Description of problem: Encryption of internal API traffic has been a very high priority for RHOSP. We have been making steady progress to deliver coverage for all internal services, and need to ensure that OVN is covered as well. TripleO already has TLS/SSL support for other services and we need to add support with OVN.
Looks like first we need to land the patches that allow passing the certificates and SSL support in OVS for HA mode [0]. Once we have this, we need to include support in THT to support it [1] and configure networking-ovn [2] as well as the puppet bits [3].

[0] https://patchwork.ozlabs.org/project/openvswitch/list/?submitter=73281
[1] https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/pacemaker/ovn-dbs.yaml
[2] https://github.com/openstack/networking-ovn/blob/93834508d1795846ffcda2cc179e8b02ebc8ce85/networking_ovn/common/config.py#L32-#L68
[3] https://github.com/openstack/puppet-ovn/blob/master/manifests/northd.pp#L18
    https://github.com/openstack/puppet-ovn/blob/master/manifests/controller.pp#L80
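A small check for the networking-ovn side of this, added here as an example and not part of this bug, of TripleO or of the networking-ovn project: it audits the [ovn] section of a Neutron configuration for plaintext tcp: OVN DB targets and for ssl: targets (including the comma-separated HA lists) that are missing the key, certificate or CA-cert settings. The option names are assumed to be the ones defined in the config.py referenced in [2]; the sample configuration strings and addresses are constructed for the example.

```python
"""Audit a networking-ovn [ovn] section for complete TLS settings (added example)."""
import configparser

# Option names assumed to match networking_ovn/common/config.py (see [2]).
DB_OPTIONS = {
    "nb": ("ovn_nb_connection", "ovn_nb_private_key",
           "ovn_nb_certificate", "ovn_nb_ca_cert"),
    "sb": ("ovn_sb_connection", "ovn_sb_private_key",
           "ovn_sb_certificate", "ovn_sb_ca_cert"),
}

# Constructed sample configs: plaintext, partially configured, and complete HA.
PLAINTEXT_CONFIG = """
[ovn]
ovn_nb_connection = tcp:192.0.2.11:6641
ovn_sb_connection = tcp:192.0.2.11:6642
"""

INCOMPLETE_CONFIG = """
[ovn]
ovn_nb_connection = ssl:192.0.2.11:6641
ovn_nb_private_key = /etc/pki/tls/private/ovn_neutron.key
ovn_nb_certificate = /etc/pki/tls/certs/ovn_neutron.crt
ovn_nb_ca_cert = /etc/ipa/ca.crt
ovn_sb_connection = ssl:192.0.2.11:6642
ovn_sb_private_key = /etc/pki/tls/private/ovn_neutron.key
ovn_sb_certificate = /etc/pki/tls/certs/ovn_neutron.crt
"""

SECURE_CONFIG = """
[ovn]
ovn_nb_connection = ssl:192.0.2.11:6641,ssl:192.0.2.12:6641,ssl:192.0.2.13:6641
ovn_nb_private_key = /etc/pki/tls/private/ovn_neutron.key
ovn_nb_certificate = /etc/pki/tls/certs/ovn_neutron.crt
ovn_nb_ca_cert = /etc/ipa/ca.crt
ovn_sb_connection = ssl:192.0.2.11:6642,ssl:192.0.2.12:6642,ssl:192.0.2.13:6642
ovn_sb_private_key = /etc/pki/tls/private/ovn_neutron.key
ovn_sb_certificate = /etc/pki/tls/certs/ovn_neutron.crt
ovn_sb_ca_cert = /etc/ipa/ca.crt
"""


def audit_ovn_section(section):
    """Return a list of human-readable findings; an empty list means all clear."""
    findings = []
    for conn_opt, key_opt, cert_opt, ca_opt in DB_OPTIONS.values():
        conn = section.get(conn_opt, "")
        # HA deployments list every DB server, comma separated.
        targets = [t.strip() for t in conn.split(",") if t.strip()]
        if not targets:
            findings.append(f"{conn_opt}: not set")
            continue
        for target in targets:
            if not target.startswith("ssl:"):
                findings.append(f"{conn_opt}: {target} is not an ssl: target")
        # Client key/cert/CA only matter once at least one target uses TLS.
        if any(t.startswith("ssl:") for t in targets):
            for opt in (key_opt, cert_opt, ca_opt):
                if not section.get(opt, "").strip():
                    findings.append(
                        f"{opt}: not set (required for ssl: connections)")
    return findings


def audit_ini(text):
    """Parse INI text and audit its [ovn] section."""
    # Only '=' as delimiter so 'ssl:host:port' values are not split on ':'.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    if not parser.has_section("ovn"):
        return ["no [ovn] section"]
    return audit_ovn_section(parser["ovn"])


if __name__ == "__main__":
    for name, cfg in (("plaintext", PLAINTEXT_CONFIG),
                      ("incomplete", INCOMPLETE_CONFIG),
                      ("secure", SECURE_CONFIG)):
        result = audit_ini(cfg)
        print(f"{name}: {'OK' if not result else result}")
```

The check deliberately treats a mixed list (some ssl:, some tcp:) as a finding for each plaintext target rather than accepting the list because one member is encrypted, since a client that can fall back to a tcp: member has no guarantee its traffic is protected.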
Apart from what I outlined in C1, we need to support TLS connection between OVN Metadata agent and Nova which should be covered by this patch [0]. Perhaps worth opening a new BZ?

[0] https://review.openstack.org/#/c/605406/
Full QE testing cycle is required along with new CI job
Anita, due to OVS verification to OVS2.11, manual regressions and upgrades QE won't be able to start with this feature during OSP16 time frame, please postpone it to next version.
Tested it and all the OVN components are using SSL/TLS
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2020:0283