openstack/tripleo-heat-templates
Code Issues Proposed changes
tripleo-heat-templates/docker/services/neutron-dhcp.yaml
Tim Rozet 2adb2b6f57 Fixes missing SSL configuration for Neutron DHCP agent 
Currently when deploying with TLS for internal API traffic, Neutron is
not configured to securely communicate with OVSDB.  In regular OVS agent
deployments OVS listens on ptcp and accepts any incoming connection.  In
ODL deployments OVS is configured to only listen for pssl connections.
To allow Neutron agents to communicate with OVSDB in pssl, Neutron needs
to be configured with SSL key/certificate in order to connect to OVS.

This patch adds key/certificate generation for NeutronBase service to be
consumed by any agent.  The only agent required with ODL is DHCP, so
this patch only addresses configuring SSL there.  However, a future
patch could enable SSL for default ML2/OVS agent deployments as well by
building off of this change.

Note, by default OVSDB listens on port 6640.  This does not work in ODL
deployments when ODL is on the control node because ODL also listens
on port 6640.  Therefore from the ODL service, the ovsdb_connection
setting for DHCP agent is modified when ODL is deployed.

Depends-On: I82281eefa1aa81207ccd8ea565cffc6ca0ec48de
Depends-On: I4bbaf00f0776cab0be34d814a541fb2fd1e64326

Closes-Bug: 1746762

Change-Id: I97352027d7f750d0820610fb9e06f82b47e77056
Signed-off-by: Tim Rozet <trozet@redhat.com>
2018-02-13 12:28:27 -05:00

168 lines
6.0 KiB
YAML
Raw Blame History

heat_template_version: queens
description: >
OpenStack containerized Neutron DHCP service
parameters:
DockerNeutronDHCPImage:
description: image
type: string
DockerNeutronConfigImage:
description: The container image to use for the neutron config_volume
type: string
EndpointMap:
default: {}
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
ServiceData:
default: {}
description: Dictionary packing service data
type: json
ServiceNetMap:
default: {}
description: Mapping of service_name -> network name. Typically set
via parameter_defaults in the resource registry. This
mapping overrides those in ServiceNetMapDefaults.
type: json
DefaultPasswords:
default: {}
type: json
RoleName:
default: ''
description: Role name on which the service is applied
type: string
RoleParameters:
default: {}
description: Parameters specific to the role
type: json
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
ContainersCommon:
type: ./containers-common.yaml
NeutronBase:
type: ../../puppet/services/neutron-dhcp.yaml
properties:
EndpointMap: {get_param: EndpointMap}
ServiceData: {get_param: ServiceData}
ServiceNetMap: {get_param: ServiceNetMap}
DefaultPasswords: {get_param: DefaultPasswords}
RoleName: {get_param: RoleName}
RoleParameters: {get_param: RoleParameters}
NeutronLogging:
type: OS::TripleO::Services::Logging::NeutronCommon
outputs:
role_data:
description: Role data for the Neutron DHCP role.
value:
service_name: {get_attr: [NeutronBase, role_data, service_name]}
config_settings:
map_merge:
- get_attr: [NeutronBase, role_data, config_settings]
- get_attr: [NeutronLogging, config_settings]
- if:
- internal_tls_enabled
- tripleo::certmonger::neutron::postsave_cmd: "true" # TODO: restart the container here
- {}
logging_source: {get_attr: [NeutronBase, role_data, logging_source]}
logging_groups: {get_attr: [NeutronBase, role_data, logging_groups]}
service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]}
# BEGIN DOCKER SETTINGS
puppet_config:
config_volume: neutron
puppet_tags: neutron_config,neutron_dhcp_agent_config
step_config:
get_attr: [NeutronBase, role_data, step_config]
config_image: {get_param: DockerNeutronConfigImage}
kolla_config:
/var/lib/kolla/config_files/neutron_dhcp.json:
command: /usr/bin/neutron-dhcp-agent --config-file /usr/share/neutron/neutron-dist.conf --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/dhcp_agent.ini --config-dir /etc/neutron/conf.d/common --config-dir /etc/neutron/conf.d/neutron-dhcp-agent
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
permissions:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
- path: /var/lib/neutron
owner: neutron:neutron
recurse: true
docker_config:
step_4:
neutron_dhcp:
start_order: 10
image: {get_param: DockerNeutronDHCPImage}
net: host
pid: host
privileged: true
restart: always
healthcheck:
test: /openstack/healthcheck
volumes:
list_concat:
- {get_attr: [ContainersCommon, volumes]}
- {get_attr: [NeutronLogging, volumes]}
-
- /var/lib/kolla/config_files/neutron_dhcp.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
- /lib/modules:/lib/modules:ro
- /run/openvswitch:/run/openvswitch
- /var/lib/neutron:/var/lib/neutron
-
if:
- internal_tls_enabled
- - /etc/pki/tls/certs/neutron.crt:/etc/pki/tls/certs/neutron.crt:ro
- /etc/pki/tls/private/neutron.key:/etc/pki/tls/private/neutron.key:ro
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [NeutronBase, role_data, metadata_settings]
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}
- - name: create /var/lib/neutron
file:
path: /var/lib/neutron
state: directory
upgrade_tasks:
- name: Check if neutron_dhcp_agent is deployed
command: systemctl is-enabled --quiet neutron-dhcp-agent
tags: common
ignore_errors: True
register: neutron_dhcp_agent_enabled
- name: "PreUpgrade step0,validation: Check service neutron-dhcp-agent is running"
command: systemctl is-active --quiet neutron-dhcp-agent
when:
- step|int == 0
- neutron_dhcp_agent_enabled.rc == 0
tags: validation
- name: Stop and disable neutron_dhcp service
when:
- step|int == 2
- neutron_dhcp_agent_enabled.rc == 0
service: name=neutron-dhcp-agent state=stopped enabled=no
View Git Blame Copy Permalink