Bug 1601926

Summary: [RFE] [OVN] TLS/SSL Support
Product: Red Hat OpenStack
Reporter: Nir Yechiel <nyechiel>
Component: openstack-tripleo-heat-templates
Assignee: Kamil Sambor <ksambor>
Status: CLOSED ERRATA
QA Contact: Luis Tomas Bolivar <ltomasbo>
Severity: high
Priority: high
Version: 12.0 (Pike)
CC: amuller, atragler, bcafarel, ccopello, dalvarez, ekuris, jamsmith, jlibosva, ksambor, lmartins, ltomasbo, mburns, nlevinki, sclewis, scohen, sputhenp, tfreger
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 16.0 (Train on RHEL 8.1)
Hardware: All
OS: Linux
Fixed In Version: openstack-tripleo-heat-templates-11.3.1-0.20191127041628.38ce0a5.el8ost
Doc Type: Enhancement
Doc Text:
Starting with this update, OSP deployments have full encryption between all the OVN services. All OVN clients (ovn-controller, neutron-server and ovn-metadata-agent) now connect to the OVSDB server using mutual TLS.
Last Closed: 2020-02-06 14:37:23 UTC
Type: Bug
Bug Blocks: 1766772

Description Nir Yechiel 2018-07-17 13:17:42 UTC
Description of problem:

Encryption of internal API traffic has been a very high priority for RHOSP. We have been making steady progress to deliver coverage for all internal services, and need to ensure that OVN is covered as well.

TripleO already has TLS/SSL support for other services and we need to add support with OVN.

Comment 1 Daniel Alvarez Sanchez 2018-09-28 11:00:29 UTC
Looks like first we need to land the patches that allow passing the certificates and SSL support in OVS for HA mode [0].
Once we have this, we need to include support in THT to support it [1] and configure networking-ovn [2] as well as the puppet bits [3].


[0] https://patchwork.ozlabs.org/project/openvswitch/list/?submitter=73281
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/pacemaker/ovn-dbs.yaml
[2] https://github.com/openstack/networking-ovn/blob/93834508d1795846ffcda2cc179e8b02ebc8ce85/networking_ovn/common/config.py#L32-#L68
[3] https://github.com/openstack/puppet-ovn/blob/master/manifests/northd.pp#L18
    https://github.com/openstack/puppet-ovn/blob/master/manifests/controller.pp#L80

Comment 2 Daniel Alvarez Sanchez 2018-09-28 11:02:48 UTC
Apart from what I outlined in C1, we need to support TLS connection between OVN Metadata agent and Nova which should be covered by this patch [0].
Perhaps worth opening a new BZ?
[0] https://review.openstack.org/#/c/605406/

Comment 5 Toni Freger 2019-04-16 12:00:26 UTC
Full QE testing cycle is required along with new CI job

Comment 15 Toni Freger 2019-11-17 10:25:04 UTC
Anita, due to OVS verification to OVS2.11, manual regressions and upgrades QE won't be able to start with this feature during OSP16 time frame, please postpone it to next version.

Comment 20 Luis Tomas Bolivar 2019-12-05 11:45:46 UTC
Tested it and all the OVN components are using SSL/TLS
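The check a practitioner would want at this point is a way to confirm, from the deployed configuration, that every OVSDB client connection is ssl: and carries the client key, client certificate and CA certificate that mutual TLS needs. The following audit is an added example, not code from this bug, from networking-ovn or from TripleO. The option names (ovn_nb_connection, ovn_sb_connection, ovn_nb_private_key, ovn_nb_certificate, ovn_nb_ca_cert and their ovn_sb_* counterparts) are the networking-ovn [ovn] options referenced in comment 1; the audit functions, the two sample ml2_conf.ini fragments and the certificate paths in them are constructed here for illustration.

```python
"""Audit networking-ovn [ovn] settings and the ovn-controller remote for plaintext
OVSDB connections and missing mutual-TLS material.

Added example, not code from the bug, networking-ovn or TripleO.  Option names are
the real networking-ovn ones; the sample configs below are constructed.
"""
import configparser

# Per-database options that a mutual-TLS client needs: its own key and certificate to
# authenticate to ovsdb-server, and the CA certificate to verify ovsdb-server.
TLS_SUFFIXES = ("private_key", "certificate", "ca_cert")


def split_endpoints(connection):
    """Split 'ssl:a:6641,ssl:b:6641' into its individual endpoints."""
    return [ep.strip() for ep in connection.split(",") if ep.strip()]


def audit_ovn_section(ini_text):
    """Return a list of findings (empty when the [ovn] section is fully mutual-TLS)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    if not cfg.has_section("ovn"):
        return ["[ovn] section missing"]
    ovn = cfg["ovn"]
    findings = []
    for db in ("nb", "sb"):
        conn_opt = f"ovn_{db}_connection"
        connection = ovn.get(conn_opt, "")
        if not connection:
            findings.append(f"{conn_opt} not set")
            continue
        uses_ssl = False
        for ep in split_endpoints(connection):
            scheme = ep.split(":", 1)[0]
            if scheme == "ssl":
                uses_ssl = True
            elif scheme == "tcp":
                # Plaintext OVSDB: northbound/southbound state crosses the wire unencrypted.
                findings.append(f"{conn_opt}: plaintext endpoint {ep}")
            elif scheme != "unix":
                findings.append(f"{conn_opt}: unknown scheme in {ep}")
        if uses_ssl:
            # ssl: without a client key/cert is server-only TLS, not mutual TLS; without
            # a CA cert the client cannot verify which ovsdb-server it is talking to.
            for suffix in TLS_SUFFIXES:
                opt = f"ovn_{db}_{suffix}"
                if not ovn.get(opt, ""):
                    findings.append(f"{opt} not set but {conn_opt} uses ssl:")
    return findings


def audit_ovn_remote(ovn_remote):
    """ovn-controller takes its southbound target from external_ids:ovn-remote in the
    local OVS database; flag any endpoint that is not ssl:."""
    return [f"ovn-remote: non-TLS endpoint {ep}"
            for ep in split_endpoints(ovn_remote) if not ep.startswith("ssl:")]


# Constructed sample: NB over ssl: but no CA cert, SB still plaintext.
WEAK_INI = """
[ovn]
ovn_nb_connection = ssl:172.16.0.10:6641
ovn_sb_connection = tcp:172.16.0.10:6642
ovn_nb_private_key = /etc/pki/tls/private/ovn_neutron_client.key
ovn_nb_certificate = /etc/pki/tls/certs/ovn_neutron_client.crt
"""

# Constructed sample: what a fully mutual-TLS [ovn] section looks like.
HARDENED_INI = """
[ovn]
ovn_nb_connection = ssl:172.16.0.10:6641,ssl:172.16.0.11:6641
ovn_sb_connection = ssl:172.16.0.10:6642,ssl:172.16.0.11:6642
ovn_nb_private_key = /etc/pki/tls/private/ovn_neutron_client.key
ovn_nb_certificate = /etc/pki/tls/certs/ovn_neutron_client.crt
ovn_nb_ca_cert = /etc/ipa/ca.crt
ovn_sb_private_key = /etc/pki/tls/private/ovn_neutron_client.key
ovn_sb_certificate = /etc/pki/tls/certs/ovn_neutron_client.crt
ovn_sb_ca_cert = /etc/ipa/ca.crt
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_ovn_section(ini))
    print("ovn-remote", audit_ovn_remote("tcp:172.16.0.10:6642"))
```

On a live node the same checks apply to the running values rather than a file: read the [ovn] section from the neutron-server ML2 config and the ovn-controller target with `ovs-vsctl get open . external_ids:ovn-remote`, then feed those strings to the two functions. An empty finding list is a necessary condition, not a full verification; it says nothing about whether ovsdb-server itself rejects clients without a valid certificate, which is what mutual TLS adds over plain ssl:.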

Comment 36 errata-xmlrpc 2020-02-06 14:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0283