Support connecting OVN DB over SSL

This patch introduces parameters which support using SSL to connect to
OVN_Northbound DB and OVN_Southbound DB.

Depends-On: https://review.opendev.org/#/c/683916/
Change-Id: Ib36a1b85ee33d1d06d14eaa323eba3e0f9b20f47
Signed-off-by: Kamil Sambor <ksambor@redhat.com>
This commit is contained in:
Kamil Sambor 2019-09-05 11:05:21 +02:00
parent 3a2ee11991
commit 04df15e0a7
5 changed files with 243 additions and 11 deletions


@ -139,6 +139,11 @@ parameters:
description: Additional to the availability zones aware network scheduler.
default: networks
type: string
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
# DEPRECATED: the following options are deprecated and are currently maintained
# for backwards compatibility. They will be removed in the Ocata cycle.
NeutronL3HA:
@ -172,6 +177,7 @@ conditions:
is_ovn_in_neutron_mechanism_driver: {contains: ['ovn', {get_param: NeutronMechanismDrivers}]}
az_unset: {equals: [{get_param: NeutronDefaultAvailabilityZones}, '']}
omit_az_configs: {or: [is_ovn_in_neutron_mechanism_driver, az_unset]}
ovn_and_tls: {and: [is_ovn_in_neutron_mechanism_driver, internal_tls_enabled]}
resources:
@ -321,6 +327,32 @@ outputs:
{get_param: NeutronRouterSchedulerDriver}
neutron::server::default_availability_zones:
{get_param: NeutronDefaultAvailabilityZones}
-
if:
- ovn_and_tls
-
generate_service_certificates: true
tripleo::profile::base::neutron::plugins::ml2::ovn::protocol: 'ssl'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
tripleo::profile::base::neutron::plugins::ml2::ovn::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
neutron_ovn_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
service_key: '/etc/pki/tls/private/ovn_neutron_client.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
principal:
str_replace:
template: "neutron_ovn/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
- {}
service_config_settings:
rsyslog:
tripleo_logging_sources_neutron_api:
@ -376,6 +408,14 @@ outputs:
- path: /var/log/neutron
owner: neutron:neutron
recurse: true
- path: /etc/pki/tls/certs/ovn_neutron_client.crt
owner: neutron:neutron
optional: true
perm: '0644'
- path: /etc/pki/tls/private/ovn_neutron_client.key
owner: neutron:neutron
optional: true
perm: '0644'
/var/lib/kolla/config_files/neutron_server_tls_proxy.json:
command: /usr/sbin/httpd -DFOREGROUND
config_files:
@ -426,6 +466,12 @@ outputs:
-
- /var/lib/kolla/config_files/neutron_api.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/neutron/:/var/lib/kolla/config_files/src:ro
- if:
- ovn_and_tls
-
- /etc/pki/tls/certs/ovn_neutron_client.crt:/etc/pki/tls/certs/ovn_neutron_client.crt
- /etc/pki/tls/private/ovn_neutron_client.key:/etc/pki/tls/private/ovn_neutron_client.key
- null
environment:
list_concat:
- {get_param: NeutronApiOptEnvVars}
@ -451,7 +497,14 @@ outputs:
- {}
host_prep_tasks: {get_attr: [NeutronLogging, host_prep_tasks]}
metadata_settings:
get_attr: [TLSProxyBase, role_data, metadata_settings]
list_concat:
- {get_attr: [TLSProxyBase, role_data, metadata_settings]}
- if:
- ovn_and_tls
- - service: neutron_ovn
network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
type: node
- null
post_upgrade_tasks:
- when: step|int == 1
import_role:
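Review bot: The client private key is installed world-readable: the kolla `permissions` entry for `/etc/pki/tls/private/ovn_neutron_client.key` sets `perm: '0644'`, the same mode as the public certificate entry above it. Only the neutron user needs to read the key, so that entry should be `perm: '0600'` while the certificate can keep '0644'. The same 0644 key permission is repeated for `/etc/pki/tls/private/ovn_metadata.key` in the ovn-metadata template later in this commit and should be tightened there too.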


@ -85,6 +85,14 @@ parameters:
default: []
description: List of servers to use as as dns forwarders
type: comma_delimited_list
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
NeutronVhostuserSocketDir:
default: ""
description: The vhost-user socket directory for OVS
@ -94,6 +102,7 @@ parameters:
conditions:
neutron_dvr_unset: {equals : [{get_param: NeutronEnableDVR}, '']}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
vhostuser_dir_set:
or:
- {not: {equals: [{get_param: NeutronVhostuserSocketDir}, ""]}}
@ -129,6 +138,16 @@ outputs:
neutron::plugins::ml2::max_header_size: {get_param: NeutronGeneveMaxHeaderSize}
neutron::plugins::ml2::ovn::dns_servers: {get_param: OVNDnsServers}
neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType}
- if:
- internal_tls_enabled
-
neutron::plugins::ml2::ovn::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
neutron::plugins::ml2::ovn::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
neutron::plugins::ml2::ovn::ovn_sb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
neutron::plugins::ml2::ovn::ovn_nb_ca_cert: {get_param: InternalTLSCAFile}
neutron::plugins::ml2::ovn::ovn_nb_certificate: '/etc/pki/tls/certs/ovn_neutron_client.crt'
neutron::plugins::ml2::ovn::ovn_nb_private_key: '/etc/pki/tls/private/ovn_neutron_client.key'
- {}
-
if:
- neutron_dvr_unset
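Review bot: `EnableInternalTLS` is added without a `description`, while the neighbouring `InternalTLSCAFile` parameter documents itself; the only thing telling a reader what the flag means is the `internal_tls_enabled` condition further down. Suggest `description: Whether TLS in the internal network is enabled or not.` (or the wording already used by the other templates that declare this parameter, so the copies stay identical). The ovn-controller and ovn-dbs templates in this commit add the same undocumented parameter.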


@ -78,9 +78,18 @@ parameters:
description: Probe interval in ms
type: number
default: 60000
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
force_config_drive: {equals: [{get_param: OVNMetadataEnabled}, false]}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@ -134,6 +143,25 @@ outputs:
- force_config_drive
- nova::compute::force_config_drive: true
- {}
-
if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'
ovn_controller_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ovn_controller.crt'
service_key: '/etc/pki/tls/private/ovn_controller.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_controller/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
- {}
service_config_settings: {}
# BEGIN DOCKER SETTINGS
puppet_config:
@ -154,11 +182,28 @@ outputs:
- /etc/sysconfig/modules:/etc/sysconfig/modules
kolla_config:
/var/lib/kolla/config_files/ovn_controller.json:
command: /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock
command:
list_join:
- ' '
- - /usr/bin/ovn-controller --pidfile --log-file unix:/run/openvswitch/db.sock
- if:
- internal_tls_enabled
- list_join:
- ' '
- - -p /etc/pki/tls/private/ovn_controller.key -c /etc/pki/tls/certs/ovn_controller.crt -C
- {get_param: InternalTLSCAFile}
- ''
permissions:
- path: /var/log/openvswitch
owner: root:root
recurse: true
metadata_settings:
if:
- internal_tls_enabled
- - service: ovn_controller
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
type: node
- null
docker_config:
step_4:
configure_cms_options:
@ -192,13 +237,26 @@ outputs:
data:
port: {get_param: OVNSouthboundServerPort}
volumes:
- /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro
- /lib/modules:/lib/modules:ro
# TODO(numans): This is temporary. Mount /run/openvswitch once
# openvswitch systemd script is fixed to not delete /run/openvswitch
# folder in the host when openvswitch service is stopped.
- /run:/run
- /var/log/containers/openvswitch:/var/log/openvswitch:z
list_concat:
-
- /var/lib/kolla/config_files/ovn_controller.json:/var/lib/kolla/config_files/config.json:ro
- /lib/modules:/lib/modules:ro
# TODO(numans): This is temporary. Mount /run/openvswitch once
# openvswitch systemd script is fixed to not delete /run/openvswitch
# folder in the host when openvswitch service is stopped.
- /run:/run
- /var/log/containers/openvswitch:/var/log/openvswitch:z
- if:
- internal_tls_enabled
-
- list_join:
- ':'
- - {get_param: InternalTLSCAFile}
- {get_param: InternalTLSCAFile}
- 'ro'
- /etc/pki/tls/certs/ovn_controller.crt:/etc/pki/tls/certs/ovn_controller.crt
- /etc/pki/tls/private/ovn_controller.key:/etc/pki/tls/private/ovn_controller.key
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
host_prep_tasks:
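Review bot: The ovn_controller certificate and private key are bind-mounted read-write (`/etc/pki/tls/certs/ovn_controller.crt:/etc/pki/tls/certs/ovn_controller.crt` and the `.key` line below it), while the CA file joined two lines above ends in `'ro'` and the ovn-dbs template in this commit mounts its cert and key with `:ro`. The container only reads these files, so append `:ro` to both mounts so a misbehaving or compromised container cannot modify the host's credentials. The same read-write cert/key mounts appear for `ovn_neutron_client.*` in the neutron-api template and `ovn_metadata.*` in the ovn-metadata template.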


@ -60,10 +60,20 @@ parameters:
description: >
Setting this to a unique value will re-run any deployment tasks which
perform configuration on a Heat stack-update.
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
conditions:
puppet_debug_enabled: {get_param: ConfigDebug}
docker_enabled: {equals: [{get_param: ContainerCli}, 'docker']}
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
resources:
@ -109,6 +119,27 @@ outputs:
- 3125
- {get_param: OVNNorthboundServerPort}
- {get_param: OVNSouthboundServerPort}
- if:
- internal_tls_enabled
- generate_service_certificates: true
tripleo::profile::pacemaker::ovn_dbs_bundle::ca_file:
get_param: InternalTLSCAFile
tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'
tripleo::profile::pacemaker::ovn_dbs_bundle::enable_internal_tls: true
ovn_dbs_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ovn_dbs.crt'
service_key: '/etc/pki/tls/private/ovn_dbs.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_dbs/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
- {}
service_config_settings: {}
# BEGIN DOCKER SETTINGS
puppet_config:
@ -130,6 +161,16 @@ outputs:
preserve_properties: true
optional: true
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
metadata_settings:
if:
- internal_tls_enabled
- - service: ovn_dbs
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
type: vip
- service: ovn_dbs
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
type: node
- null
docker_config:
step_3:
ovn_dbs_restart_bundle:
@ -143,7 +184,15 @@ outputs:
- TRIPLEO_MINOR_UPDATE
command: /pacemaker_restart_bundle.sh ovn-dbs-bundle ovn_dbs
image: {get_param: ContainerOvnDbsConfigImage}
volumes: {get_attr: [ContainersCommon, pacemaker_restart_volumes]}
volumes:
list_concat:
- {get_attr: [ContainersCommon, pacemaker_restart_volumes]}
- if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/ovn_dbs.crt:/etc/pki/tls/certs/ovn_dbs.crt:ro
- /etc/pki/tls/private/ovn_dbs.key:/etc/pki/tls/private/ovn_dbs.key:ro
- null
ovn_dbs_init_bundle:
start_order: 1
detach: false
@ -169,6 +218,12 @@ outputs:
- docker_enabled
- - /etc/corosync/corosync.conf:/etc/corosync/corosync.conf:ro
- null
- if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/ovn_dbs.crt:/etc/pki/tls/certs/ovn_dbs.crt:ro
- /etc/pki/tls/private/ovn_dbs.key:/etc/pki/tls/private/ovn_dbs.key:ro
- null
environment:
# NOTE: this should force this container to re-run on each
# update (scale-out, etc.)
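Review bot: `tripleo::profile::base::neutron::agents::ovn::protocol: 'ssl'` in the internal_tls_enabled branch is the ovn-controller agent's hiera key (the ovn-controller template in this commit sets the same line), and in the ovn_dbs template it reads as a copy-paste rather than a setting the pacemaker bundle profile consumes; the intent appears to be carried by `tripleo::profile::pacemaker::ovn_dbs_bundle::enable_internal_tls: true` on the next line. If the ovn_dbs_bundle profile does not read the agents key, drop the line so the protocol setting has a single owner; if it does, a one-line comment saying so would spare the next reader the same question. This is inferred from the key names only and should be confirmed against the puppet-tripleo change named in the Depends-On.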


@ -102,6 +102,11 @@ parameters:
EnableInternalTLS:
type: boolean
default: false
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
DockerAdditionalSockets:
default: ['/var/lib/openstack/docker.sock']
description: Additional domain sockets for the docker daemon to bind to (useful for mounting
@ -176,6 +181,27 @@ outputs:
- neutron_workers_unset
- {}
- neutron::agents::ovn_metadata::metadata_workers: {get_param: NeutronWorkers}
- if:
- internal_tls_enabled
- tripleo::profile::base::neutron::ovn_metadata::ovn_sb_ca_cert: {get_param: InternalTLSCAFile}
tripleo::profile::base::neutron::ovn_metadata::protocol: 'ssl'
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
tripleo::profile::base::neutron::ovn_metadata::ovn_sb_private_key: '/etc/pki/tls/private/ovn_metadata.key'
generate_service_certificates: true
ovn_metadata_certificate_specs:
service_certificate: '/etc/pki/tls/certs/ovn_metadata.crt'
service_key: '/etc/pki/tls/private/ovn_metadata.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
principal:
str_replace:
template: "ovn_metadata/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, OvnDbsNetwork]}
- {}
puppet_config:
puppet_tags: neutron_config,ovn_metadata_agent_config
@ -205,6 +231,14 @@ outputs:
- path: /var/lib/neutron
owner: neutron:neutron
recurse: true
- path: /etc/pki/tls/certs/ovn_metadata.crt
owner: neutron:neutron
optional: true
perm: '0644'
- path: /etc/pki/tls/private/ovn_metadata.key
owner: neutron:neutron
optional: true
perm: '0644'
container_config_scripts: {get_attr: [ContainersCommon, container_config_scripts]}
deploy_steps_tasks:
- when: step|int == 1
@ -296,10 +330,23 @@ outputs:
- haproxy_wrapper_enabled
- - /var/lib/neutron/ovn_metadata_haproxy_wrapper:/usr/local/bin/haproxy:ro
- null
- if:
- internal_tls_enabled
-
- /etc/pki/tls/certs/ovn_metadata.crt:/etc/pki/tls/certs/ovn_metadata.crt
- /etc/pki/tls/private/ovn_metadata.key:/etc/pki/tls/private/ovn_metadata.key
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [NeutronBase, role_data, metadata_settings]
list_concat:
- {get_attr: [NeutronBase, role_data, metadata_settings]}
- if:
- internal_tls_enabled
- - service: ovn_metadata
network: {get_param: [ServiceNetMap, OvnDbsNetwork]}
type: node
- null
host_prep_tasks:
list_concat:
- {get_attr: [NeutronLogging, host_prep_tasks]}