies the private
+#   key specified in ovn_nb_private_key
+#   Defaults to $::os_service_default
+#
+# [*ovn_nb_ca_cert*]
+#   (optional) The PEM file with CA certificate that OVN should use to
+#   verify certificates presented to it by SSL peers
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_private_key*]
+#   (optional) The PEM file with private key for SSL connection to OVN-SB-DB
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_certificate*]
+#   (optional) The PEM file with certificate that certifies the
+#   private key specified in ovn_sb_private_key
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_ca_cert*]
+#   (optional) The PEM file with CA certificate that OVN should use to
+#   verify certificates presented to it by SSL peers
+#   Defaults to $::os_service_default
+#
+# [*protocol*]
+#   (optional) Protocol use in communication with dbs
+#   Defaults to tcp
+#
 # [*step*]
 #   (Optional) The current step in deployment. See tripleo-heat-templates
 #   for more details.
 #   Defaults to hiera('step')
 #
 class tripleo::profile::base::neutron::plugins::ml2::ovn (
-  $ovn_db_host = hiera('ovn_dbs_vip'),
-  $ovn_nb_port = hiera('ovn::northbound::port'),
-  $ovn_sb_port = hiera('ovn::southbound::port'),
-  $step        = Integer(hiera('step'))
+  $ovn_db_host              = hiera('ovn_dbs_vip'),
+  $ovn_nb_port              = hiera('ovn::northbound::port'),
+  $ovn_sb_port              = hiera('ovn::southbound::port'),
+  $ovn_nb_private_key       = $::os_service_default,
+  $ovn_nb_certificate       = $::os_service_default,
+  $ovn_nb_ca_cert           = $::os_service_default,
+  $ovn_sb_private_key       = $::os_service_default,
+  $ovn_sb_certificate       = $::os_service_default,
+  $ovn_sb_ca_cert           = $::os_service_default,
+  $protocol                 = 'tcp',
+  $step                     = Integer(hiera('step'))
 ) {
  if $step >= 4 {
    class { '::neutron::plugins::ml2::ovn':
-      ovn_nb_connection => join(['tcp', normalize_ip_for_uri($ovn_db_host), "${ovn_nb_port}"], ':'),
-      ovn_sb_connection => join(['tcp', normalize_ip_for_uri($ovn_db_host), "${ovn_sb_port}"], ':'),
+      ovn_nb_connection  => join(["${protocol}", normalize_ip_for_uri($ovn_db_host), "${ovn_nb_port}"], ':'),
+      ovn_sb_connection  => join(["${protocol}", normalize_ip_for_uri($ovn_db_host), "${ovn_sb_port}"], ':'),
+      ovn_nb_private_key => $ovn_nb_private_key,
+      ovn_nb_certificate => $ovn_nb_certificate,
+      ovn_nb_ca_cert     => $ovn_nb_ca_cert,
+      ovn_sb_private_key => $ovn_sb_private_key,
+      ovn_sb_certificate => $ovn_sb_certificate,
+      ovn_sb_ca_cert     => $ovn_sb_ca_cert,
    }
  }
 }
--- a/manifests/profile/pacemaker/ovn_dbs_bundle.pp
+++ b/manifests/profile/pacemaker/ovn_dbs_bundle.pp
@ -60,6 +60,15 @@
 #   (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
 #   Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
+# [*enable_internal_tls*]
+#   (Optional) Whether TLS in the internal network is enabled or not.
+#   Defaults to hiera('enable_internal_tls', false)
+#
+# [*ca_file*]
+#   (Optional) The path to the CA file that will be used for the TLS
+#   configuration. It's only used if internal TLS is enabled.
