Merge "Fixes missing SSL configuration for Neutron DHCP agent"
commit
42913cf2bf
docker/services
puppet/services
releasenotes/notes
@ -36,6 +36,18 @@ parameters:
|
||||
default: {}
|
||||
description: Parameters specific to the role
|
||||
type: json
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
|
||||
conditions:
|
||||
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
@ -64,6 +76,10 @@ outputs:
|
||||
map_merge:
|
||||
- get_attr: [NeutronBase, role_data, config_settings]
|
||||
- get_attr: [NeutronLogging, config_settings]
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- tripleo::certmonger::neutron::postsave_cmd: "true" # TODO: restart the container here
|
||||
- {}
|
||||
logging_source: {get_attr: [NeutronBase, role_data, logging_source]}
|
||||
logging_groups: {get_attr: [NeutronBase, role_data, logging_groups]}
|
||||
service_config_settings: {get_attr: [NeutronBase, role_data, service_config_settings]}
|
||||
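Review bot: The certmonger post-save hook added as `tripleo::certmonger::neutron::postsave_cmd: "true"` is a no-op, so when certmonger renews the neutron certificate the running DHCP agent container presumably keeps using the key and certificate it loaded at start until something else restarts it, and its OVSDB connection would then fail once the old certificate expires. The inline TODO acknowledges the gap; until the restart is wired in I would spell out the consequence, e.g. `# TODO: restart the container here; until then a renewed cert is only picked up after a manual container restart`, so operators are not surprised by a TLS failure at renewal time. Separately, `EnableInternalTLS` as introduced in the first hunk of this file (and again in the puppet neutron-base and neutron-dhcp hunks) has no `description:` while `InternalTLSCAFile` does; `description: Enable TLS for services on the internal network` would keep the parameter block consistent. The enclosing `config_settings` map_merge starts before this hunk.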
@ -110,8 +126,21 @@ outputs:
|
||||
- /lib/modules:/lib/modules:ro
|
||||
- /run/openvswitch:/run/openvswitch
|
||||
- /var/lib/neutron:/var/lib/neutron
|
||||
-
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- - /etc/pki/tls/certs/neutron.crt:/etc/pki/tls/certs/neutron.crt:ro
|
||||
- /etc/pki/tls/private/neutron.key:/etc/pki/tls/private/neutron.key:ro
|
||||
- list_join:
|
||||
- ':'
|
||||
- - {get_param: InternalTLSCAFile}
|
||||
- {get_param: InternalTLSCAFile}
|
||||
- 'ro'
|
||||
- null
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||
metadata_settings:
|
||||
get_attr: [NeutronBase, role_data, metadata_settings]
|
||||
host_prep_tasks:
|
||||
list_concat:
|
||||
- {get_attr: [NeutronLogging, host_prep_tasks]}
|
||||
|
@ -113,10 +113,14 @@ parameters:
|
||||
description: Driver or drivers to handle sending notifications.
|
||||
constraints:
|
||||
- allowed_values: [ 'messagingv2', 'noop' ]
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
|
||||
conditions:
|
||||
dhcp_agents_zero: {equals : [{get_param: NeutronDhcpAgentsPerNetwork}, 0]}
|
||||
service_debug_unset: {equals : [{get_param: NeutronDebug}, '']}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
outputs:
|
||||
role_data:
|
||||
@ -152,3 +156,28 @@ outputs:
|
||||
- dhcp_agents_zero
|
||||
- {}
|
||||
- tripleo::profile::base::neutron::dhcp_agents_per_network: {get_param: NeutronDhcpAgentsPerNetwork}
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- generate_service_certificates: true
|
||||
tripleo::profile::base::neutron::certificate_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/neutron.crt'
|
||||
service_key: '/etc/pki/tls/private/neutron.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "neutron/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
- null
|
||||
metadata_settings:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
-
|
||||
- service: neutron
|
||||
network: {get_param: [ServiceNetMap, NeutronApiNetwork]}
|
||||
type: node
|
||||
- null
|
||||
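Review bot: The certificate and key paths `/etc/pki/tls/certs/neutron.crt` and `/etc/pki/tls/private/neutron.key` in the new `certificate_specs` are repeated verbatim in the docker neutron-dhcp volume mounts and in the puppet neutron-dhcp `ovsdb_agent_ssl_*` settings in this commit, with nothing tying the three together, so changing one silently breaks the other two. A comment on `service_certificate:` such as `# keep in sync with the docker/services and puppet/services neutron-dhcp templates, which mount/reference these exact paths` would at least make the coupling visible to the next editor. The `if` here falls back to `- null` inside the map_merge whereas the equivalent branches in the docker and neutron-dhcp hunks use `- {}`; Heat appears to tolerate both, but one form across the commit would read more consistently. The enclosing `map_merge` list starts before this hunk.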
|
@ -69,9 +69,18 @@ parameters:
|
||||
default: 'neutron.agent.linux.interface.OVSInterfaceDriver'
|
||||
description: Neutron DHCP Agent interface driver
|
||||
type: string
|
||||
EnableInternalTLS:
|
||||
type: boolean
|
||||
default: false
|
||||
InternalTLSCAFile:
|
||||
default: '/etc/ipa/ca.crt'
|
||||
type: string
|
||||
description: Specifies the default CA cert to use if TLS is used for
|
||||
services in the internal network.
|
||||
|
||||
conditions:
|
||||
service_debug_unset: {equals: [{get_param: NeutronDhcpAgentDebug}, '']}
|
||||
internal_tls_enabled: {equals: [{get_param: EnableInternalTLS}, true]}
|
||||
|
||||
resources:
|
||||
|
||||
@ -112,6 +121,12 @@ outputs:
|
||||
proto: 'udp'
|
||||
chain: 'OUTPUT'
|
||||
dport: 68
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
- neutron::agents::dhcp::ovsdb_agent_ssl_key_file: '/etc/pki/tls/private/neutron.key'
|
||||
neutron::agents::dhcp::ovsdb_agent_ssl_cert_file: '/etc/pki/tls/certs/neutron.crt'
|
||||
neutron::agents::dhcp::ovsdb_agent_ssl_ca_file: {get_param: InternalTLSCAFile}
|
||||
- {}
|
||||
service_config_settings:
|
||||
fluentd:
|
||||
tripleo_fluentd_groups_neutron_dhcp:
|
||||
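Review bot: The three `neutron::agents::dhcp::ovsdb_agent_ssl_*` settings are applied whenever `internal_tls_enabled` is true, but none of the visible hunks for this file switch the agent's `ovsdb_connection` to an `ssl:` transport; that only happens in the OpenDaylight template later in this commit. On an internal-TLS deployment without OpenDaylight the key, certificate and CA paths are therefore configured for a connection that, as far as this hunk shows, stays on its default transport, which is harmless but confusing to read. A short comment above the `if:`, e.g. `# SSL material for the agent's OVSDB connection; the ssl: transport itself is selected by the opendaylight service's service_config_settings`, would document the dependency. The enclosing `config_settings` map_merge starts before this hunk.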
@ -137,3 +152,5 @@ outputs:
|
||||
- step|int == 1
|
||||
- neutron_dhcp_agent_enabled.rc == 0
|
||||
service: name=neutron-dhcp-agent state=stopped
|
||||
metadata_settings:
|
||||
get_attr: [NeutronBase, role_data, metadata_settings]
|
||||
|
@ -160,6 +160,12 @@ outputs:
|
||||
opendaylight::tls_ca_cert_file: {get_param: InternalTLSCAFile}
|
||||
opendaylight::tls_keystore_password: {get_param: OpenDaylightTLSKeystorePassword}
|
||||
- {}
|
||||
service_config_settings:
|
||||
neutron_dhcp:
|
||||
if:
|
||||
- internal_tls_enabled
|
||||
- neutron::agents::dhcp::ovsdb_connection: 'ssl:127.0.0.1:6639'
|
||||
- neutron::agents::dhcp::ovsdb_connection: 'tcp:127.0.0.1:6639'
|
||||
step_config: |
|
||||
include tripleo::profile::base::neutron::opendaylight
|
||||
upgrade_tasks:
|
||||
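Review bot: The `ssl:127.0.0.1:6639` branch assumes the node's ovsdb-server is already listening with SSL on 6639 and validating the neutron client certificate against the same CA, and nothing in this commit's hunks configures that server side; if it is handled elsewhere, a pointer to it would help whoever debugs a handshake failure. When `EnableInternalTLS` is false the agent keeps the plaintext `tcp:127.0.0.1:6639` connection, which is the pre-existing behaviour but worth stating since the toggle is otherwise documented only by its name. The loopback address and port are also hard-coded in both branches; if the OpenDaylight templates already carry an OVSDB port parameter it should be reused here, otherwise a comment above the `if:` such as `# must match the OVSDB listener configured on this node for OpenDaylight` states the contract.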
|
@ -0,0 +1,6 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Fixes issue in OpenDaylight deployments where SSL between Neutron DHCP
|
||||
agent with OVS did not work due to missing SSL certificate/key
|
||||
configuration.
|