Use secret for ovn DBs connection
This also includes adaptation for the new location of the OVN DBs
config option in the ovn-bgp-agent [1]

[1] https://review.opendev.org/c/openstack/ovn-bgp-agent/+/901597
luis5tb committed Nov 24, 2023
1 parent d6c10fc commit 3ffc4ca
Showing 7 changed files with 58 additions and 67 deletions.
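--- a/roles/edpm_neutron_dhcp/tasks/bootstrap.yml
+++ b/roles/edpm_neutron_dhcp/tasks/bootstrap.yml
@@ -14,12 +14,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-- name: Ensure the Openvswitch package is installed
-  ansible.builtin.package:
-    name: openvswitch
-    state: present
-
-- name: Ensure the OVS service is running
-  ansible.builtin.systemd:
-    name: openvswitch
-    state: started
+- name: Ensure Openvswitch installed and running
+  ansible.builtin.include_role:
+    name: osp.edpm.edpm_ovn
+    tasks_from: "bootstrap.yml"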
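Review bot: The new include_role task replaces two self-contained tasks with an opaque cross-role dependency, and nothing in the file says why, so a one-line comment above it would help the next maintainer: `# OVS install/start is owned by edpm_ovn; every OVN-consuming role reuses its bootstrap so the package/service handling stays in one place`. Because include_role is a dynamic include, tags placed on this task do not reach the tasks inside edpm_ovn's bootstrap.yml unless `apply: {tags: [...]}` is set, so if these roles are ever run with --tags the OVS bootstrap will be skipped silently — worth confirming against how the playbooks invoke them. The same replacement is made in edpm_neutron_metadata, edpm_neutron_ovn and edpm_ovn_bgp_agent/configure_ovn.yml in this commit, so the note applies to all four.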
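--- a/roles/edpm_neutron_metadata/tasks/bootstrap.yml
+++ b/roles/edpm_neutron_metadata/tasks/bootstrap.yml
@@ -14,12 +14,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-- name: Ensure the Openvswitch package is installed
-  ansible.builtin.package:
-    name: openvswitch
-    state: present
-
-- name: Ensure the OVS service is running
-  ansible.builtin.systemd:
-    name: openvswitch
-    state: started
+- name: Ensure Openvswitch installed and running
+  ansible.builtin.include_role:
+    name: osp.edpm.edpm_ovn
+    tasks_from: "bootstrap.yml"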
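--- a/roles/edpm_neutron_ovn/tasks/bootstrap.yml
+++ b/roles/edpm_neutron_ovn/tasks/bootstrap.yml
@@ -14,12 +14,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-- name: Ensure the Openvswitch package is installed
-  ansible.builtin.package:
-    name: openvswitch
-    state: present
-
-- name: Ensure the OVS service is running
-  ansible.builtin.systemd:
-    name: openvswitch
-    state: started
+- name: Ensure Openvswitch installed and running
+  ansible.builtin.include_role:
+    name: osp.edpm.edpm_ovn
+    tasks_from: "bootstrap.yml"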
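--- a/roles/edpm_ovn_bgp_agent/defaults/main.yml
+++ b/roles/edpm_ovn_bgp_agent/defaults/main.yml
@@ -31,6 +31,7 @@ edpm_ovn_bgp_agent_certificate: /etc/pki/tls/certs/ovn_bgp_agent.crt
 edpm_ovn_bgp_agent_ca_cert: /etc/ipa/ca.crt
 edpm_ovn_bgp_agent_internal_tls_enable: false
 edpm_ovn_bgp_agent_config_basedir: "/var/lib/config-data/ansible-generated/ovn-bgp-agent"
+edpm_ovn_bgp_agent_neutron_ovn_config_src: /var/lib/openstack/configs/ovn-bgp-agent
 edpm_ovn_bgp_agent_bgp_as: 64999
 edpm_ovn_bgp_agent_clear_vrf_routes_on_startup: false
 edpm_ovn_bgp_agent_bgp_nic: bgp-nic
@@ -52,9 +53,6 @@ edpm_ovn_bgp_agent_evpn_local_ip: ''
 edpm_ovn_bgp_agent_evpn_nic: ''
 edpm_ovn_bgp_agent_evpn_udp_dstport: '' # 4789
 
-edpm_ovn_nb_dbs: []
-edpm_ovn_nb_server_port: 6641
-
 edpm_ovn_bgp_agent_common_volumes:
   - /etc/hosts:/etc/hosts:ro
   - /etc/localtime:/etc/localtime:ro
@@ -110,10 +108,6 @@ edpm_ovn_bgp_agent_local_ovn_ovs_external_ids:
   ovn-bridge-bgp: "br-bgp"
   ovn-bridge-mappings-bgp: "{{ edpm_ovn_bgp_agent_local_ovn_bridge_mappings | join(',') }}"
   ovn-remote-bgp: "unix:/run/ovn/ovnsb_db.sock"
-  ovn-nb-remote: >-
-    "{%- set db_addresses = [] -%}{%- for host in edpm_ovn_nb_dbs -%}
-    {{ db_addresses.append([edpm_ovn_protocol, host, edpm_ovn_nb_server_port] | join(':')) }}{%- endfor -%}
-    {{ db_addresses | join(',') }}"
 
 edpm_ovn_bgp_agent_local_ovn_cluster_common_volumes:
   - /lib/modules:/lib/modules:ro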
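Review bot: Dropping `edpm_ovn_nb_dbs` and `edpm_ovn_nb_server_port` from the defaults is a silent interface break: Ansible does not complain about inventory variables that no longer have a consumer, so any deployment still setting them will simply stop influencing the NB connection with no warning, and the new `edpm_ovn_bgp_agent_neutron_ovn_config_src` variable carries no explanation of what replaced them. A comment above the new default would close that gap, e.g. `# Directory on the controller holding the *ovn.conf secret(s) that carry the OVN NB/SB connection settings; these replace the former edpm_ovn_nb_dbs / edpm_ovn_nb_server_port variables`. The removed `ovn-nb-remote` external_id was the only place the NB address reached OVS; if anything in the local-OVN-cluster path still reads that key from Open_vSwitch external_ids (not visible here), it now gets nothing, which is worth confirming.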
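--- a/roles/edpm_ovn_bgp_agent/tasks/configure.yml
+++ b/roles/edpm_ovn_bgp_agent/tasks/configure.yml
@@ -14,24 +14,40 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-- name: Ensure the Openvswitch package is installed
-  ansible.builtin.package:
-    name: openvswitch
-    state: present
-
-- name: Ensure the OVS service is running
-  ansible.builtin.systemd:
-    name: openvswitch
-    state: started
+- name: Ensure Openvswitch installed and running
+  ansible.builtin.include_role:
+    name: osp.edpm.edpm_ovn
+    tasks_from: "bootstrap.yml"
 
 - name: Configure OVN BGP agent
-  ansible.builtin.template:
-    src: ovn-bgp-agent.conf.j2
-    dest: "{{ edpm_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/bgp-agent.conf"
-    mode: "640"
-    selevel: s0
-    setype: container_file_t
-  register: _ovn_bgp_agent_config_result
+  block:
+    - name: Render OVN BGP agent config files
+      ansible.builtin.template:
+        src: ovn-bgp-agent.conf.j2
+        dest: "{{ edpm_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/bgp-agent.conf"
+        mode: "644"
+        selevel: s0
+        setype: container_file_t
+      register: _ovn_bgp_agent_config_result
+
+    - name: Discover secrets in {{ edpm_ovn_bgp_agent_neutron_ovn_config_src }}
+      ansible.builtin.find:
+        paths: "{{ edpm_ovn_bgp_agent_neutron_ovn_config_src }}"
+        file_type: file
+        recurse: true
+        patterns:
+          - "*ovn.conf"
+      register: edpm_neutron_ovn_secrets
+      delegate_to: localhost
+      become: false
+
+    - name: Flatten secrets into /etc/ovn-bgp-agent at {{ edpm_ovn_bgp_agent_config_basedir }}
+      ansible.builtin.copy:
+        src: "{{ item.path }}"
+        dest: "{{ edpm_ovn_bgp_agent_config_basedir }}/etc/ovn-bgp-agent/{{ item.path | basename }}"
+        setype: "container_file_t"
+        mode: "0644"
+      loop: "{{ edpm_neutron_ovn_secrets.files }}"
 
 - name: Add OVS Manager
   block: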
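Review bot: The "Flatten secrets" copy writes files the task itself labels secrets with `mode: "0644"`, i.e. world-readable on the compute host, and in the same hunk the rendered bgp-agent.conf is loosened from `mode: "640"` to `mode: "644"` with no owner/group set; whatever the `*ovn.conf` files carry (at minimum the OVN NB/SB connection strings, possibly more if the secret grows), nothing here justifies widening access, so both should be `mode: "0640"` with `owner`/`group` matching the user the container runs as, if that is known to the role. The copy result is also not registered, so a changed `*ovn.conf` leaves `_ovn_bgp_agent_config_result` unchanged; if that variable is what drives the container restart later in the role (not visible in this hunk), the agent keeps running with the stale connection string — adding `register: _ovn_bgp_agent_secrets_result` and folding it into the restart condition would avoid that. Finally, `recurse: true` combined with `basename` means two `*ovn.conf` files in different subdirectories would silently overwrite each other at the destination, which may be fine for a single secret but deserves a comment or a `recurse: false`.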
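--- a/roles/edpm_ovn_bgp_agent/tasks/configure_ovn.yml
+++ b/roles/edpm_ovn_bgp_agent/tasks/configure_ovn.yml
@@ -14,15 +14,10 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-- name: Ensure the Openvswitch package is installed
-  ansible.builtin.package:
-    name: openvswitch
-    state: present
-
-- name: Ensure the OVS service is running
-  ansible.builtin.systemd:
-    name: openvswitch
-    state: started
+- name: Ensure Openvswitch installed and running
+  ansible.builtin.include_role:
+    name: osp.edpm.edpm_ovn
+    tasks_from: "bootstrap.yml"
 
 - name: Configure OVS external_ids
   ansible.builtin.shell: >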
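--- a/roles/edpm_ovn_bgp_agent/templates/ovn-bgp-agent.conf.j2
+++ b/roles/edpm_ovn_bgp_agent/templates/ovn-bgp-agent.conf.j2
@@ -9,14 +9,6 @@ bgp_nic={{ edpm_ovn_bgp_agent_bgp_nic }}
 bgp_vrf={{ edpm_ovn_bgp_agent_bgp_vrf }}
 bgp_vrf_table_id={{ edpm_ovn_bgp_agent_bgp_vrf_table_id }}
 ovsdb_connection={{ edpm_ovn_bgp_agent_ovsdb_connection }}
-{% if edpm_ovn_bgp_agent_internal_tls_enable %}
-ovn_sb_private_key={{ edpm_ovn_bgp_agent_private_key }}
-ovn_sb_certificate={{ edpm_ovn_bgp_agent_certificate }}
-ovn_sb_ca_cert={{ edpm_ovn_bgp_agent_ca_cert }}
-ovn_nb_private_key={{ edpm_ovn_bgp_agent_private_key }}
-ovn_nb_certificate={{ edpm_ovn_bgp_agent_certificate }}
-ovn_nb_ca_cert={{ edpm_ovn_bgp_agent_ca_cert }}
-{% endif %}
 {% if edpm_ovn_bgp_agent_exposing_method %}
 exposing_method={{ edpm_ovn_bgp_agent_exposing_method }}
 {% endif %}
@@ -39,6 +31,15 @@ evpn_nic={{ edpm_ovn_bgp_agent_evpn_nic }}
 evpn_udp_dstport={{ edpm_ovn_bgp_agent_evpn_udp_dstport }}
 {% endif %}
 
+[ovn]
+{% if edpm_ovn_bgp_agent_internal_tls_enable %}
+ovn_sb_private_key={{ edpm_ovn_bgp_agent_private_key }}
+ovn_sb_certificate={{ edpm_ovn_bgp_agent_certificate }}
+ovn_sb_ca_cert={{ edpm_ovn_bgp_agent_ca_cert }}
+ovn_nb_private_key={{ edpm_ovn_bgp_agent_private_key }}
+ovn_nb_certificate={{ edpm_ovn_bgp_agent_certificate }}
+ovn_nb_ca_cert={{ edpm_ovn_bgp_agent_ca_cert }}
+{% endif %}
 {% if edpm_ovn_bgp_agent_ovn_sb_connection %}
 ovn_sb_connection{{ edpm_ovn_bgp_agent_ovn_sb_connection }}
 {% endif %}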
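Review bot: The `ovn_sb_connection{{ edpm_ovn_bgp_agent_ovn_sb_connection }}` line that now sits inside the newly added `[ovn]` section appears to be missing its `=`, so when the variable is set the rendered file contains a bare token such as `ovn_sb_connectionssl:...` that oslo.config will not recognise as the option; it should read `ovn_sb_connection={{ edpm_ovn_bgp_agent_ovn_sb_connection }}`. That line is pre-existing context rather than part of this change, but the commit is what moves it under `[ovn]` and makes the section the single place the agent reads DB settings from, so it is the right moment to fix it. Also note that when `edpm_ovn_bgp_agent_internal_tls_enable` is false the section carries no certificate or CA paths at all, so an `ssl:` connection string arriving through the copied `*ovn.conf` secret would have nothing to authenticate with — a one-line comment above the `{% if %}` stating that the TLS material must be enabled whenever the secret uses `ssl:` would document the dependency.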
