Adds SSL/TLS everywhere for OpenDaylight
Enables TLS encryption between ODL and OVS, as well as Northbound ODL communication with Neutron. Implements: blueprint opendaylight-ssl-support Depends-On: Id579aea77bf8d679b514ef9851af36d9170e93a1 Change-Id: I7c43f1358807f3ffeef2ddf29d0085ad55151dfe Signed-off-by: Tim Rozet <trozet@redhat.com>
This commit is contained in:
parent
d5ddb1d860
commit
a8fd3214f4
@ -36,6 +36,13 @@ parameters:
|
|||||||
default: {}
|
default: {}
|
||||||
description: Parameters specific to the role
|
description: Parameters specific to the role
|
||||||
type: json
|
type: json
|
||||||
|
EnableInternalTLS:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
@ -60,6 +67,10 @@ outputs:
|
|||||||
config_settings:
|
config_settings:
|
||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [OpenDaylightBase, role_data, config_settings]
|
- get_attr: [OpenDaylightBase, role_data, config_settings]
|
||||||
|
- if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- tripleo::certmonger::opendaylight::postsave_cmd: "true" # TODO: restart the odl container here
|
||||||
|
- {}
|
||||||
logging_source: {get_attr: [OpenDaylightBase, role_data, logging_source]}
|
logging_source: {get_attr: [OpenDaylightBase, role_data, logging_source]}
|
||||||
logging_groups: {get_attr: [OpenDaylightBase, role_data, logging_groups]}
|
logging_groups: {get_attr: [OpenDaylightBase, role_data, logging_groups]}
|
||||||
# BEGIN DOCKER SETTINGS
|
# BEGIN DOCKER SETTINGS
|
||||||
@ -102,8 +113,20 @@ outputs:
|
|||||||
- /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro
|
- /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro
|
||||||
- /var/lib/opendaylight/journal:/opt/opendaylight/journal
|
- /var/lib/opendaylight/journal:/opt/opendaylight/journal
|
||||||
- /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots
|
- /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- /etc/pki/tls/certs/odl.crt:/etc/pki/tls/certs/odl.crt:ro
|
||||||
|
- ''
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- /etc/pki/tls/private/odl.key:/etc/pki/tls/private/odl.key:ro
|
||||||
|
- ''
|
||||||
environment:
|
environment:
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
|
metadata_settings:
|
||||||
|
get_attr: [OpenDaylightBase, role_data, metadata_settings]
|
||||||
host_prep_tasks:
|
host_prep_tasks:
|
||||||
- name: create persistent directories
|
- name: create persistent directories
|
||||||
file:
|
file:
|
||||||
|
@ -34,6 +34,13 @@ parameters:
|
|||||||
description: OpenDaylight port binding controller
|
description: OpenDaylight port binding controller
|
||||||
type: string
|
type: string
|
||||||
default: 'pseudo-agentdb-binding'
|
default: 'pseudo-agentdb-binding'
|
||||||
|
EnableInternalTLS:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
@ -56,5 +63,11 @@ outputs:
|
|||||||
map_merge:
|
map_merge:
|
||||||
- get_attr: [NeutronMl2Base, role_data, config_settings]
|
- get_attr: [NeutronMl2Base, role_data, config_settings]
|
||||||
- neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController}
|
- neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController}
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- neutron::plugins::ml2::opendaylight::ovsdb_connection: 'ssl:127.0.0.1:6639'
|
||||||
|
tripleo::profile::base::neutron::plugins::ml2::opendaylight::conn_proto: 'https'
|
||||||
|
- {}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::neutron::plugins::ml2
|
include ::tripleo::profile::base::neutron::plugins::ml2
|
||||||
|
@ -17,10 +17,6 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
description: The password for the opendaylight server.
|
description: The password for the opendaylight server.
|
||||||
hidden: true
|
hidden: true
|
||||||
OpenDaylightConnectionProtocol:
|
|
||||||
description: L7 protocol used for REST access
|
|
||||||
type: string
|
|
||||||
default: 'http'
|
|
||||||
OpenDaylightFeatures:
|
OpenDaylightFeatures:
|
||||||
description: List of features to install with ODL
|
description: List of features to install with ODL
|
||||||
type: comma_delimited_list
|
type: comma_delimited_list
|
||||||
@ -74,6 +70,34 @@ parameters:
|
|||||||
- allowed_values:
|
- allowed_values:
|
||||||
- file
|
- file
|
||||||
- console
|
- console
|
||||||
|
OpenDaylightTLSKeystorePassword:
|
||||||
|
default: 'opendaylight'
|
||||||
|
type: string
|
||||||
|
description: The password for the opendaylight TLS keystore.
