OVN IPSec

ansible/certificates.yml

@@ -3,7 +3,8 @@
   when: >-
     kolla_enable_tls_backend | default(false) | bool or
     rabbitmq_enable_tls | default(false) | bool or
-    certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool
+    certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool or
+    neutron_ovs_generate_certificates | default(false) | bool
 
 - name: Apply role certificates
   hosts: localhost

ansible/group_vars/all.yml

@@ -841,6 +841,7 @@ enable_octavia_driver_agent: "{{ enable_octavia | bool and neutron_plugin_agent
 enable_octavia_jobboard: "{{ enable_octavia | bool and 'amphora' in octavia_provider_drivers }}"
 enable_openvswitch: "{{ enable_neutron | bool and neutron_plugin_agent != 'linuxbridge' }}"
 enable_ovn: "{{ enable_neutron | bool and neutron_plugin_agent == 'ovn' }}"
+enable_ovn_ipsec: "no"
 enable_ovs_dpdk: "no"
 enable_osprofiler: "no"
 enable_placement: "{{ enable_nova | bool or enable_zun | bool }}"
@@ -1128,6 +1129,10 @@ neutron_ovn_availability_zones: []
 # Enable OVN agent
 neutron_enable_ovn_agent: "no"
 
+# OVS chassis certificates
+neutron_ovs_generate_certificates: "no"
+neutron_ovs_use_certificates: "{{ (enable_ovn_ipsec | bool) or (neutron_ovs_generate_certificates | bool) }}"
+
 #######################
 # Nova options
 #######################

ansible/roles/certificates/defaults/main.yml

@@ -4,6 +4,7 @@ external_dir: "{{ kolla_certificates_dir }}/private/external"
 internal_dir: "{{ kolla_certificates_dir }}/private/internal"
 backend_dir: "{{ kolla_certificates_dir }}/private/backend"
 libvirt_dir: "{{ kolla_certificates_dir }}/private/libvirt"
+ovs_dir: "{{ kolla_certificates_dir }}/private/ovs"
 
 # Whether to generate certificates for libvirt TLS.
 certificates_generate_libvirt: "{{ libvirt_tls | default(false) | bool }}"

ansible/roles/certificates/tasks/generate-ovs.yml

@@ -0,0 +1,85 @@
+---
+- name: Ensuring private neutron ovs directory exist
+  file:
+    path: "{{ ovs_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Ensuring neutron ovs host directory exist
+  file:
+    path: "{{ kolla_certificates_dir }}/{{ item }}"
+    state: "directory"
+    mode: "0770"
+  loop: "{{ groups['neutron-ovn-agent'] }}"
+
+- name: Ensuring private neutron ovs host directory exist
+  file:
+    path: "{{ ovs_dir }}/{{ item }}"
+    state: "directory"
+    mode: "0770"
+  loop: "{{ groups['neutron-ovn-agent'] }}"
+
+- name: Creating neutron ovs SSL configuration files
+  template:
+    src: "openssl-kolla-ovs.cnf.j2"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}/openssl-kolla-ovs.cnf"
+    mode: "0660"
+  loop: "{{ groups['neutron-ovn-agent'] }}"
+
+- name: Creating neutron ovs certificate keys
+  command: >
+    openssl genrsa
+    -out "{{ ovs_dir }}/{{ item }}/openvswitch.key" 2048
+  args:
+    creates: "{{ ovs_dir }}/{{ item }}/openvswitch.key"
+  loop: "{{ groups['neutron-ovn-agent'] }}"
+
+- name: Creating neutron ovs certificate signing requests
+  command: >
+    openssl req
+    -new
+    -key "{{ ovs_dir }}/{{ item }}/openvswitch.key"
+    -out "{{ ovs_dir }}/{{ item }}/openvswitch.csr"
+    -config "{{ kolla_certificates_dir }}/{{ item }}/openssl-kolla-ovs.cnf"
+    -sha256
+  args:
+    creates: "{{ ovs_dir }}/{{ item }}/openvswitch.csr"
+  loop: "{{ groups['neutron-ovn-agent'] }}"
+
+- name: Creating neutron ovs certificates
+  command: >
+    openssl x509
+    -req
+    -in "{{ ovs_dir }}/{{ item }}/openvswitch.csr"
+    -CA "{{ root_dir }}/root.crt"
+    -CAkey "{{ root_dir }}/root.key"
+    -CAcreateserial
+    -extensions v3_req
+    -extfile "{{ kolla_certificates_dir }}/{{ item }}/openssl-kolla-ovs.cnf"
+    -out "{{ ovs_dir }}/{{ item }}/openvswitch.crt"
+    -days 500
+    -sha256
+  args:
+    creates: "{{ ovs_dir }}/{{ item }}/openvswitch.crt"
+  loop: "{{ groups['neutron-ovn-agent'] }}"
+
+- name: Setting permissions on neutron ovs keys
+  file:
+    path: "{{ ovs_dir }}/{{ item }}/openvswitch.key"
+    mode: "0660"
+    state: file
+  loop: "{{ groups['neutron-ovn-agent'] }}"
+
+- name: Copy neutron ovs cert to default configuration location
+  copy:
+    src: "{{ ovs_dir }}/{{ item }}/openvswitch.crt"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}/openvswitch-cert.pem"
+    mode: "0660"
+  loop: "{{ groups['neutron-ovn-agent'] }}"
+
+- name: Copy neutron ovs key to default configuration location
+  copy:
+    src: "{{ ovs_dir }}/{{ item }}/openvswitch.key"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}/openvswitch-key.pem"
+    mode: "0660"
+  loop: "{{ groups['neutron-ovn-agent'] }}"

