From a8fd3214f4f831c2a9c38ac274c1f6ee3f633eab Mon Sep 17 00:00:00 2001 From: Tim Rozet Date: Wed, 3 Jan 2018 17:19:30 -0500 Subject: [PATCH] Adds SSL/TLS everywhere for OpenDaylight Enables TLS encryption between ODL and OVS, as well as Northbound ODL communication with Neutron. Implements: blueprint opendaylight-ssl-support Depends-On: Id579aea77bf8d679b514ef9851af36d9170e93a1 Change-Id: I7c43f1358807f3ffeef2ddf29d0085ad55151dfe Signed-off-by: Tim Rozet --- docker/services/opendaylight-api.yaml | 23 ++++++ puppet/services/neutron-plugin-ml2-odl.yaml | 13 +++ puppet/services/opendaylight-api.yaml | 81 +++++++++++++++---- puppet/services/opendaylight-ovs.yaml | 55 +++++++++++-- .../odl-enable-tls-377fbbfff6f67230.yaml | 10 +++ 5 files changed, 163 insertions(+), 19 deletions(-) create mode 100644 releasenotes/notes/odl-enable-tls-377fbbfff6f67230.yaml diff --git a/docker/services/opendaylight-api.yaml b/docker/services/opendaylight-api.yaml index 2b66f6f817..dd83e2f601 100644 --- a/docker/services/opendaylight-api.yaml +++ b/docker/services/opendaylight-api.yaml @@ -36,6 +36,13 @@ parameters: default: {} description: Parameters specific to the role type: json + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -60,6 +67,10 @@ outputs: config_settings: map_merge: - get_attr: [OpenDaylightBase, role_data, config_settings] + - if: + - internal_tls_enabled + - tripleo::certmonger::opendaylight::postsave_cmd: "true" # TODO: restart the odl container here + - {} logging_source: {get_attr: [OpenDaylightBase, role_data, logging_source]} logging_groups: {get_attr: [OpenDaylightBase, role_data, logging_groups]} # BEGIN DOCKER SETTINGS @@ -102,8 +113,20 @@ outputs: - /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro - /var/lib/opendaylight/journal:/opt/opendaylight/journal - /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots + - + if: + - internal_tls_enabled + - /etc/pki/tls/certs/odl.crt:/etc/pki/tls/certs/odl.crt:ro + - '' + - + if: + - internal_tls_enabled + - /etc/pki/tls/private/odl.key:/etc/pki/tls/private/odl.key:ro + - '' environment: - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS + metadata_settings: + get_attr: [OpenDaylightBase, role_data, metadata_settings] host_prep_tasks: - name: create persistent directories file: diff --git a/puppet/services/neutron-plugin-ml2-odl.yaml b/puppet/services/neutron-plugin-ml2-odl.yaml index 2207326e57..b72ddc200d 100644 --- a/puppet/services/neutron-plugin-ml2-odl.yaml +++ b/puppet/services/neutron-plugin-ml2-odl.yaml @@ -34,6 +34,13 @@ parameters: description: OpenDaylight port binding controller type: string default: 'pseudo-agentdb-binding' + EnableInternalTLS: + type: boolean + default: false + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: @@ -56,5 +63,11 @@ outputs: map_merge: - get_attr: [NeutronMl2Base, role_data, config_settings] - neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController} + - + if: + - internal_tls_enabled + - neutron::plugins::ml2::opendaylight::ovsdb_connection: 'ssl:127.0.0.1:6639' + tripleo::profile::base::neutron::plugins::ml2::opendaylight::conn_proto: 'https' + - {} step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/opendaylight-api.yaml b/puppet/services/opendaylight-api.yaml index a572f8c8af..6ffdcf3656 100644 --- a/puppet/services/opendaylight-api.yaml +++ b/puppet/services/opendaylight-api.yaml @@ -17,10 +17,6 @@ parameters: type: string description: The password for the opendaylight server. hidden: true - OpenDaylightConnectionProtocol: - description: L7 protocol used for REST access - type: string - default: 'http' OpenDaylightFeatures: description: List of features to install with ODL type: comma_delimited_list @@ -74,6 +70,34 @@ parameters: - allowed_values: - file - console + OpenDaylightTLSKeystorePassword: + default: 'opendaylight' + type: string + description: The password for the opendaylight TLS keystore. + Must be at least 6 characters. + hidden: true + EnableInternalTLS: + type: boolean + default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. If you have concerns regarding deprecated + parameters, please contact the TripleO development team on IRC or the + OpenStack mailing list. + parameters: + - OpenDaylightConnectionProtocol + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} outputs: role_data: @@ -81,14 +105,15 @@ outputs: value: service_name: opendaylight_api config_settings: - opendaylight::odl_rest_port: {get_param: OpenDaylightPort} - opendaylight::username: {get_param: OpenDaylightUsername} - opendaylight::password: {get_param: OpenDaylightPassword} - opendaylight::extra_features: {get_param: OpenDaylightFeatures} - opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} - opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} - opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories} - tripleo.opendaylight_api.firewall_rules: + map_merge: + - + opendaylight::odl_rest_port: {get_param: OpenDaylightPort} + opendaylight::username: {get_param: OpenDaylightUsername} + opendaylight::password: {get_param: OpenDaylightPassword} + opendaylight::extra_features: {get_param: OpenDaylightFeatures} + opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} + opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories} + tripleo.opendaylight_api.firewall_rules: '137 opendaylight api': dport: - {get_param: OpenDaylightPort} @@ -96,8 +121,28 @@ outputs: - 6653 - 2550 - 8185 - opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism} - opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism} + opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism} + opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism} + - + if: + - internal_tls_enabled + - generate_service_certificates: true + tripleo::profile::base::neutron::opendaylight::certificate_specs: + service_certificate: '/etc/pki/tls/certs/odl.crt' + service_key: '/etc/pki/tls/private/odl.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} + principal: + str_replace: + template: "odl/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} + opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile} + opendaylight::tls_keystore_password: {get_param: OpenDaylightTLSKeystorePassword} + - {} step_config: | include tripleo::profile::base::neutron::opendaylight upgrade_tasks: @@ -122,3 +167,11 @@ outputs: - snapshots - data - journal + metadata_settings: + if: + - internal_tls_enabled + - + - service: odl + network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} + type: node + - null diff --git a/puppet/services/opendaylight-ovs.yaml b/puppet/services/opendaylight-ovs.yaml index 83706128d7..656051bbbf 100644 --- a/puppet/services/opendaylight-ovs.yaml +++ b/puppet/services/opendaylight-ovs.yaml @@ -17,10 +17,6 @@ parameters: type: string description: The password for the opendaylight server. hidden: true - OpenDaylightConnectionProtocol: - description: L7 protocol used for REST access - type: string - default: 'http' OpenDaylightCheckURL: description: URL postfix to verify ODL has finished starting up type: string @@ -96,6 +92,28 @@ parameters: description: | Enable OVS Hardware Offload. This feature supported from OVS 2.8.0 type: boolean + EnableInternalTLS: + type: boolean + default: false + InternalTLSCAFile: + default: '/etc/ipa/ca.crt' + type: string + description: Specifies the default CA cert to use if TLS is used for + services in the internal network. + +parameter_groups: +- label: deprecated + description: | + The following parameters are deprecated and will be removed. They should not + be relied on for new deployments. If you have concerns regarding deprecated + parameters, please contact the TripleO development team on IRC or the + OpenStack mailing list. + parameters: + - OpenDaylightConnectionProtocol + +conditions: + + internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]} resources: Ovs: @@ -146,7 +164,6 @@ outputs: neutron::plugins::ovs::opendaylight::odl_username: {get_param: OpenDaylightUsername} neutron::plugins::ovs::opendaylight::odl_password: {get_param: OpenDaylightPassword} opendaylight_check_url: {get_param: OpenDaylightCheckURL} - opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol} neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} tripleo.opendaylight_ovs.firewall_rules: '118 neutron vxlan networks': @@ -154,6 +171,26 @@ outputs: dport: 4789 '136 neutron gre networks': proto: 'gre' + - + if: + - internal_tls_enabled + - generate_service_certificates: true + tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs: + service_certificate: '/etc/pki/tls/certs/ovs.crt' + service_key: '/etc/pki/tls/private/ovs.key' + hostname: + str_replace: + template: "%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} + principal: + str_replace: + template: "ovs/%{hiera('fqdn_NETWORK')}" + params: + NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} + neutron::plugins::ovs::opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile} + tripleo::profile::base::neutron::plugins::ovs::opendaylight::conn_proto: 'https' + - {} - get_attr: [Ovs, role_data, config_settings] - get_attr: [RoleParametersValue, value] step_config: | @@ -174,3 +211,11 @@ outputs: - name: Stop openvswitch service when: (openvswitch_enabled.rc == 0) and (step|int == 1) service: name=openvswitch state=stopped + metadata_settings: + if: + - internal_tls_enabled + - + - service: ovs + network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} + type: node + - null diff --git a/releasenotes/notes/odl-enable-tls-377fbbfff6f67230.yaml b/releasenotes/notes/odl-enable-tls-377fbbfff6f67230.yaml new file mode 100644 index 0000000000..1b714755ae --- /dev/null +++ b/releasenotes/notes/odl-enable-tls-377fbbfff6f67230.yaml @@ -0,0 +1,10 @@ +--- +features: + - | + Enables deploying OpenDaylight with TLS. Open vSwitch is also + configured to communicate with OpenDaylight via TLS. +deprecations: + - | + Deprecates the OpenDaylightConnectionProtocol heat parameter. + This parameter is now decided based on using TLS or non-TLS + deployments.