Add TSN HA support

Change-Id: I9835f06d74346c6c8762bbdccb6aea2170481bef

deployment_scripts/generate_tsn_certificates.py

@@ -0,0 +1,70 @@
+#!/usr/bin/env python
+#    Copyright 2016 Mirantis, Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+#
+#    This scipr is used to genereta all TSN certificates per claster
+#
+#    Example: $0 <env_id>
+#    Example: ./generate_tsn_certificates.py 1
+#
+#    By pszypowicz@mirantis.com
+
+import yaml
+import sys, os
+import logging
+from fuelclient.objects import Environment
+from subprocess import call
+
+try:
+    cluster_id = sys.argv[1]
+except Exception:
+    logging.warning('Provide cluster id as first parameter')
+    sys.exit(1)
+
+env = Environment(cluster_id)
+data = env.get_settings_data()
+
+try:
+    tor_configurations = data['editable']['contrail']['metadata']['versions'][0]['tor_agents_configurations']['value']
+except Exception:
+    logging.warning('Cannot read tor agents configuration')
+    sys.exit(2)
+
+certificate_path = '/var/lib/fuel/certificates'
+
+if not os.path.exists(certificate_path):
+    os.makedirs(certificate_path)
+
+directory = certificate_path + '/' + cluster_id + '/'
+
+#generate certificates ca
+call(['ovs-pki','init','--dir',directory])
+
+if not os.path.exists(directory + 'certs/'):
+    os.makedirs(directory + 'certs/')
+
+tor_configurations_yaml = yaml.load(tor_configurations)
+for i in tor_configurations_yaml:
+
+    #tor_agent path
+    tor_agent_directory = directory + 'certs/' + 'tor_agent_' + str(i)
+    if not os.path.exists(tor_agent_directory):
+        os.makedirs(tor_agent_directory)
+        call(['ovs-pki','req+sign','tor_agent_' + str(i),'--dir',directory],cwd=tor_agent_directory)
+
+    vtep_directory = directory + 'certs/' + 'vtep_' + str(i)
+    if not os.path.exists(vtep_directory):
+        os.makedirs(vtep_directory)
+        call(['ovs-pki','req+sign','vtep_' + str(i),'--dir',directory],cwd=vtep_directory)
+

deployment_scripts/puppet/modules/contrail/manifests/init.pp

@@ -121,11 +121,12 @@ class contrail {
   $dpdk_vf_number        = 0
 
 
-  # ToR agent settings
-  $enable_tor_agents  = $settings['enable_tor_agents']
-  $tor_agents_ssl  = $settings['tor_agents_ssl']
+  # ToR/TSN agent settings
+  $enable_tor_agents = $settings['enable_tor_agents']
   if $enable_tor_agents == true {
     $tor_agents_configurations = parseyaml($settings['tor_agents_configurations'])
+    $tor_nodes_hash            = get_nodes_hash_by_roles($network_metadata, ['primary-contrail-tsn', 'contrail-tsn'])
+    $tor_ips                   = ipsort(values(get_node_to_ipaddr_map_by_network_role($tor_nodes_hash, 'neutron/mesh')))
   }
 
   # Custom mount point for contrail-db

deployment_scripts/puppet/modules/contrail/manifests/provision/tor_agent.pp

@@ -13,15 +13,15 @@
 #    under the License.
 