ansible/roles/certificates/tasks/main.yml

@@ -6,3 +6,5 @@
     - kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool
 - include_tasks: generate-libvirt.yml
   when: certificates_generate_libvirt | bool
+- include_tasks: generate-ovs.yml
+  when: neutron_ovs_generate_certificates | bool

ansible/roles/certificates/templates/openssl-kolla-ovs.cnf.j2

@@ -0,0 +1,17 @@
+[ req ]
+prompt = no
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[ req_distinguished_name ]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+commonName = {{ hostvars[item].ansible_facts['hostname'] }}
+
+[ v3_req ]
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = {{ hostvars[item].ansible_facts['hostname'] }}

ansible/roles/openvswitch/defaults/main.yml

@@ -33,6 +33,23 @@ openvswitch_services:
     volumes: "{{ openvswitch_vswitchd_default_volumes + openvswitch_vswitchd_extra_volumes }}"
     dimensions: "{{ openvswitch_vswitchd_dimensions }}"
     healthcheck: "{{ openvswitch_vswitchd_healthcheck }}"
+  openvswitch-ipsec:
+    container_name: "openvswitch_ipsec"
+    image: "{{ openvswitch_ipsec_image_full }}"
+    enabled: "{{ enable_ovn_ipsec }}"
+    group: openvswitch
+    host_in_groups: >-
+      {{
+      inventory_hostname in groups['compute']
+      or (enable_manila_backend_generic | bool and inventory_hostname in groups['manila-share'])
+      or inventory_hostname in groups['neutron-dhcp-agent']
+      or inventory_hostname in groups['neutron-l3-agent']
+      or inventory_hostname in groups['neutron-metadata-agent']
+      }}
+    privileged: True
+    volumes: "{{ openvswitch_ipsec_default_volumes + openvswitch_ipsec_extra_volumes }}"
+    dimensions: "{{ openvswitch_ipsec_dimensions }}"
+    healthcheck: {}
 
 ####################
 # Docker
@@ -47,8 +64,13 @@ openvswitch_vswitchd_image: "{{ docker_registry ~ '/' if docker_registry else ''
 openvswitch_vswitchd_tag: "{{ openvswitch_tag }}"
 openvswitch_vswitchd_image_full: "{{ openvswitch_vswitchd_image }}:{{ openvswitch_vswitchd_tag }}"
 
