From 094e594d4009b79668b214c0c176eb5b01ce211c Mon Sep 17 00:00:00 2001
From: Tim Rozet
Date: Thu, 1 Feb 2018 12:49:14 -0500
Subject: [PATCH] Adds configuration for SSL OVSDB connections
Exposes new parameters to configure SSL key, certificate, and CA certificate files. This allows DHCP agent to connect to OVSDB using SSL. Also the OVS/ovsdb_connection configuration was previously in ODL ML2 class, which should have been in the DHCP agent to begin with as it is not ML2 configuration. This patch deprecates the previous behavior and adds ovsdb_connection into DHCP agent to use its normal service default.
Partial-Bug: 1746762
Depends-On: I19fd9dd0c72260835eb91e557a6029ec9d652179
Change-Id: I82281eefa1aa81207ccd8ea565cffc6ca0ec48de
Signed-off-by: Tim Rozet
---
 manifests/agents/dhcp.pp | 82 ++++++++++++++-----
 manifests/plugins/ml2/opendaylight.pp | 30 ++++---
 ...ovsdb-ssl-dhcp-agent-da3bb98540de417f.yaml | 8 ++
 spec/classes/neutron_agents_dhcp_spec.rb | 32 ++++++++
 4 files changed, 120 insertions(+), 32 deletions(-)
 create mode 100644 releasenotes/notes/add-ovsdb-ssl-dhcp-agent-da3bb98540de417f.yaml
diff --git a/manifests/agents/dhcp.pp b/manifests/agents/dhcp.pp
index b226f021e..088b3f2eb 100644
--- a/manifests/agents/dhcp.pp
+++ b/manifests/agents/dhcp.pp
@@ -83,6 +83,22 @@
 # (optional) Name of Open vSwitch bridge to use
 # Defaults to $::os_service_default
 #
+# [*ovsdb_connection*]
+# (optional) The URI used to connect to the local OVSDB server
+# Defaults to $::os_service_default
+#
+# [*ovsdb_agent_ssl_key_file*]
+# (optional) The SSL key file to use for Neutron agents to connect to OVSDB
+# Defaults to $::os_service_default
+#
+# [*ovsdb_agent_ssl_cert_file*]
+# (optional) The SSL cert file to use for Neutron agents to connect to OVSDB
+# Defaults to $::os_service_default
+#
+# [*ovsdb_agent_ssl_ca_file*]
+# (optional) The SSL CA cert file to use for Neutron agents to connect to OVSDB
+# Defaults to $::os_service_default
+#
 # === Deprecated Parameters
 #
 # [*dhcp_domain*]
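Review bot: The new entries for ovsdb_agent_ssl_key_file, ovsdb_agent_ssl_cert_file and ovsdb_agent_ssl_ca_file all say "(optional)", yet the class body added later in this patch fails catalog compilation when ovsdb_connection matches /^ssl:/ and any of the three is still $::os_service_default. The header is what operators read before the compile error, so the conditional requirement belongs here; under each of the three I would add `#   Required when ovsdb_connection is an ssl: URI.` before the Defaults line. The ovsdb_connection entry would also benefit from one sentence saying that it replaces the value previously written by neutron::plugins::ml2::opendaylight, since after this patch both classes still emit OVS/ovsdb_connection through different config types.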
@@ -90,27 +106,31 @@
 # Defaults to $::os_service_default
 #
 class neutron::agents::dhcp (
- $package_ensure = present,
- $enabled = true,
- $manage_service = true,
- $debug = $::os_service_default,
- $state_path = '/var/lib/neutron',
- $resync_interval = 30,
- $interface_driver = 'neutron.agent.linux.interface.OVSInterfaceDriver',
- $dhcp_driver = $::os_service_default,
- $root_helper = 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf',
- $dnsmasq_config_file = $::os_service_default,
- $dnsmasq_dns_servers = $::os_service_default,
- $dnsmasq_local_resolv = $::os_service_default,
- $enable_isolated_metadata = false,
- $enable_force_metadata = $::os_service_default,
- $enable_metadata_network = false,
- $dhcp_broadcast_reply = $::os_service_default,
- $purge_config = false,
- $availability_zone = $::os_service_default,
- $ovs_integration_bridge = $::os_service_default,
+ $package_ensure = present,
+ $enabled = true,
+ $manage_service = true,
+ $debug = $::os_service_default,
+ $state_path = '/var/lib/neutron',
+ $resync_interval = 30,
+ $interface_driver = 'neutron.agent.linux.interface.OVSInterfaceDriver',
+ $dhcp_driver = $::os_service_default,
+ $root_helper = 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf',
+ $dnsmasq_config_file = $::os_service_default,
+ $dnsmasq_dns_servers = $::os_service_default,
+ $dnsmasq_local_resolv = $::os_service_default,
+ $enable_isolated_metadata = false,
+ $enable_force_metadata = $::os_service_default,
+ $enable_metadata_network = false,
+ $dhcp_broadcast_reply = $::os_service_default,
+ $purge_config = false,
+ $availability_zone = $::os_service_default,
+ $ovs_integration_bridge = $::os_service_default,
+ $ovsdb_connection = $::os_service_default,
+ $ovsdb_agent_ssl_key_file = $::os_service_default,
+ $ovsdb_agent_ssl_cert_file = $::os_service_default,
+ $ovsdb_agent_ssl_ca_file = $::os_service_default,
 # DEPRECATED PARAMETERS
- $dhcp_domain = $::os_service_default,
+ $dhcp_domain = $::os_service_default,
 ) {
 include ::neutron::deps
@@ -153,6 +173,28 @@ class neutron::agents::dhcp (
 warning('The dhcp_domain parameter is deprecated and will be removed in future releases')
 }
+ if $ovsdb_connection =~ /^ssl:/ {
+ $req_ssl_opts = {
+ 'ovsdb_agent_ssl_key_file' => $ovsdb_agent_ssl_key_file,
+ 'ovsdb_agent_ssl_cert_file' => $ovsdb_agent_ssl_cert_file,
+ 'ovsdb_agent_ssl_ca_file' => $ovsdb_agent_ssl_ca_file
+ }
+ $req_ssl_opts.each |$opts| {
+ if !$opts[1] or is_service_default($opts[1]) {
+ fail(
+ "${opts[0]} must be provided when using an SSL ovsdb_connection URI"
+ )
+ }
+ }
+ }
+
+ neutron_dhcp_agent_config {
+ 'OVS/ovsdb_connection': value => $ovsdb_connection;
+ 'OVS/ssl_key_file': value => $ovsdb_agent_ssl_key_file;
+ 'OVS/ssl_cert_file': value => $ovsdb_agent_ssl_cert_file;
+ 'OVS/ssl_ca_cert_file': value => $ovsdb_agent_ssl_ca_file;
+ }
+
 if $::neutron::params::dhcp_agent_package {
 package { 'neutron-dhcp-agent':
 ensure => $package_ensure,
diff --git a/manifests/plugins/ml2/opendaylight.pp b/manifests/plugins/ml2/opendaylight.pp
index be2173312..6e706d329 100644
--- a/manifests/plugins/ml2/opendaylight.pp
+++ b/manifests/plugins/ml2/opendaylight.pp
@@ -25,10 +25,6 @@
 # Defaults to $::os_service_default
 # Example: 'http://127.0.0.1:8080/controller/nb/v2/neutron'
 #
-# [*ovsdb_connection*]
-# (optional) The URI used to connect to the local OVSDB server
-# Defaults to 'tcp:127.0.0.1:6639'
-#
 # [*port_binding_controller*]
 # (optional) Name of the controller to be used for port binding.
 # Defaults to $::os_service_default
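Review bot: The guard `if !$opts[1] or is_service_default($opts[1])` in the new ssl: validation does not catch an empty string: this block already relies on Puppet 4 syntax (the `.each |$opts|` lambda), and in the Puppet 4 language only undef and false are falsy, so `ovsdb_agent_ssl_key_file => ''` passes the loop and the empty value goes straight into the neutron_dhcp_agent_config resource below it. stdlib is already in use in this patch (join/any2array in the opendaylight hunk), so its empty() covers undef and '' alike: `if empty($opts[1]) or is_service_default($opts[1]) {`. The check is also a presence check only — it cannot tell whether the key is readable by the agent or whether its permissions are sane — which is fine for a manifest but worth one comment above the block, e.g. `# Presence check only: existence and permissions of the key/cert files are the operator's responsibility.`, so the next reader does not assume more. The class body continues outside the hunk.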
@@ -41,15 +37,21 @@
 # (optional) List of ODL features to enable
 # Defaults to $::os_service_default
 #
+# === Deprecated Parameters
+#
+# [*ovsdb_connection*]
+# (optional) Deprecated. The URI used to connect to the local OVSDB server
+# Defaults to 'tcp:127.0.0.1:6639'
+#
 class neutron::plugins::ml2::opendaylight (
- $package_ensure = 'present',
- $odl_username = $::os_service_default,
- $odl_password = $::os_service_default,
- $odl_url = $::os_service_default,
- $ovsdb_connection = 'tcp:127.0.0.1:6639',
- $port_binding_controller = $::os_service_default,
- $odl_hostconf_uri = $::os_service_default,
- $odl_features = $::os_service_default,
+ $package_ensure = 'present',
+ $odl_username = $::os_service_default,
+ $odl_password = $::os_service_default,
+ $odl_url = $::os_service_default,
+ $ovsdb_connection = 'tcp:127.0.0.1:6639',
+ $port_binding_controller = $::os_service_default,
+ $odl_hostconf_uri = $::os_service_default,
+ $odl_features = $::os_service_default,
 ) {
 include ::neutron::deps
@@ -71,6 +73,10 @@ class neutron::plugins::ml2::opendaylight (
 'ml2_odl/odl_features': value => join(any2array($odl_features), ',');
 }
+ if $ovsdb_connection != 'tcp:127.0.0.1:6639' {
+ warning('The ovsdb_connection parameter is deprecated and will be removed in future releases')
+ }
+
 neutron_config {
 'OVS/ovsdb_connection': value => $ovsdb_connection;
 }
diff --git a/releasenotes/notes/add-ovsdb-ssl-dhcp-agent-da3bb98540de417f.yaml b/releasenotes/notes/add-ovsdb-ssl-dhcp-agent-da3bb98540de417f.yaml
new file mode 100644
index 000000000..60f70f3f8
--- /dev/null
+++ b/releasenotes/notes/add-ovsdb-ssl-dhcp-agent-da3bb98540de417f.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ Adds the ability to configure SSL OVSDB connection for Neutron DHCP Agent.
+deprecations:
+ - |
+ Deprecates using neutron::plugins::ml2::opendaylight::ovsdb_connection.
+ The configuration is now moved to neutron::agents::dhcp::ovsdb_connection.
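Review bot: The deprecation warning in the @@ -71 hunk only fires when ovsdb_connection differs from 'tcp:127.0.0.1:6639', but the `neutron_config { 'OVS/ovsdb_connection': ... }` resource right below it still writes that plaintext tcp URI unconditionally, so an ODL deployment that moves the DHCP agent to an ssl: URI through neutron::agents::dhcp also keeps a tcp:127.0.0.1:6639 entry emitted by this class; which of the two the agent ends up using presumably depends on the order it loads its config files, and nothing in this patch pins that down. Since the parameter is now deprecated, the cleaner deprecation is to default it to $::os_service_default in the @@ -41 hunk and warn on any explicit value, `if !is_service_default($ovsdb_connection) {`, so the resource writes nothing unless an operator still sets it and the DHCP-agent setting becomes the single source of the value. If the plaintext default has to stay for existing ODL deployments, say so in a comment above the warning and in the release note, because right now the deprecation text reads as if the ODL write no longer matters.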
diff --git a/spec/classes/neutron_agents_dhcp_spec.rb b/spec/classes/neutron_agents_dhcp_spec.rb
index 2d9ed79c3..e1fedff0d 100644
--- a/spec/classes/neutron_agents_dhcp_spec.rb
+++ b/spec/classes/neutron_agents_dhcp_spec.rb
@@ -50,6 +50,10 @@ describe 'neutron::agents::dhcp' do
 is_expected.to contain_neutron_dhcp_agent_config('DEFAULT/ovs_integration_bridge').with_value('');
 is_expected.to contain_neutron_dhcp_agent_config('DEFAULT/dnsmasq_local_resolv').with_value('');
 is_expected.to contain_neutron_dhcp_agent_config('AGENT/availability_zone').with_value('');
+ is_expected.to contain_neutron_dhcp_agent_config('OVS/ovsdb_connection').with_value('');
+ is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_key_file').with_value('');
+ is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_cert_file').with_value('');
+ is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_ca_cert_file').with_value('');
 end
 it 'installs neutron dhcp agent package' do
@@ -151,6 +155,34 @@ describe 'neutron::agents::dhcp' do
 is_expected.to contain_neutron_dhcp_agent_config('AGENT/availability_zone').with_value(p[:availability_zone]);
 end
 end
+
+ context 'with SSL configuration' do
+ before do
+ params.merge!({
+ :ovsdb_connection => 'ssl:127.0.0.1:6639',
+ :ovsdb_agent_ssl_key_file => '/tmp/dummy.pem',
+ :ovsdb_agent_ssl_cert_file => '/tmp/dummy.crt',
+ :ovsdb_agent_ssl_ca_file => '/tmp/ca.crt'
+ })
+ end
+ it 'configures neutron SSL settings' do
+ is_expected.to contain_neutron_dhcp_agent_config('OVS/ovsdb_connection').with_value(params[:ovsdb_connection])
+ is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_key_file').with_value(params[:ovsdb_agent_ssl_key_file])
+ is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_cert_file').with_value(params[:ovsdb_agent_ssl_cert_file])
+ is_expected.to contain_neutron_dhcp_agent_config('OVS/ssl_ca_cert_file').with_value(params[:ovsdb_agent_ssl_ca_file])
+ end
+ end
+
+ context 'with SSL enabled, but missing file config' do
+ before do
+ params.merge!({
+ :ovsdb_connection => 'ssl:127.0.0.1:6639'
+ })
+ end
+ it 'fails to configure' do
+ is_expected.to raise_error(Puppet::Error)
+ end
+ end
 end
 shared_examples_for 'neutron dhcp agent with dnsmasq_config_file specified' do
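Review bot: The 'fails to configure' example asserts only `raise_error(Puppet::Error)`, so any compile failure in the catalog satisfies it, not specifically the new SSL validation; match the message the manifest raises: `is_expected.to raise_error(Puppet::Error, /must be provided when using an SSL ovsdb_connection URI/)`. The negative context also leaves all three file parameters unset, while the validation loop checks each key individually, so a second context with only ovsdb_agent_ssl_ca_file missing would show that a partial configuration is rejected with the per-key message rather than passing. The enclosing describe block starts before the hunk and the shared_examples_for block continues after it.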