Alex Kavanagh f21e8e98d4 Add yaml vars to focal-ussuri bundle
This brings it into line with the other charms that are part of the
enable-focal topic.  This makes it easier to add a new bundle just by
changing a couple of variables.

Change-Id: Ib8ad43ce29c1b8048eb095b137265fb5df7e24c0
2020-04-02 14:23:32 +01:00

Overview

This charm provides the Northbound and Southbound OVSDB Databases and the Open Virtual Network (OVN) central control daemon (ovn-northd).

Note: The OVN charms are considered preview charms.

Usage

OVN makes use of Public Key Infrastructure (PKI) to authenticate and authorize control plane communication. The charm requires a Certificate Authority to be present in the model as represented by the certificates relation.

There is an OVN overlay bundle for use in conjunction with the OpenStack Base bundle which gives an example of how you can automate certificate lifecycle management with the help of Vault.

Please refer to the Open Virtual Network section of the OpenStack Charms Deployment Guide for information about deploying OVN with OpenStack.

Network Spaces support

This charm supports the use of Juju Network Spaces.

By binding the ovsdb, ovsdb-cms and ovsdb-peer endpoints you can influence which interface will be used for communication with consumers of the Southbound DB, Cloud Management Systems (CMS) and cluster internal communication.

juju deploy ovn-central --bind "''=oam-space ovsdb=data-space"

OVN RBAC and securing the OVN services

The charm enables RBAC in the OVN Southbound database by default. The RBAC feature enforces authorization of individual chassis connecting to the database, and also restricts database operations.

In the event of an individual chassis being compromised, RBAC will make it more difficult to leverage database access for compromising other parts of the network.

Note: Due to how RBAC is implemented in ovsdb-server the charm opens up a separate listener at port 16642 for connections from ovn-northd.

The charm automatically enables the firewall and will allow traffic from its cluster peers to ports 6641, 6643, 6644 and 16642. CMS clients will be allowed to talk to port 6641.

Anyone will be allowed to connect to port 6642.
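To confirm the firewall policy above is actually in effect on a unit, established connections can be compared against it. The following is an added example, not part of the charm's code: it parses `ss -tn` output and reports connections to the OVN ports from sources the policy does not allow. The sample output, all IP addresses, and the peer and CMS client lists are constructed for illustration.

```python
import ipaddress

# Port policy as stated in the README: source role -> ports it may reach.
PEER_PORTS = {6641, 6643, 6644, 16642}
CMS_PORTS = {6641}
OPEN_PORTS = {6642}  # Southbound DB: open to anyone, protected by RBAC

# Constructed sample of `ss -tn` output from an ovn-central unit (10.0.0.11).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB  0      0      10.0.0.11:6644      10.0.0.12:40112
ESTAB  0      0      10.0.0.11:6641      10.0.0.30:51544
ESTAB  0      0      10.0.0.11:6642      10.0.5.77:39002
ESTAB  0      0      10.0.0.11:16642     10.0.5.77:39950
ESTAB  0      0      10.0.0.11:6643      10.0.0.30:42218
ESTAB  0      0      10.0.0.11:45100     10.0.0.13:6644
"""


def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def audit(ss_output, peers, cms_clients):
    """Return (peer_ip, local_port) pairs the README's policy does not allow."""
    peers = {ipaddress.ip_address(p) for p in peers}
    cms_clients = {ipaddress.ip_address(c) for c in cms_clients}
    known = PEER_PORTS | CMS_PORTS | OPEN_PORTS
    violations = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "ESTAB":
            continue
        _, local_port = split_endpoint(fields[3])
        remote_ip, _ = split_endpoint(fields[4])
        if local_port not in known:
            continue  # outbound connection or unrelated service
        allowed = set(OPEN_PORTS)
        if remote_ip in peers:
            allowed |= PEER_PORTS
        if remote_ip in cms_clients:
            allowed |= CMS_PORTS
        if local_port not in allowed:
            violations.append((str(remote_ip), local_port))
    return violations
```

With peers 10.0.0.12 and 10.0.0.13 and CMS client 10.0.0.30, the sample flags the non-peer connection to 16642 and the CMS client's connection to 6643; any such hit on a real unit means the firewall rules differ from what the charm is documented to apply.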

Bugs

Please report bugs on Launchpad.

For general questions please refer to the OpenStack Charm Guide.

Description
Juju Charm - Open Virtual Network - Central components