From 3bf8661826e20d3e69c1c47bf24ea84874f03e26 Mon Sep 17 00:00:00 2001
From: rajeshP524
Date: Mon, 16 Sep 2024 16:31:59 +0530
Subject: [PATCH] Add support for OVN monitoring when TLS enabled

Added OVNSB and OVNNB cert secrets to ospperf namespace and mounted them on to collectd container. Ovsdb-client uses these mounted ssl certificates to connect with ovsdb-server from within collectd pod.

Change-Id: Id89b495a73350b7cb25ce23f069a49d3a9ff49d9
---
 .../collectd-rhoso/files/collectd_deploy.yaml | 32 +++++++++++++++++++
 .../roles/collectd-rhoso/tasks/main.yml | 7 ++++
 .../collectd-rhoso/files/ovn_monitoring.sh | 12 ++++++-
 3 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/ansible/install/roles/collectd-rhoso/files/collectd_deploy.yaml b/ansible/install/roles/collectd-rhoso/files/collectd_deploy.yaml
index af6157bbe..2d4fe5970 100644
--- a/ansible/install/roles/collectd-rhoso/files/collectd_deploy.yaml
+++ b/ansible/install/roles/collectd-rhoso/files/collectd_deploy.yaml
@@ -91,6 +91,30 @@ spec:
 securityContext:
 privileged: true
 volumeMounts:
+ - mountPath: /etc/pki/ovnsb/tls/certs/ovndb.crt
+ name: ovsdbserver-sb-tls-certs
+ readOnly: true
+ subPath: tls.crt
+ - mountPath: /etc/pki/ovnsb/tls/private/ovndb.key
+ name: ovsdbserver-sb-tls-certs
+ readOnly: true
+ subPath: tls.key
+ - mountPath: /etc/pki/ovnsb/tls/certs/ovndbca.crt
+ name: ovsdbserver-sb-tls-certs
+ readOnly: true
+ subPath: ca.crt
+ - mountPath: /etc/pki/ovnnb/tls/certs/ovndb.crt
+ name: ovsdbserver-nb-tls-certs
+ readOnly: true
+ subPath: tls.crt
+ - mountPath: /etc/pki/ovnnb/tls/private/ovndb.key
+ name: ovsdbserver-nb-tls-certs
+ readOnly: true
+ subPath: tls.key
+ - mountPath: /etc/pki/ovnnb/tls/certs/ovndbca.crt
+ name: ovsdbserver-nb-tls-certs
+ readOnly: true
+ subPath: ca.crt
 - name: varlogpods
 mountPath: "/var/log/pods"
 - name: varlogcontainer
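Review bot: The six `subPath` mounts of `ovsdbserver-sb-tls-certs` and `ovsdbserver-nb-tls-certs` will never see a rotated certificate: Kubernetes refreshes a secret volume only when it is mounted as a whole directory, while a file mounted via `subPath` keeps the content it had when the container started. If these secrets are renewed by cert-manager (the `cert-` prefix suggests so, but the issuer is not visible here), collectd will keep presenting the old key and cert after renewal and the `ssl:` dumps will fail until the pod is restarted. Mounting each secret once as a directory — `- mountPath: /etc/pki/ovnsb/tls` / `name: ovsdbserver-sb-tls-certs` / `readOnly: true` — and having the script read `tls.key`, `tls.crt` and `ca.crt` from there is both shorter and rotation-safe. Note also that the DB private keys now sit inside a `privileged: true` container, so a compromise of the collectd pod yields them directly; the enclosing container spec starts above this hunk.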
@@ -109,6 +133,14 @@ spec:
 - configMapRef:
 name: collectd-env-vars
 volumes:
+ - name: ovsdbserver-sb-tls-certs
+ secret:
+ defaultMode: 256
+ secretName: cert-ovndbcluster-sb-ovndbs
+ - name: ovsdbserver-nb-tls-certs
+ secret:
+ defaultMode: 256
+ secretName: cert-ovndbcluster-nb-ovndbs
 - name: config-files
 configMap:
 name: collectd-configs
diff --git a/ansible/install/roles/collectd-rhoso/tasks/main.yml b/ansible/install/roles/collectd-rhoso/tasks/main.yml
index c827089f3..2fa8c9ee4 100644
--- a/ansible/install/roles/collectd-rhoso/tasks/main.yml
+++ b/ansible/install/roles/collectd-rhoso/tasks/main.yml
@@ -105,6 +105,13 @@
 config_files: "{{ worker_nodes.stdout_lines | map('regex_replace', '^', '/tmp/') | map('regex_replace', '$', '.conf') }}"
 - block:
+ - name: Copy cert secrets from openstack ns to ospperf
+ shell: |
+ oc get secret {{ item }} -n openstack -o yaml | sed 's/namespace: openstack/namespace: ospperf/' | oc apply -n ospperf -f -
+ loop:
+ - cert-ovndbcluster-sb-ovndbs
+ - cert-ovndbcluster-nb-ovndbs
+
 - name: Create configmaps for collectd configs
 shell: |
 oc create -n ospperf configmap collectd-configs --from-file={{ config_files | join(' --from-file=') }}
diff --git a/browbeat-containers/collectd-rhoso/files/ovn_monitoring.sh b/browbeat-containers/collectd-rhoso/files/ovn_monitoring.sh
index f3984d55c..c833fdfe7 100755
--- a/browbeat-containers/collectd-rhoso/files/ovn_monitoring.sh
+++ b/browbeat-containers/collectd-rhoso/files/ovn_monitoring.sh
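Review bot: The two new secret volumes are required, so on a deployment where TLS is not enabled and `cert-ovndbcluster-sb-ovndbs` / `cert-ovndbcluster-nb-ovndbs` do not exist in `ospperf`, the collectd pod will stay in ContainerCreating instead of falling back to the plain-TCP monitoring it did before; if non-TLS deployments are still meant to work (not decidable from this hunk), add `optional: true` under each `secret:` entry and let the script detect the missing files. `defaultMode: 256` is right but opaque, since it is decimal for octal 0400; a comment such as `# 0400 in decimal: key readable by the file owner only` would spare the next reader the conversion.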
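Review bot: The `oc get ... | sed ... | oc apply` copy re-applies the source secret's full metadata into `ospperf` — `uid`, `resourceVersion`, `managedFields` and, if the secret is cert-manager managed, an `ownerReferences` entry pointing at a Certificate in the `openstack` namespace; a namespaced owner in another namespace is treated as absent by the garbage collector, which can then delete the copied secret, and re-running the task after a renewal just re-applies whatever the source holds at that moment. Strip the metadata before applying, e.g. `oc get secret {{ item }} -n openstack -o json | jq 'del(.metadata.uid, .metadata.resourceVersion, .metadata.creationTimestamp, .metadata.managedFields, .metadata.ownerReferences) | .metadata.namespace = "ospperf"' | oc apply -n ospperf -f -` (assumes `jq` on the control host — confirm). The secret names suggest these are the OVN DB servers' own certificates and keys, so the copy hands the server identity to a second namespace; a dedicated client Certificate issued by the same CA into `ospperf` would avoid that and would also be renewed in place rather than copied once. The task also lacks `changed_when`, so it reports changed on every run; the surrounding `block:` continues below the hunk.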
@@ -5,13 +5,23 @@ INTERVAL="${COLLECTD_INTERVAL:-15}"
 if [ "$1" = "sb" ]; then
 IP=$OVN_SBDB_IP
 PORT=$OVN_SBDB_PORT
+ DB="ovnsb"
 else
 IP=$OVN_NBDB_IP
 PORT=$OVN_NBDB_PORT
+ DB="ovnnb"
 fi
+PRIVATE_KEY="/etc/pki/$DB/tls/private/ovndb.key"
+CERTIFICATE="/etc/pki/$DB/tls/certs/ovndb.crt"
+CA_CERT="/etc/pki/$DB/tls/certs/ovndbca.crt"
+
 while sleep "$INTERVAL"; do
- VALUE=$(sudo ovsdb-client dump --no-headings tcp:$IP:$PORT $2 | wc -l)
+ VALUE=$(sudo ovsdb-client dump --no-headings ssl:$IP:$PORT \
+ --private-key=$PRIVATE_KEY \
+ --certificate=$CERTIFICATE \
+ --ca-cert=$CA_CERT \
+ $2 | wc -l)
 VALUE=$[VALUE-1]
 echo "PUTVAL \"$HOSTNAME/ovn-$1db-$2/gauge-ovn_$1db_$2\" interval=$INTERVAL N:$VALUE"
 done
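Review bot: The rewritten `VALUE=$(...)` line hard-codes `ssl:` and the three cert paths, so on a deployment without TLS (no secrets mounted) every `ovsdb-client dump` fails on a missing key file instead of taking the `tcp:` path the removed line provided; the commit title says TLS support is being added, not that TLS becomes mandatory. Choosing the transport by the presence of the mounted files keeps both modes working, as sketched below. `$IP` is also interpolated bare; if the DB address can be IPv6 (the env vars are set outside this hunk), ovsdb-client needs `ssl:[$IP]:$PORT`. The script's first four lines, which set `INTERVAL`, are above the hunk.

```shell
# … unchanged: sb/nb selection of IP, PORT and DB …
PRIVATE_KEY="/etc/pki/$DB/tls/private/ovndb.key"
CERTIFICATE="/etc/pki/$DB/tls/certs/ovndb.crt"
CA_CERT="/etc/pki/$DB/tls/certs/ovndbca.crt"

# Use TLS only when the cert material was actually mounted; otherwise keep
# the plain-TCP transport this script used before.
if [ -f "$PRIVATE_KEY" ] && [ -f "$CERTIFICATE" ] && [ -f "$CA_CERT" ]; then
    REMOTE="ssl:$IP:$PORT"
    TLS_ARGS="--private-key=$PRIVATE_KEY --certificate=$CERTIFICATE --ca-cert=$CA_CERT"
else
    REMOTE="tcp:$IP:$PORT"
    TLS_ARGS=""
fi

while sleep "$INTERVAL"; do
    # TLS_ARGS is left unquoted on purpose so it splits into separate options.
    VALUE=$(sudo ovsdb-client dump --no-headings "$REMOTE" $TLS_ARGS "$2" | wc -l)
    # … unchanged: VALUE decrement and PUTVAL echo …
done
```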