Support connecting OVN DB over SSL
This patch introduces parameters that support using SSL to connect to the OVN_Northbound DB and OVN_Southbound DB. Depends-On: https://review.opendev.org/#/c/683916/ Change-Id: Ib36a1b85ee33d1d06d14eaa323eba3e0f9b20f47 Signed-off-by: Kamil Sambor <ksambor@redhat.com>
This commit is contained in:
parent
3a2ee11991
commit
04df15e0a7
|
@ -139,6 +139,11 @@ parameters:
|
|||
description: Additional to the availability zones aware network scheduler.
|
||||
default: networks
|
||||
type: string
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
# DEPRECATED: the following options are deprecated and are currently maintained
|
||||
# for backwards compatibility. They will be removed in the Ocata cycle.
|
||||
NeutronL3HA:
|
||||
|
@ -172,6 +177,7 @@ conditions:
|
|||
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
|
||||
az_unset: {equals: [{get_param: NeutronDefaultAvailabilityZones}, '']}
|
||||
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
|
||||
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -321,6 +327,32 @@ outputs:
|
|||
{get_param: NeutronRouterSchedulerDriver}
|
||||
neutron::server::default_availability_zones:
|
||||
{get_param: NeutronDefaultAvailabilityZones}
|
||||
-
|
||||
if:
|
||||
- ovn_and_tls
|
||||
-
|
||||
generate_service_certificates: true
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::protocol: 'ssl'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
|
||||
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
|
||||
neutron_ovn_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
|
||||
service_key: '/etc/pki/tls/private/ovn_neutron_client.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
- {}
|
||||
service_config_settings:
|
||||
rsyslog:
|
||||
tripleo_logging_sources_neutron_api:
|
||||
|
@ -376,6 +408,14 @@ outputs:
|
|||
- path: /var/log/neutron
|
||||
owner: neutron:neutron
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/ovn_neutron_client.crt
|
||||
owner: neutron:neutron
|
||||
optional: true
|
||||
perm: '0644'
|
||||
- path: /etc/pki/tls/private/ovn_neutron_client.key
|
||||
owner: neutron:neutron
|
||||
optional: true
|
||||
perm: '0644'
|
||||
/var/lib/kolla/config_files/neutron_server_tls_proxy.json:
|
||||
command: /usr/sbin/httpd -DFOREGROUND
|
||||
config_files:
|
||||
|
@ -426,6 +466,12 @@ outputs:
|
|||
-
|
||||
- /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
|
||||
- if:
|
||||
- ovn_and_tls
|
||||
-
|
||||
- /etc/pki/tls/certs/ovn_neutron_client.crt:/etc/pki/tls/certs/ovn_neutron_client.crt
|
||||
- /etc/pki/tls/private/ovn_neutron_client.key:/etc/pki/tls/private/ovn_neutron_client.key
|
||||
- null
|
||||
environment:
|
||||
list_concat:
|
||||
- {get_param: NeutronApiOptEnvVars}
|
||||
|
@ -451,7 +497,14 @@ outputs:
|
|||
- {}
|
||||
host_prep_tasks: {get_attr: [NeutronLogging, host_prep_tasks]}
|
||||
metadata_settings:
|
||||
get_attr: [TLSProxyBase, role_data, metadata_settings]
|
||||
list_concat:
|
||||
- {get_attr: [TLSProxyBase, role_data, metadata_settings]}
|
||||
- if:
|
||||
- ovn_and_tls
|
||||
- - service: neutron_ovn
|
||||
network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
type: node
|
||||
- null
|
||||
post_upgrade_tasks:
|
||||
- when: step|int == 1
|
||||
import_role:
|
||||
|
|
|
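Review bot: The `permissions` entry added in hunk `@ -376,6 +408,14 @@` makes the client private key `/etc/pki/tls/private/ovn_neutron_client.key` world-readable (`perm: '0644'`); a private key should be readable by its owner only, so `perm: '0600'` (or `'0640'` if a group genuinely needs it) is the expected mode, while the `.crt` entry can keep `0644`. The same `0644` mode is applied to `/etc/pki/tls/private/ovn_metadata.key` in the later ovn-metadata hunk `@ -205,6 +231,14 @@`. `optional: true` is reasonable because the files only exist when `ovn_and_tls` holds, but that is not a reason to loosen the mode.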
@ -85,6 +85,14 @@ parameters:
|
|||
default: []
|
||||
description: List of servers to use as as dns forwarders
|
||||
type: comma_delimited_list
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
NeutronVhostuserSocketDir:
|
||||
default: ""
|
||||
description: The vhost-user socket directory for OVS
|
||||
|
@ -94,6 +102,7 @@ parameters:
|
|||
|
||||
conditions:
|
||||
neutron_dvr_unset: {equals : [{get_param: NeutronEnableDVR}, '']}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
vhostuser_dir_set:
|
||||
or:
|
||||
- {not: {equals: [{get_param: NeutronVhostuserSocketDir}, ""]}}
|
||||
|
@ -129,6 +138,16 @@ outputs:
|
|||
neutron::plugins::ml2::max_header_size: {get_param: NeutronGeneveMaxHeaderSize}
|
||||
neutron::plugins::ml2::ovn::dns_servers: {get_param: OVNDnsServers}
|
||||
neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
neutron::plugins::ml2::ovn::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
|
||||
neutron::plugins::ml2::ovn::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
|
||||
neutron::plugins::ml2::ovn::ovn_sb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
|
||||
neutron::plugins::ml2::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
|
||||
neutron::plugins::ml2::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
|
||||
neutron::plugins::ml2::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
- neutron_dvr_unset
|
||||
|
|
|
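Review bot: The block under `- internal_tls_enabled` in hunk `@ -129,6 +138,16 @@` hard-codes the same client cert/key paths that the neutron-api template in this commit sets under the `tripleo::profile::base::neutron::plugins::ml2::ovn::*` key family, so the two copies can drift silently. A short comment above the `- if:` naming the relationship, e.g. `# Same client cert/key as the neutron-api template; keep both in sync`, would document why the `neutron::plugins::ml2::ovn::*` family is set here as well. Which puppet consumer reads which family is not visible in this page and presumably depends on the Depends-On change.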
@ -78,9 +78,18 @@ parameters:
|
|||
description: Probe interval in ms
|
||||
type: number
|
||||
default: 60000
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
|
||||
conditions:
|
||||
force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -134,6 +143,25 @@ outputs:
|
|||
- force_config_drive
|
||||
- nova::compute::force_config_drive: true
|
||||
- {}
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'
|
||||
ovn_controller_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovn_controller.crt'
|
||||
service_key: '/etc/pki/tls/private/ovn_controller.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
@ -154,11 +182,28 @@ outputs:
|
|||
- /etc/sysconfig/modules:/etc/sysconfig/modules
|
||||
kolla_config:
|
||||
/var/lib/kolla/config_files/ovn_controller.json:
|
||||
command: /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock
|
||||
command:
|
||||
list_join:
|
||||
- ' '
|
||||
- - /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- list_join:
|
||||
- ' '
|
||||
- - -p /etc/pki/tls/private/ovn_controller.key -c /etc/pki/tls/certs/ovn_controller.crt -C
|
||||
- {get_param: InternalTLSCAFile}
|
||||
- ''
|
||||
permissions:
|
||||
- path: /var/log/openvswitch
|
||||
owner: root:root
|
||||
recurse: true
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- - service: ovn_controller
|
||||
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
type: node
|
||||
- null
|
||||
docker_config:
|
||||
step_4:
|
||||
configure_cms_options:
|
||||
|
@ -192,13 +237,26 @@ outputs:
|
|||
data:
|
||||
port: {get_param: OVNSouthboundServerPort}
|
||||
volumes:
|
||||
- /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /lib/modules:/lib/modules:ro
|
||||
# TODO(numans): This is temporary. Mount /run/openvswitch once
|
||||
# openvswitch systemd script is fixed to not delete /run/openvswitch
|
||||
# folder in the host when openvswitch service is stopped.
|
||||
- /run:/run
|
||||
- /var/log/containers/openvswitch:/var/log/openvswitch:z
|
||||
list_concat:
|
||||
-
|
||||
- /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro
|
||||
- /lib/modules:/lib/modules:ro
|
||||
# TODO(numans): This is temporary. Mount /run/openvswitch once
|
||||
# openvswitch systemd script is fixed to not delete /run/openvswitch
|
||||
# folder in the host when openvswitch service is stopped.
|
||||
- /run:/run
|
||||
- /var/log/containers/openvswitch:/var/log/openvswitch:z
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- list_join:
|
||||
- ':'
|
||||
- - {get_param: InternalTLSCAFile}
|
||||
- {get_param: InternalTLSCAFile}
|
||||
- 'ro'
|
||||
- /etc/pki/tls/certs/ovn_controller.crt:/etc/pki/tls/certs/ovn_controller.crt
|
||||
- /etc/pki/tls/private/ovn_controller.key:/etc/pki/tls/private/ovn_controller.key
|
||||
- null
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
host_prep_tasks:
|
||||
|
|
|
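Review bot: In hunk `@ -192,13 +237,26 @@` the `ovn_controller.crt` and `ovn_controller.key` bind mounts are read-write while the CA file mount directly above them is joined with `'ro'`; the container only needs to read them, so both should end in `:ro`: `- /etc/pki/tls/certs/ovn_controller.crt:/etc/pki/tls/certs/ovn_controller.crt:ro` and `- /etc/pki/tls/private/ovn_controller.key:/etc/pki/tls/private/ovn_controller.key:ro`. The ovn-dbs template in this same commit already mounts its key and cert `:ro`, which is the pattern to follow. The neutron-api hunk `@ -426,6 +466,12 @@` and the ovn-metadata hunk `@ -296,10 +330,23 @@` have the same omission.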
@ -60,10 +60,20 @@ parameters:
|
|||
description: >
|
||||
Setting this to a unique value will re-run any deployment tasks which
|
||||
perform configuration on a Heat stack-update.
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
|
||||
|
||||
conditions:
|
||||
puppet_debug_enabled: {get_param: ConfigDebug}
|
||||
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
|
@ -109,6 +119,27 @@ outputs:
|
|||
- 3125
|
||||
- {get_param: OVNNorthboundServerPort}
|
||||
- {get_param: OVNSouthboundServerPort}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
tripleo::profile::pacemaker::ovn_dbs_bundle::ca_file:
|
||||
get_param: InternalTLSCAFile
|
||||
tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'
|
||||
tripleo::profile::pacemaker::ovn_dbs_bundle::enable_internal_tls: true
|
||||
ovn_dbs_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovn_dbs.crt'
|
||||
service_key: '/etc/pki/tls/private/ovn_dbs.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
- {}
|
||||
service_config_settings: {}
|
||||
# BEGIN DOCKER SETTINGS
|
||||
puppet_config:
|
||||
|
@ -130,6 +161,16 @@ outputs:
|
|||
preserve_properties: true
|
||||
optional: true
|
||||
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- - service: ovn_dbs
|
||||
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
type: vip
|
||||
- service: ovn_dbs
|
||||
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
type: node
|
||||
- null
|
||||
docker_config:
|
||||
step_3:
|
||||
ovn_dbs_restart_bundle:
|
||||
|
@ -143,7 +184,15 @@ outputs:
|
|||
- TRIPLEO_MINOR_UPDATE
|
||||
command: /pacemaker_restart_bundle.sh ovn-dbs-bundle ovn_dbs
|
||||
image: {get_param: ContainerOvnDbsConfigImage}
|
||||
volumes: {get_attr: [ContainersCommon, pacemaker_restart_volumes]}
|
||||
volumes:
|
||||
list_concat:
|
||||
- {get_attr: [ContainersCommon, pacemaker_restart_volumes]}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/ovn_dbs.crt:/etc/pki/tls/certs/ovn_dbs.crt:ro
|
||||
- /etc/pki/tls/private/ovn_dbs.key:/etc/pki/tls/private/ovn_dbs.key:ro
|
||||
- null
|
||||
ovn_dbs_init_bundle:
|
||||
start_order: 1
|
||||
detach: false
|
||||
|
@ -169,6 +218,12 @@ outputs:
|
|||
- docker_enabled
|
||||
- - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
|
||||
- null
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/ovn_dbs.crt:/etc/pki/tls/certs/ovn_dbs.crt:ro
|
||||
- /etc/pki/tls/private/ovn_dbs.key:/etc/pki/tls/private/ovn_dbs.key:ro
|
||||
- null
|
||||
environment:
|
||||
# NOTE: this should force this container to re-run on each
|
||||
# update (scale-out, etc.)
|
||||
|
|
|
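Review bot: `tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'` in hunk `@ -109,6 +119,27 @@` is the hiera key the ovn-controller template in this commit uses for its agent, yet here it sits in the ovn-dbs bundle template next to the bundle's own `ca_file` and `enable_internal_tls` keys. If the ovn_dbs pacemaker profile does not read it, the line is dead configuration; if it does, a comment such as `# also consumed by the ovn_dbs bundle profile` would save the next reader the lookup. The puppet side is not visible here, so treat this as a question rather than a confirmed defect.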
@ -102,6 +102,11 @@ parameters:
|
|||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
DockerAdditionalSockets:
|
||||
default: ['/var/lib/openstack/docker.sock']
|
||||
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
|
||||
|
@ -176,6 +181,27 @@ outputs:
|
|||
- neutron_workers_unset
|
||||
- {}
|
||||
- neutron::agents::ovn_metadata::metadata_workers: {get_param: NeutronWorkers}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- tripleo::profile::base::neutron::ovn_metadata::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
|
||||
tripleo::profile::base::neutron::ovn_metadata::protocol: 'ssl'
|
||||
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
|
||||
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_private_key: '/etc/pki/tls/private/ovn_metadata.key'
|
||||
generate_service_certificates: true
|
||||
ovn_metadata_certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
|
||||
service_key: '/etc/pki/tls/private/ovn_metadata.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
- {}
|
||||
|
||||
puppet_config:
|
||||
puppet_tags: neutron_config,ovn_metadata_agent_config
|
||||
|
@ -205,6 +231,14 @@ outputs:
|
|||
- path: /var/lib/neutron
|
||||
owner: neutron:neutron
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/certs/ovn_metadata.crt
|
||||
owner: neutron:neutron
|
||||
optional: true
|
||||
perm: '0644'
|
||||
- path: /etc/pki/tls/private/ovn_metadata.key
|
||||
owner: neutron:neutron
|
||||
optional: true
|
||||
perm: '0644'
|
||||
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
|
||||
deploy_steps_tasks:
|
||||
- when: step|int == 1
|
||||
|
@ -296,10 +330,23 @@ outputs:
|
|||
- haproxy_wrapper_enabled
|
||||
- - /var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro
|
||||
- null
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- /etc/pki/tls/certs/ovn_metadata.crt:/etc/pki/tls/certs/ovn_metadata.crt
|
||||
- /etc/pki/tls/private/ovn_metadata.key:/etc/pki/tls/private/ovn_metadata.key
|
||||
- null
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
metadata_settings:
|
||||
get_attr: [NeutronBase, role_data, metadata_settings]
|
||||
list_concat:
|
||||
- {get_attr: [NeutronBase, role_data, metadata_settings]}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- - service: ovn_metadata
|
||||
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
|
||||
type: node
|
||||
- null
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
||||
|
|