Support connecting OVN DB over SSL

This patch introduce parameters which support using SSL to connect to
OVN_Northbound DB and OVN_Southbound DB.

Change-Id: I5a03a74e68d2b8b7364341ba2ed77dfb419ebc58
Signed-off-by: Kamil Sambor <ksambor@redhat.com>

manifests/agents/ovn_metadata.pp

@@ -68,6 +68,20 @@
 #   (optional) The connection string for the OVN_Southbound OVSDB
 #   Defaults to '$::os_service_default'
 #
+# [*ovn_sb_private_key*]
+#   (optional) TThe PEM file with private key for SSL connection to OVN-SB-DB
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_certificate*]
+#   (optional) The PEM file with certificate that certifies the
+#   private key specified in ovn_sb_private_key
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_ca_cert*]
+#   (optional) TThe PEM file with CA certificate that OVN should use to
+#   verify certificates presented to it by SSL peers
+#   Defaults to $::os_service_default
+#
 # [*ovsdb_connection_timeout*]
 #   (optional) Timeout in seconds for the OVSDB connection transaction
 #   Defaults to $::os_service_default
@@ -111,6 +125,9 @@ class neutron::agents::ovn_metadata (
   $ovsdb_connection          = 'tcp:127.0.0.1:6640',
   $ovs_manager               = 'ptcp:6640:127.0.0.1',
   $ovn_sb_connection         = $::os_service_default,
+  $ovn_sb_private_key        = $::os_service_default,
+  $ovn_sb_certificate        = $::os_service_default,
+  $ovn_sb_ca_cert            = $::os_service_default,
   $ovsdb_connection_timeout  = $::os_service_default,
   $root_helper               = 'sudo neutron-rootwrap /etc/neutron/rootwrap.conf',
   $root_helper_daemon        = $::os_service_default,
@@ -144,6 +161,9 @@ class neutron::agents::ovn_metadata (
     'ovs/ovsdb_connection':                   value => $ovsdb_connection;
     'ovs/ovsdb_connection_timeout':           value => $ovsdb_connection_timeout;
     'ovn/ovn_sb_connection':                  value => $ovn_sb_connection;
+    'ovn/ovn_sb_private_key':                 value => $ovn_sb_private_key;
+    'ovn/ovn_sb_certificate':                 value => $ovn_sb_certificate;
+    'ovn/ovn_sb_ca_cert':                     value => $ovn_sb_ca_cert;
   }
 
   if $::neutron::params::ovn_metadata_agent_package {

manifests/plugins/ml2/ovn.pp

@@ -10,6 +10,34 @@
 #   (optional) The connection string for the OVN_Southbound OVSDB
 #   Defaults to 'tcp:127.0.0.1:6642'
 #
+# [*ovn_nb_private_key*]
+#   (optional) The PEM file with private key for SSL connection to OVN-NB-DB
+#   Defaults to $::os_service_default
+#
+# [*ovn_nb_certificate*]
+#   (optional) The PEM file with certificate that certifies the private
+#   key specified in ovn_nb_private_key
+#   Defaults to $::os_service_default
+#
+# [*ovn_nb_ca_cert*]
+#   (optional) The PEM file with CA certificate that OVN should use to
+#   verify certificates presented to it by SSL peers
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_private_key*]
+#   (optional) The PEM file with private key for SSL connection to OVN-SB-DB
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_certificate*]
+#   (optional) The PEM file with certificate that certifies the
+#   private key specified in ovn_sb_private_key
+#   Defaults to $::os_service_default
+#
+# [*ovn_sb_ca_cert*]
+#   (optional) The PEM file with CA certificate that OVN should use to
+#   verify certificates presented to it by SSL peers
+#   Defaults to $::os_service_default
+#
 # [*package_ensure*]
 #   (optional) The intended state of the python-networking-odl
 #   package, i.e. any of the possible values of the 'ensure'
@@ -67,6 +95,12 @@
 class neutron::plugins::ml2::ovn(
   $ovn_nb_connection        = $::os_service_default,
   $ovn_sb_connection        = $::os_service_default,
+  $ovn_nb_private_key       = $::os_service_default,
+  $ovn_nb_certificate       = $::os_service_default,
+  $ovn_nb_ca_cert           = $::os_service_default,
+  $ovn_sb_private_key       = $::os_service_default,
+  $ovn_sb_certificate       = $::os_service_default,
+  $ovn_sb_ca_cert           = $::os_service_default,
   $package_ensure           = 'present',
   $ovsdb_connection_timeout = $::os_service_default,
   $neutron_sync_mode        = $::os_service_default,
@@ -103,6 +137,12 @@ class neutron::plugins::ml2::ovn(
   neutron_plugin_ml2 {
     'ovn/ovn_nb_connection'        : value => $ovn_nb_connection;
     'ovn/ovn_sb_connection'        : value => $ovn_sb_connection;
+    'ovn/ovn_nb_private_key'       : value => $ovn_nb_private_key;
+    'ovn/ovn_nb_certificate'       : value => $ovn_nb_certificate;
+    'ovn/ovn_nb_ca_cert'           : value => $ovn_nb_ca_cert;
+    'ovn/ovn_sb_private_key'       : value => $ovn_sb_private_key;
+    'ovn/ovn_sb_certificate'       : value => $ovn_sb_certificate;
+    'ovn/ovn_sb_ca_cert'           : value => $ovn_sb_ca_cert;
     'ovn/ovsdb_connection_timeout' : value => $ovsdb_connection_timeout;
     'ovn/neutron_sync_mode'        : value => $neutron_sync_mode;
     'ovn/ovn_l3_mode'              : value => $ovn_l3_mode;

