Add support for OVN monitoring when TLS enabled

Added OVNSB and OVNNB cert secrets to ospperf namespace and mounted
them on to collectd container. Ovsdb-client uses these mounted ssl
certificates to connect with ovsdb-server from within collectd pod.

Change-Id: Id89b495a73350b7cb25ce23f069a49d3a9ff49d9

ansible/install/roles/collectd-rhoso/files/collectd_deploy.yaml

@@ -91,6 +91,30 @@ spec:
         securityContext:
           privileged: true
         volumeMounts:
+        - mountPath: /etc/pki/ovnsb/tls/certs/ovndb.crt
+          name: ovsdbserver-sb-tls-certs
+          readOnly: true
+          subPath: tls.crt
+        - mountPath: /etc/pki/ovnsb/tls/private/ovndb.key
+          name: ovsdbserver-sb-tls-certs
+          readOnly: true
+          subPath: tls.key
+        - mountPath: /etc/pki/ovnsb/tls/certs/ovndbca.crt
+          name: ovsdbserver-sb-tls-certs
+          readOnly: true
+          subPath: ca.crt
+        - mountPath: /etc/pki/ovnnb/tls/certs/ovndb.crt
+          name: ovsdbserver-nb-tls-certs
+          readOnly: true
+          subPath: tls.crt
+        - mountPath: /etc/pki/ovnnb/tls/private/ovndb.key
+          name: ovsdbserver-nb-tls-certs
+          readOnly: true
+          subPath: tls.key
+        - mountPath: /etc/pki/ovnnb/tls/certs/ovndbca.crt
+          name: ovsdbserver-nb-tls-certs
+          readOnly: true
+          subPath: ca.crt
         - name: varlogpods
           mountPath: "/var/log/pods"
         - name: varlogcontainer
@@ -109,6 +133,14 @@ spec:
         - configMapRef:
             name: collectd-env-vars
       volumes:
+      - name: ovsdbserver-sb-tls-certs
+        secret:
+          defaultMode: 256
+          secretName: cert-ovndbcluster-sb-ovndbs
+      - name: ovsdbserver-nb-tls-certs
+        secret:
+          defaultMode: 256
+          secretName: cert-ovndbcluster-nb-ovndbs
       - name: config-files
         configMap:
           name: collectd-configs

ansible/install/roles/collectd-rhoso/tasks/main.yml

@@ -105,6 +105,13 @@
     config_files: "{{ worker_nodes.stdout_lines | map('regex_replace', '^', '/tmp/') | map('regex_replace', '$', '.conf') }}"
 
 - block:
+    - name: Copy cert secrets from openstack ns to ospperf
+      shell: |
+        oc get secret {{ item }} -n openstack -o yaml | sed 's/namespace: openstack/namespace: ospperf/' | oc apply -n ospperf -f -
+      loop:
+        - cert-ovndbcluster-sb-ovndbs
+        - cert-ovndbcluster-nb-ovndbs
+
     - name: Create configmaps for collectd configs
       shell: |
         oc create -n ospperf configmap collectd-configs --from-file={{ config_files | join(' --from-file=') }}

browbeat-containers/collectd-rhoso/files/ovn_monitoring.sh

@@ -5,13 +5,23 @@ INTERVAL="${COLLECTD_INTERVAL:-15}"
 if [ "$1" = "sb" ]; then
   IP=$OVN_SBDB_IP
   PORT=$OVN_SBDB_PORT
+  DB="ovnsb"
 else
   IP=$OVN_NBDB_IP
   PORT=$OVN_NBDB_PORT
+  DB="ovnnb"
 fi
 
+PRIVATE_KEY="/etc/pki/$DB/tls/private/ovndb.key"
+CERTIFICATE="/etc/pki/$DB/tls/certs/ovndb.crt"
+CA_CERT="/etc/pki/$DB/tls/certs/ovndbca.crt"
+
 while sleep "$INTERVAL"; do
-  VALUE=$(sudo ovsdb-client dump --no-headings tcp:$IP:$PORT $2 | wc -l)
+  VALUE=$(sudo ovsdb-client dump --no-headings ssl:$IP:$PORT \
+    --private-key=$PRIVATE_KEY \
+    --certificate=$CERTIFICATE \
+    --ca-cert=$CA_CERT \
+    $2 | wc -l)
   VALUE=$[VALUE-1]
   echo "PUTVAL \"$HOSTNAME/ovn-$1db-$2/gauge-ovn_$1db_$2\" interval=$INTERVAL N:$VALUE"
 done