add ovn ssl config
Create ssl-certs for ovn deployment ssl encryption is now enabled between neutron and ovn componants. Change-Id: If8ca3f2035ada97cff248ad49771eefab95c6c23
This commit is contained in:
parent
9bbb133267
commit
556c5c6733
@ -477,14 +477,87 @@ calico_felix_sha256: 076936b985379fb8221db9b9a798714f6f97429a630da9c46da89bfcb0f
|
||||
calico_felix_validate_certs: yes
|
||||
|
||||
# OVN Defaults
|
||||
neutron_ovn_ssl: True
|
||||
ovn_proto: "{{ (neutron_ovn_ssl) | ternary('ssl','tcp') }}"
|
||||
neutron_ovn_primary_cluster_node: "{{ groups[neutron_services['neutron-ovn-northd']['group']] | first }}"
|
||||
neutron_ovn_northd_service_name: ovn-northd
|
||||
neutron_ovn_controller_service_name: ovn-controller
|
||||
neutron_ovn_l3_scheduler: leastloaded
|
||||
neutron_ovn_nb_connection: "tcp:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,tcp:') }}:6641"
|
||||
neutron_ovn_sb_connection: "tcp:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,tcp:') }}:6642"
|
||||
neutron_ovn_nb_connection: "{{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,'+ ovn_proto + ':') }}:6641"
|
||||
neutron_ovn_sb_connection: "{{ ovn_proto }}:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,' + ovn_proto + ':') }}:6642"
|
||||
neutron_ovsdb_manager: ptcp:6640:127.0.0.1
|
||||
|
||||
# Storage location for SSL certificate authority
|
||||
neutron_ovn_pki_dir: "{{ openstack_pki_dir }}"
|
||||
# Delegated host for operating the certificate authority
|
||||
neutron_ovn_pki_setup_host: "{{ openstack_pki_setup_host | default('localhost') }}"
|
||||
# The local address used for the neutron_ovn node
|
||||
neutron_ovn_node_address: "{{ management_address | default('127.0.0.1') }}"
|
||||
# neutron OVN server certificate
|
||||
neutron_ovn_pki_keys_path: "{{ neutron_ovn_pki_dir ~ '/certs/private/' }}"
|
||||
neutron_ovn_pki_certs_path: "{{ neutron_ovn_pki_dir ~ '/certs/certs/' }}"
|
||||
neutron_ovn_pki_intermediate_cert_name: "{{ openstack_pki_service_intermediate_cert_name }}"
|
||||
neutron_ovn_pki_intermediate_chain_path: "{{ neutron_ovn_pki_dir ~ '/roots/' ~ neutron_ovn_pki_intermediate_cert_name ~ '/certs/' ~ neutron_ovn_pki_intermediate_cert_name ~ '-chain.crt' }}"
|
||||
neutron_ovn_pki_regen_cert: ""
|
||||
neutron_ovn_pki_certificates:
|
||||
- name: "neutron_ovn_{{ ansible_facts['hostname'] }}"
|
||||
provider: ownca
|
||||
cn: "{{ ansible_facts['hostname'] }}"
|
||||
san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ neutron_ovn_node_address }}"
|
||||
signed_by: "{{ neutron_ovn_pki_intermediate_cert_name }}"
|
||||
|
||||
# OVN destination files for SSL certificates
|
||||
neutron_ovn_ssl_cert: "neutron_ovn.pem"
|
||||
neutron_ovn_ssl_key: "neutron_ovn.key"
|
||||
neutron_ovn_ssl_ca_cert: "neutron_ovn-ca.pem"
|
||||
neutron_ovn_conf_dir: "/etc/openvswitch"
|
||||
# Installation details for SSL certificates
|
||||
neutron_ovn_pki_install_certificates:
|
||||
- src: "{{ neutron_ovn_user_ssl_cert | default(neutron_ovn_pki_certs_path ~ 'neutron_ovn_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
|
||||
|
||||
dest: "{{ [neutron_ovn_conf_dir, neutron_ovn_ssl_cert] | join('/') }}"
|
||||
owner: "{{ neutron_ovn_system_user_name }}"
|
||||
group: "{{ neutron_ovn_system_user_name }}"
|
||||
mode: "0644"
|
||||
condition: "{{ (neutron_ovn_ssl and neutron_needs_openvswitch and neutron_plugin_type == 'ml2.ovn') }}"