releasenotes/notes/ovn-ssl-f41da14a9eaa6fe3.yaml

@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    This patch introduce parameters which support SSL to connect to
+    OVN_Northbound DB and OVN_Southbound DB. This can be set by:
+    * 'ovn_nb_private_key': The PEM file with private key for SSL connection to OVN-NB-DB
+    * 'ovn_nb_certificate': The PEM file with certificate that certifies the private
+    key specified in ovn_nb_private_key
+    * 'ovn_nb_ca_cert': The PEM file with CA certificate that OVN should use to
+    verify certificates presented to it by SSL peers
+    * 'ovn_sb_private_key': The PEM file with private key for SSL connection to OVN-SB-DBt,
+    * 'ovn_sb_certificate': The PEM file with certificate that certifies the
+    private key specified in ovn_sb_private_key'
+    * 'ovn_sb_ca_cert': The PEM file with CA certificate that OVN should use to
+    verify certificates presented to it by SSL peers

spec/classes/neutron_plugins_ml2_ovn_spec.rb

@@ -13,6 +13,12 @@ describe 'neutron::plugins::ml2::ovn' do
     {
        :ovn_nb_connection        => 'tcp:127.0.0.1:6641',
        :ovn_sb_connection        => 'tcp:127.0.0.1:6642',
+       :ovn_nb_private_key       => 'nb_key',
+       :ovn_nb_certificate       => 'nb_cert',
+       :ovn_nb_ca_cert           => 'nb_ca_cert',
+       :ovn_sb_private_key       => 'sb_key',
+       :ovn_sb_certificate       => 'sb_cert',
+       :ovn_sb_ca_cert           => 'sb_ca_cert',
        :ovsdb_connection_timeout => '60',
        :neutron_sync_mode        => 'log',
        :ovn_l3_mode              => true,
@@ -35,6 +41,12 @@ describe 'neutron::plugins::ml2::ovn' do
     it 'should perform default configuration of' do
       should contain_neutron_plugin_ml2('ovn/ovn_nb_connection').with_value(params[:ovn_nb_connection])
       should contain_neutron_plugin_ml2('ovn/ovn_sb_connection').with_value(params[:ovn_sb_connection])
+      should contain_neutron_plugin_ml2('ovn/ovn_nb_private_key').with_value(params[:ovn_nb_private_key])
+      should contain_neutron_plugin_ml2('ovn/ovn_nb_certificate').with_value(params[:ovn_nb_certificate])
+      should contain_neutron_plugin_ml2('ovn/ovn_nb_ca_cert').with_value(params[:ovn_nb_ca_cert])
+      should contain_neutron_plugin_ml2('ovn/ovn_sb_private_key').with_value(params[:ovn_sb_private_key])
+      should contain_neutron_plugin_ml2('ovn/ovn_sb_certificate').with_value(params[:ovn_sb_certificate])
+      should contain_neutron_plugin_ml2('ovn/ovn_sb_ca_cert').with_value(params[:ovn_sb_ca_cert])
       should contain_neutron_plugin_ml2('ovn/ovsdb_connection_timeout').with_value(params[:ovsdb_connection_timeout])
       should contain_neutron_plugin_ml2('ovn/neutron_sync_mode').with_value(params[:neutron_sync_mode])
       should contain_neutron_plugin_ml2('ovn/ovn_l3_mode').with_value(params[:ovn_l3_mode])