 define contrail::provision::tor_agent(
-  $ovs_port,
-  $ovs_protocol,
   $tor_device_name,
   $tor_vendor_name,
   $tor_mgmt_ip,
   $tor_tun_ip,
+  $tor_id                    = $title,
+  $ovs_port                  = $title + 9900,
+  $ovs_protocol              = $::contrail::tsn::ovs_protocol,
   $contrail_dev_ip           = $::contrail::address,
   $tsn_vip_ip                = $::contrail::address,
-  $tor_id                    = $name,
   $contrail_discovery_server = $::contrail::contrail_private_vip,
 )
 {
@@ -46,24 +46,4 @@ define contrail::provision::tor_agent(
 && touch /opt/contrail/provision-tor-agent-${name}-DONE",
     creates => "/opt/contrail/provision-tor-agent-${name}-DONE",
   }
-
-  exec { "provision-tor-${name}":
-    command => "python /opt/contrail/utils/provision_physical_device.py \
---device_name ${tor_device_name} \
---vendor_name ${tor_vendor_name} \
---device_mgmt_ip ${tor_mgmt_ip} \
---device_tunnel_ip ${tor_tun_ip} \
---device_tor_agent ${::fqdn}-${tor_id} \
---device_tsn ${::fqdn} \
---oper add \
---admin_user '${::contrail::neutron_user}' \
---admin_tenant_name '${::contrail::service_tenant}' \
---admin_password '${::contrail::service_token}' \
---api_server_ip ${::contrail::contrail_mgmt_vip} \
---api_server_port 8082 \
---openstack_ip ${::contrail::keystone_address} \
-&& touch /opt/contrail/provision-tor-${name}-DONE",
-    creates => "/opt/contrail/provision-tor-${name}-DONE",
-    require => Exec["provision-tor-agent-${name}"],
-  }
 }

deployment_scripts/puppet/modules/contrail/manifests/tor_agent.pp

@@ -12,15 +12,15 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.
 define contrail::tor_agent (
-  $ovs_port,
-  $ovs_protocol,
   $tor_device_name,
   $tor_vendor_name,
   $tor_mgmt_ip,
   $tor_tun_ip,
+  $tor_id                    = $title,
+  $ovs_port                  = $title + 9900,
+  $ovs_protocol              = $::contrail::tsn::ovs_protocol,
   $contrail_dev_ip           = $::contrail::address,
   $tsn_vip_ip                = $::contrail::address,
-  $tor_id                    = $name,
   $contrail_discovery_server = $::contrail::contrail_private_vip,
 )
 {
@@ -33,14 +33,4 @@ define contrail::tor_agent (
     content => template('contrail/contrail-tor-agent.ini.erb')
   }
 
-  if $ovs_protocol == 'pssl' {
-    exec { "generate_tor-${name}_cert":
-      provider => 'shell',
-      path     => '/usr/bin:/bin:/sbin',
-      cwd      => '/etc/contrail/',
-      command  => "ovs-pki req+sign tor-${name}",
-      creates  => "/etc/contrail/tor-${name}-cert.pem",
-      require  => Exec['generate_ca_cert'],
-    }
-  }
 }

deployment_scripts/puppet/modules/contrail/manifests/tsn.pp

@@ -11,27 +11,16 @@
 #    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 #    License for the specific language governing permissions and limitations
 #    under the License.
-class contrail::tsn () {
+class contrail::tsn (
+  $ovs_protocol = 'pssl'
+  ) {
 
 if $::contrail::enable_tor_agents == true {
 
-  if $::contrail::tor_agents_ssl == false {
-    $default_ovs_protocol = 'tcp'
-  } else {
-    $default_ovs_protocol = 'pssl'
-  }
   package {'openvswitch-common':
       ensure => present
   }
 
-  exec { 'generate_ca_cert':
-    provider => 'shell',
-    path     => '/usr/bin:/bin:/sbin',
-    command  => 'ovs-pki init --force',
-    creates  => '/var/lib/openvswitch/pki/switchca/cacert.pem',
-    require  => Package['openvswitch-common'],
-  }
-
   service {'nova-compute':
     ensure => stopped
   } ->
@@ -49,8 +38,7 @@ if $::contrail::enable_tor_agents == true {
   }
 
   $tor_agents_defaults = {
-    'notify'       => 'Service[supervisor-vrouter]',
-    'ovs_protocol' => $default_ovs_protocol,
+    'notify'       => 'Service[supervisor-vrouter]'
   }
 
   create_resources(::contrail::tor_agent, $::contrail::tor_agents_configurations, $tor_agents_defaults)

deployment_scripts/puppet/modules/contrail/manifests/vip.pp

@@ -139,4 +139,9 @@ class contrail::vip {
     balancermember_options => 'check inter 10s fastinter 2s downinter 3s rise 3 fall 3',
   }
 