+openvswitch_ipsec_image: "{{ docker_registry ~ '/' if docker_registry else '' }}{{ docker_namespace }}/openvswitch-ipsec"
+openvswitch_ipsec_tag: "{{ openvswitch_tag }}"
+openvswitch_ipsec_image_full: "{{ openvswitch_ipsec_image }}:{{ openvswitch_ipsec_tag }}"
+
 openvswitch_db_dimensions: "{{ default_container_dimensions }}"
 openvswitch_vswitchd_dimensions: "{{ default_container_dimensions }}"
+openvswitch_ipsec_dimensions: "{{ default_container_dimensions }}"
 
 openvswitch_db_enable_healthchecks: "{{ enable_container_healthchecks }}"
 openvswitch_db_healthcheck_interval: "{{ default_container_healthcheck_interval }}"
@@ -91,10 +113,18 @@ openvswitch_vswitchd_default_volumes:
   - "/lib/modules:/lib/modules:ro"
   - "/run/openvswitch:/run/openvswitch:shared"
   - "kolla_logs:/var/log/kolla/"
+openvswitch_ipsec_default_volumes:
+  - "{{ node_config_directory }}/openvswitch-ipsec/:{{ container_config_directory }}/:ro"
+  - "/etc/localtime:/etc/localtime:ro"
+  - "{{ '/etc/timezone:/etc/timezone:ro' if ansible_facts.os_family == 'Debian' else '' }}"
+  - "/lib/modules:/lib/modules:ro"
+  - "/run/openvswitch:/run/openvswitch:shared"
+  - "kolla_logs:/var/log/kolla/"
 
 openvswitch_extra_volumes: "{{ default_extra_volumes }}"
 openvswitch_db_extra_volumes: "{{ openvswitch_extra_volumes }}"
 openvswitch_vswitchd_extra_volumes: "{{ openvswitch_extra_volumes }}"
+openvswitch_ipsec_extra_volumes: "{{ openvswitch_extra_volumes }}"
 
 openvswitch_ovs_vsctl_wrapper_enabled: false
 

ansible/roles/openvswitch/files/ovn_ipsec_supervisor_event_handler.py

@@ -0,0 +1,59 @@
+#!/usr/bin/env python3
+import os
+import sys
+import xmlrpc.client
+
+
+def write_stdout(s):
+    # Only event listener protocol messages may be sent to stdout
+    sys.stdout.write(s)
+    sys.stdout.flush()
+
+
+def write_stderr(s):
+    sys.stderr.write(s)
+    sys.stderr.flush()
+
+
+def get_rpc_interface():
+    # Extract required environment variables
+    supervisor_server_url = "http://localhost:9001/RPC2"
+    username = os.getenv('SUPERVISOR_USERNAME', None)
+    password = os.getenv('SUPERVISOR_PASSWORD', None)
+
+    if username and password:
+        return xmlrpc.client.ServerProxy(f'http://{username}:{password}@{supervisor_server_url}')
+    else:
+        return xmlrpc.client.ServerProxy(supervisor_server_url)
+
+
+def main():
+    rpc = get_rpc_interface()
+
+    while True:
+        # Transition from ACKNOWLEDGED to READY
+        write_stdout('READY\n')
+
+        # Read header line and print it to stderr
+        line = sys.stdin.readline()
+        write_stderr(line)
+
+        # Read event payload and print it to stderr
+        headers = dict([x.split(':') for x in line.split()])
+        data = sys.stdin.read(int(headers['len']))
+        write_stderr(data)
+
+        event_type = headers.get('eventname')
+        if event_type in ("PROCESS_STATE_STOPPED", "PROCESS_STATE_EXITED"):
+            process_name = headers.get('processname')
+            write_stderr(f"Process {process_name} has stopped or exited. Stopping all processes.\n")
+
+            # Stop all processes managed by Supervisor
+            rpc.supervisor.stopAllProcesses()
+
+        # Transition from READY to ACKNOWLEDGED
+        write_stdout('RESULT 2\nOK\n')
+
+
+if __name__ == '__main__':
+    main()

ansible/roles/openvswitch/handlers/main.yml

@@ -42,3 +42,19 @@
     healthcheck: "{{ service.healthcheck }}"
   when:
     - kolla_action != "config"
+
+- name: Restart openvswitch-ipsec container
+  vars:
+    service_name: "openvswitch-ipsec"
+    service: "{{ openvswitch_services[service_name] }}"
+  become: true
+  kolla_container:
+    action: "recreate_or_restart_container"
+    common_options: "{{ docker_common_options }}"
+    name: "{{ service.container_name }}"
+    image: "{{ service.image }}"
+    volumes: "{{ service.volumes }}"
+    privileged: "{{ service.privileged | default(False) }}"
+    dimensions: "{{ service.dimensions }}"
+  when:
+    - kolla_action != "config"