Enable SSL in OVN

This introduces the settings required to enable SSL in OVN NB DB, SB DB and controller. Depends-on: https://review.opendev.org/875311 Depends-on: https://review.opendev.org/874997 Change-Id: I2ede76684d149f1abbda2fa7b8f2e4b2345df839
2023-02-26 21:02:19 +09:00 · 2023-02-26 21:02:19 +09:00 · 51e8df7633
commit 51e8df7633
parent 5314aabd92
4 changed files with 128 additions and 27 deletions
--- a/copy_logs.sh
+++ b/copy_logs.sh
@ -193,27 +193,36 @@ elif is_fedora; then
 fi

 # openvswitch
+if [ -d /etc/openvswitch ] ; then
+    sudo cp -r /etc/openvswitch $LOG_DIR/etc/
+fi
 if [ -d /var/log/openvswitch ] ; then
    sudo cp -r /var/log/openvswitch $LOG_DIR/
 fi

 # ovn
 if [ -d /var/log/ovn ] ; then
-    sudo ovn-nbctl show > $LOG_DIR/ovn-nbctl_show.txt
-    sudo ovn-nbctl get-connection > $LOG_DIR/ovn-nbctl_get-connection.txt
-    sudo ovn-sbctl show > $LOG_DIR/ovn-sbctl_show.txt
-    sudo ovn-sbctl get-connection > $LOG_DIR/ovn-sbctl_get-connection.txt
+    mkdir -p $LOG_DIR/ovn
+    for db in nb sb ; do
+        sudo ovn-${db}ctl show > $LOG_DIR/ovn/ovn-${db}ctl_show.txt
+        sudo ovn-${db}ctl get-connection > $LOG_DIR/ovn/ovn-${db}ctl_get-connection.txt
+        sudo ovn-${db}ctl get-ssl > $LOG_DIR/ovn/ovn-${db}ctl_get-ssl.txt
+    done
 fi
 if uses_debs ; then
-    if [ -f /etc/default/ovn-central ]; then
-        mkdir -p $LOG_DIR/etc/default
-        sudo cp /etc/default/ovn-central $LOG_DIR/etc/default/
-    fi
+    for f in ovn-central ovn-host ; do
+        if [ -f /etc/default/$f ]; then
+            mkdir -p $LOG_DIR/etc/default
+            sudo cp /etc/default/$f $LOG_DIR/etc/default/
+        fi
+    done
 elif is_fedora; then
-    if [ -f /etc/sysconfig/ovn-northd ]; then
-        mkdir -p $LOG_DIR/etc/sysconfig
-        sudo cp /etc/sysconfig/ovn-northd $LOG_DIR/etc/sysconfig/
-    fi
+    for f in ovn-northd ovn-controller ; do
+        if [ -f /etc/sysconfig/ovn-northd ]; then
+            mkdir -p $LOG_DIR/etc/sysconfig
+            sudo cp /etc/sysconfig/$f $LOG_DIR/etc/sysconfig/
+        fi
+    done
 fi

 # sudo config
--- a/manifests/neutron.pp
+++ b/manifests/neutron.pp
@ -278,13 +278,24 @@ class openstack_integration::neutron (
      }
    }
    'ovn': {
+      include openstack_integration::ovn
      # NOTE(tkajinam): neutron::plugins::ml2::ovn requires neutron::plugins::ml2,
      #                 thus it should be included after neutron::plugins::ml2.
      class { 'neutron::plugins::ml2::ovn':
-        ovn_nb_connection    => "tcp:${::openstack_integration::config::ip_for_url}:6641",
-        ovn_sb_connection    => "tcp:${::openstack_integration::config::ip_for_url}:6642",
+        ovn_nb_connection    => $::openstack_integration::ovn::ovn_nb_connection,
+        ovn_nb_private_key   => $::openstack_integration::ovn::ovn_nb_db_ssl_key,
+        ovn_nb_certificate   => $::openstack_integration::ovn::ovn_nb_db_ssl_cert,
+        ovn_nb_ca_cert       => $::openstack_integration::ovn::ovn_nb_db_ssl_ca_cert,
+        ovn_sb_connection    => $::openstack_integration::ovn::ovn_sb_connection,
+        ovn_sb_private_key   => $::openstack_integration::ovn::ovn_sb_db_ssl_key,
+        ovn_sb_certificate   => $::openstack_integration::ovn::ovn_sb_db_ssl_cert,
+        ovn_sb_ca_cert       => $::openstack_integration::ovn::ovn_sb_db_ssl_ca_cert,
        ovn_metadata_enabled => true,
      }
+      if $::openstack_integration::config::ssl {
+        File['/etc/openvswitch/ovnnb-privkey.pem'] -> Anchor['neutron::config::end']
+        File['/etc/openvswitch/ovnsb-privkey.pem'] -> Anchor['neutron::config::end']
+      }
    }
    'linuxbridge': {
      class { 'neutron::agents::ml2::linuxbridge':
@ -312,11 +323,14 @@ class openstack_integration::neutron (