+  if $::contrail::enable_tor_agents {
+    $default_vip_hash = { 'order' => '208' }
+    create_resources(::contrail::vip::tor_agent, $::contrail::tor_agents_configurations, $default_vip_hash)
+  }
+
 }

deployment_scripts/puppet/modules/contrail/manifests/vip/tor_agent.pp

@@ -0,0 +1,48 @@
+#    Copyright 2016 Mirantis, Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+define contrail::vip::tor_agent (
+  $order,
+  $tor_device_name,
+  $tor_vendor_name,
+  $tor_mgmt_ip,
+  $tor_tun_ip,
+  $ovs_protocol = 'pssl',
+  $ovs_port     = $title + 9900,
+  $server_names = $::contrail::tor_ips,
+  $ipaddresses  = $::contrail::tor_ips,
+  )
+{
+  if $ovs_protocol == 'pssl' {
+
+    openstack::ha::haproxy_service { "contrail-tor-${ovs_port}":
+        order                  => $order,
+        listen_port            => $ovs_port,
+        balancermember_port    => $ovs_port,
+        server_names           => $server_names,
+        ipaddresses            => $ipaddresses,
+        public                 => false,
+        internal               => true,
+        haproxy_config_options =>
+          { 'option'         => ['nolinger', 'tcp-check'],
+            'balance'        => 'source',
+            'mode'           => 'tcp',
+            'tcp-check'      => "connect port ${ovs_port}",
+            'default-server' => 'error-limit 1 on-error mark-down'
+          },
+        balancermember_options => 'check inter 2000 rise 2 fall 3',
+      }
+  }
+
+}

deployment_scripts/puppet/modules/contrail/templates/contrail-tor-agent.conf.erb

@@ -102,13 +102,13 @@ tor_ovs_protocol=<%=@ovs_protocol%>
 
 <% if @ovs_protocol == 'pssl' -%>
 # Path to ssl certificate for tor-agent, needed for pssl
-ssl_cert=/etc/contrail/tor-<%= @tor_id -%>-cert.pem
+ssl_cert= /var/lib/astute/tsn_certificates/certs/tor_agent_<%= @tor_id -%>/tor_agent_<%= @tor_id -%>-cert.pem
 
 # Path to ssl private-key for tor-agent, needed for pssl
-ssl_privkey=/etc/contrail/tor-<%= @tor_id -%>-privkey.pem
+ssl_privkey=/var/lib/astute/tsn_certificates/certs/tor_agent_<%= @tor_id -%>/tor_agent_<%= @tor_id -%>-privkey.pem
 
 # Path to ssl cacert for tor-agent, needed for pssl
-ssl_cacert=/var/lib/openvswitch/pki/switchca/cacert.pem
+ssl_cacert=/var/lib/astute/tsn_certificates/cacert.pem
 <% end -%>
 
 tsn_ip=<%= @tsn_vip_ip %>

deployment_tasks.yaml

@@ -649,58 +649,128 @@
 ##############################################################
 
 # Set proper apt pin for Contrail repository
-- id: contrail-repository-tsn
+- id: contrail_repository_tsn
   type: puppet
   version: 2.0.0
-  groups: [primary-contrail-tsn]
+  groups: [primary-contrail-tsn,contrail-tsn]
+  requires: [setup_repositories, globals]
   required_for: [tools]
-  requires: [deploy_start, globals]
   parameters:
     puppet_manifest: puppet/manifests/contrail-compute-repo.pp
     puppet_modules: puppet/modules:/etc/puppet/modules
     timeout: 720
 
