Adds SSL/TLS everywhere for OpenDaylight
Enables TLS encryption between ODL and OVS, as well as Northbound ODL communication with Neutron. Implements: blueprint opendaylight-ssl-support Depends-On: Id579aea77bf8d679b514ef9851af36d9170e93a1 Change-Id: I7c43f1358807f3ffeef2ddf29d0085ad55151dfe Signed-off-by: Tim Rozet <trozet@redhat.com>
This commit is contained in:
parent
d5ddb1d860
commit
a8fd3214f4
@ -36,6 +36,13 @@ parameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
@ -60,6 +67,10 @@ outputs:
|
||||
config_settings:
|
||||
map_merge:
|
||||
- get_attr: [OpenDaylightBase, role_data, config_settings]
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- tripleo::certmonger::opendaylight::postsave_cmd: "true" # TODO: restart the odl container here
|
||||
- {}
|
||||
logging_source: {get_attr: [OpenDaylightBase, role_data, logging_source]}
|
||||
logging_groups: {get_attr: [OpenDaylightBase, role_data, logging_groups]}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
@ -102,8 +113,20 @@ outputs:
|
||||
- /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro
|
||||
- /var/lib/opendaylight/journal:/opt/opendaylight/journal
|
||||
- /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- /etc/pki/tls/certs/odl.crt:/etc/pki/tls/certs/odl.crt:ro
|
||||
- ''
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- /etc/pki/tls/private/odl.key:/etc/pki/tls/private/odl.key:ro
|
||||
- ''
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
metadata_settings:
|
||||
get_attr: [OpenDaylightBase, role_data, metadata_settings]
|
||||
host_prep_tasks:
|
||||
- name: create persistent directories
|
||||
file:
|
||||
|
@ -34,6 +34,13 @@ parameters:
|
||||
description: OpenDaylight port binding controller
|
||||
type: string
|
||||
default: 'pseudo-agentdb-binding'
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
@ -56,5 +63,11 @@ outputs:
|
||||
map_merge:
|
||||
- get_attr: [NeutronMl2Base, role_data, config_settings]
|
||||
- neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController}
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- neutron::plugins::ml2::opendaylight::ovsdb_connection: 'ssl:127.0.0.1:6639'
|
||||
tripleo::profile::base::neutron::plugins::ml2::opendaylight::conn_proto: 'https'
|
||||
- {}
|
||||
step_config: |
|
||||
include ::tripleo::profile::base::neutron::plugins::ml2
|
||||
|
@ -17,10 +17,6 @@ parameters:
|
||||
type: string
|
||||
description: The password for the opendaylight server.
|
||||
hidden: true
|
||||
OpenDaylightConnectionProtocol:
|
||||
description: L7 protocol used for REST access
|
||||
type: string
|
||||
default: 'http'
|
||||
OpenDaylightFeatures:
|
||||
description: List of features to install with ODL
|
||||
type: comma_delimited_list
|
||||
@ -74,6 +70,34 @@ parameters:
|
||||
- allowed_values:
|
||||
- file
|
||||
- console
|
||||
OpenDaylightTLSKeystorePassword:
|
||||
default: 'opendaylight'
|
||||
type: string
|
||||
description: The password for the opendaylight TLS keystore.
|
||||
Must be at least 6 characters.
|
||||
hidden: true
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
description: |
|
||||
The following parameters are deprecated and will be removed. They should not
|
||||
be relied on for new deployments. If you have concerns regarding deprecated
|
||||
parameters, please contact the TripleO development team on IRC or the
|
||||
OpenStack mailing list.