|
||||||
|
Must be at least 6 characters.
|
||||||
|
hidden: true
|
||||||
|
EnableInternalTLS:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
InternalTLSCAFile:
|
||||||
|
default: '/etc/ipa/ca.crt'
|
||||||
|
type: string
|
||||||
|
description: Specifies the default CA cert to use if TLS is used for
|
||||||
|
services in the internal network.
|
||||||
|
|
||||||
|
parameter_groups:
|
||||||
|
- label: deprecated
|
||||||
|
description: |
|
||||||
|
The following parameters are deprecated and will be removed. They should not
|
||||||
|
be relied on for new deployments. If you have concerns regarding deprecated
|
||||||
|
parameters, please contact the TripleO development team on IRC or the
|
||||||
|
OpenStack mailing list.
|
||||||
|
parameters:
|
||||||
|
- OpenDaylightConnectionProtocol
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
role_data:
|
role_data:
|
||||||
@ -81,12 +105,13 @@ outputs:
|
|||||||
value:
|
value:
|
||||||
service_name: opendaylight_api
|
service_name: opendaylight_api
|
||||||
config_settings:
|
config_settings:
|
||||||
|
map_merge:
|
||||||
|
-
|
||||||
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
|
opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
|
||||||
opendaylight::username: {get_param: OpenDaylightUsername}
|
opendaylight::username: {get_param: OpenDaylightUsername}
|
||||||
opendaylight::password: {get_param: OpenDaylightPassword}
|
opendaylight::password: {get_param: OpenDaylightPassword}
|
||||||
opendaylight::extra_features: {get_param: OpenDaylightFeatures}
|
opendaylight::extra_features: {get_param: OpenDaylightFeatures}
|
||||||
opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||||
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
|
|
||||||
opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories}
|
opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories}
|
||||||
tripleo.opendaylight_api.firewall_rules:
|
tripleo.opendaylight_api.firewall_rules:
|
||||||
'137 opendaylight api':
|
'137 opendaylight api':
|
||||||
@ -98,6 +123,26 @@ outputs:
|
|||||||
- 8185
|
- 8185
|
||||||
opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism}
|
opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism}
|
||||||
opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism}
|
opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism}
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- generate_service_certificates: true
|
||||||
|
tripleo::profile::base::neutron::opendaylight::certificate_specs:
|
||||||
|
service_certificate: '/etc/pki/tls/certs/odl.crt'
|
||||||
|
service_key: '/etc/pki/tls/private/odl.key'
|
||||||
|
hostname:
|
||||||
|
str_replace:
|
||||||
|
template: "%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||||
|
principal:
|
||||||
|
str_replace:
|
||||||
|
template: "odl/%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||||
|
opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
|
||||||
|
opendaylight::tls_keystore_password: {get_param: OpenDaylightTLSKeystorePassword}
|
||||||
|
- {}
|
||||||
step_config: |
|
step_config: |
|
||||||
include tripleo::profile::base::neutron::opendaylight
|
include tripleo::profile::base::neutron::opendaylight
|
||||||
upgrade_tasks:
|
upgrade_tasks:
|
||||||
@ -122,3 +167,11 @@ outputs:
|
|||||||
- snapshots
|
- snapshots
|
||||||
- data
|
- data
|
||||||
- journal
|
- journal
|
||||||
|
metadata_settings:
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- service: odl
|
||||||
|
network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||||
|
type: node
|
||||||
|
- null
|
||||||
|
@ -17,10 +17,6 @@ parameters:
|
|||||||
type: string
|
type: string
|
||||||
description: The password for the opendaylight server.
|
description: The password for the opendaylight server.