|
||||
- src: "{{ neutron_ovn_user_ssl_key | default(neutron_ovn_pki_keys_path ~ 'neutron_ovn_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
|
||||
dest: "{{ [neutron_ovn_conf_dir, neutron_ovn_ssl_key] | join('/') }}"
|
||||
owner: "{{ neutron_ovn_system_user_name }}"
|
||||
group: "{{ neutron_ovn_system_user_name }}"
|
||||
mode: "0600"
|
||||
condition: "{{ (neutron_ovn_ssl and neutron_needs_openvswitch) }}"
|
||||
- src: "{{ neutron_ovn_user_ssl_ca_cert | default(neutron_ovn_pki_intermediate_chain_path) }}"
|
||||
dest: "{{ [neutron_ovn_conf_dir, neutron_ovn_ssl_ca_cert] | join('/') }}"
|
||||
owner: "{{ (neutron_services['neutron-server']['group'] in group_names) | ternary( neutron_service_user_name, neutron_ovn_system_user_name) }}"
|
||||
group: "{{ (neutron_services['neutron-server']['group'] in group_names) | ternary( neutron_service_user_name, neutron_ovn_system_user_name) }}"
|
||||
mode: "0644"
|
||||
condition: "{{ (neutron_ovn_ssl and neutron_needs_openvswitch and neutron_plugin_type == 'ml2.ovn') }}"
|
||||
- src: "{{ neutron_ovn_user_ssl_cert | default(neutron_ovn_pki_certs_path ~ 'neutron_ovn_' ~ ansible_facts['hostname'] ~ '-chain.crt') }}"
|
||||
dest: "{{ [neutron_conf_version_dir, neutron_ovn_ssl_cert] | join('/') }}"
|
||||
owner: "{{ neutron_service_user_name }}"
|
||||
group: "{{ neutron_service_user_name }}"
|
||||
mode: "0644"
|
||||
condition: "{{ (neutron_ovn_ssl and neutron_plugin_type == 'ml2.ovn' and (filtered_neutron_services |length + uwsgi_neutron_services | length ) > 0) }}"
|
||||
- src: "{{ neutron_ovn_user_ssl_key | default(neutron_ovn_pki_keys_path ~ 'neutron_ovn_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
|
||||
dest: "{{ [neutron_conf_version_dir, neutron_ovn_ssl_key] | join('/') }}"
|
||||
owner: "{{ neutron_service_user_name }}"
|
||||
group: "{{ neutron_service_user_name }}"
|
||||
mode: "0600"
|
||||
condition: "{{ (neutron_ovn_ssl and neutron_plugin_type == 'ml2.ovn' and (filtered_neutron_services |length + uwsgi_neutron_services | length ) > 0) }}"
|
||||
- src: "{{ neutron_ovn_user_ssl_ca_cert | default(neutron_ovn_pki_intermediate_chain_path) }}"
|
||||
dest: "{{ [neutron_conf_version_dir, neutron_ovn_ssl_ca_cert] | join('/') }}"
|
||||
owner: "{{ neutron_service_user_name }}"
|
||||
group: "{{ neutron_service_user_name }}"
|
||||
mode: "0644"
|
||||
condition: "{{ (neutron_ovn_ssl and neutron_plugin_type == 'ml2.ovn' and (filtered_neutron_services |length + uwsgi_neutron_services | length ) > 0) }}"
|
||||
|
||||
# Define user-provided SSL certificates in:
|
||||
# /etc/openstack_deploy/user_variables.yml
|
||||
#neutron_ovnnb_user_ssl_cert: <path to cert on ansible deployment host>
|
||||
#neutron_ovnnb_user_ssl_key: <path to cert on ansible deployment host>
|
||||
#neutron_ovnsb_user_ssl_cert: <path to cert on ansible deployment host>
|
||||
#neutron_ovnsb_user_ssl_key: <path to cert on ansible deployment host>
|
||||
|
||||
###
|
||||
### DPDK Configuration
|
||||
###
|
||||
|
11
releasenotes/notes/ovn-ssl-e9cb73e0713cf8bc.yaml
Normal file
11
releasenotes/notes/ovn-ssl-e9cb73e0713cf8bc.yaml
Normal file
@ -0,0 +1,11 @@
|
||||
---
|
||||
features:
|
||||
- |
|
||||
OVN is now protected via SSL. you can disable it via `neutron_ovn_ssl`. It
|
||||
is not supported to switch from non-ssl to ssl.