  if $driver == 'ovn' {
    class { 'neutron::agents::ovn_metadata':
-      debug             => true,
-      shared_secret     => 'a_big_secret',
-      metadata_host     => $metadata_host,
-      metadata_protocol => $metadata_protocol,
-      ovn_sb_connection => "tcp:${::openstack_integration::config::ip_for_url}:6642",
+      debug              => true,
+      shared_secret      => 'a_big_secret',
+      metadata_host      => $metadata_host,
+      metadata_protocol  => $metadata_protocol,
+      ovn_sb_connection  => $::openstack_integration::ovn::ovn_sb_connection,
+      ovn_sb_private_key => $::openstack_integration::ovn::ovn_sb_db_ssl_key,
+      ovn_sb_certificate => $::openstack_integration::ovn::ovn_sb_db_ssl_cert,
+      ovn_sb_ca_cert     => $::openstack_integration::ovn::ovn_sb_db_ssl_ca_cert,
    }
  } else {
    class { 'neutron::agents::metadata':
--- a/manifests/octavia.pp
+++ b/manifests/octavia.pp
@ -127,9 +127,21 @@ class openstack_integration::octavia (
      'ovn'     => 'OVN provider driver.'
    }
    $enabled_provider_agents = 'ovn'
+
+    include openstack_integration::ovn
    class { 'octavia::provider::ovn':
-      ovn_nb_connection => "tcp:${::openstack_integration::config::ip_for_url}:6641",
-      ovn_sb_connection => "tcp:${::openstack_integration::config::ip_for_url}:6642",
+      ovn_nb_connection  => $::openstack_integration::ovn::ovn_nb_connection,
+      ovn_nb_private_key => $::openstack_integration::ovn::ovn_nb_db_ssl_key,
+      ovn_nb_certificate => $::openstack_integration::ovn::ovn_nb_db_ssl_cert,
+      ovn_nb_ca_cert     => $::openstack_integration::ovn::ovn_nb_db_ssl_ca_cert,
+      ovn_sb_connection  => $::openstack_integration::ovn::ovn_sb_connection,
+      ovn_sb_private_key => $::openstack_integration::ovn::ovn_sb_db_ssl_key,
+      ovn_sb_certificate => $::openstack_integration::ovn::ovn_sb_db_ssl_cert,
+      ovn_sb_ca_cert     => $::openstack_integration::ovn::ovn_sb_db_ssl_ca_cert,
+    }
+    if $::openstack_integration::config::ssl {
+      File['/etc/openvswitch/ovnnb-privkey.pem'] -> Anchor['octavia::config::end']
+      File['/etc/openvswitch/ovnsb-privkey.pem'] -> Anchor['octavia::config::end']
    }
  } else{
    $enabled_provider_drivers = undef
--- a/manifests/ovn.pp
+++ b/manifests/ovn.pp
@ -6,14 +6,80 @@ class openstack_integration::ovn(
  include openstack_integration::config
  include openstack_integration::params