|
||||
parameters:
|
||||
- OpenDaylightConnectionProtocol
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
@ -81,14 +105,15 @@ outputs:
|
||||
value:
|
||||
service_name: opendaylight_api
|
||||
config_settings:
|
||||
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
|
||||
opendaylight::username: {get_param: OpenDaylightUsername}
|
||||
opendaylight::password: {get_param: OpenDaylightPassword}
|
||||
opendaylight::extra_features: {get_param: OpenDaylightFeatures}
|
||||
opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
|
||||
opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories}
|
||||
tripleo.opendaylight_api.firewall_rules:
|
||||
map_merge:
|
||||
-
|
||||
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
|
||||
opendaylight::username: {get_param: OpenDaylightUsername}
|
||||
opendaylight::password: {get_param: OpenDaylightPassword}
|
||||
opendaylight::extra_features: {get_param: OpenDaylightFeatures}
|
||||
opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||
opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories}
|
||||
tripleo.opendaylight_api.firewall_rules:
|
||||
'137 opendaylight api':
|
||||
dport:
|
||||
- {get_param: OpenDaylightPort}
|
||||
@ -96,8 +121,28 @@ outputs:
|
||||
- 6653
|
||||
- 2550
|
||||
- 8185
|
||||
opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism}
|
||||
opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism}
|
||||
opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism}
|
||||
opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism}
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
tripleo::profile::base::neutron::opendaylight::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/odl.crt'
|
||||
service_key: '/etc/pki/tls/private/odl.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "odl/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||
opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
|
||||
opendaylight::tls_keystore_password: {get_param: OpenDaylightTLSKeystorePassword}
|
||||
- {}
|
||||
step_config: |
|
||||
include tripleo::profile::base::neutron::opendaylight
|
||||
upgrade_tasks:
|
||||
@ -122,3 +167,11 @@ outputs:
|
||||
- snapshots
|
||||
- data
|
||||
- journal
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- service: odl
|
||||
network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||
type: node
|
||||
- null
|
||||
|
@ -17,10 +17,6 @@ parameters:
|
||||
type: string
|
||||
description: The password for the opendaylight server.
|
||||
hidden: true
|
||||
OpenDaylightConnectionProtocol:
|
||||
description: L7 protocol used for REST access
|
||||
type: string
|
||||
default: 'http'
|
||||
OpenDaylightCheckURL:
|
||||
description: URL postfix to verify ODL has finished starting up
|
||||
type: string
|
||||
@ -96,6 +92,28 @@ parameters:
|
||||
description: |
|
||||
Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
|
||||
type: boolean
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
|
||||
parameter_groups:
|
||||
- label: deprecated
|
||||
description: |
|
||||
The following parameters are deprecated and will be removed. They should not
|
||||
be relied on for new deployments. If you have concerns regarding deprecated
|
||||
parameters, please contact the TripleO development team on IRC or the
|
||||
OpenStack mailing list.
|
||||
parameters:
|
||||
- OpenDaylightConnectionProtocol
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
Ovs:
|
||||
@ -146,7 +164,6 @@ outputs:
|
||||
neutron::plugins::ovs::opendaylight::odl_username: {get_param: OpenDaylightUsername}
|
||||
neutron::plugins::ovs::opendaylight::odl_password: {get_param: OpenDaylightPassword}
|
||||
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
|
||||
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
|
||||
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
|
||||
tripleo.opendaylight_ovs.firewall_rules:
|
||||
'118 neutron vxlan networks':
|
||||
@ -154,6 +171,26 @@ outputs:
|
||||
dport: 4789
|
||||
'136 neutron gre networks':
|
||||
proto: 'gre'
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovs.crt'
|
||||
service_key: '/etc/pki/tls/private/ovs.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovs/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||
neutron::plugins::ovs::opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
|
||||
tripleo::profile::base::neutron::plugins::ovs::opendaylight::conn_proto: 'https'
|
||||
- {}
|
||||
- get_attr: [Ovs, role_data, config_settings]
|
||||
- get_attr: [RoleParametersValue, value]
|
||||
step_config: |
|
||||
@ -174,3 +211,11 @@ outputs:
|
||||
- name: Stop openvswitch service
|
||||
when: (openvswitch_enabled.rc == 0) and (step|int == 1)
|
||||
service: name=openvswitch state=stopped
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- service: ovs
|
||||
network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||
type: node
|
||||
- null
|
||||
|
10
releasenotes/notes/odl-enable-tls-377fbbfff6f67230.yaml
Normal file
10
releasenotes/notes/odl-enable-tls-377fbbfff6f67230.yaml
Normal file
@ -0,0 +1,10 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
Enables deploying OpenDaylight with TLS. Open vSwitch is also
|
||||
configured to communicate with OpenDaylight via TLS.
|
||||
deprecations:
|
||||
- |
|
||||
Deprecates the OpenDaylightConnectionProtocol heat parameter.
|
||||
This parameter is now decided based on using TLS or non-TLS
|
||||
deployments.
|
Loading…
Reference in New Issue
Block a user