|
||||
upgrade:
|
||||
- |
|
||||
OVN is now configured with SSL enabled by default, upgrading existing ovn
|
||||
deployment is not tested. When upgrading it might be wise to set `neutron_ovn_ssl`
|
||||
to `false` and manage the ssl configuration at a later stage.
|
||||
|
@ -123,6 +123,25 @@
|
||||
tags:
|
||||
- neutron-config
|
||||
|
||||
# create the ssl certs before the installation of the services.
|
||||
- name: Create and install SSL certificates
|
||||
include_role:
|
||||
name: pki
|
||||
tasks_from: main_certs.yml
|
||||
vars:
|
||||
pki_setup_host: "{{ neutron_ovn_pki_setup_host }}"
|
||||
pki_dir: "{{ neutron_ovn_pki_dir }}"
|
||||
pki_create_certificates: "{{ neutron_ovn_user_ssl_cert is not defined and neutron_ovn_user_ssl_key is not defined }}"
|
||||
pki_regen_cert: "{{ neutron_ovn_pki_regen_cert }}"
|
||||
pki_certificates: "{{ neutron_ovn_pki_certificates }}"
|
||||
pki_install_certificates: "{{ neutron_ovn_pki_install_certificates }}"
|
||||
when:
|
||||
- neutron_ovn_ssl
|
||||
- (neutron_services['neutron-ovn-controller']['group'] in group_names) or (neutron_services['neutron-ovn-northd']['group'] in group_names) or (neutron_services['neutron-server']['group'] in group_names)
|
||||
tags:
|
||||
- neutron_ovn-config
|
||||
- pki
|
||||
|
||||
# Include provider specific config(s)
|
||||
- include_tasks: "{{ item }}"
|
||||
with_first_found:
|
||||
|
@ -72,6 +72,7 @@
|
||||
- path: "{{ neutron_system_home_folder }}"
|
||||
mode: "0755"
|
||||
- path: "{{ neutron_system_home_folder }}/ha_confs"
|
||||
state: "{{ (neutron_plugin_type == 'ml2.ovn') | ternary('absent','directory') }}"
|
||||
|
||||
- name: Add dependency repos for Neutron
|
||||
package:
|
||||
|
@ -45,8 +45,10 @@
|
||||
args:
|
||||
executable: /bin/bash
|
||||
ignore_errors: true
|
||||
delegate_to: "{{ item }}"
|
||||
delegate_to: "{{ container }}"
|
||||
with_items: "{{ groups['neutron_ovn_northd'] }}"
|
||||
loop_control:
|
||||
loop_var: container
|
||||
run_once: true
|
||||
failed_when: false
|
||||
register: _find_leader
|
||||
@ -56,7 +58,7 @@
|
||||
# set leader_node variable
|
||||
- name: Set leader_node fact
|
||||
set_fact:
|
||||
leader_node: "{{ (_find_leader.results | selectattr('stdout', 'search', 'leader')) | map(attribute='item') | list }}"
|
||||
leader_node: "{{ (_find_leader.results | selectattr('stdout', 'search', 'leader')) | map(attribute='container') | list }}"
|
||||
|
||||
# This play only run first time to build cluster using primary node.
|
||||
- name: Setup ovn cluster using primary node.
|
||||
@ -67,9 +69,33 @@
|
||||
- "inventory_hostname == neutron_ovn_primary_cluster_node"
|
||||
- _check_cluster_db.rc != 0
|
||||
- not leader_node
|
||||
notify:
|
||||
- start ovn service
|
||||
- restart ovn service
|
||||
register: ovn_northd_opts
|
||||
|
||||
- name: Start ovn service
|
||||
service:
|
||||
name: "{{ neutron_ovn_northd_service_name }}"
|
||||
state: started
|
||||
when:
|
||||
- "inventory_hostname == neutron_ovn_primary_cluster_node"
|
||||
- _check_cluster_db.rc != 0
|
||||
- not leader_node
|
||||
- ovn_northd_opts.changed
|
||||
|
||||
- name: set ssl for ovn-nb and ovn-sb
|
||||
command: "{{ cmd }}"
|
||||
with_items:
|
||||
- "ovn-nbctl set-connection pssl:6641"
|
||||
- "ovn-sbctl set-connection pssl:6642"
|
||||
when:
|
||||
- neutron_ovn_ssl
|
||||
- "inventory_hostname == neutron_ovn_primary_cluster_node"
|
||||
- _check_cluster_db.rc != 0
|
||||
- not leader_node
|
||||
- ovn_northd_opts.changed
|
||||
loop_control:
|
||||
loop_var: cmd
|
||||
tags:
