Adds SSL/TLS everywhere for OpenDaylight

Enables TLS encryption between ODL and OVS, as well as Northbound ODL
communication with Neutron.

Implements: blueprint opendaylight-ssl-support

Depends-On: Id579aea77bf8d679b514ef9851af36d9170e93a1

Change-Id: I7c43f1358807f3ffeef2ddf29d0085ad55151dfe
Signed-off-by: Tim Rozet <trozet@redhat.com>
This commit is contained in:
Tim Rozet 2018-01-03 17:19:30 -05:00
parent d5ddb1d860
commit a8fd3214f4
5 changed files with 163 additions and 19 deletions


@ -36,6 +36,13 @@ parameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@ -60,6 +67,10 @@ outputs:
config_settings:
map_merge:
- get_attr: [OpenDaylightBase, role_data, config_settings]
- if:
- internal_tls_enabled
- tripleo::certmonger::opendaylight::postsave_cmd: "true" # TODO: restart the odl container here
- {}
logging_source: {get_attr: [OpenDaylightBase, role_data, logging_source]}
logging_groups: {get_attr: [OpenDaylightBase, role_data, logging_groups]}
# BEGIN DOCKER SETTINGS
@ -102,8 +113,20 @@ outputs:
- /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro
- /var/lib/opendaylight/journal:/opt/opendaylight/journal
- /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/odl.crt:/etc/pki/tls/certs/odl.crt:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/odl.key:/etc/pki/tls/private/odl.key:ro
- ''
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [OpenDaylightBase, role_data, metadata_settings]
host_prep_tasks:
- name: create persistent directories
file:
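Review bot: `tripleo::certmonger::opendaylight::postsave_cmd: "true"` in the second hunk leaves certificate renewal unhandled: when certmonger rewrites `/etc/pki/tls/certs/odl.crt` and `/etc/pki/tls/private/odl.key` on the host, the read-only bind mounts added in the third hunk see the new files, but nothing restarts the container or tells ODL to reload, so it keeps serving the old certificate until expiry and the OVS and Neutron TLS links break at that point. The postsave hook should at minimum restart the ODL container (a `docker restart` of it; the container name is not visible in this hunk), and if ODL builds a Java keystore from these PEM files at configuration time, the hook also has to regenerate that keystore, because a bare restart would reload the stale one. Until that is implemented the TODO should state the consequence, e.g. `# TODO: restart the odl container here — a renewed cert is not picked up until the container is restarted`.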


@ -34,6 +34,13 @@ parameters:
description: OpenDaylight port binding controller
type: string
default: 'pseudo-agentdb-binding'
EnableInternalTLS:
type: boolean
default: false
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@ -56,5 +63,11 @@ outputs:
map_merge:
- get_attr: [NeutronMl2Base, role_data, config_settings]
- neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController}
-
if:
- internal_tls_enabled
- neutron::plugins::ml2::opendaylight::ovsdb_connection: 'ssl:127.0.0.1:6639'
tripleo::profile::base::neutron::plugins::ml2::opendaylight::conn_proto: 'https'
- {}
step_config: |
include ::tripleo::profile::base::neutron::plugins::ml2
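Review bot: The TLS branch pins `neutron::plugins::ml2::opendaylight::ovsdb_connection: 'ssl:127.0.0.1:6639'` while the non-TLS branch (`- {}`) sets nothing and relies on an implicit puppet-neutron default, so the hunk does not say which listener the `ssl:` URI is expected to match nor how the client side trusts it — no CA file or client certificate is configured for this connection here, unlike the ODL and OVS templates in the same commit. A comment above the `if:` should record that, e.g. `# With internal TLS, the local OVSDB endpoint on 127.0.0.1:6639 must present a certificate trusted by this host's CA; TODO(review): note which service provides that listener and where its cert/CA come from`. The enclosing `config_settings` map_merge starts above this hunk.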


@ -17,10 +17,6 @@ parameters:
type: string
description: The password for the opendaylight server.
hidden: true
OpenDaylightConnectionProtocol:
description: L7 protocol used for REST access
type: string
default: 'http'
OpenDaylightFeatures:
description: List of features to install with ODL
type: comma_delimited_list
@ -74,6 +70,34 @@ parameters:
- allowed_values:
- file
- console
OpenDaylightTLSKeystorePassword:
default: 'opendaylight'
type: string
description: The password for the opendaylight TLS keystore.
Must be at least 6 characters.
hidden: true
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- OpenDaylightConnectionProtocol
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs:
role_data:
@ -81,14 +105,15 @@ outputs:
value:
service_name: opendaylight_api
config_settings:
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
opendaylight::username: {get_param: OpenDaylightUsername}
opendaylight::password: {get_param: OpenDaylightPassword}
opendaylight::extra_features: {get_param: OpenDaylightFeatures}
opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories}
tripleo.opendaylight_api.firewall_rules:
map_merge:
-
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
opendaylight::username: {get_param: OpenDaylightUsername}
opendaylight::password: {get_param: OpenDaylightPassword}
opendaylight::extra_features: {get_param: OpenDaylightFeatures}
opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories}
tripleo.opendaylight_api.firewall_rules:
'137 opendaylight api':
dport:
- {get_param: OpenDaylightPort}
@ -96,8 +121,28 @@ outputs:
- 6653
- 2550
- 8185
opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism}
opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism}
opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism}
opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism}
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::profile::base::neutron::opendaylight::certificate_specs:
service_certificate: '/etc/pki/tls/certs/odl.crt'
service_key: '/etc/pki/tls/private/odl.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
principal:
str_replace:
template: "odl/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
opendaylight::tls_keystore_password: {get_param: OpenDaylightTLSKeystorePassword}
- {}
step_config: |
include tripleo::profile::base::neutron::opendaylight
upgrade_tasks:
@ -122,3 +167,11 @@ outputs:
- snapshots
- data
- journal
metadata_settings:
if:
- internal_tls_enabled
-
- service: odl
network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
type: node
- null
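Review bot: `OpenDaylightTLSKeystorePassword` in the second hunk ships with the static default `'opendaylight'`, so a default deployment protects the keystore holding ODL's private key with a password that is public in the template; `hidden: true` only keeps it out of Heat output, it does not make it a secret. The description promises "Must be at least 6 characters" but nothing enforces that — add `constraints: - length: {min: 6}` under the parameter so an operator override that is too short fails stack validation rather than breaking keystore creation later. Prefer having the value generated per deployment instead of a fixed default (if the deployment tooling that generates the other hidden passwords in these templates can cover this one, route it through that), and document in the description that the value is used with `opendaylight::tls_keystore_password` and must not be changed after the keystore is created without regenerating it. The same `config_settings` branch hard-codes the cert and key paths that the container template mounts; a short comment noting that the two must stay in sync would help the next maintainer.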


@ -17,10 +17,6 @@ parameters:
type: string
description: The password for the opendaylight server.
hidden: true
OpenDaylightConnectionProtocol:
description: L7 protocol used for REST access
type: string
default: 'http'
OpenDaylightCheckURL:
description: URL postfix to verify ODL has finished starting up
type: string
@ -96,6 +92,28 @@ parameters:
description: |
Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
type: boolean
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- OpenDaylightConnectionProtocol
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
Ovs:
@ -146,7 +164,6 @@ outputs:
neutron::plugins::ovs::opendaylight::odl_username: {get_param: OpenDaylightUsername}
neutron::plugins::ovs::opendaylight::odl_password: {get_param: OpenDaylightPassword}
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
tripleo.opendaylight_ovs.firewall_rules:
'118 neutron vxlan networks':
@ -154,6 +171,26 @@ outputs:
dport: 4789
'136 neutron gre networks':
proto: 'gre'
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs:
service_certificate: '/etc/pki/tls/certs/ovs.crt'
service_key: '/etc/pki/tls/private/ovs.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
principal:
str_replace:
template: "ovs/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
neutron::plugins::ovs::opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
tripleo::profile::base::neutron::plugins::ovs::opendaylight::conn_proto: 'https'
- {}
- get_attr: [Ovs, role_data, config_settings]
- get_attr: [RoleParametersValue, value]
step_config: |
@ -174,3 +211,11 @@ outputs:
- name: Stop openvswitch service
when: (openvswitch_enabled.rc == 0) and (step|int == 1)
service: name=openvswitch state=stopped
metadata_settings:
if:
- internal_tls_enabled
-
- service: ovs
network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
type: node
- null
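Review bot: The first hunk (`-17,10 +17,6`, four lines removed) deletes the `OpenDaylightConnectionProtocol` parameter definition, yet the new `parameter_groups` deprecated block in the second hunk still lists `- OpenDaylightConnectionProtocol`; Heat validates that every grouped parameter names a declared parameter and rejects the template with "does not reference a valid parameter" otherwise, so this stack would fail validation as shown. Keep the declaration — `OpenDaylightConnectionProtocol: {description: L7 protocol used for REST access, type: string, default: 'http'}` — next to the deprecated group and only stop wiring it into `config_settings`, which the `-146,7 +164,6` hunk already does by dropping `opendaylight::nb_connection_protocol`; the deprecation note then holds for operators who still set it. The opendaylight-api template in this commit has the same removal-plus-group pattern and needs the same fix. If the declaration is in fact retained in a part of the file outside the shown hunks, this note does not apply.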


@ -0,0 +1,10 @@
---
features:
- |
Enables deploying OpenDaylight with TLS. Open vSwitch is also
configured to communicate with OpenDaylight via TLS.
deprecations:
- |
Deprecates the OpenDaylightConnectionProtocol heat parameter.
This parameter is now decided based on using TLS or non-TLS
deployments.