+#   Defaults to undef
+#

 class tripleo::profile::pacemaker::ovn_dbs_bundle (
  $ovn_dbs_docker_image = hiera('tripleo::profile::pacemaker::ovn_dbs_bundle::ovn_dbs_docker_image', undef),
@ -72,6 +81,8 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
  $sb_db_port           = 6642,
  $container_backend    = 'docker',
  $tls_priorities       = hiera('tripleo::pacemaker::tls_priorities', undef),
+  $enable_internal_tls  = hiera('enable_internal_tls', false),
+  $ca_file              = undef,
 ) {

  if $::hostname == downcase($bootstrap_node) {
@ -86,7 +97,33 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
      $ovndb_servers_resource_name = 'ovndb_servers'
      $ovndb_servers_ocf_name      = 'ovn:ovndb-servers'
      $ovndb_vip_resource_name     = "ip-${ovn_dbs_vip}"
-
+      $storage_maps = {
+        'ovn-dbs-cfg-files' => {
+          'source-dir' => '/var/lib/kolla/config_files/ovn_dbs.json',
+          'target-dir' => '/var/lib/kolla/config_files/config.json',
+          'options'    => 'ro',
+        },
+        'ovn-dbs-mod-files' => {
+          'source-dir' => '/lib/modules',
+          'target-dir' => '/lib/modules',
+          'options'    => 'ro',
+        },
+        'ovn-dbs-run-files' => {
+          'source-dir' => '/var/lib/openvswitch/ovn',
+          'target-dir' => '/run/openvswitch',
+          'options'    => 'rw',
+        },
+        'ovn-dbs-log-files' => {
+          'source-dir' => '/var/log/containers/openvswitch',
+          'target-dir' => '/var/log/openvswitch',
+          'options'    => 'rw',
+        },
+        'ovn-dbs-db-path'   => {
+          'source-dir' => '/var/lib/openvswitch/ovn',
+          'target-dir' => '/etc/openvswitch',
+          'options'    => 'rw',
+        },
+      }
      $ovn_dbs_short_node_names = hiera('ovn_dbs_short_node_names')
      $ovn_dbs_nodes_count = count($ovn_dbs_short_node_names)
      $ovn_dbs_short_node_names.each |String $node_name| {
@ -99,6 +136,8 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
        }
      }
      $ovn_dbs_vip_norm = normalize_ip_for_uri($ovn_dbs_vip)
+      $resource_params = "master_ip=${ovn_dbs_vip_norm} nb_master_port=${nb_db_port} \
+sb_master_port=${sb_db_port} manage_northd=yes inactive_probe_interval=180000"
      $ovn_dbs_location_rule = {
        resource_discovery => 'exclusive',
        score              => 0,
@ -110,6 +149,33 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
        $tls_priorities_real = ''
      }

+      if $enable_internal_tls {
+        $ovn_storage_maps_tls = {
+          'ovn-dbs-pki-'  => {
+            'source-dir' => '/etc/pki/tls/private/ovn_dbs.key',
+            'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_dbs.key',
+            'options'    => 'ro',
+          },
+          'ovn-dbs-cert' => {
+            'source-dir' => '/etc/pki/tls/certs/ovn_dbs.crt',
+            'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_dbs.crt',
+            'options'    => 'ro',
+          },
+          'ovn-dbs-cacert' => {
+            'source-dir' => '/etc/pki/tls/certs/ovn_dbs.crt',
+            'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/cacert.pem',
+            'options'    => 'ro',
+          },
+        }
+        $tls_params = " ovn_nb_db_privkey=/etc/pki/tls/private/ovn_dbs.key  ovn_nb_db_cert=/etc/pki/tls/certs/ovn_dbs.crt \
+ovn_nb_db_cacert=${ca_file} ovn_sb_db_privkey=/etc/pki/tls/private/ovn_dbs.key  \
+ovn_sb_db_cert=/etc/pki/tls/certs/ovn_dbs.crt ovn_sb_db_cacert=${ca_file} \
+nb_master_protocol=ssl sb_master_protocol=ssl"
+      } else {
+        $tls_params = ''
+        $ovn_storage_maps_tls = {}
+      }
+      $resource_map = "${resource_params}${tls_params}"
      pacemaker::resource::bundle { 'ovn-dbs-bundle':
        image             => $ovn_dbs_docker_image,
        replicas          => $ovn_dbs_nodes_count,
@ -119,33 +185,7 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
        options           => "--log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
        run_command       => '/bin/bash /usr/local/bin/kolla_start',
        network           => "control-port=${ovn_dbs_control_port}",
-        storage_maps      => {
