x/browbeat
Code Issues Proposed changes

Add support for OVN monitoring when TLS enabled

Browse Source 
Added OVNSB and OVNNB cert secrets to ospperf namespace and mounted
them on to collectd container. Ovsdb-client uses these mounted ssl
certificates to connect with ovsdb-server from within collectd pod.

Change-Id: Id89b495a73350b7cb25ce23f069a49d3a9ff49d9
This commit is contained in:
rajeshP524 2024-09-16 16:31:59 +05:30
parent 7d2e5b7488
commit 3bf8661826
3 changed files with 50 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
ansible/install/roles/collectd-rhoso/files/collectd_deploy.yaml
View File

@ -91,6 +91,30 @@ spec:
securityContext: securityContext:
privileged: true privileged: true
volumeMounts: volumeMounts:
- mountPath: /etc/pki/ovnsb/tls/certs/ovndb.crt
name: ovsdbserver-sb-tls-certs
readOnly: true
subPath: tls.crt
- mountPath: /etc/pki/ovnsb/tls/private/ovndb.key
name: ovsdbserver-sb-tls-certs
readOnly: true
subPath: tls.key
- mountPath: /etc/pki/ovnsb/tls/certs/ovndbca.crt
name: ovsdbserver-sb-tls-certs
readOnly: true
subPath: ca.crt
- mountPath: /etc/pki/ovnnb/tls/certs/ovndb.crt
name: ovsdbserver-nb-tls-certs
readOnly: true
subPath: tls.crt
- mountPath: /etc/pki/ovnnb/tls/private/ovndb.key
name: ovsdbserver-nb-tls-certs
readOnly: true
subPath: tls.key
- mountPath: /etc/pki/ovnnb/tls/certs/ovndbca.crt
name: ovsdbserver-nb-tls-certs
readOnly: true
subPath: ca.crt
- name: varlogpods - name: varlogpods
mountPath: "/var/log/pods" mountPath: "/var/log/pods"
- name: varlogcontainer - name: varlogcontainer
@ -109,6 +133,14 @@ spec:
- configMapRef: - configMapRef:
name: collectd-env-vars name: collectd-env-vars
volumes: volumes:
- name: ovsdbserver-sb-tls-certs
secret:
defaultMode: 256
secretName: cert-ovndbcluster-sb-ovndbs
- name: ovsdbserver-nb-tls-certs
secret:
defaultMode: 256
secretName: cert-ovndbcluster-nb-ovndbs
- name: config-files - name: config-files
configMap: configMap:
name: collectd-configs name: collectd-configs

7
ansible/install/roles/collectd-rhoso/tasks/main.yml
View File

@ -105,6 +105,13 @@
config_files: "{{ worker_nodes.stdout_lines | map('regex_replace', '^', '/tmp/') | map('regex_replace', '$', '.conf') }}" config_files: "{{ worker_nodes.stdout_lines | map('regex_replace', '^', '/tmp/') | map('regex_replace', '$', '.conf') }}"
- block: - block:
- name: Copy cert secrets from openstack ns to ospperf
shell: |
oc get secret {{ item }} -n openstack -o yaml | sed 's/namespace: openstack/namespace: ospperf/' | oc apply -n ospperf -f -
loop:
- cert-ovndbcluster-sb-ovndbs
- cert-ovndbcluster-nb-ovndbs
- name: Create configmaps for collectd configs - name: Create configmaps for collectd configs
shell: | shell: |
oc create -n ospperf configmap collectd-configs --from-file={{ config_files | join(' --from-file=') }} oc create -n ospperf configmap collectd-configs --from-file={{ config_files | join(' --from-file=') }}

12
browbeat-containers/collectd-rhoso/files/ovn_monitoring.sh
View File

@ -5,13 +5,23 @@ INTERVAL="${COLLECTD_INTERVAL:-15}"
if [ "$1" = "sb" ]; then if [ "$1" = "sb" ]; then
IP=$OVN_SBDB_IP IP=$OVN_SBDB_IP
PORT=$OVN_SBDB_PORT PORT=$OVN_SBDB_PORT
DB="ovnsb"
else else
IP=$OVN_NBDB_IP IP=$OVN_NBDB_IP
PORT=$OVN_NBDB_PORT PORT=$OVN_NBDB_PORT
DB="ovnnb"
fi fi
PRIVATE_KEY="/etc/pki/$DB/tls/private/ovndb.key"
CERTIFICATE="/etc/pki/$DB/tls/certs/ovndb.crt"
CA_CERT="/etc/pki/$DB/tls/certs/ovndbca.crt"
while sleep "$INTERVAL"; do while sleep "$INTERVAL"; do
VALUE=$(sudo ovsdb-client dump --no-headings tcp:$IP:$PORT $2 | wc -l) VALUE=$(sudo ovsdb-client dump --no-headings ssl:$IP:$PORT \
--private-key=$PRIVATE_KEY \
--certificate=$CERTIFICATE \
--ca-cert=$CA_CERT \
$2 | wc -l)
VALUE=$[VALUE-1] VALUE=$[VALUE-1]
echo "PUTVAL \"$HOSTNAME/ovn-$1db-$2/gauge-ovn_$1db_$2\" interval=$INTERVAL N:$VALUE" echo "PUTVAL \"$HOSTNAME/ovn-$1db-$2/gauge-ovn_$1db_$2\" interval=$INTERVAL N:$VALUE"
done done