|
||||||
hidden: true
|
hidden: true
|
||||||
OpenDaylightConnectionProtocol:
|
|
||||||
description: L7 protocol used for REST access
|
|
||||||
type: string
|
|
||||||
default: 'http'
|
|
||||||
OpenDaylightCheckURL:
|
OpenDaylightCheckURL:
|
||||||
description: URL postfix to verify ODL has finished starting up
|
description: URL postfix to verify ODL has finished starting up
|
||||||
type: string
|
type: string
|
||||||
@ -96,6 +92,28 @@ parameters:
|
|||||||
description: |
|
description: |
|
||||||
Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
|
Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
|
||||||
type: boolean
|
type: boolean
|
||||||
|
EnableInternalTLS:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
InternalTLSCAFile:
|
||||||
|
default: '/etc/ipa/ca.crt'
|
||||||
|
type: string
|
||||||
|
description: Specifies the default CA cert to use if TLS is used for
|
||||||
|
services in the internal network.
|
||||||
|
|
||||||
|
parameter_groups:
|
||||||
|
- label: deprecated
|
||||||
|
description: |
|
||||||
|
The following parameters are deprecated and will be removed. They should not
|
||||||
|
be relied on for new deployments. If you have concerns regarding deprecated
|
||||||
|
parameters, please contact the TripleO development team on IRC or the
|
||||||
|
OpenStack mailing list.
|
||||||
|
parameters:
|
||||||
|
- OpenDaylightConnectionProtocol
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
Ovs:
|
Ovs:
|
||||||
@ -146,7 +164,6 @@ outputs:
|
|||||||
neutron::plugins::ovs::opendaylight::odl_username: {get_param: OpenDaylightUsername}
|
neutron::plugins::ovs::opendaylight::odl_username: {get_param: OpenDaylightUsername}
|
||||||
neutron::plugins::ovs::opendaylight::odl_password: {get_param: OpenDaylightPassword}
|
neutron::plugins::ovs::opendaylight::odl_password: {get_param: OpenDaylightPassword}
|
||||||
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
|
opendaylight_check_url: {get_param: OpenDaylightCheckURL}
|
||||||
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
|
|
||||||
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
|
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
|
||||||
tripleo.opendaylight_ovs.firewall_rules:
|
tripleo.opendaylight_ovs.firewall_rules:
|
||||||
'118 neutron vxlan networks':
|
'118 neutron vxlan networks':
|
||||||
@ -154,6 +171,26 @@ outputs:
|
|||||||
dport: 4789
|
dport: 4789
|
||||||
'136 neutron gre networks':
|
'136 neutron gre networks':
|
||||||
proto: 'gre'
|
proto: 'gre'
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
- generate_service_certificates: true
|
||||||
|
tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs:
|
||||||
|
service_certificate: '/etc/pki/tls/certs/ovs.crt'
|
||||||
|
service_key: '/etc/pki/tls/private/ovs.key'
|
||||||
|
hostname:
|
||||||
|
str_replace:
|
||||||
|
template: "%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||||
|
principal:
|
||||||
|
str_replace:
|
||||||
|
template: "ovs/%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||||
|
neutron::plugins::ovs::opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
|
||||||
|
tripleo::profile::base::neutron::plugins::ovs::opendaylight::conn_proto: 'https'
|
||||||
|
- {}
|
||||||
- get_attr: [Ovs, role_data, config_settings]
|
- get_attr: [Ovs, role_data, config_settings]
|
||||||
- get_attr: [RoleParametersValue, value]
|
- get_attr: [RoleParametersValue, value]
|
||||||
step_config: |
|
step_config: |
|
||||||
@ -174,3 +211,11 @@ outputs:
|
|||||||
- name: Stop openvswitch service
|
- name: Stop openvswitch service
|
||||||
when: (openvswitch_enabled.rc == 0) and (step|int == 1)
|
when: (openvswitch_enabled.rc == 0) and (step|int == 1)
|
||||||
service: name=openvswitch state=stopped
|
service: name=openvswitch state=stopped
|
||||||
|
metadata_settings:
|
||||||
|
if:
|
||||||
|
- internal_tls_enabled
|
||||||
|
-
|
||||||
|
- service: ovs
|
||||||
|
network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
|
||||||
|
type: node
|
||||||
|
- null
|
||||||
|
10
releasenotes/notes/odl-enable-tls-377fbbfff6f67230.yaml
Normal file
10
releasenotes/notes/odl-enable-tls-377fbbfff6f67230.yaml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Enables deploying OpenDaylight with TLS. Open vSwitch is also
|
||||||
|
configured to communicate with OpenDaylight via TLS.
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
Deprecates the OpenDaylightConnectionProtocol heat parameter.
|
||||||
|
This parameter is now decided based on using TLS or non-TLS
|
||||||
|
deployments.
|
Loading…
Reference in New Issue
Block a user