|
||||
- neutron_ovn-config
|
||||
|
||||
# This play will add nodes in existing cluster using leader_node var.
|
||||
- name: Join new nodes to ovn cluster using leader node
|
||||
|
@ -40,6 +40,15 @@
|
||||
when:
|
||||
- neutron_services['neutron-ovn-controller']['group'] in group_names
|
||||
|
||||
- name: Configure ovn-controller
|
||||
template:
|
||||
src: ovn-controller-opts.j2
|
||||
dest: "{{ neutron_ovn_controller_opts_file }}"
|
||||
register: ovn_controller_config
|
||||
when:
|
||||
- neutron_services['neutron-ovn-controller']['group'] in group_names
|
||||
- neutron_ovn_ssl
|
||||
|
||||
- name: Ensure ovn-northd service is started and enabled
|
||||
systemd:
|
||||
name: "{{ neutron_ovn_northd_service_name }}"
|
||||
@ -51,7 +60,7 @@
|
||||
- name: Ensure ovn-controller service is started and enabled
|
||||
systemd:
|
||||
name: "{{ neutron_ovn_controller_service_name }}"
|
||||
state: started
|
||||
state: "{{ (ovn_controller_config.changed) | ternary('restarted','started') }}"
|
||||
enabled: yes
|
||||
when:
|
||||
- neutron_services['neutron-ovn-controller']['group'] in group_names
|
||||
|
9
templates/ovn-controller-opts.j2
Normal file
9
templates/ovn-controller-opts.j2
Normal file
@ -0,0 +1,9 @@
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# OVN controller parameters
|
||||
|
||||
{{ neutron_ovn_controller_opts }}="--ovn-controller-ssl-key={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_key] | join('/') }} \
|
||||
--ovn-controller-ssl-cert={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_cert] | join('/') }} \
|
||||
--ovn-controller-ssl-ca-cert={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_ca_cert] | join('/') }} \
|
||||
"
|
||||
|
@ -2,8 +2,8 @@
|
||||
|
||||
# OVN cluster parameters
|
||||
{{ neutron_ovn_northd_opts }}=" \
|
||||
--db-nb-create-insecure-remote=yes \
|
||||
--db-sb-create-insecure-remote=yes \
|
||||
--db-nb-create-insecure-remote={{ (neutron_ovn_ssl) | ternary('no','yes') }} \
|
||||
--db-sb-create-insecure-remote={{ (neutron_ovn_ssl) | ternary('no','yes') }} \
|
||||
--db-nb-addr={{ ansible_host }} \
|
||||
--db-sb-addr={{ ansible_host }} \
|
||||
--db-nb-cluster-local-addr={{ ansible_host }} \
|
||||
@ -12,6 +12,21 @@
|
||||
--db-nb-cluster-remote-addr={% for item in leader_node %}{{ item }} {% endfor %} \
|
||||
--db-sb-cluster-remote-addr={% for item in leader_node %}{{ item }} {% endfor %} \
|
||||
{% endif %}
|
||||
--ovn-northd-nb-db=tcp:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6641,tcp:') }}:6641 \
|
||||
--ovn-northd-sb-db=tcp:{{ groups['neutron_ovn_northd'] | map('extract', hostvars, ['ansible_host']) | join(':6642,tcp:') }}:6642 \
|
||||
--ovn-northd-nb-db={{ neutron_ovn_nb_connection }} \
|
||||
--ovn-northd-sb-db={{ neutron_ovn_sb_connection }} \
|
||||
{% if neutron_ovn_ssl %}
|
||||
--db-nb-cluster-remote-proto=ssl \
|
||||
--db-sb-cluster-remote-proto=ssl \
|
||||
--db-nb-cluster-local-proto=ssl \
|
||||
--db-sb-cluster-local-proto=ssl \
|
||||
--ovn-northd-ssl-key={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_key] | join('/') }} \
|
||||
--ovn-northd-ssl-cert={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_cert] | join('/') }} \
|
||||