+- id: install_openvswitch
+  type: shell
+  version: 2.0.0
+  role: master
+  requires: [deploy_start]
+  required_for: [generate_tsn_certificates]
+  parameters:
+    cmd: /usr/bin/yum install openvswitch -y
+    timeout: 180
+    cwd: /
+  condition:
+    yaql_exp: '$.contrail.enable_tor_agents'
 
-- id: contrail-tsn-network
+- id: generate_tsn_certificates
+  type: shell
+  version: 2.0.0
+  role: master
+  requires: [install_openvswitch]
+  required_for: [generate_tsn_certificates_tgz]
+  parameters:
+    cmd: /usr/bin/python /var/www/nailgun/plugins/contrail-5.0/deployment_scripts/generate_tsn_certificates.py {CLUSTER_ID}
+    timeout: 180
+    cwd: /
+  condition:
+    yaql_exp: '$.contrail.enable_tor_agents'
+
+- id: generate_tsn_certificates_tgz
+  type: shell
+  version: 2.0.0
+  role: master
+  requires: [generate_tsn_certificates]
+  required_for: [copy_tsn_certificates]
+  parameters:
+    cmd: bash -c "/usr/bin/tar -czf /var/lib/fuel/certificates/{CLUSTER_ID}/certs.tgz certs"
+    timeout: 180
+    cwd: /var/lib/fuel/certificates/{CLUSTER_ID}/
+  condition:
+    yaql_exp: '$.contrail.enable_tor_agents'
+
+- id: copy_tsn_certificates
+  type: copy_files
+  version: 2.0.0
+  groups: [primary-contrail-tsn,contrail-tsn]
+  requires: [generate_tsn_certificates_tgz]
+  required_for: [unpack_tsn_certificates]
+  cross-depends:
+    - name: generate_tsn_certificates_tgz
+      role: master
+  parameters:
+    files:
+      - src: /var/lib/fuel/certificates/{CLUSTER_ID}/certs.tgz
+        dst: /var/lib/astute/tsn_certificates/certs.tgz
+      - src: /var/lib/fuel/certificates/{CLUSTER_ID}/switchca/cacert.pem
+        dst: /var/lib/astute/tsn_certificates/cacert.pem
+    permissions: '0600'
+    dir_permissions: '0700'
+    cwd: /
+
+- id: unpack_tsn_certificates
+  type: shell
+  version: 2.0.0
+  groups: [primary-contrail-tsn,contrail-tsn]
+  requires: [copy_tsn_certificates]
+  required_for: [contrail_tsn_network]
+  parameters:
+    cmd: bash -c "/bin/tar -xzf certs.tgz"
+    timeout: 180
+    cwd: /var/lib/astute/tsn_certificates/
+
+- id: contrail_tsn_network
   type: puppet
   version: 2.0.0
-  role: [primary-contrail-tsn]
-  required_for: [post_deployment_end, contrail-tsn-vrouter]
-  requires: [post_deployment_start]
+  groups: [primary-contrail-tsn,contrail-tsn]
+  requires: [netconfig,unpack_tsn_certificates]
+  required_for: [contrail_tsn_vrouter]
   parameters:
     puppet_manifest: puppet/manifests/contrail-compute-network.pp
     puppet_modules: puppet/modules:/etc/puppet/modules
     timeout: 720
 
-- id: contrail-tsn-vrouter
+- id: contrail_tsn_vrouter
   type: puppet
   version: 2.0.0
-  role: [primary-contrail-tsn]
-  requires: [post_deployment_start, contrail-tsn-network]
-  required_for: [reconfigure-contrail-tsn-vrouter]
+  groups: [primary-contrail-tsn,contrail-tsn]
+  requires: [contrail_tsn_network]
+  required_for: [reconfigure_contrail_tsn_vrouter]
   parameters:
     puppet_manifest: puppet/manifests/contrail-compute-vrouter.pp
     puppet_modules: puppet/modules:/etc/puppet/modules
     timeout: 720
 