+  if $::openstack_integration::config::ssl {
+    class { 'vswitch::pki::cacert': }
+    vswitch::pki::cert { ['ovnnb', 'ovnsb', 'ovncontroller']: }
+
+    $proto = 'ssl'
+
+    $ovn_nb_db_ssl_key     = '/etc/openvswitch/ovnnb-privkey.pem'
+    $ovn_nb_db_ssl_cert    = '/etc/openvswitch/ovnnb-cert.pem'
+    $ovn_nb_db_ssl_ca_cert = '/var/lib/openvswitch/pki/switchca/cacert.pem'
+    $ovn_sb_db_ssl_key     = '/etc/openvswitch/ovnsb-privkey.pem'
+    $ovn_sb_db_ssl_cert    = '/etc/openvswitch/ovnsb-cert.pem'
+    $ovn_sb_db_ssl_ca_cert = '/var/lib/openvswitch/pki/switchca/cacert.pem'
+
+    $ovn_controller_ssl_key     = '/etc/openvswitch/ovncontroller-privkey.pem'
+    $ovn_controller_ssl_cert    = '/etc/openvswitch/ovncontroller-cert.pem'
+    $ovn_controller_ssl_ca_cert = '/var/lib/openvswitch/pki/switchca/cacert.pem'
+
+    # NOTE(tkajinam): ovn-pki generates a private key with 0600, owned by root
+    #                 but that does not allow access by ovn/neutron/octavia.
+    file { '/etc/openvswitch/ovnnb-privkey.pem':
+      ensure    => present,
+      mode      => '0644',
+      subscribe => Exec['ovs-req-and-sign-cert-ovnnb'],
+    }
+    file { '/etc/openvswitch/ovnsb-privkey.pem':
+      ensure    => present,
+      mode      => '0644',
+      subscribe => Exec['ovs-req-and-sign-cert-ovnsb'],
+    }
+    file { '/etc/openvswitch/ovncontroller-privkey.pem':
+      ensure    => present,
+      mode      => '0644',
+      subscribe => Exec['ovs-req-and-sign-cert-ovncontroller'],
+    }
+
+    File['/etc/openvswitch/ovnnb-privkey.pem'] -> Service['northd']
+    File['/etc/openvswitch/ovnsb-privkey.pem'] -> Service['northd']
+    File['/etc/openvswitch/ovncontroller-privkey.pem'] -> Service['controller']
+
+  } else {
+    $proto = 'tcp'
+
+    $ovn_nb_db_ssl_key     = undef
+    $ovn_nb_db_ssl_cert    = undef
+    $ovn_nb_db_ssl_ca_cert = undef
+    $ovn_sb_db_ssl_key     = undef
+    $ovn_sb_db_ssl_cert    = undef
+    $ovn_sb_db_ssl_ca_cert = undef
+
+    $ovn_controller_ssl_key     = undef
+    $ovn_controller_ssl_cert    = undef
+    $ovn_controller_ssl_ca_cert = undef
+  }
+
+  $ovn_nb_connection = "${proto}:${::openstack_integration::config::ip_for_url}:6641"
+  $ovn_sb_connection = "${proto}:${::openstack_integration::config::ip_for_url}:6642"
+
  class { 'ovn::northd':
-    dbs_listen_ip => $::openstack_integration::config::ip_for_url,
+    dbs_listen_ip         => $::openstack_integration::config::ip_for_url,
+    ovn_nb_db_ssl_key     => $ovn_nb_db_ssl_key,
+    ovn_nb_db_ssl_cert    => $ovn_nb_db_ssl_cert,
+    ovn_nb_db_ssl_ca_cert => $ovn_nb_db_ssl_ca_cert,
+    ovn_sb_db_ssl_key     => $ovn_sb_db_ssl_key,
+    ovn_sb_db_ssl_cert    => $ovn_sb_db_ssl_cert,
+    ovn_sb_db_ssl_ca_cert => $ovn_sb_db_ssl_ca_cert,
  }
  class { 'ovn::controller':
-    ovn_remote          => "tcp:${::openstack_integration::config::ip_for_url}:6642",
-    ovn_encap_ip        => $::openstack_integration::config::host,
-    ovn_bridge_mappings => ['external:br-ex'],
-    ovn_cms_options     => 'enable-chassis-as-gw',
-    manage_ovs_bridge   => false,
+    ovn_remote                 => $ovn_sb_connection,
+    ovn_encap_ip               => $::openstack_integration::config::host,
+    ovn_bridge_mappings        => ['external:br-ex'],
+    ovn_cms_options            => 'enable-chassis-as-gw',
+    manage_ovs_bridge          => false,
+    ovn_controller_ssl_key     => $ovn_controller_ssl_key,
+    ovn_controller_ssl_cert    => $ovn_controller_ssl_cert,
+    ovn_controller_ssl_ca_cert => $ovn_controller_ssl_ca_cert,
  }
 }