Adds SSL/TLS everywhere for OpenDaylight

Enables TLS encryption between ODL and OVS, as well as Northbound ODL
communication with Neutron.

Implements: blueprint opendaylight-ssl-support

Depends-On: Id579aea77bf8d679b514ef9851af36d9170e93a1

Change-Id: I7c43f1358807f3ffeef2ddf29d0085ad55151dfe
Signed-off-by: Tim Rozet <trozet@redhat.com>
This commit is contained in:
Tim Rozet 2018-01-03 17:19:30 -05:00
parent d5ddb1d860
commit a8fd3214f4
5 changed files with 163 additions and 19 deletions


@ -36,6 +36,13 @@ parameters:
default: {} default: {}
description: Parameters specific to the role description: Parameters specific to the role
type: json type: json
EnableInternalTLS:
type: boolean
default: false
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources: resources:
@ -60,6 +67,10 @@ outputs:
config_settings: config_settings:
map_merge: map_merge:
- get_attr: [OpenDaylightBase, role_data, config_settings] - get_attr: [OpenDaylightBase, role_data, config_settings]
- if:
- internal_tls_enabled
- tripleo::certmonger::opendaylight::postsave_cmd: "true" # TODO: restart the odl container here
- {}
logging_source: {get_attr: [OpenDaylightBase, role_data, logging_source]} logging_source: {get_attr: [OpenDaylightBase, role_data, logging_source]}
logging_groups: {get_attr: [OpenDaylightBase, role_data, logging_groups]} logging_groups: {get_attr: [OpenDaylightBase, role_data, logging_groups]}
# BEGIN DOCKER SETTINGS # BEGIN DOCKER SETTINGS
@ -102,8 +113,20 @@ outputs:
- /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/opendaylight/:/var/lib/kolla/config_files/src:ro
- /var/lib/opendaylight/journal:/opt/opendaylight/journal - /var/lib/opendaylight/journal:/opt/opendaylight/journal
- /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots - /var/lib/opendaylight/snapshots:/opt/opendaylight/snapshots
-
if:
- internal_tls_enabled
- /etc/pki/tls/certs/odl.crt:/etc/pki/tls/certs/odl.crt:ro
- ''
-
if:
- internal_tls_enabled
- /etc/pki/tls/private/odl.key:/etc/pki/tls/private/odl.key:ro
- ''
environment: environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [OpenDaylightBase, role_data, metadata_settings]
host_prep_tasks: host_prep_tasks:
- name: create persistent directories - name: create persistent directories
file: file:
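Review bot: `tripleo::certmonger::opendaylight::postsave_cmd: "true"` in the second hunk is a no-op, so when certmonger renews the certificate the new odl.crt/odl.key land on the host but the running container is never told, and it keeps serving the old certificate until it expires or someone restarts it by hand. The container only sees those files through the read-only bind mounts added in the third hunk, so the post-save hook needs to restart the opendaylight container (its name is not visible in this section, so I cannot quote the exact command). Until that is wired up, the TODO should state the consequence, e.g. `# TODO: restart the odl container here; until then a renewed certificate is only picked up on the next container restart`. If the ODL keystore is rebuilt from the PEM files at config time rather than at service start, a plain restart may not be enough either — worth confirming before closing the TODO.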


@ -34,6 +34,13 @@ parameters:
description: OpenDaylight port binding controller description: OpenDaylight port binding controller
type: string type: string
default: 'pseudo-agentdb-binding' default: 'pseudo-agentdb-binding'
EnableInternalTLS:
type: boolean
default: false
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources: resources:
@ -56,5 +63,11 @@ outputs:
map_merge: map_merge:
- get_attr: [NeutronMl2Base, role_data, config_settings] - get_attr: [NeutronMl2Base, role_data, config_settings]
- neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController} - neutron::plugins::ml2::opendaylight::port_binding_controller: {get_param: OpenDaylightPortBindingController}
-
if:
- internal_tls_enabled
- neutron::plugins::ml2::opendaylight::ovsdb_connection: 'ssl:127.0.0.1:6639'
tripleo::profile::base::neutron::plugins::ml2::opendaylight::conn_proto: 'https'
- {}
step_config: | step_config: |
include ::tripleo::profile::base::neutron::plugins::ml2 include ::tripleo::profile::base::neutron::plugins::ml2
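Review bot: The TLS branch in the second hunk switches the ML2 driver to `conn_proto: 'https'` but passes no CA file, whereas the OVS template in this same commit also sets `tls_ca_cert_file: {get_param: InternalTLSCAFile}`; if networking-odl verifies the ODL server certificate it will need the internal CA, and if it does not, the switch gives encryption without authenticating ODL. Please confirm which it is and either add an `InternalTLSCAFile` parameter here and pass it through, or document that the driver relies on the system trust store. The hard-coded `ovsdb_connection: 'ssl:127.0.0.1:6639'` also assumes the OVSDB the driver talks to is always local and listening on 6639; a one-line comment naming where that listener is configured would help the next reader. The enclosing `map_merge` list continues outside the hunk.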


@ -17,10 +17,6 @@ parameters:
type: string type: string
description: The password for the opendaylight server. description: The password for the opendaylight server.
hidden: true hidden: true
OpenDaylightConnectionProtocol:
description: L7 protocol used for REST access
type: string
default: 'http'
OpenDaylightFeatures: OpenDaylightFeatures:
description: List of features to install with ODL description: List of features to install with ODL
type: comma_delimited_list type: comma_delimited_list
@ -74,6 +70,34 @@ parameters:
- allowed_values: - allowed_values:
- file - file
- console - console
OpenDaylightTLSKeystorePassword:
default: 'opendaylight'
type: string
description: The password for the opendaylight TLS keystore.
Must be at least 6 characters.
hidden: true
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- OpenDaylightConnectionProtocol
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
outputs: outputs:
role_data: role_data:
@ -81,12 +105,13 @@ outputs:
value: value:
service_name: opendaylight_api service_name: opendaylight_api
config_settings: config_settings:
map_merge:
-
opendaylight::odl_rest_port: {get_param: OpenDaylightPort} opendaylight::odl_rest_port: {get_param: OpenDaylightPort}
opendaylight::username: {get_param: OpenDaylightUsername} opendaylight::username: {get_param: OpenDaylightUsername}
opendaylight::password: {get_param: OpenDaylightPassword} opendaylight::password: {get_param: OpenDaylightPassword}
opendaylight::extra_features: {get_param: OpenDaylightFeatures} opendaylight::extra_features: {get_param: OpenDaylightFeatures}
opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]} opendaylight::odl_bind_ip: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories} opendaylight::manage_repositories: {get_param: OpenDaylightManageRepositories}
tripleo.opendaylight_api.firewall_rules: tripleo.opendaylight_api.firewall_rules:
'137 opendaylight api': '137 opendaylight api':
@ -98,6 +123,26 @@ outputs:
- 8185 - 8185
opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism} opendaylight::snat_mechanism: {get_param: OpenDaylightSNATMechanism}
opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism} opendaylight::log_mechanism: {get_param: OpenDaylightLogMechanism}
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::profile::base::neutron::opendaylight::certificate_specs:
service_certificate: '/etc/pki/tls/certs/odl.crt'
service_key: '/etc/pki/tls/private/odl.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
principal:
str_replace:
template: "odl/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
opendaylight::tls_keystore_password: {get_param: OpenDaylightTLSKeystorePassword}
- {}
step_config: | step_config: |
include tripleo::profile::base::neutron::opendaylight include tripleo::profile::base::neutron::opendaylight
upgrade_tasks: upgrade_tasks:
@ -122,3 +167,11 @@ outputs:
- snapshots - snapshots
- data - data
- journal - journal
metadata_settings:
if:
- internal_tls_enabled
-
- service: odl
network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
type: node
- null
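Review bot: The first hunk deletes the `OpenDaylightConnectionProtocol` parameter definition while the new `parameter_groups` block in the second hunk still lists it under the deprecated group; as far as I know Heat validates that every grouped parameter references a defined parameter, so the template would fail validation. The usual deprecation pattern is to keep the now-unused definition and only drop the `get_param` consumer, which the third hunk already does; the OVS template later in this commit has the same problem. Separately, `OpenDaylightTLSKeystorePassword` ships with the fixed default `'opendaylight'` and only documents the "at least 6 characters" rule; `constraints: - length: {min: 6}` would enforce it, and a fixed default shared by every deployment is weaker than a per-deployment generated value — if it cannot be generated, the description should say operators are expected to override it.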


@ -17,10 +17,6 @@ parameters:
type: string type: string
description: The password for the opendaylight server. description: The password for the opendaylight server.
hidden: true hidden: true
OpenDaylightConnectionProtocol:
description: L7 protocol used for REST access
type: string
default: 'http'
OpenDaylightCheckURL: OpenDaylightCheckURL:
description: URL postfix to verify ODL has finished starting up description: URL postfix to verify ODL has finished starting up
type: string type: string
@ -96,6 +92,28 @@ parameters:
description: | description: |
Enable OVS Hardware Offload. This feature supported from OVS 2.8.0 Enable OVS Hardware Offload. This feature supported from OVS 2.8.0
type: boolean type: boolean
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
parameter_groups:
- label: deprecated
description: |
The following parameters are deprecated and will be removed. They should not
be relied on for new deployments. If you have concerns regarding deprecated
parameters, please contact the TripleO development team on IRC or the
OpenStack mailing list.
parameters:
- OpenDaylightConnectionProtocol
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources: resources:
Ovs: Ovs:
@ -146,7 +164,6 @@ outputs:
neutron::plugins::ovs::opendaylight::odl_username: {get_param: OpenDaylightUsername} neutron::plugins::ovs::opendaylight::odl_username: {get_param: OpenDaylightUsername}
neutron::plugins::ovs::opendaylight::odl_password: {get_param: OpenDaylightPassword} neutron::plugins::ovs::opendaylight::odl_password: {get_param: OpenDaylightPassword}
opendaylight_check_url: {get_param: OpenDaylightCheckURL} opendaylight_check_url: {get_param: OpenDaylightCheckURL}
opendaylight::nb_connection_protocol: {get_param: OpenDaylightConnectionProtocol}
neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]} neutron::agents::ml2::ovs::local_ip: {get_param: [ServiceNetMap, NeutronTenantNetwork]}
tripleo.opendaylight_ovs.firewall_rules: tripleo.opendaylight_ovs.firewall_rules:
'118 neutron vxlan networks': '118 neutron vxlan networks':
@ -154,6 +171,26 @@ outputs:
dport: 4789 dport: 4789
'136 neutron gre networks': '136 neutron gre networks':
proto: 'gre' proto: 'gre'
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs:
service_certificate: '/etc/pki/tls/certs/ovs.crt'
service_key: '/etc/pki/tls/private/ovs.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
principal:
str_replace:
template: "ovs/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
neutron::plugins::ovs::opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
tripleo::profile::base::neutron::plugins::ovs::opendaylight::conn_proto: 'https'
- {}
- get_attr: [Ovs, role_data, config_settings] - get_attr: [Ovs, role_data, config_settings]
- get_attr: [RoleParametersValue, value] - get_attr: [RoleParametersValue, value]
step_config: | step_config: |
@ -174,3 +211,11 @@ outputs:
- name: Stop openvswitch service - name: Stop openvswitch service
when: (openvswitch_enabled.rc == 0) and (step|int == 1) when: (openvswitch_enabled.rc == 0) and (step|int == 1)
service: name=openvswitch state=stopped service: name=openvswitch state=stopped
metadata_settings:
if:
- internal_tls_enabled
-
- service: ovs
network: {get_param: [ServiceNetMap, OpendaylightApiNetwork]}
type: node
- null
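Review bot: The third hunk drops `opendaylight::nb_connection_protocol` and the fourth sets `conn_proto: 'https'` only in the TLS branch, so a non-TLS deployment now gets whatever the puppet class defaults to, and an operator who previously set `OpenDaylightConnectionProtocol: https` with their own certificates silently falls back to that default because nothing consumes the parameter any more. Since the removed parameter defaulted to `'http'`, an explicit else branch, `- tripleo::profile::base::neutron::plugins::ovs::opendaylight::conn_proto: 'http'` in place of `- {}`, would keep the non-TLS behaviour visible in the template instead of implicit. The certificate spec also places the OVS key at `/etc/pki/tls/private/ovs.key`; whether the ovsdb-server process can read a certmonger-created key with the ownership and mode that profile applies is not visible here — confirm. The `map_merge` list this hunk modifies starts and ends outside the hunk.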


@ -0,0 +1,10 @@
---
features:
- |
Enables deploying OpenDaylight with TLS. Open vSwitch is also
configured to communicate with OpenDaylight via TLS.
deprecations:
- |
Deprecates the OpenDaylightConnectionProtocol heat parameter.
This parameter is now decided based on using TLS or non-TLS
deployments.