diff --git a/docker/services/neutron-dhcp.yaml b/docker/services/neutron-dhcp.yaml
index 790ae5ac8b..62ac9d5e67 100644
--- a/docker/services/neutron-dhcp.yaml
+++ b/docker/services/neutron-dhcp.yaml
@@ -36,6 +36,18 @@ parameters:
 default: {}
 description: Parameters specific to the role
 type: json
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
+
+conditions:
+
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 resources:
@@ -64,6 +76,10 @@ outputs:
 map_merge:
 - get_attr: [NeutronBase, role_data, config_settings]
 - get_attr: [NeutronLogging, config_settings]
+ - if:
+ - internal_tls_enabled
+ - tripleo::certmonger::neutron::postsave_cmd: "true" # TODO: restart the container here
+ - {}
 logging_source: {get_attr: [NeutronBase, role_data, logging_source]}
 logging_groups: {get_attr: [NeutronBase, role_data, logging_groups]}
 service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]}
@@ -110,8 +126,21 @@ outputs:
 - /lib/modules:/lib/modules:ro
 - /run/openvswitch:/run/openvswitch
 - /var/lib/neutron:/var/lib/neutron
+ -
+ if:
+ - internal_tls_enabled
+ - - /etc/pki/tls/certs/neutron.crt:/etc/pki/tls/certs/neutron.crt:ro
+ - /etc/pki/tls/private/neutron.key:/etc/pki/tls/private/neutron.key:ro
+ - list_join:
+ - ':'
+ - - {get_param: InternalTLSCAFile}
+ - {get_param: InternalTLSCAFile}
+ - 'ro'
+ - null
 environment:
 - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
 host_prep_tasks:
 list_concat:
 - {get_attr: [NeutronLogging, host_prep_tasks]}
diff --git a/puppet/services/neutron-base.yaml b/puppet/services/neutron-base.yaml
index e8515c5389..c92dfc0ec3 100644
--- a/puppet/services/neutron-base.yaml
+++ b/puppet/services/neutron-base.yaml
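Review bot: The certmonger post-save hook in the `internal_tls_enabled` branch of the `map_merge` is the no-op `tripleo::certmonger::neutron::postsave_cmd: "true"`, so when certmonger renews the certificate and key on the host, the running neutron_dhcp container keeps the copies it opened at start until something else restarts it. The TODO acknowledges the restart is missing, but nothing in the change records the consequence: the agent's OVSDB TLS session will presumably start failing at the old certificate's expiry instead of rolling over, and the failure will look unrelated to renewal. At minimum the comment should state that, e.g. `# TODO: restart the container here; until then a renewed cert/key is not picked up by the running agent`. If the deployment tooling exposes a container restart command, wiring it in here closes the gap.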
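Review bot: The added volume `if` yields a nested list when `internal_tls_enabled` is true and `null` otherwise, which is only sound if the `if` is a direct argument of the enclosing `list_concat` (which concatenates its list arguments, assuming it tolerates a null one) rather than an element of the inner volume list where the surrounding `/var/lib/neutron` context line sits. Indentation is lost in this view, so the placement may already be right, but if the `if` is nested inside the inner list the container receives a nested list or a literal null volume entry. Writing it as `- if:` at the same level as the other `list_concat` items, matching the `- {get_attr: ...}` shape used for `host_prep_tasks` below, makes the intent unambiguous. Mounting the certificate, key and CA file `:ro` is the right call and should stay.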
@@ -113,10 +113,14 @@ parameters:
 description: Driver or drivers to handle sending notifications.
 constraints:
 - allowed_values: [ 'messagingv2', 'noop' ]
+ EnableInternalTLS:
+ type: boolean
+ default: false
 conditions:
 dhcp_agents_zero: {equals : [{get_param: NeutronDhcpAgentsPerNetwork}, 0]}
 service_debug_unset: {equals : [{get_param: NeutronDebug}, '']}
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 outputs:
 role_data:
@@ -152,3 +156,28 @@ outputs:
 - dhcp_agents_zero
 - {}
 - tripleo::profile::base::neutron::dhcp_agents_per_network: {get_param: NeutronDhcpAgentsPerNetwork}
+ - if:
+ - internal_tls_enabled
+ - generate_service_certificates: true
+ tripleo::profile::base::neutron::certificate_specs:
+ service_certificate: '/etc/pki/tls/certs/neutron.crt'
+ service_key: '/etc/pki/tls/private/neutron.key'
+ hostname:
+ str_replace:
+ template: "%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+ principal:
+ str_replace:
+ template: "neutron/%{hiera('fqdn_NETWORK')}"
+ params:
+ NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+ - null
+ metadata_settings:
+ if:
+ - internal_tls_enabled
+ -
+ - service: neutron
+ network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
+ type: node
+ - null
diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml
index 3cd910b6ae..7f2e28e015 100644
--- a/puppet/services/neutron-dhcp.yaml
+++ b/puppet/services/neutron-dhcp.yaml
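Review bot: The else branch of the new config_settings `if` is `- null` while the sibling `dhcp_agents_zero` branch directly above uses `- {}`, and the matching `if` blocks in docker/services/neutron-dhcp.yaml and puppet/services/neutron-dhcp.yaml in this same change also use `{}`; inside a `map_merge` an empty mapping is unambiguous whereas `null` relies on map_merge ignoring it, so change it to `- {}`. Separately, because both neutron-dhcp templates in this change read NeutronBase via `get_attr`, `generate_service_certificates: true` here presumably requests the `neutron/<fqdn>` certificate on every role that hosts any neutron service, not only the DHCP agent; a comment above the `if` such as `# Shared by all neutron services: this cert/key is requested on every role that includes one` would make that scope explicit. The hostname and principal are bound to the NeutronApiNetwork fqdn, which is fine for the agent's client-side use against the loopback OVSDB endpoint set in opendaylight-api.yaml, but worth stating since nothing here verifies the server side.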
@@ -69,9 +69,18 @@ parameters:
 default: 'neutron.agent.linux.interface.OVSInterfaceDriver'
 description: Neutron DHCP Agent interface driver
 type: string
+ EnableInternalTLS:
+ type: boolean
+ default: false
+ InternalTLSCAFile:
+ default: '/etc/ipa/ca.crt'
+ type: string
+ description: Specifies the default CA cert to use if TLS is used for
+ services in the internal network.
 conditions:
 service_debug_unset: {equals: [{get_param: NeutronDhcpAgentDebug}, '']}
+ internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
 resources:
@@ -112,6 +121,12 @@ outputs:
 proto: 'udp'
 chain: 'OUTPUT'
 dport: 68
+ - if:
+ - internal_tls_enabled
+ - neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
+ neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt'
+ neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile}
+ - {}
 service_config_settings:
 fluentd:
 tripleo_fluentd_groups_neutron_dhcp:
@@ -137,3 +152,5 @@ outputs:
 - step|int == 1
 - neutron_dhcp_agent_enabled.rc == 0
 service: name=neutron-dhcp-agent state=stopped
+ metadata_settings:
+ get_attr: [NeutronBase, role_data, metadata_settings]
diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml
index 8a7d2cf661..af27aab5f3 100644
--- a/puppet/services/opendaylight-api.yaml
+++ b/puppet/services/opendaylight-api.yaml
@@ -160,6 +160,12 @@ outputs:
 opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
 opendaylight::tls_keystore_password: {get_param: OpenDaylightTLSKeystorePassword}
 - {}
+ service_config_settings:
+ neutron_dhcp:
+ if:
+ - internal_tls_enabled
+ - neutron::agents::dhcp::ovsdb_connection: 'ssl:127.0.0.1:6639'
+ - neutron::agents::dhcp::ovsdb_connection: 'tcp:127.0.0.1:6639'
 step_config: |
 include tripleo::profile::base::neutron::opendaylight
 upgrade_tasks:
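Review bot: The key, certificate and CA paths in the three `ovsdb_agent_ssl_*` settings are string literals that must stay identical to `tripleo::profile::base::neutron::certificate_specs` in puppet/services/neutron-base.yaml and to the container mounts in docker/services/neutron-dhcp.yaml from this same change; if any one of the three drifts, the agent points at a file that is not there and the OVSDB TLS connection fails only at runtime. Nothing ties them together, so add a comment above the `if`: `# Paths must match certificate_specs in neutron-base.yaml and the neutron_dhcp container mounts in docker/services/neutron-dhcp.yaml`. Exposing the paths from NeutronBase's role_data, the way `metadata_settings` is already fetched below, would remove the duplication but is a larger change than this fix needs.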
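Review bot: `service_config_settings` is added to opendaylight-api.yaml as a new role_data key, but the hunk does not show whether this output already carries one; if it does, the two become duplicate mapping keys and the YAML loader silently keeps only one, dropping either these `ovsdb_connection` settings or the existing ones. The output continues outside the hunk, so check it and merge into the existing key if present. The `internal_tls_enabled` condition used by the `if` is also not defined in this hunk; the `opendaylight::tls_ca_cert_file` context line suggests the file already has it, but that is inferred, not shown. The `tcp:127.0.0.1:6639` fallback is loopback-only, so the unencrypted path stays on-host, which is acceptable and worth a one-line comment, e.g. `# Plaintext fallback is loopback-only; TLS is required for anything beyond the host`.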
diff --git a/releasenotes/notes/fix-neutron-dhcp-tls-d62383530419f0bd.yaml b/releasenotes/notes/fix-neutron-dhcp-tls-d62383530419f0bd.yaml
new file mode 100644
index 0000000000..c2f7c532f0
--- /dev/null
+++ b/releasenotes/notes/fix-neutron-dhcp-tls-d62383530419f0bd.yaml
@@ -0,0 +1,6 @@
+---
+fixes:
+ - |
+ Fixes issue in OpenDaylight deployments where SSL between Neutron DHCP
+ agent with OVS did not work due to missing SSL certificate/key
+ configuration.