From 1bfe785fd5773ab52bbe892d48ba3af5428add60 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Thu, 1 Dec 2022 12:44:21 +0900
Subject: [PATCH] Add support for SSL connections to NB/SB DB

To allow ovn-northd to connect over SSL, the key, cert and cacert needs to be set.

Co-Authored-By: Jake Yip
Change-Id: I574992748506e357af383588fb89b45203dee738
---
 manifests/northd.pp | 30 ++++++++++++++++++-
 .../ovn-northd-ssl-db-0d77bbd457a21df6.yaml | 9 ++++++
 spec/classes/ovn_northd_spec.rb | 20 +++++++++++--
 3 files changed, 55 insertions(+), 4 deletions(-)
 create mode 100644 releasenotes/notes/ovn-northd-ssl-db-0d77bbd457a21df6.yaml

diff --git a/manifests/northd.pp b/manifests/northd.pp
index cc2bbb4..005f7a9 100644
--- a/manifests/northd.pp
+++ b/manifests/northd.pp
@@ -23,12 +23,27 @@
 # SB DB address(es)
 # Defaults to undef
 #
+# [*ovn_northd_ssl_key*]
+# OVN Northd SSL private key file
+# Defaults to undef
+#
+# [*ovn_northd_ssl_cert*]
+# OVN Northd SSL certificate file
+# Defaults to undef
+#
+# [*ovn_northd_ssl_ca_cert*]
+# OVN Northd SSL CA certificate file
+# Defaults to undef
+#
 class ovn::northd(
 $dbs_listen_ip = '0.0.0.0',
 $dbs_cluster_local_addr = undef,
 $dbs_cluster_remote_addr = undef,
 $ovn_northd_nb_db = undef,
 $ovn_northd_sb_db = undef,
+ $ovn_northd_ssl_key = undef,
+ $ovn_northd_ssl_cert = undef,
+ $ovn_northd_ssl_ca_cert = undef,
 ) {
 include ovn::params
 include vswitch::ovs
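Review bot: The three new parameter entries each say only "Defaults to undef" and do not mention that the class rejects a partial set, so a reader of the header cannot tell the parameters are all-or-nothing; add to each entry a line such as `#   Must be set together with the other two ovn_northd_ssl_* parameters to enable SSL.` Also, the release note added by this commit lists `ovn::northd::ovn_northd_ssl_cacert`, which does not match the parameter declared here, `ovn_northd_ssl_ca_cert`. The body of ovn::northd continues outside this hunk.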
@@ -72,11 +87,24 @@ class ovn::northd(
 default => fail('ovn_northd_sb_db_opts must be of type String or Array[String]'),
 }
 
+ if $ovn_northd_ssl_key and $ovn_northd_ssl_cert and $ovn_northd_ssl_ca_cert {
+ $ovn_northd_ssl_opts = [
+ "--ovn-northd-ssl-key=${ovn_northd_ssl_key}",
+ "--ovn-northd-ssl-cert=${ovn_northd_ssl_cert}",
+ "--ovn-northd-ssl-ca-cert=${ovn_northd_ssl_ca_cert}"
+ ]
+ } elsif ! ($ovn_northd_ssl_key or $ovn_northd_ssl_cert or $ovn_northd_ssl_ca_cert) {
+ $ovn_northd_ssl_opts = []
+ } else {
+ fail('The ovn_northd_ssl_key, cert and ca_cert are required to use SSL.')
+ }
+
 $ovn_northd_opts = join($ovn_northd_opts_addr +
 $ovn_northd_opts_cluster_local_addr +
 $ovn_northd_opts_cluster_remote_addr +
 $ovn_northd_nb_db_opts +
- $ovn_northd_sb_db_opts,
+ $ovn_northd_sb_db_opts +
+ $ovn_northd_ssl_opts,
 ' ')

 augeas { 'config-ovn-northd':
diff --git a/releasenotes/notes/ovn-northd-ssl-db-0d77bbd457a21df6.yaml b/releasenotes/notes/ovn-northd-ssl-db-0d77bbd457a21df6.yaml
new file mode 100644
index 0000000..53d3485
--- /dev/null
+++ b/releasenotes/notes/ovn-northd-ssl-db-0d77bbd457a21df6.yaml
@@ -0,0 +1,9 @@
+---
+features:
+ - |
+ Add support for ovn-northd to connect via SSL to NB and SB DB. To enable
+ SSL, set the following parameters.
+
+ - ``ovn::northd::ovn_northd_ssl_key``
+ - ``ovn::northd::ovn_northd_ssl_cert``
+ - ``ovn::northd::ovn_northd_ssl_cacert``
diff --git a/spec/classes/ovn_northd_spec.rb b/spec/classes/ovn_northd_spec.rb
index 52c3063..f412365 100644
--- a/spec/classes/ovn_northd_spec.rb
+++ b/spec/classes/ovn_northd_spec.rb
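Review bot: The new `if`/`elsif` only checks that key, cert and CA cert are given together; it does not relate them to the scheme of `ovn_northd_nb_db`/`ovn_northd_sb_db`, and as far as I know ovn-northd chooses TLS from an `ssl:` address prefix, so SSL files combined with `tcp:` addresses are accepted silently and yield a plaintext connection. A `warning()` (or a `fail()`) when `$ovn_northd_ssl_opts` is non-empty and a configured address does not start with `ssl:` would make that misconfiguration visible; the address parsing it would hook into is above this hunk. Separately, in Puppet 4+ an empty string is truthy, so `''` for any of the three satisfies the first branch and emits an option with an empty path (`--ovn-northd-ssl-key=`); adding `!= ''` checks, or typing the parameters, would catch that. The ovn::northd class starts and ends outside this hunk.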
@@ -19,8 +19,11 @@ describe 'ovn::northd' do
 context 'with parameters' do
 let :params do
 {
- :ovn_northd_nb_db => 'tcp:192.0.2.1:6645,tcp:192.0.2.2:6645,tcp:192.0.2.3:6645',
- :ovn_northd_sb_db => ['tcp:192.0.2.1:6646', 'tcp:192.0.2.2:6646', 'tcp:192.0.2.3:6646'],
+ :ovn_northd_nb_db => 'ssl:192.0.2.1:6645,ssl:192.0.2.2:6645,ssl:192.0.2.3:6645',
+ :ovn_northd_sb_db => ['ssl:192.0.2.1:6646', 'ssl:192.0.2.2:6646', 'ssl:192.0.2.3:6646'],
+ :ovn_northd_ssl_key => 'key.pem',
+ :ovn_northd_ssl_cert => 'cert.pem',
+ :ovn_northd_ssl_ca_cert => 'cacert.pem',
 }
 end

@@ -29,12 +32,23 @@ describe 'ovn::northd' do
 :context => platform_params[:ovn_northd_context],
 :changes => "set " + platform_params[:ovn_northd_option_name] + " '\"" +
 "--db-nb-addr=0.0.0.0 --db-sb-addr=0.0.0.0 --db-nb-create-insecure-remote=yes --db-sb-create-insecure-remote=yes" +
- " --ovn-northd-nb-db=tcp:192.0.2.1:6645,tcp:192.0.2.2:6645,tcp:192.0.2.3:6645 --ovn-northd-sb-db=tcp:192.0.2.1:6646,tcp:192.0.2.2:6646,tcp:192.0.2.3:6646" +
+ " --ovn-northd-nb-db=ssl:192.0.2.1:6645,ssl:192.0.2.2:6645,ssl:192.0.2.3:6645 --ovn-northd-sb-db=ssl:192.0.2.1:6646,ssl:192.0.2.2:6646,ssl:192.0.2.3:6646" +
+ " --ovn-northd-ssl-key=key.pem --ovn-northd-ssl-cert=cert.pem --ovn-northd-ssl-ca-cert=cacert.pem" +
 "\"'",
 })
 end
 end
 
+ context 'with bad ssl parameters' do
+ let :params do
+ {
+ :ovn_northd_ssl_key => 'key.pem',
+ }
+ end
+
+ it { should raise_error(Puppet::Error, /The ovn_northd_ssl_key, cert and ca_cert are required to use SSL/) }
+ end
+
 end

 shared_examples_for 'ovn northd' do
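Review bot: Switching the existing 'with parameters' context from `tcp:` to `ssl:` addresses and adding the SSL files means the explicit-address path without SSL material (the `$ovn_northd_ssl_opts = []` branch combined with `tcp:` URLs) is no longer exercised by any test visible here; unless a context outside this hunk covers it, keep the previous tcp case as its own context and add the SSL case as a second one, e.g. `context 'with ssl parameters' do`. The enclosing describe block continues outside the hunk.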
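Review bot: The new 'with bad ssl parameters' context checks only the key-only case, while the manifest's `elsif` rejects every partial combination (cert-only, ca_cert-only, any two of three); a table-driven context over those combinations would pin the validation rather than one instance of it, as sketched below. It is also worth a comment on the 'with parameters' expectation that `--db-nb-create-insecure-remote=yes --db-sb-create-insecure-remote=yes` remains in the expected command, i.e. as far as this string shows the new parameters change only northd's client connection to the DBs and not what the DBs themselves expose. The enclosing describe block continues outside the hunk.
```ruby
    context 'with incomplete ssl parameters' do
      {
        'key only'     => { :ovn_northd_ssl_key => 'key.pem' },
        'cert only'    => { :ovn_northd_ssl_cert => 'cert.pem' },
        'ca_cert only' => { :ovn_northd_ssl_ca_cert => 'cacert.pem' },
        'key and cert' => { :ovn_northd_ssl_key => 'key.pem', :ovn_northd_ssl_cert => 'cert.pem' },
      }.each do |desc, partial|
        context desc do
          let :params do
            partial
          end

          it { should raise_error(Puppet::Error, /The ovn_northd_ssl_key, cert and ca_cert are required to use SSL/) }
        end
      end
    end
```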