--ovn-northd-ssl-ca-cert={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_ca_cert] | join('/') }} \
|
||||
--ovn-nb-db-ssl-key={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_key] | join('/') }} \
|
||||
--ovn-nb-db-ssl-cert={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_cert] | join('/') }} \
|
||||
--ovn-nb-db-ssl-ca-cert={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_ca_cert] | join('/') }} \
|
||||
--ovn-sb-db-ssl-key={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_key] | join('/') }} \
|
||||
--ovn-sb-db-ssl-cert={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_cert] | join('/') }} \
|
||||
--ovn-sb-db-ssl-ca-cert={{ [neutron_ovn_conf_dir, neutron_ovn_ssl_ca_cert] | join('/') }} \
|
||||
{% endif %}
|
||||
"
|
||||
|
@ -44,17 +44,24 @@ max_header_size = 38
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% if neutron_plugin_type == 'ml2.ovn' and (neutron_services['neutron-server']['group'] or neutron_services['neutron-ovn-controller']['group'] in group_names) %}
|
||||
|
||||
{% if neutron_plugin_type == 'ml2.ovn' %}
|
||||
{% if (neutron_services['neutron-server']['group'] in group_names or neutron_services['neutron-ovn-controller']['group'] in group_names) %}
|
||||
[ovn]
|
||||
ovn_native_dhcp = True
|
||||
ovn_nb_connection = {{ neutron_ovn_nb_connection }}
|
||||
ovn_sb_connection = {{ neutron_ovn_sb_connection }}
|
||||
ovn_l3_scheduler = {{ neutron_ovn_l3_scheduler }}
|
||||
ovn_metadata_enabled = True
|
||||
|
||||
{% endif %}
|
||||
|
||||
{% if neutron_ovn_ssl and (neutron_services['neutron-server']['group'] in group_names or neutron_services['neutron-ovn-controller']['group'] in group_names) %}
|
||||
ovn_sb_ca_cert={{ [neutron_conf_version_dir, neutron_ovn_ssl_ca_cert] | join('/') }}
|
||||
ovn_sb_certificate={{ [neutron_conf_version_dir, neutron_ovn_ssl_cert] | join('/') }}
|
||||
ovn_sb_private_key={{ [neutron_conf_version_dir, neutron_ovn_ssl_key] | join('/') }}
|
||||
ovn_nb_ca_cert={{ [neutron_conf_version_dir, neutron_ovn_ssl_ca_cert] | join('/') }}
|
||||
ovn_nb_certificate={{ [neutron_conf_version_dir, neutron_ovn_ssl_cert] | join('/') }}
|
||||
ovn_nb_private_key={{ [neutron_conf_version_dir, neutron_ovn_ssl_key] | join('/') }}
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
# Security groups
|
||||
[securitygroup]
|
||||
enable_security_group = True
|
||||
|
@ -29,6 +29,12 @@ neutron_ovn_northd_opts: "OVN_CTL_OPTS"
|
||||
|
||||
neutron_ovn_northd_opts_file: "/etc/default/ovn-central"
|
||||
|
||||
neutron_ovn_controller_opts: "OVN_CTL_OPTS"
|
||||
|
||||
neutron_ovn_controller_opts_file: "/etc/default/ovn-host"
|
||||
|
||||
neutron_ovn_system_user_name: root
|
||||
|
||||
neutron_ovs_dpdk_required_packages:
|
||||
- openvswitch-common
|
||||
- openvswitch-switch-dpdk
|
||||
|
@ -36,6 +36,12 @@ neutron_ovn_northd_opts: "OVN_NORTHD_OPTS"
|
||||
|
||||
neutron_ovn_northd_opts_file: "/etc/sysconfig/ovn-northd"
|
||||
|
||||
neutron_ovn_controller_opts: "OVN_CONTROLLER_OPTS"
|
||||
|
||||
neutron_ovn_controller_opts_file: "/etc/sysconfig/ovn-controller"
|
||||
|
||||
neutron_ovn_system_user_name: openvswitch
|
||||
|
||||
neutron_distro_packages:
|
||||
- conntrack-tools
|
||||
- dnsmasq
|
||||
|
Loading…
Reference in New Issue
Block a user