
Support connecting OVN DB over SSL

This patch introduces parameters which support using SSL to connect to
OVN_Northbound DB and OVN_Southbound DB.

Depends-On: https://review.opendev.org/#/c/674603/
Change-Id: I03bda5d2e36ab168079fc7e8be220c9a4e29e44f
Signed-off-by: Kamil Sambor <ksambor@redhat.com>
changes/49/674849/17
Kamil Sambor 2 years ago
parent
commit
f5bbc3ff85
  1. 70
      manifests/certmonger/neutron_ovn.pp
  2. 70
      manifests/certmonger/ovn_controller.pp
  3. 69
      manifests/certmonger/ovn_dbs.pp
  4. 70
      manifests/certmonger/ovn_metadata.pp
  5. 82
      manifests/profile/base/certmonger_user.pp
  6. 7
      manifests/profile/base/neutron/agents/ovn.pp
  7. 33
      manifests/profile/base/neutron/ovn_metadata.pp
  8. 57
      manifests/profile/base/neutron/plugins/ml2/ovn.pp
  9. 99
      manifests/profile/pacemaker/ovn_dbs_bundle.pp
  10. 16
      releasenotes/notes/ovn-ssl-298db2d617d7cc5e.yaml
  11. 60
      spec/classes/tripleo_certmonger_ovn_dbs.rb

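--- a/manifests/certmonger/neutron_ovn.pp
+++ b/manifests/certmonger/neutron_ovn.pp
@@ -0,0 +1,70 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::neutron_ovn
+#
+# Request a certificate for the ovn_controller service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+# (Optional) The haproxy service principal that is set for neutron in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::neutron_ovn (
+$hostname,
+$service_certificate,
+$service_key,
+$certmonger_ca = hiera('certmonger_ca', 'local'),
+$postsave_cmd = undef,
+$principal = undef,
+) {
+include ::certmonger
+certmonger_certificate { 'neutron_ovn' :
+ensure => 'present',
+certfile => $service_certificate,
+keyfile => $service_key,
+hostname => $hostname,
+dnsname => $hostname,
+principal => $principal,
+postsave_cmd => $postsave_cmd,
+ca => $certmonger_ca,
+wait => true,
+require => Class['::certmonger'],
+}
+file { $service_certificate :
+require => Certmonger_certificate['neutron_ovn']
+}
+file { $service_key :
+require => Certmonger_certificate['neutron_ovn']
+}
+}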
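Review bot: The class header line `# Request a certificate for the ovn_controller service and do the necessary setup.` describes ovn_controller, not this class; change it to `# Request a certificate for the neutron_ovn service and do the necessary setup.`. The same copied sentence appears in certmonger/ovn_metadata.pp in this commit, and all four new certmonger classes document [*principal*] as "The haproxy service principal that is set for neutron in kerberos", which presumably should name the service each class actually covers — confirm against how the principal is consumed by the certmonger_certificate type.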

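--- a/manifests/certmonger/ovn_controller.pp
+++ b/manifests/certmonger/ovn_controller.pp
@@ -0,0 +1,70 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ovn_controller
+#
+# Request a certificate for the ovn_controller service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+# (Optional) The haproxy service principal that is set for neutron in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::ovn_controller (
+$hostname,
+$service_certificate,
+$service_key,
+$certmonger_ca = hiera('certmonger_ca', 'local'),
+$postsave_cmd = undef,
+$principal = undef,
+) {
+include ::certmonger
+certmonger_certificate { 'ovn_clients' :
+ensure => 'present',
+certfile => $service_certificate,
+keyfile => $service_key,
+hostname => $hostname,
+dnsname => $hostname,
+principal => $principal,
+postsave_cmd => $postsave_cmd,
+ca => $certmonger_ca,
+wait => true,
+require => Class['::certmonger'],
+}
+file { $service_certificate :
+require => Certmonger_certificate['ovn_controller']
+}
+file { $service_key :
+require => Certmonger_certificate['ovn_controller']
+}
+}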
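Review bot: The certmonger_certificate resource is titled 'ovn_clients' while both file resources below it require Certmonger_certificate['ovn_controller'], which does not exist in the catalog, so any node that includes this class fails at compile time with a missing-dependency error. Either retitle the resource, `certmonger_certificate { 'ovn_controller' :`, or point the two `require` lines at 'ovn_clients'; the former matches the naming used by the other three certmonger classes in this commit. The [*principal*] doc also still reads "haproxy service principal that is set for neutron", copied from the neutron class.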

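--- a/manifests/certmonger/ovn_dbs.pp
+++ b/manifests/certmonger/ovn_dbs.pp
@@ -0,0 +1,69 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ovn_sbdb
+#
+# Request a certificate for the ovn_sbdb service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+# (Optional) The haproxy service principal that is set for neutron in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::ovn_dbs (
+$hostname,
+$service_certificate,
+$service_key,
+$certmonger_ca = hiera('certmonger_ca', 'local'),
+$postsave_cmd = undef,
+$principal = undef,
+) {
+include ::certmonger
+certmonger_certificate { 'ovn_dbs' :
+ensure => 'present',
+certfile => $service_certificate,
+keyfile => $service_key,
+hostname => $hostname,
+dnsname => $hostname,
+principal => $principal,
+postsave_cmd => $postsave_cmd,
+ca => $certmonger_ca,
+wait => true,
+require => Class['::certmonger'],
+}
+file { $service_certificate :
+require => Certmonger_certificate['ovn_dbs']
+}
+file { $service_key :
+require => Certmonger_certificate['ovn_dbs']
+}
+}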
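Review bot: The header names the class tripleo::certmonger::ovn_sbdb and says it serves the ovn_sbdb service, but the class declared below is tripleo::certmonger::ovn_dbs and the bundle changes in this commit use its one key/cert pair for both the NB and SB databases; change the two lines to `# == Class: tripleo::certmonger::ovn_dbs` and `# Request a certificate for the ovn_dbs (OVN NB and SB database) service and do the necessary setup.`. The `file { $service_key : ... }` resource only adds an ordering dependency and sets no owner or mode; presumably the private key is meant to stay readable only by the account that runs the OVN DB container — confirm against how the sibling certmonger classes in this module handle their key files.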

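--- a/manifests/certmonger/ovn_metadata.pp
+++ b/manifests/certmonger/ovn_metadata.pp
@@ -0,0 +1,70 @@
+# Copyright 2019 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ovn_metadata
+#
+# Request a certificate for the ovn_controller service and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+#
+# [*principal*]
+# (Optional) The haproxy service principal that is set for neutron in kerberos.
+# Defaults to undef
+#
+class tripleo::certmonger::ovn_metadata (
+$hostname,
+$service_certificate,
+$service_key,
+$certmonger_ca = hiera('certmonger_ca', 'local'),
+$postsave_cmd = undef,
+$principal = undef,
+) {
+include ::certmonger
+certmonger_certificate { 'ovn_metadata' :
+ensure => 'present',
+certfile => $service_certificate,
+keyfile => $service_key,
+hostname => $hostname,
+dnsname => $hostname,
+principal => $principal,
+postsave_cmd => $postsave_cmd,
+ca => $certmonger_ca,
+wait => true,
+require => Class['::certmonger'],
+}
+file { $service_certificate :
+require => Certmonger_certificate['ovn_metadata']
+}
+file { $service_key :
+require => Certmonger_certificate['ovn_metadata']
+}
+}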

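--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -137,6 +137,26 @@
 # certificate is renewed.
 # Defaults to undef
 #
+# [*ovn_dbs_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('ovn_dbs_certificate_specs', {})
+#
+# [*ovn_controller_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('ovn_controller_certificate_specs', {})
+#
+# [*ovn_metadata_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('ovn_metadata_certificate_specs', {})
+#
+# [*neutron_ovn_certificate_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('neutron_ovn_certificate_specs', {})
+#
 # === Deprecated
 #
 # [*haproxy_postsave_cmd*]
@@ -150,30 +170,34 @@
 # Defaults to undef
 #
 class tripleo::profile::base::certmonger_user (
-$step = Integer(hiera('step')),
-$certmonger_ca = hiera('certmonger_ca', 'local'),
-$apache_certificates_specs = hiera('apache_certificates_specs', {}),
-$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
-$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
-$libvirt_postsave_cmd = undef,
-$libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
-$libvirt_vnc_postsave_cmd = undef,
-$qemu_certificates_specs = hiera('qemu_certificates_specs', {}),
-$qemu_postsave_cmd = undef,
-$qdr_certificate_specs = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
-$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
-$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
-$redis_certificate_specs = hiera('redis_certificate_specs', {}),
-$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
-$odl_certificate_specs = hiera('tripleo::profile::base::neutron::opendaylight::certificate_specs', {}),
-$ovs_certificate_specs = hiera('tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs', {}),
-$neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
-$novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
-$ceph_grafana_certificate_specs = hiera('ceph_grafana_certificate_specs', {}),
-$novnc_proxy_postsave_cmd = undef,
+$step = Integer(hiera('step')),
+$certmonger_ca = hiera('certmonger_ca', 'local'),
+$apache_certificates_specs = hiera('apache_certificates_specs', {}),
+$haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+$libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
+$libvirt_postsave_cmd = undef,
+$libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
+$libvirt_vnc_postsave_cmd = undef,
+$qemu_certificates_specs = hiera('qemu_certificates_specs', {}),
+$qemu_postsave_cmd = undef,
+$qdr_certificate_specs = hiera('tripleo::profile::base::metrics::qdr::certificate_specs', {}),
+$mysql_certificate_specs = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
+$rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
+$redis_certificate_specs = hiera('redis_certificate_specs', {}),
+$etcd_certificate_specs = hiera('tripleo::profile::base::etcd::certificate_specs', {}),
+$odl_certificate_specs = hiera('tripleo::profile::base::neutron::opendaylight::certificate_specs', {}),
+$ovs_certificate_specs = hiera('tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs', {}),
+$neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
+$novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
+$ceph_grafana_certificate_specs = hiera('ceph_grafana_certificate_specs', {}),
+$ovn_dbs_certificate_specs = hiera('ovn_dbs_certificate_specs', {}),
+$ovn_controller_certificate_specs = hiera('ovn_controlle_rcertificate_specs', {}),
+$ovn_metadata_certificate_specs = hiera('ovn_metadata_certificate_specs', {}),
+$neutron_ovn_certificate_specs = hiera('neutron_ovn_certificate_specs', {}),
+$novnc_proxy_postsave_cmd = undef,
 # Deprecated
-$haproxy_postsave_cmd = undef,
-$apache_postsave_cmd = undef,
+$haproxy_postsave_cmd = undef,
+$apache_postsave_cmd = undef,
 ) {
 include ::certmonger
@@ -260,5 +284,17 @@ class tripleo::profile::base::certmonger_user (
 unless empty($ceph_grafana_certificate_specs) {
 ensure_resource('class', 'tripleo::certmonger::ceph_grafana', $ceph_grafana_certificate_specs)
 }
+unless empty($ovn_dbs_certificate_specs) {
+ensure_resource('class', 'tripleo::certmonger::ovn_dbs', $ovn_dbs_certificate_specs)
+}
+unless empty($ovn_controller_certificate_specs) {
+ensure_resource('class', 'tripleo::certmonger::ovn_controller', $ovn_controller_certificate_specs)
+}
+unless empty($ovn_metadata_certificate_specs) {
+ensure_resource('class', 'tripleo::certmonger::ovn_metadata', $ovn_metadata_certificate_specs)
+}
+unless empty($neutron_ovn_certificate_specs) {
+ensure_resource('class', 'tripleo::certmonger::neutron_ovn', $neutron_ovn_certificate_specs)
+}
 }
 }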
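Review bot: The hiera key in the default of `$ovn_controller_certificate_specs` is misspelled, `hiera('ovn_controlle_rcertificate_specs', {})`, whereas the parameter doc added in the first hunk says `hiera('ovn_controller_certificate_specs', {})`. With the wrong key the lookup always returns {}, so the `unless empty($ovn_controller_certificate_specs)` branch in the last hunk never fires and a deployment that sets the documented key silently gets no certificate for ovn-controller, which only shows up later as a failed SSL connection. Change the default to `$ovn_controller_certificate_specs = hiera('ovn_controller_certificate_specs', {}),`.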

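--- a/manifests/profile/base/neutron/agents/ovn.pp
+++ b/manifests/profile/base/neutron/agents/ovn.pp
@@ -24,6 +24,10 @@
 # (Optional) Port number on which southbound database is listening
 # Defaults to hiera('ovn::southbound::port')
 #
+# [*protocol*]
+# (optional) Protocol use in communication with dbs
+# Defaults to tcp
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
@@ -32,11 +36,12 @@
 class tripleo::profile::base::neutron::agents::ovn (
 $ovn_db_host = hiera('ovn_dbs_vip'),
 $ovn_sbdb_port = hiera('ovn::southbound::port'),
+$protocol = 'tcp',
 $step = Integer(hiera('step'))
 ) {
 if $step >= 4 {
 class { '::ovn::controller':
-ovn_remote => join(['tcp', normalize_ip_for_uri($ovn_db_host), "${ovn_sbdb_port}"], ':'),
+ovn_remote => join([$protocol, normalize_ip_for_uri($ovn_db_host), "${ovn_sbdb_port}"], ':'),
 }
 }
 }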
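Review bot: `$protocol = 'tcp'` is untyped, so any string becomes the scheme of ovn_remote and a typo is only discovered when ovn-controller fails to connect; restricting it to the two remote schemes the OVSDB clients accept, `Enum['tcp', 'ssl'] $protocol = 'tcp',`, turns that into a catalog compile error (the same applies to the $protocol parameter added in ovn_metadata.pp and plugins/ml2/ovn.pp in this commit, and the file already uses Puppet 4 typing via Integer(hiera('step'))). Also, with protocol 'ssl' the second hunk only rewrites the remote string; nothing here hands ::ovn::controller a key, certificate or CA for that connection, so presumably the ovn_controller certmonger certificate still needs to be wired into the controller's SSL settings — confirm in the follow-up or the tripleo-heat-templates side.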

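--- a/manifests/profile/base/neutron/ovn_metadata.pp
+++ b/manifests/profile/base/neutron/ovn_metadata.pp
@@ -26,20 +26,45 @@
 # (Optional) Port number on which southbound database is listening
 # Defaults to hiera('ovn::southbound::port')
 #
+# [*ovn_sb_private_key*]
+# (optional) The PEM file with private key for SSL connection to OVN-SB-DB
+# Defaults to $::os_service_default
+#
+# [*ovn_sb_certificate*]
+# (optional) The PEM file with certificate that certifies the
+# private key specified in ovn_sb_private_key
+# Defaults to $::os_service_default
+#
+# [*ovn_sb_ca_cert*]
+# (optional) The PEM file with CA certificate that OVN should use to
+# verify certificates presented to it by SSL peers
+# Defaults to $::os_service_default
+#
+# [*protocol*]
+# (optional) Protocol use in communication with dbs
+# Defaults to tcp
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
 # Defaults to hiera('step')
 #
 class tripleo::profile::base::neutron::ovn_metadata (
-$ovn_db_host = hiera('ovn_dbs_vip'),
-$ovn_sb_port = hiera('ovn::southbound::port'),
-$step = Integer(hiera('step')),
+$ovn_db_host = hiera('ovn_dbs_vip'),
+$ovn_sb_port = hiera('ovn::southbound::port'),
+$ovn_sb_private_key = $::os_service_default,
+$ovn_sb_certificate = $::os_service_default,
+$ovn_sb_ca_cert = $::os_service_default,
+$protocol = 'tcp',
+$step = Integer(hiera('step')),
 ) {
 if $step >= 4 {
 include ::tripleo::profile::base::neutron
 class { '::neutron::agents::ovn_metadata':
-ovn_sb_connection => join(['tcp', normalize_ip_for_uri($ovn_db_host), "${ovn_sb_port}"], ':'),
+ovn_sb_connection => join(["${protocol}", normalize_ip_for_uri($ovn_db_host), "${ovn_sb_port}"], ':'),
+ovn_sb_private_key => $ovn_sb_private_key,
+ovn_sb_certificate => $ovn_sb_certificate,
+ovn_sb_ca_cert => $ovn_sb_ca_cert,
 }
 Service<| title == 'controller' |> -> Service<| title == 'ovn-metadata' |>
 }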

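--- a/manifests/profile/base/neutron/plugins/ml2/ovn.pp
+++ b/manifests/profile/base/neutron/plugins/ml2/ovn.pp
@@ -28,21 +28,66 @@
 # (Optional) Port number on which southbound database is listening
 # Defaults to hiera('ovn::southbound::port')
 #
+# [*ovn_nb_private_key*]
+# (optional) The PEM file with private key for SSL connection to OVN-NB-DB
+# Defaults to $::os_service_default
+#
+# [*ovn_nb_certificate*]
+# (optional) The PEM file with certificate that certifies the private
+# key specified in ovn_nb_private_key
+# Defaults to $::os_service_default
+#
+# [*ovn_nb_ca_cert*]
+# (optional) The PEM file with CA certificate that OVN should use to
+# verify certificates presented to it by SSL peers
+# Defaults to $::os_service_default
+#
+# [*ovn_sb_private_key*]
+# (optional) The PEM file with private key for SSL connection to OVN-SB-DB
+# Defaults to $::os_service_default
+#
+# [*ovn_sb_certificate*]
+# (optional) The PEM file with certificate that certifies the
+# private key specified in ovn_sb_private_key
+# Defaults to $::os_service_default
+#
+# [*ovn_sb_ca_cert*]
+# (optional) The PEM file with CA certificate that OVN should use to
+# verify certificates presented to it by SSL peers
+# Defaults to $::os_service_default
+#
+# [*protocol*]
+# (optional) Protocol use in communication with dbs
+# Defaults to tcp
+#
 # [*step*]
 # (Optional) The current step in deployment. See tripleo-heat-templates
 # for more details.
 # Defaults to hiera('step')
 #
 class tripleo::profile::base::neutron::plugins::ml2::ovn (
-$ovn_db_host = hiera('ovn_dbs_vip'),
-$ovn_nb_port = hiera('ovn::northbound::port'),
-$ovn_sb_port = hiera('ovn::southbound::port'),
-$step = Integer(hiera('step'))
+$ovn_db_host = hiera('ovn_dbs_vip'),
+$ovn_nb_port = hiera('ovn::northbound::port'),
+$ovn_sb_port = hiera('ovn::southbound::port'),
+$ovn_nb_private_key = $::os_service_default,
+$ovn_nb_certificate = $::os_service_default,
+$ovn_nb_ca_cert = $::os_service_default,
+$ovn_sb_private_key = $::os_service_default,
+$ovn_sb_certificate = $::os_service_default,
+$ovn_sb_ca_cert = $::os_service_default,
+$protocol = 'tcp',
+$step = Integer(hiera('step'))
 ) {
 if $step >= 4 {
 class { '::neutron::plugins::ml2::ovn':
-ovn_nb_connection => join(['tcp', normalize_ip_for_uri($ovn_db_host), "${ovn_nb_port}"], ':'),
-ovn_sb_connection => join(['tcp', normalize_ip_for_uri($ovn_db_host), "${ovn_sb_port}"], ':'),
+ovn_nb_connection => join(["${protocol}", normalize_ip_for_uri($ovn_db_host), "${ovn_nb_port}"], ':'),
+ovn_sb_connection => join(["${protocol}", normalize_ip_for_uri($ovn_db_host), "${ovn_sb_port}"], ':'),
+ovn_nb_private_key => $ovn_nb_private_key,
+ovn_nb_certificate => $ovn_nb_certificate,
+ovn_nb_ca_cert => $ovn_nb_ca_cert,
+ovn_sb_private_key => $ovn_sb_private_key,
+ovn_sb_certificate => $ovn_sb_certificate,
+ovn_sb_ca_cert => $ovn_sb_ca_cert,
 }
 }
 }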
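Review bot: The two connection lines wrap a bare variable in a string, `"${protocol}"`, which puppet-lint flags as only_variable_string and which agents/ovn.pp in this same commit writes as the plain `$protocol`; use `join([$protocol, normalize_ip_for_uri($ovn_db_host), "${ovn_nb_port}"], ':')` here and in the ovn_sb_connection line (ovn_metadata.pp has the same form). The [*protocol*] doc line `# (optional) Protocol use in communication with dbs` should read `# (optional) Protocol used to connect to the OVN databases, 'tcp' or 'ssl'` so the accepted values are visible without reading the code; the same doc block is repeated in agents/ovn.pp and ovn_metadata.pp.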

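--- a/manifests/profile/pacemaker/ovn_dbs_bundle.pp
+++ b/manifests/profile/pacemaker/ovn_dbs_bundle.pp
@@ -60,6 +60,15 @@
 # (optional) Sets PCMK_tls_priorities in /etc/sysconfig/pacemaker when set
 # Defaults to hiera('tripleo::pacemaker::tls_priorities', undef)
 #
+# [*enable_internal_tls*]
+# (Optional) Whether TLS in the internal network is enabled or not.
+# Defaults to hiera('enable_internal_tls', false)
+#
+# [*ca_file*]
+# (Optional) The path to the CA file that will be used for the TLS
+# configuration. It's only used if internal TLS is enabled.
+# Defaults to undef
+#
 class tripleo::profile::pacemaker::ovn_dbs_bundle (
 $ovn_dbs_docker_image = hiera('tripleo::profile::pacemaker::ovn_dbs_bundle::ovn_dbs_docker_image', undef),
@@ -72,6 +81,8 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
 $sb_db_port = 6642,
 $container_backend = 'docker',
 $tls_priorities = hiera('tripleo::pacemaker::tls_priorities', undef),
+$enable_internal_tls = hiera('enable_internal_tls', false),
+$ca_file = undef,
 ) {
 if $::hostname == downcase($bootstrap_node) {
@@ -86,7 +97,33 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
 $ovndb_servers_resource_name = 'ovndb_servers'
 $ovndb_servers_ocf_name = 'ovn:ovndb-servers'
 $ovndb_vip_resource_name = "ip-${ovn_dbs_vip}"
+$storage_maps = {
+'ovn-dbs-cfg-files' => {
+'source-dir' => '/var/lib/kolla/config_files/ovn_dbs.json',
+'target-dir' => '/var/lib/kolla/config_files/config.json',
+'options' => 'ro',
+},
+'ovn-dbs-mod-files' => {
+'source-dir' => '/lib/modules',
+'target-dir' => '/lib/modules',
+'options' => 'ro',
+},
+'ovn-dbs-run-files' => {
+'source-dir' => '/var/lib/openvswitch/ovn',
+'target-dir' => '/run/openvswitch',
+'options' => 'rw',
+},
+'ovn-dbs-log-files' => {
+'source-dir' => '/var/log/containers/openvswitch',
+'target-dir' => '/var/log/openvswitch',
+'options' => 'rw',
+},
+'ovn-dbs-db-path' => {
+'source-dir' => '/var/lib/openvswitch/ovn',
+'target-dir' => '/etc/openvswitch',
+'options' => 'rw',
+},
+}
 $ovn_dbs_short_node_names = hiera('ovn_dbs_short_node_names')
 $ovn_dbs_nodes_count = count($ovn_dbs_short_node_names)
 $ovn_dbs_short_node_names.each |String $node_name| {
@@ -99,6 +136,8 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
 }
 }
 $ovn_dbs_vip_norm = normalize_ip_for_uri($ovn_dbs_vip)
+$resource_params = "master_ip=${ovn_dbs_vip_norm} nb_master_port=${nb_db_port} \
+sb_master_port=${sb_db_port} manage_northd=yes inactive_probe_interval=180000"
 $ovn_dbs_location_rule = {
 resource_discovery => 'exclusive',
 score => 0,
@@ -110,6 +149,33 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
 $tls_priorities_real = ''
 }
+if $enable_internal_tls {
+$ovn_storage_maps_tls = {
+'ovn-dbs-pki-' => {
+'source-dir' => '/etc/pki/tls/private/ovn_dbs.key',
+'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/ovn_dbs.key',
+'options' => 'ro',
+},
+'ovn-dbs-cert' => {
+'source-dir' => '/etc/pki/tls/certs/ovn_dbs.crt',
+'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/ovn_dbs.crt',
+'options' => 'ro',
+},
+'ovn-dbs-cacert' => {
+'source-dir' => '/etc/pki/tls/certs/ovn_dbs.crt',
+'target-dir' => '/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/cacert.pem',
+'options' => 'ro',
+},
+}
+$tls_params = " ovn_nb_db_privkey=/etc/pki/tls/private/ovn_dbs.key ovn_nb_db_cert=/etc/pki/tls/certs/ovn_dbs.crt \
+ovn_nb_db_cacert=${ca_file} ovn_sb_db_privkey=/etc/pki/tls/private/ovn_dbs.key \
+ovn_sb_db_cert=/etc/pki/tls/certs/ovn_dbs.crt ovn_sb_db_cacert=${ca_file} \
+nb_master_protocol=ssl sb_master_protocol=ssl"
+} else {
+$tls_params = ''
+$ovn_storage_maps_tls = {}
+}
+$resource_map = "${resource_params}${tls_params}"
 pacemaker::resource::bundle { 'ovn-dbs-bundle':
 image => $ovn_dbs_docker_image,
 replicas => $ovn_dbs_nodes_count,
@@ -119,33 +185,7 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
 options => "--log-driver=journald -e KOLLA_CONFIG_STRATEGY=COPY_ALWAYS${tls_priorities_real}",
 run_command => '/bin/bash /usr/local/bin/kolla_start',
 network => "control-port=${ovn_dbs_control_port}",
-storage_maps => {
-'ovn-dbs-cfg-files' => {
-'source-dir' => '/var/lib/kolla/config_files/ovn_dbs.json',
-'target-dir' => '/var/lib/kolla/config_files/config.json',
-'options' => 'ro',
-},
-'ovn-dbs-mod-files' => {
-'source-dir' => '/lib/modules',
-'target-dir' => '/lib/modules',
-'options' => 'ro',
-},
-'ovn-dbs-run-files' => {
-'source-dir' => '/var/lib/openvswitch/ovn',
-'target-dir' => '/run/openvswitch',
-'options' => 'rw',
-},
-'ovn-dbs-log-files' => {
-'source-dir' => '/var/log/containers/openvswitch',
-'target-dir' => '/var/log/openvswitch',
-'options' => 'rw',
-},
-'ovn-dbs-db-path' => {
-'source-dir' => '/var/lib/openvswitch/ovn',
-'target-dir' => '/etc/openvswitch',
-'options' => 'rw',
-},
-},
+storage_maps => merge($storage_maps, $ovn_storage_maps_tls),
 container_backend => $container_backend,
 tries => $pcs_tries,
 }
@@ -154,8 +194,7 @@ class tripleo::profile::pacemaker::ovn_dbs_bundle (
 ocf_agent_name => "${ovndb_servers_ocf_name}",
 master_params => '',
 op_params => 'start timeout=200s stop timeout=200s',
-resource_params => "master_ip=${ovn_dbs_vip_norm} nb_master_port=${nb_db_port} \
-sb_master_port=${sb_db_port} manage_northd=yes inactive_probe_interval=180000",
+resource_params => $resource_map,
 tries => $pcs_tries,
 location_rule => $ovn_dbs_location_rule,
 meta_params => 'notify=true container-attribute-target=host',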
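Review bot: In the `if $enable_internal_tls` hunk the 'ovn-dbs-cacert' storage map mounts '/etc/pki/tls/certs/ovn_dbs.crt' — the service certificate that 'ovn-dbs-cert' already maps — as the container's cacert.pem, while the resource parameters point ovn_nb_db_cacert and ovn_sb_db_cacert at ${ca_file}; so the CA the agent is told to verify peers against is not the file this hunk actually mounts. Presumably the source should be the CA path, `'source-dir' => $ca_file,` — confirm against the ca_file value tripleo-heat-templates passes in. `$ca_file` also defaults to undef while `$enable_internal_tls` can be true, which silently yields an empty `ovn_nb_db_cacert=` in $tls_params; a guard such as `if $enable_internal_tls and !$ca_file { fail('ca_file is required when enable_internal_tls is true') }` before building $ovn_storage_maps_tls surfaces that at catalog time. The 'ovn-dbs-pki-' key carries a stray trailing dash next to 'ovn-dbs-cert' and 'ovn-dbs-cacert'; `'ovn-dbs-key'` would match its siblings.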

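--- a/releasenotes/notes/ovn-ssl-298db2d617d7cc5e.yaml
+++ b/releasenotes/notes/ovn-ssl-298db2d617d7cc5e.yaml
@@ -0,0 +1,16 @@
+---
+features:
+- |
+This patch introduces parameters which support SSL to connect to
+OVN_Northbound DB and OVN_Southbound DB. This can be set by:
+* 'ovn_nb_private_key': The PEM file with private key for SSL connection to OVN-NB-DB
+* 'ovn_nb_certificate': The PEM file with certificate that certifies the private
+key specified in ovn_nb_private_key
+* 'ovn_nb_ca_cert': The PEM file with CA certificate that OVN should use to
+verify certificates presented to it by SSL peers
+* 'ovn_sb_private_key': The PEM file with private key for SSL connection to OVN-SB-DB,
+* 'ovn_sb_certificate': The PEM file with certificate that certifies the
+private key specified in ovn_sb_private_key'
+* 'ovn_sb_ca_cert': The PEM file with CA certificate that OVN should use to
+verify certificates presented to it by SSL peers
+* 'protocol': Protocol use in communication with dbs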

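--- a/spec/classes/tripleo_certmonger_ovn_dbs.rb
+++ b/spec/classes/tripleo_certmonger_ovn_dbs.rb
@@ -0,0 +1,60 @@
+#
+# Copyright (C) 2019 Red Hat Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# Unit tests for tripleo
+#
+require 'spec_helper'
+describe 'tripleo::certmonger::ovn_dbs' do
+shared_examples_for 'tripleo::certmonger::ovn_dbs' do
+let :params do
+{
+:hostname => 'localhost',
+:service_certificate => '/etc/pki/cert.crt',
+:service_key => '/etc/pki/key.pem',
+}
+end
+it 'should include the base for using certmonger' do
+is_expected.to contain_class('certmonger')
+end
+it 'should request a certificate' do
+is_expected.to contain_certmonger_certificate('ovn_dbs').with(
+:ensure => 'present',
+:certfile => '/etc/pki/cert.crt',
+:keyfile => '/etc/pki/key.pem',
+:hostname => 'localhost',
+:dnsname => 'localhost',
+:ca => 'local',
+:wait => true,
+)
+is_expected.to contain_file('/etc/pki/cert.crt')
+is_expected.to contain_file('/etc/pki/key.pem')
+end
+end
+on_supported_os.each do |os, facts|
+context "on #{os}" do
+let(:facts) do
+facts.merge({})
+end
+it_behaves_like 'tripleo::certmonger::ovn_dbs'
+end
+end
+end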
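Review bot: Only tripleo::certmonger::ovn_dbs gets a spec; the three other classes this commit introduces (ovn_controller, ovn_metadata, neutron_ovn) are untested, and a copy of this file for ovn_controller would already fail to compile its catalog, because that class titles its certmonger_certificate 'ovn_clients' while its file resources require Certmonger_certificate['ovn_controller']. Adding the three sibling specs, each asserting `contain_certmonger_certificate('<class name>')` plus the two contain_file expectations, is the cheapest way to keep the four copy-pasted classes in sync. The spec could also pin `:principal` and `:postsave_cmd` to nil here so a future default change is caught.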