-- id: reconfigure-contrail-tsn-vrouter
+- id: reconfigure_contrail_tsn_vrouter
   type: puppet
   version: 2.0.0
-  role: [primary-contrail-tsn]
-  requires: [contrail-tsn-vrouter]
-  required_for: [provision-tsn-vrouter]
+  groups: [primary-contrail-tsn,contrail-tsn]
+  requires: [contrail_tsn_vrouter]
+  required_for: [provision_tsn_vrouter]
+  cross-depends:
+   - name: contrail-config-primary
+   - name: contrail-config-provision-primary
   parameters:
     puppet_manifest: puppet/manifests/reconfigure-contrail-tsn-vrouter.pp
     puppet_modules: puppet/modules:/etc/puppet/modules
     timeout: 720
 
-
-- id: provision-tsn-vrouter
+- id: provision_tsn_vrouter
   type: puppet
   version: 2.0.0
-  role: [primary-contrail-tsn]
-  required_for: [post_deployment_end]
-  requires: [reconfigure-contrail-tsn-vrouter]
+  groups: [primary-contrail-tsn,contrail-tsn]
+  requires: [reconfigure_contrail_tsn_vrouter]
+  required_for: [deploy_end]
   cross-depends:
     - name: /contrail-config-provision(-all|-primary)/
   parameters:
@@ -708,8 +778,6 @@
     puppet_modules: puppet/modules:/etc/puppet/modules
     timeout: 720
 
-
-
 ##############################################################
 #  Compute tasks section
 ##############################################################

doc/source/contrail_tsn.rst

@@ -48,6 +48,20 @@ To configure TSN in your network, you need TOR switch.
 
     \clearpage
 
+HA implementation details
+-------------------------
+
+Contrail TSN in HA mode is implemented for default SSL mode.
+
+All required certificates will be located on CONTRAIL-TSN node in location:
+::
+
+  /var/lib/astute/tsn_certificates/certs
+
+There will be two folders per TOR service. Folder named tor_agent_<@id> contain certs
+for tor agent service. Folder named vtep_<@id> contain certificates which should be delivered
+to ToR Switch.
+
 Configure TSN
 -------------
 
@@ -55,24 +69,27 @@ Configure TSN
 
     .. image:: images/tsn_settings.png
 
-#.  Enable tor agent SSL certifications creation (optional)
-
 #.  Provide Tor Agents configuration in YAML format, based on example
     ::
 
       01:
-        ovs_port: 6286
-        ovs_protocol: tcp
         tor_mgmt_ip: 10.109.4.150
         tor_tun_ip: 10.109.4.150
         tor_device_name: ovs1
         tor_vendor_name: ovs
       02:
-        ovs_port: 6286
-        ovs_protocol: pssl
         tor_mgmt_ip: 10.109.4.151
         tor_tun_ip: 10.109.4.151
         tor_device_name: ovs2
         tor_vendor_name: ovs
 
+#.  Deploy additional node/nodes with CONTRAIL-TSN role
+
+    .. image:: images/contrail-tsn-nodes.png
+
+#.  Configure ToR Switches with SSL certificates located on TSN node in:
+    ::
+
+      /var/lib/astute/tsn_certificates/certs
+
 #.  Verify working TSN by going to Contrail web UI

environment_config.yaml

@@ -132,15 +132,6 @@ attributes:
     description: "Enable this option to unlock the Tor Agent configuration feature."
     weight: 230
     type: "checkbox"
-  tor_agents_ssl:
-    value: false
-    label: "Enable ToR agents ssl mode"
-    description: "Enable this option to generate ssl certificates and configure them for tor agents."
-    weight: 240
-    type: "checkbox"
-    restrictions:
-      - condition: "settings:contrail.enable_tor_agents.value == false"
-        action: "hide"
   tor_agents_configurations:
     value: ""
     label: "Configuration for TOR agents"

node_roles.yaml

@@ -95,6 +95,9 @@ contrail-tsn:
   has_primary: true
   public_ip_required: false
   weight: 100
+  limits:
+    min: 1
+    recommended: 2
   conflicts:
     - contrail-analytics
     - contrail-control