-          'ovn-dbs-cfg-files' => {
-            'source-dir' => '/var/lib/kolla/config_files/ovn_dbs.json',
-            'target-dir' => '/var/lib/kolla/config_files/config.json',
-            'options'    => 'ro',
-          },
-          'ovn-dbs-mod-files' => {
-            'source-dir' => '/lib/modules',
-            'target-dir' => '/lib/modules',
-            'options'    => 'ro',
-          },
-          'ovn-dbs-run-files' => {
-            'source-dir' => '/var/lib/openvswitch/ovn',
-            'target-dir' => '/run/openvswitch',
-            'options'    => 'rw',
-          },
-          'ovn-dbs-log-files' => {
-            'source-dir' => '/var/log/containers/openvswitch',
-            'target-dir' => '/var/log/openvswitch',
-            'options'    => 'rw',
-          },
-          'ovn-dbs-db-path'   => {
-            'source-dir' => '/var/lib/openvswitch/ovn',
-            'target-dir' => '/etc/openvswitch',
-            'options'    => 'rw',
-          },
-        },
+        storage_maps      => merge($storage_maps, $ovn_storage_maps_tls),
        container_backend => $container_backend,
        tries             => $pcs_tries,
      }
@ -154,8 +194,7 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
        ocf_agent_name  => "${ovndb_servers_ocf_name}",
        master_params   => '',
        op_params       => 'start timeout=200s stop timeout=200s',
-        resource_params => "master_ip=${ovn_dbs_vip_norm} nb_master_port=${nb_db_port} \
-sb_master_port=${sb_db_port} manage_northd=yes inactive_probe_interval=180000",
+        resource_params => $resource_map,
        tries           => $pcs_tries,
        location_rule   => $ovn_dbs_location_rule,
        meta_params     => 'notify=true container-attribute-target=host',
--- a/releasenotes/notes/ovn-ssl-298db2d617d7cc5e.yaml
+++ b/releasenotes/notes/ovn-ssl-298db2d617d7cc5e.yaml
@ -0,0 +1,16 @@
+---
+features:
+  - |
+    This patch introduces parameters which support SSL to connect to
+    OVN_Northbound DB and OVN_Southbound DB. This can be set by:
+    * 'ovn_nb_private_key': The PEM file with private key for SSL connection to OVN-NB-DB
+    * 'ovn_nb_certificate': The PEM file with certificate that certifies the private
+    key specified in ovn_nb_private_key
+    * 'ovn_nb_ca_cert': The PEM file with CA certificate that OVN should use to
+    verify certificates presented to it by SSL peers
+    * 'ovn_sb_private_key': The PEM file with private key for SSL connection to OVN-SB-DB,
+    * 'ovn_sb_certificate': The PEM file with certificate that certifies the
+    private key specified in ovn_sb_private_key'
+    * 'ovn_sb_ca_cert': The PEM file with CA certificate that OVN should use to
+    verify certificates presented to it by SSL peers
+    * 'protocol': Protocol use in communication with dbs
--- a/spec/classes/tripleo_certmonger_ovn_dbs.rb
+++ b/spec/classes/tripleo_certmonger_ovn_dbs.rb
@ -0,0 +1,60 @@
+#
+# Copyright (C) 2019 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+
+require 'spec_helper'
+
+describe 'tripleo::certmonger::ovn_dbs' do
+
+  shared_examples_for 'tripleo::certmonger::ovn_dbs' do
+    let :params do
+      {
+        :hostname            => 'localhost',
+        :service_certificate => '/etc/pki/cert.crt',
+        :service_key         => '/etc/pki/key.pem',
+      }
+    end
+
+    it 'should include the base for using certmonger' do
+      is_expected.to contain_class('certmonger')
+    end
+
+    it 'should request a certificate' do
+      is_expected.to contain_certmonger_certificate('ovn_dbs').with(
+        :ensure       => 'present',
+        :certfile     => '/etc/pki/cert.crt',
+        :keyfile      => '/etc/pki/key.pem',
+        :hostname     => 'localhost',
+        :dnsname      => 'localhost',
+        :ca           => 'local',
+        :wait         => true,
+      )
+      is_expected.to contain_file('/etc/pki/cert.crt')
+      is_expected.to contain_file('/etc/pki/key.pem')
+    end
+  end
+
+  on_supported_os.each do |os, facts|
+    context "on #{os}" do
+      let(:facts) do
+        facts.merge({})
+      end
+
+      it_behaves_like 'tripleo::certmonger::ovn_dbs'
+    end
+  end
+end