Merge "Support OC4.1 deployment"
diff --git a/README.rst b/README.rst
index f90f2fb..49c542f 100644
--- a/README.rst
+++ b/README.rst
@@ -122,6 +122,11 @@
           address: 127.0.0.1
         master:
           host: 127.0.0.1
+        contrail_cache:
+          engine: redis
+          host: 127.0.0.1
+          port: 6379
+          password: guest
         discovery:
           host: 127.0.0.1
         data_ttl: 2
@@ -168,6 +173,7 @@
         cache:
           engine: redis
           host: 127.0.0.1
+          password: guest
           port: 6379
         members:
         - host: 127.0.0.1
@@ -280,6 +286,11 @@
           address: 127.0.0.1
         master:
           host: 127.0.0.1
+        contrail_cache:
+          engine: redis
+          host: 127.0.0.1
+          port: 6379
+          password: guest
         discovery:
           host: 127.0.0.1
         data_ttl: 1
@@ -332,6 +343,7 @@
         cache:
           engine: redis
           host: 127.0.0.1
+          password: guest
           port: 6379
         members:
         - host: 127.0.0.1
@@ -473,6 +485,7 @@
         cache:
           engine: redis
           host: 127.0.0.1
+          password: guest
           port: 6379
         members:
         - host: 127.0.0.1
@@ -515,6 +528,11 @@
         enabled: true
         bind:
           address: 127.0.0.1
+        contrail_cache:
+          engine: redis
+          host: 127.0.0.1
+          password: guest
+          port: 6379
         master:
           host: 127.0.0.1
         discovery:
@@ -717,6 +735,43 @@
           token: none
         ...
 
+XMPP Encryption
+---------------
+
+Configure encryption of XMPP
+
+Computes nodes
+~~~~~~~~~~~~~~
+
+.. code-block:: yaml
+
+  opencontrail:
+    compute:
+      xmpp:
+        tls:
+          enabled: False
+          auth:
+            enabled: False
+          (optional) cert_file: /etc/contrail/server.pem
+          (optional) key_file: /etc/contrail/privkey.pem
+          (optional) ca_cert_file: /etc/contrail/ca-cert.pem
+
+Control nodes
+~~~~~~~~~~~~~
+
+.. code-block:: yaml
+
+  opencontrail:
+    control:
+      xmpp:
+        tls:
+          enabled: False
+          auth:
+            enabled: False
+          (optional) cert_file: /etc/contrail/server.pem
+          (optional) key_file: /etc/contrail/privkey.pem
+          (optional) ca_cert_file: /etc/contrail/ca-cert.pem
+
 Kubernetes support
 ------------------
 
@@ -1247,7 +1302,7 @@
             - [tenant3, 7]
 
 
-If you want to remove all shares from the ip floating pool, define only empty list in 
+If you want to remove all shares from the ip floating pool, define only empty list in
 list of projects, like this:
 
 .. code-block:: yaml
diff --git a/metadata/service/control/analytics.yml b/metadata/service/control/analytics.yml
index 51e3694..b51a1fe 100644
--- a/metadata/service/control/analytics.yml
+++ b/metadata/service/control/analytics.yml
@@ -9,6 +9,7 @@
     opencontrail_identity_version: '2.0'
     keystone_admin_password: 'none'
     keystone_service_token: 'none'
+    redis_password: 'none'
     openstack_region: RegionOne
   opencontrail:
     common:
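Review bot: `redis_password: 'none'` is a non-empty string, so every template guard in this change of the form `get('password')` treats it as a configured password and the redis.conf template writes `requirepass none` and `masterauth none` for any deployment that forgets to override the parameter, turning "no password set" into a well-known credential. It follows the `keystone_admin_password: 'none'` convention above it, but for Redis the safer default is to leave the parameter unset or empty (which the guards skip), or at least to mark it: `# must be overridden per deployment; any non-empty value is written verbatim into redis.conf`. The same default is added in the cluster.yml, control.yml and single.yml hunks.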
@@ -32,6 +33,11 @@
         port: 9081
       master:
         host: ${_param:cluster_local_address}
+      contrail_cache:
+        engine: redis
+        host: ${_param:cluster_local_address}
+        port: 6379
+        password: ${_param:redis_password}
       discovery:
         host: ${_param:network_vip_address}
       data_ttl: 1
diff --git a/metadata/service/control/cluster.yml b/metadata/service/control/cluster.yml
index aae62cf..d98a19e 100644
--- a/metadata/service/control/cluster.yml
+++ b/metadata/service/control/cluster.yml
@@ -9,6 +9,7 @@
     opencontrail_identity_version: '2.0'
     keystone_admin_password: 'none'
     keystone_service_token: 'none'
+    redis_password: 'none'
     openstack_region: RegionOne
   opencontrail:
     common:
@@ -101,6 +102,11 @@
         port: 9081
       master:
         host: ${_param:cluster_local_address}
+      contrail_cache:
+        engine: redis
+        host: ${_param:cluster_local_address}
+        port: 6379
+        password: ${_param:redis_password}
       discovery:
         host: ${_param:cluster_vip_address}
       data_ttl: 1
@@ -167,6 +173,7 @@
         engine: redis
         host: ${_param:cluster_local_address}
         port: 6379
+        password: ${_param:redis_password}
       members:
       - host: ${_param:cluster_node01_address}
         id: 1
diff --git a/metadata/service/control/control.yml b/metadata/service/control/control.yml
index 7cb3521..d033ccf 100644
--- a/metadata/service/control/control.yml
+++ b/metadata/service/control/control.yml
@@ -10,6 +10,7 @@
     keystone_admin_password: 'none'
     keystone_service_token: 'none'
     openstack_region: RegionOne
+    redis_password: 'none'
   opencontrail:
     common:
       version: ${_param:opencontrail_version}
@@ -132,6 +133,7 @@
       cache:
         engine: redis
         host: ${_param:cluster_local_address}
+        password: ${_param:redis_password}
         port: 6379
       members:
       - host: ${_param:cluster_node01_address}
diff --git a/metadata/service/control/single.yml b/metadata/service/control/single.yml
index f17d610..a63f28a 100644
--- a/metadata/service/control/single.yml
+++ b/metadata/service/control/single.yml
@@ -10,6 +10,7 @@
     keystone_admin_password: 'none'
     keystone_service_token: 'none'
     openstack_region: RegionOne
+    redis_password: 'none'
   opencontrail:
     common:
       version: ${_param:opencontrail_version}
@@ -85,6 +86,11 @@
         port: 9081
       master:
         host: ${_param:single_address}
+      contrail_cache:
+        engine: redis
+        host: ${_param:single_address}
+        port: 6379
+        password: ${_param:redis_password}
       discovery:
         host: ${_param:single_address}
       data_ttl: 1
@@ -141,6 +147,7 @@
         engine: redis
         host: ${_param:single_address}
         port: 6379
+        password: ${_param:redis_password}
       members:
       - host: ${_param:single_address}
         id: 1
diff --git a/opencontrail/files/3.0/contrail-control.conf b/opencontrail/files/3.0/contrail-control.conf
index cfcc314..1889a70 100644
--- a/opencontrail/files/3.0/contrail-control.conf
+++ b/opencontrail/files/3.0/contrail-control.conf
@@ -10,7 +10,7 @@
 # bgp_port=179
 # collectors= # Provided by discovery server
   hostip={{ control.bind.address }} # Resolved IP of `hostname`
-  #hostname=ctl-oc-1 # Retrieved as `hostname` 
+  #hostname=ctl-oc-1 # Retrieved as `hostname`
   {%- if control.name is defined %}
   hostname={{ control.name }}
   {%- else %}
@@ -25,11 +25,11 @@
   log_level=SYS_NOTICE
   log_local=1
 # test_mode=0
-{%- if pillar.get('salt', {}).get('minion', {}).get('cert', {}).opencontrail_xmpp is defined %}
-xmpp_auth_enable=true
-xmpp_server_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('cert_file', '/etc/contrail/ssl/certs/server.pem') }}
-xmpp_server_key={{ pillar.salt.minion.cert.opencontrail_xmpp.get('key_file', '/etc/contrail/ssl/private/server-privkey.pem') }}
-xmpp_ca_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('ca_file', '/etc/contrail/ssl/certs/ca-cert.pem') }}
+{%- if control.xmpp.tls.enabled %}
+xmpp_auth_enable = {{ control.xmpp.tls.auth.enabled }}
+xmpp_server_cert = {{ control.xmpp.tls.cert_file }}
+xmpp_server_key = {{ control.xmpp.tls.key_file }}
+xmpp_ca_cert = {{ control.xmpp.tls.ca_cert_file }}
 {%- endif %}
 
 [DISCOVERY]
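Review bot: `xmpp_auth_enable = {{ control.xmpp.tls.auth.enabled }}` renders the pillar boolean as `True`/`False`, whereas the removed line wrote the literal `true`; unless the daemon's option parser is case-insensitive this changes the value it receives, and `xmpp_auth_enable={{ 'true' if control.xmpp.tls.auth.enabled else 'false' }}` keeps the old form (and the file's `key=value` spacing, which the new lines break). The split into `tls.enabled` and `tls.auth.enabled` also deserves a comment on what the daemon does when TLS is enabled but auth is not: the comment kept in the 4.0 vrouter-agent hunk describes `xmpp_auth_enable` as the switch for SSL-based XMPP, so `xmpp_auth_enable = False` next to certificate paths may leave the session unencrypted — confirm against the daemon before relying on the `tls.enabled` knob alone. The same applies to the 3.0 contrail-vrouter-agent.conf hunk and to the 4.0 contrail-control.conf and contrail-vrouter-agent.conf hunks.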
diff --git a/opencontrail/files/3.0/contrail-vrouter-agent.conf b/opencontrail/files/3.0/contrail-vrouter-agent.conf
index b7e861e..219561a 100644
--- a/opencontrail/files/3.0/contrail-vrouter-agent.conf
+++ b/opencontrail/files/3.0/contrail-vrouter-agent.conf
@@ -91,13 +91,12 @@
 gateway_mode={{ compute.gateway_mode }}
 {%- endif %}
 
-{%- if pillar.get('salt', {}).get('minion', {}).get('cert', {}).opencontrail_xmpp is defined %}
-xmpp_auth_enable=true
-xmpp_server_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('cert_file', '/etc/contrail/ssl/certs/server.pem') }}
-xmpp_server_key={{ pillar.salt.minion.cert.opencontrail_xmpp.get('key_file', '/etc/contrail/ssl/private/server-privkey.pem') }}
-xmpp_ca_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('ca_file', '/etc/contrail/ssl/certs/ca-cert.pem') }}
+{%- if compute.xmpp.tls.enabled %}
+xmpp_auth_enable = {{ compute.xmpp.tls.auth.enabled }}
+xmpp_server_cert = {{ compute.xmpp.tls.cert_file }}
+xmpp_server_key = {{ compute.xmpp.tls.key_file }}
+xmpp_ca_cert = {{ compute.xmpp.tls.ca_cert_file }}
 {%- endif %}
-
 [DISCOVERY]
 # If COLLECTOR and/or CONTROL-NODE and/or DNS is not specified this section is
 # mandatory. Else this section is optional
diff --git a/opencontrail/files/4.0/config.global.js b/opencontrail/files/4.0/config.global.js
index e420435..2dd1b64 100644
--- a/opencontrail/files/4.0/config.global.js
+++ b/opencontrail/files/4.0/config.global.js
@@ -261,7 +261,7 @@
 {%- else %}
 config.redis_dump_file = '/var/lib/redis/dump-webui.rdb';
 {%- endif %}
-config.redis_password = '';
+config.redis_password = '{{ web.cache.get("password", "") }}';
 
 /* Cassandra Server */
 config.cassandra = {};
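Review bot: The password is interpolated into a single-quoted JavaScript string literal with no escaping, so a value containing `'` or `\` breaks the generated file or terminates the literal early. Let the template produce the whole literal, e.g. `config.redis_password = {{ web.cache.get("password", "") | tojson }};`, if a JSON-encoding filter is available in the Jinja version in use; otherwise document next to the line that the Redis password must not contain quote or backslash characters.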
diff --git a/opencontrail/files/4.0/contrail-alarm-gen.conf b/opencontrail/files/4.0/contrail-alarm-gen.conf
index 0be527a..b5d7cff 100644
--- a/opencontrail/files/4.0/contrail-alarm-gen.conf
+++ b/opencontrail/files/4.0/contrail-alarm-gen.conf
@@ -40,6 +40,9 @@
 [REDIS]
 redis_server_port=6379
 redis_uve_list = {% for member in collector.database.members %}{{ member.host }}:6379 {% endfor %}
+{%- if collector.get('contrail_cache', {}).get('password') %}
+redis_password = {{ collector.contrail_cache.password }}
+{%- endif %}
 
 [SANDESH]
 #sandesh_ssl_enable=False
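Review bot: The password is written unquoted into an INI-style file; if the daemon reads it with a ConfigParser that performs `%` interpolation (the page does not show the reader), a password containing `%` fails to parse. Either escape it in the template (`%` → `%%`) or state the restriction above the guard: `# written verbatim; the password must not contain '%'`. The same applies to the contrail-analytics-api.conf hunk.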
diff --git a/opencontrail/files/4.0/contrail-analytics-api.conf b/opencontrail/files/4.0/contrail-analytics-api.conf
index 98544ae..6743e22 100644
--- a/opencontrail/files/4.0/contrail-analytics-api.conf
+++ b/opencontrail/files/4.0/contrail-analytics-api.conf
@@ -33,6 +33,9 @@
 [REDIS]
 redis_query_port = 6379
 redis_uve_list = {% for member in collector.database.members %}{{ member.host }}:6379 {% endfor %}
+{%- if collector.get('contrail_cache', {}).get('password') %}
+redis_password = {{ collector.contrail_cache.password }}
+{%- endif %}
 
 [SANDESH]
 #sandesh_ssl_enable=False
diff --git a/opencontrail/files/4.0/contrail-collector.conf b/opencontrail/files/4.0/contrail-collector.conf
index 466fce6..f7beae2 100644
--- a/opencontrail/files/4.0/contrail-collector.conf
+++ b/opencontrail/files/4.0/contrail-collector.conf
@@ -131,3 +131,6 @@
 [REDIS]
 port=6379
 server=127.0.0.1
+{%- if collector.get('contrail_cache', {}).get('password') %}
+password={{ collector.contrail_cache.password }}
+{%- endif %}
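Review bot: The option is written as `password=` here and in the contrail-query-engine.conf hunk, while the contrail-alarm-gen.conf and contrail-analytics-api.conf hunks use `redis_password =`; nothing on the page shows which name each daemon reads under `[REDIS]`, so each should be checked against that daemon's option table. A one-line comment above the guard naming where the option name was verified, `# [REDIS] password option as read by contrail-collector`, would stop a later copy-paste from carrying the wrong name across files.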
diff --git a/opencontrail/files/4.0/contrail-control.conf b/opencontrail/files/4.0/contrail-control.conf
index 19bf68b..ed67242 100644
--- a/opencontrail/files/4.0/contrail-control.conf
+++ b/opencontrail/files/4.0/contrail-control.conf
@@ -27,13 +27,12 @@
 log_level=SYS_NOTICE
 log_local=1
 # test_mode=0
-{%- if pillar.get('salt', {}).get('minion', {}).get('cert', {}).opencontrail_xmpp is defined %}
-xmpp_auth_enable=true
-xmpp_server_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('cert_file', '/etc/contrail/ssl/certs/server.pem') }}
-xmpp_server_key={{ pillar.salt.minion.cert.opencontrail_xmpp.get('key_file', '/etc/contrail/ssl/private/server-privkey.pem') }}
-xmpp_ca_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('ca_file', '/etc/contrail/ssl/certs/ca-cert.pem') }}
+{%- if control.xmpp.tls.enabled %}
+xmpp_auth_enable = {{ control.xmpp.tls.auth.enabled }}
+xmpp_server_cert = {{ control.xmpp.tls.cert_file }}
+xmpp_server_key = {{ control.xmpp.tls.key_file }}
+xmpp_ca_cert = {{ control.xmpp.tls.ca_cert_file }}
 {%- endif %}
-
 # Sandesh send rate limit can be used to throttle system logs transmitted per
 # second. System logs are dropped if the sending rate is exceeded
 # sandesh_send_rate_limit=
diff --git a/opencontrail/files/4.0/contrail-query-engine.conf b/opencontrail/files/4.0/contrail-query-engine.conf
index 3cc9ef6..1e797bb 100644
--- a/opencontrail/files/4.0/contrail-query-engine.conf
+++ b/opencontrail/files/4.0/contrail-query-engine.conf
@@ -31,6 +31,9 @@
 [REDIS]
 port=6379
 server=127.0.0.1
+{%- if collector.get('contrail_cache', {}).get('password') %}
+password={{ collector.contrail_cache.password }}
+{%- endif %}
 
 [SANDESH]
 # sandesh_ssl_enable=false
diff --git a/opencontrail/files/4.0/contrail-vrouter-agent.conf b/opencontrail/files/4.0/contrail-vrouter-agent.conf
index d0f2191..3d244cc 100644
--- a/opencontrail/files/4.0/contrail-vrouter-agent.conf
+++ b/opencontrail/files/4.0/contrail-vrouter-agent.conf
@@ -60,7 +60,7 @@
 # Local log file name
 log_file=/var/log/contrail/contrail-vrouter-agent.log
 
-# Log severity levels. Possible values are SYS_EMERG, SYS_ALERT, SYS_CRIT, 
+# Log severity levels. Possible values are SYS_EMERG, SYS_ALERT, SYS_CRIT,
 # SYS_ERR, SYS_WARN, SYS_NOTICE, SYS_INFO and SYS_DEBUG. Default is SYS_DEBUG
 log_level=SYS_NOTICE
 
@@ -88,13 +88,12 @@
 # sandesh_send_rate_limit=
 
 # Enable/Disable SSL based XMPP Authentication
-{%- if pillar.get('salt', {}).get('minion', {}).get('cert', {}).opencontrail_xmpp is defined %}
-xmpp_auth_enable=true
-xmpp_server_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('cert_file', '/etc/contrail/ssl/certs/server.pem') }}
-xmpp_server_key={{ pillar.salt.minion.cert.opencontrail_xmpp.get('key_file', '/etc/contrail/ssl/private/server-privkey.pem') }}
-xmpp_ca_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('ca_file', '/etc/contrail/ssl/certs/ca-cert.pem') }}
+{%- if compute.xmpp.tls.enabled %}
+xmpp_auth_enable = {{ compute.xmpp.tls.auth.enabled }}
+xmpp_server_cert = {{ compute.xmpp.tls.cert_file }}
+xmpp_server_key = {{ compute.xmpp.tls.key_file }}
+xmpp_ca_cert = {{ compute.xmpp.tls.ca_cert_file }}
 {%- endif %}
-
 # Gateway mode : can be server/ vcpe (default is none)
 # gateway_mode=
 {%- if compute.gateway_mode is defined %}
@@ -254,7 +253,7 @@
 # (like metadata...)
 #compute_node_address = 10.204.216.28
 
-# We can have multiple gateway sections with different indices in the 
+# We can have multiple gateway sections with different indices in the
 # following format
 [GATEWAY-0]
 # Name of the routing_instance for which the gateway is being configured
@@ -391,4 +390,3 @@
 # Fallback time in seconds to find EOC in case config inactivity is not seen.
 # config_fallback_time=
 # config_inactivity_time=
-
diff --git a/opencontrail/files/4.0/redis.conf b/opencontrail/files/4.0/redis.conf
index db9c433..3439922 100644
--- a/opencontrail/files/4.0/redis.conf
+++ b/opencontrail/files/4.0/redis.conf
@@ -193,6 +193,9 @@
 # refuse the slave request.
 #
 # masterauth <master-password>
+{%- if collector.get('contrail_cache', {}).get("password") %}
+masterauth {{ collector.contrail_cache.password }}
+{%- endif %}
 
 # When a slave loses its connection with the master, or when the replication
 # is still in progress, the slave can act in two different ways:
@@ -329,6 +332,9 @@
 # use a very strong password otherwise it will be very easy to break.
 #
 # requirepass foobared
+{%- if collector.get('contrail_cache', {}).get("password") %}
+requirepass {{ collector.contrail_cache.password }}
+{%- endif %}
 
 # Command renaming.
 #
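Review bot: The two guards in this file use double quotes, `get("password")`, while every other template in this change writes `get('password')`; pick one form. Both `masterauth` and `requirepass` are set to the same value, which is what a replica needs to authenticate to a master protected by `requirepass`, but that coupling is not obvious from the two separate hunks — a comment above the first guard, `# same value as requirepass below: replicas authenticate to the master with it`, would make it explicit.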
diff --git a/opencontrail/map.jinja b/opencontrail/map.jinja
index e19ed66..6a972f5 100644
--- a/opencontrail/map.jinja
+++ b/opencontrail/map.jinja
@@ -60,6 +60,14 @@
     {%- else %}
         ['contrail-vrouter-agent', 'contrail-vrouter-nodemgr']
     {%- endif %}
+    xmpp:
+      tls:
+        enabled: False
+        auth:
+          enabled: False
+        cert_file: /etc/contrail/ssl/certs/server.pem
+        key_file: /etc/contrail/ssl/private/server-privkey.pem
+        ca_cert_file: /etc/contrail/ssl/certs/ca-cert.pem
     dpdk:
         enabled: False
   RedHat:
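Review bot: The same eight-line `xmpp: tls:` default block is pasted into four places (Debian and RedHat for both compute and control); a single Jinja `{%- set %}` of the defaults rendered at each site would keep them from drifting apart. The block also uses two-space nesting where its neighbours (`dpdk:` / `enabled:`) use four, and Python-style `False` where `false` is the canonical YAML boolean — the PyYAML-based loader presumably accepts both, but the file should stick to one style. The same applies to the three following map.jinja hunks.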
@@ -71,6 +79,14 @@
     {%- else %}
         ['contrail-vrouter-agent', 'contrail-vrouter-nodemgr']
     {%- endif %}
+    xmpp:
+      tls:
+        enabled: False
+        auth:
+          enabled: False
+        cert_file: /etc/contrail/ssl/certs/server.pem
+        key_file: /etc/contrail/ssl/private/server-privkey.pem
+        ca_cert_file: /etc/contrail/ssl/certs/ca-cert.pem
     dpdk:
         enabled: False
 config:
@@ -118,6 +134,14 @@
     container_name:
         {{ pillar.docker.client.compose.opencontrail.service.controller.container_name }}
     {%- endif%}
+    xmpp:
+      tls:
+        enabled: False
+        auth:
+          enabled: False
+        cert_file: /etc/contrail/ssl/certs/server.pem
+        key_file: /etc/contrail/ssl/private/server-privkey.pem
+        ca_cert_file: /etc/contrail/ssl/certs/ca-cert.pem
   RedHat:
     pkgs:
          ['contrail-openstack-control']
@@ -131,6 +155,14 @@
     container_name:
         {{ pillar.docker.client.compose.opencontrail.service.controller.container_name }}
     {%- endif%}
+    xmpp:
+      tls:
+        enabled: False
+        auth:
+          enabled: False
+        cert_file: /etc/contrail/ssl/certs/server.pem
+        key_file: /etc/contrail/ssl/private/server-privkey.pem
+        ca_cert_file: /etc/contrail/ssl/certs/ca-cert.pem
 database:
   Debian:
     pkgs:
diff --git a/tests/pillar/control3.sls b/tests/pillar/control3.sls
index 7492795..dff472e 100644
--- a/tests/pillar/control3.sls
+++ b/tests/pillar/control3.sls
@@ -88,6 +88,14 @@
       id: 2
     - host: 127.0.0.1
       id: 3
+    xmpp:
+      tls:
+        enabled: True
+        auth:
+          enabled: True
+        cert_file: /etc/contrail/server.pem
+        key_file: /etc/contrail/privkey.pem
+        ca_cert_file: /etc/contrail/ca-cert.pem
   database:
     version: 3.0
     cassandra:
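Review bot: The test pillars write `enabled: True` while the same files use the lowercase form elsewhere (`config_only: true` in control40.sls); `true` is the canonical YAML boolean and matches the rest of the file. The vrouter3.sls and vrouter40.sls hunks additionally leave the files without a trailing newline, which the `\ No newline at end of file` markers show. The same applies to the control40.sls, vrouter3.sls and vrouter40.sls hunks.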
diff --git a/tests/pillar/control40.sls b/tests/pillar/control40.sls
index 5351ef8..f98a28f 100644
--- a/tests/pillar/control40.sls
+++ b/tests/pillar/control40.sls
@@ -98,6 +98,14 @@
       id: 2
     - host: 127.0.0.1
       id: 3
+    xmpp:
+      tls:
+        enabled: True
+        auth:
+          enabled: True
+        cert_file: /etc/contrail/server.pem
+        key_file: /etc/contrail/privkey.pem
+        ca_cert_file: /etc/contrail/ca-cert.pem
   database:
     version: 4.0
     config_only: true
diff --git a/tests/pillar/vrouter3.sls b/tests/pillar/vrouter3.sls
index 807b510..fbf2550 100644
--- a/tests/pillar/vrouter3.sls
+++ b/tests/pillar/vrouter3.sls
@@ -48,3 +48,11 @@
           user: admin
           password: "supersecretpassword123"
           tenant: admin
+    xmpp:
+      tls:
+        enabled: True
+        auth:
+          enabled: True
+        cert_file: /etc/contrail/server.pem
+        key_file: /etc/contrail/privkey.pem
+        ca_cert_file: /etc/contrail/ca-cert.pem
\ No newline at end of file
diff --git a/tests/pillar/vrouter40.sls b/tests/pillar/vrouter40.sls
index 16cdcff..e1ebc84 100644
--- a/tests/pillar/vrouter40.sls
+++ b/tests/pillar/vrouter40.sls
@@ -52,3 +52,11 @@
           user: admin
           password: "supersecretpassword123"
           tenant: admin
+    xmpp:
+      tls:
+        enabled: True
+        auth:
+          enabled: True
+        cert_file: /etc/contrail/server.pem
+        key_file: /etc/contrail/privkey.pem
+        ca_cert_file: /etc/contrail/ca-cert.pem
\ No newline at end of file