Merge "Refactor tls certs for xmpp"
diff --git a/README.rst b/README.rst
index 2a6883c..49c542f 100644
--- a/README.rst
+++ b/README.rst
@@ -735,6 +735,43 @@
token: none
...
+XMPP Encryption
+---------------
+
+Configure encryption of XMPP
+
+Computes nodes
+~~~~~~~~~~~~~~
+
+.. code-block:: yaml
+
+ opencontrail:
+ compute:
+ xmpp:
+ tls:
+ enabled: False
+ auth:
+ enabled: False
+ (optional) cert_file: /etc/contrail/server.pem
+ (optional) key_file: /etc/contrail/privkey.pem
+ (optional) ca_cert_file: /etc/contrail/ca-cert.pem
+
+Control nodes
+~~~~~~~~~~~~~
+
+.. code-block:: yaml
+
+ opencontrail:
+ control:
+ xmpp:
+ tls:
+ enabled: False
+ auth:
+ enabled: False
+ (optional) cert_file: /etc/contrail/server.pem
+ (optional) key_file: /etc/contrail/privkey.pem
+ (optional) ca_cert_file: /etc/contrail/ca-cert.pem
+
Kubernetes support
------------------
@@ -1265,7 +1302,7 @@
- [tenant3, 7]
-If you want to remove all shares from the ip floating pool, define only empty list in
+If you want to remove all shares from the ip floating pool, define only empty list in
list of projects, like this:
.. code-block:: yaml
diff --git a/opencontrail/files/3.0/contrail-control.conf b/opencontrail/files/3.0/contrail-control.conf
index cfcc314..1889a70 100644
--- a/opencontrail/files/3.0/contrail-control.conf
+++ b/opencontrail/files/3.0/contrail-control.conf
@@ -10,7 +10,7 @@
# bgp_port=179
# collectors= # Provided by discovery server
hostip={{ control.bind.address }} # Resolved IP of `hostname`
- #hostname=ctl-oc-1 # Retrieved as `hostname`
+ #hostname=ctl-oc-1 # Retrieved as `hostname`
{%- if control.name is defined %}
hostname={{ control.name }}
{%- else %}
@@ -25,11 +25,11 @@
log_level=SYS_NOTICE
log_local=1
# test_mode=0
-{%- if pillar.get('salt', {}).get('minion', {}).get('cert', {}).opencontrail_xmpp is defined %}
-xmpp_auth_enable=true
-xmpp_server_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('cert_file', '/etc/contrail/ssl/certs/server.pem') }}
-xmpp_server_key={{ pillar.salt.minion.cert.opencontrail_xmpp.get('key_file', '/etc/contrail/ssl/private/server-privkey.pem') }}
-xmpp_ca_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('ca_file', '/etc/contrail/ssl/certs/ca-cert.pem') }}
+{%- if control.xmpp.tls.enabled %}
+xmpp_auth_enable = {{ control.xmpp.tls.auth.enabled }}
+xmpp_server_cert = {{ control.xmpp.tls.cert_file }}
+xmpp_server_key = {{ control.xmpp.tls.key_file }}
+xmpp_ca_cert = {{ control.xmpp.tls.ca_cert_file }}
{%- endif %}
[DISCOVERY]
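Review bot: `xmpp_auth_enable = {{ control.xmpp.tls.auth.enabled }}` renders a Jinja boolean as `True`/`False`, whereas the removed line wrote the literal `true` and the surrounding lines use `key=value` without spaces (`log_level=SYS_NOTICE` just above); if contrail's option parser is case-sensitive for booleans the toggle would silently not take effect, so render it as `xmpp_auth_enable={{ control.xmpp.tls.auth.enabled | lower }}` and drop the spaces on the three path lines for consistency. More importantly, the only option this block sets is `xmpp_auth_enable`, which the comment in 4.0/contrail-vrouter-agent.conf describes as "Enable/Disable SSL based XMPP Authentication"; with `tls.enabled: True` and `auth.enabled: False` the block renders `xmpp_auth_enable = False` next to certificate paths, so transport encryption is presumably not switched on at all even though the pillar says TLS is enabled. Either collapse the two flags into one, or add a comment above the block stating that `tls.enabled` only gates emission of these lines and `auth.enabled` is what actually turns on SSL. The same pattern appears in 3.0/contrail-vrouter-agent.conf, 4.0/contrail-control.conf and 4.0/contrail-vrouter-agent.conf.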
diff --git a/opencontrail/files/3.0/contrail-vrouter-agent.conf b/opencontrail/files/3.0/contrail-vrouter-agent.conf
index b7e861e..219561a 100644
--- a/opencontrail/files/3.0/contrail-vrouter-agent.conf
+++ b/opencontrail/files/3.0/contrail-vrouter-agent.conf
@@ -91,13 +91,12 @@
gateway_mode={{ compute.gateway_mode }}
{%- endif %}
-{%- if pillar.get('salt', {}).get('minion', {}).get('cert', {}).opencontrail_xmpp is defined %}
-xmpp_auth_enable=true
-xmpp_server_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('cert_file', '/etc/contrail/ssl/certs/server.pem') }}
-xmpp_server_key={{ pillar.salt.minion.cert.opencontrail_xmpp.get('key_file', '/etc/contrail/ssl/private/server-privkey.pem') }}
-xmpp_ca_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('ca_file', '/etc/contrail/ssl/certs/ca-cert.pem') }}
+{%- if compute.xmpp.tls.enabled %}
+xmpp_auth_enable = {{ compute.xmpp.tls.auth.enabled }}
+xmpp_server_cert = {{ compute.xmpp.tls.cert_file }}
+xmpp_server_key = {{ compute.xmpp.tls.key_file }}
+xmpp_ca_cert = {{ compute.xmpp.tls.ca_cert_file }}
{%- endif %}
-
[DISCOVERY]
# If COLLECTOR and/or CONTROL-NODE and/or DNS is not specified this section is
# mandatory. Else this section is optional
diff --git a/opencontrail/files/4.0/contrail-control.conf b/opencontrail/files/4.0/contrail-control.conf
index 19bf68b..ed67242 100644
--- a/opencontrail/files/4.0/contrail-control.conf
+++ b/opencontrail/files/4.0/contrail-control.conf
@@ -27,13 +27,12 @@
log_level=SYS_NOTICE
log_local=1
# test_mode=0
-{%- if pillar.get('salt', {}).get('minion', {}).get('cert', {}).opencontrail_xmpp is defined %}
-xmpp_auth_enable=true
-xmpp_server_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('cert_file', '/etc/contrail/ssl/certs/server.pem') }}
-xmpp_server_key={{ pillar.salt.minion.cert.opencontrail_xmpp.get('key_file', '/etc/contrail/ssl/private/server-privkey.pem') }}
-xmpp_ca_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('ca_file', '/etc/contrail/ssl/certs/ca-cert.pem') }}
+{%- if control.xmpp.tls.enabled %}
+xmpp_auth_enable = {{ control.xmpp.tls.auth.enabled }}
+xmpp_server_cert = {{ control.xmpp.tls.cert_file }}
+xmpp_server_key = {{ control.xmpp.tls.key_file }}
+xmpp_ca_cert = {{ control.xmpp.tls.ca_cert_file }}
{%- endif %}
-
# Sandesh send rate limit can be used to throttle system logs transmitted per
# second. System logs are dropped if the sending rate is exceeded
# sandesh_send_rate_limit=
diff --git a/opencontrail/files/4.0/contrail-vrouter-agent.conf b/opencontrail/files/4.0/contrail-vrouter-agent.conf
index 6724afa..ce2b28e 100644
--- a/opencontrail/files/4.0/contrail-vrouter-agent.conf
+++ b/opencontrail/files/4.0/contrail-vrouter-agent.conf
@@ -60,7 +60,7 @@
# Local log file name
log_file=/var/log/contrail/contrail-vrouter-agent.log
-# Log severity levels. Possible values are SYS_EMERG, SYS_ALERT, SYS_CRIT,
+# Log severity levels. Possible values are SYS_EMERG, SYS_ALERT, SYS_CRIT,
# SYS_ERR, SYS_WARN, SYS_NOTICE, SYS_INFO and SYS_DEBUG. Default is SYS_DEBUG
log_level=SYS_NOTICE
@@ -88,13 +88,12 @@
# sandesh_send_rate_limit=
# Enable/Disable SSL based XMPP Authentication
-{%- if pillar.get('salt', {}).get('minion', {}).get('cert', {}).opencontrail_xmpp is defined %}
-xmpp_auth_enable=true
-xmpp_server_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('cert_file', '/etc/contrail/ssl/certs/server.pem') }}
-xmpp_server_key={{ pillar.salt.minion.cert.opencontrail_xmpp.get('key_file', '/etc/contrail/ssl/private/server-privkey.pem') }}
-xmpp_ca_cert={{ pillar.salt.minion.cert.opencontrail_xmpp.get('ca_file', '/etc/contrail/ssl/certs/ca-cert.pem') }}
+{%- if compute.xmpp.tls.enabled %}
+xmpp_auth_enable = {{ compute.xmpp.tls.auth.enabled }}
+xmpp_server_cert = {{ compute.xmpp.tls.cert_file }}
+xmpp_server_key = {{ compute.xmpp.tls.key_file }}
+xmpp_ca_cert = {{ compute.xmpp.tls.ca_cert_file }}
{%- endif %}
-
# Gateway mode : can be server/ vcpe (default is none)
# gateway_mode=
{%- if compute.gateway_mode is defined %}
@@ -252,7 +251,7 @@
# (like metadata...)
#compute_node_address = 10.204.216.28
-# We can have multiple gateway sections with different indices in the
+# We can have multiple gateway sections with different indices in the
# following format
[GATEWAY-0]
# Name of the routing_instance for which the gateway is being configured
@@ -389,4 +388,3 @@
# Fallback time in seconds to find EOC in case config inactivity is not seen.
# config_fallback_time=
# config_inactivity_time=
-
diff --git a/opencontrail/map.jinja b/opencontrail/map.jinja
index 7fa87e8..139b23b 100644
--- a/opencontrail/map.jinja
+++ b/opencontrail/map.jinja
@@ -60,6 +60,14 @@
{%- else %}
['contrail-vrouter-agent', 'contrail-vrouter-nodemgr']
{%- endif %}
+ xmpp:
+ tls:
+ enabled: False
+ auth:
+ enabled: False
+ cert_file: /etc/contrail/ssl/certs/server.pem
+ key_file: /etc/contrail/ssl/private/server-privkey.pem
+ ca_cert_file: /etc/contrail/ssl/certs/ca-cert.pem
dpdk:
enabled: False
RedHat:
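Review bot: The defaults for `cert_file`, `key_file` and `ca_cert_file` now point at files that nothing in this commit provisions, whereas the removed template condition only emitted the XMPP TLS options when `salt.minion.cert.opencontrail_xmpp` was defined (i.e. when the certificate pillar existed); once `tls.enabled` is set on a node whose certificate pillar was never configured, the rendered config will reference a private key that does not exist. A short comment above `xmpp:` would make the new contract explicit, e.g. `# TLS material is not generated by this formula; the files below must be provisioned (e.g. via salt.minion.cert) before tls.enabled is set`. The same eight-line block is repeated verbatim in the other three hunks of this file (Debian/RedHat for compute and control); defining it once with a Jinja `set` and referencing it would keep the four copies from drifting, if the surrounding `filter_by` structure allows it.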
@@ -71,6 +79,14 @@
{%- else %}
['contrail-vrouter-agent', 'contrail-vrouter-nodemgr']
{%- endif %}
+ xmpp:
+ tls:
+ enabled: False
+ auth:
+ enabled: False
+ cert_file: /etc/contrail/ssl/certs/server.pem
+ key_file: /etc/contrail/ssl/private/server-privkey.pem
+ ca_cert_file: /etc/contrail/ssl/certs/ca-cert.pem
dpdk:
enabled: False
config:
@@ -118,6 +134,14 @@
container_name:
{{ pillar.docker.client.compose.opencontrail.service.controller.container_name }}
{%- endif%}
+ xmpp:
+ tls:
+ enabled: False
+ auth:
+ enabled: False
+ cert_file: /etc/contrail/ssl/certs/server.pem
+ key_file: /etc/contrail/ssl/private/server-privkey.pem
+ ca_cert_file: /etc/contrail/ssl/certs/ca-cert.pem
RedHat:
pkgs:
['contrail-openstack-control']
@@ -131,6 +155,14 @@
container_name:
{{ pillar.docker.client.compose.opencontrail.service.controller.container_name }}
{%- endif%}
+ xmpp:
+ tls:
+ enabled: False
+ auth:
+ enabled: False
+ cert_file: /etc/contrail/ssl/certs/server.pem
+ key_file: /etc/contrail/ssl/private/server-privkey.pem
+ ca_cert_file: /etc/contrail/ssl/certs/ca-cert.pem
database:
Debian:
pkgs:
diff --git a/tests/pillar/control3.sls b/tests/pillar/control3.sls
index 7492795..dff472e 100644
--- a/tests/pillar/control3.sls
+++ b/tests/pillar/control3.sls
@@ -88,6 +88,14 @@
id: 2
- host: 127.0.0.1
id: 3
+ xmpp:
+ tls:
+ enabled: True
+ auth:
+ enabled: True
+ cert_file: /etc/contrail/server.pem
+ key_file: /etc/contrail/privkey.pem
+ ca_cert_file: /etc/contrail/ca-cert.pem
database:
version: 3.0
cassandra:
diff --git a/tests/pillar/control40.sls b/tests/pillar/control40.sls
index 5351ef8..f98a28f 100644
--- a/tests/pillar/control40.sls
+++ b/tests/pillar/control40.sls
@@ -98,6 +98,14 @@
id: 2
- host: 127.0.0.1
id: 3
+ xmpp:
+ tls:
+ enabled: True
+ auth:
+ enabled: True
+ cert_file: /etc/contrail/server.pem
+ key_file: /etc/contrail/privkey.pem
+ ca_cert_file: /etc/contrail/ca-cert.pem
database:
version: 4.0
config_only: true
diff --git a/tests/pillar/vrouter3.sls b/tests/pillar/vrouter3.sls
index 807b510..fbf2550 100644
--- a/tests/pillar/vrouter3.sls
+++ b/tests/pillar/vrouter3.sls
@@ -48,3 +48,11 @@
user: admin
password: "supersecretpassword123"
tenant: admin
+ xmpp:
+ tls:
+ enabled: True
+ auth:
+ enabled: True
+ cert_file: /etc/contrail/server.pem
+ key_file: /etc/contrail/privkey.pem
+ ca_cert_file: /etc/contrail/ca-cert.pem
\ No newline at end of file
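Review bot: The added block leaves tests/pillar/vrouter3.sls without a trailing newline (`\ No newline at end of file`), and tests/pillar/vrouter40.sls ends the same way; add a final newline so the next append to these fixtures does not show up as a change to the `ca_cert_file` line. As a point of style, `enabled: True` relies on YAML 1.1 truthy parsing, which Salt's loader accepts, but lowercase `true`/`false` is the portable spelling.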
diff --git a/tests/pillar/vrouter40.sls b/tests/pillar/vrouter40.sls
index 16cdcff..e1ebc84 100644
--- a/tests/pillar/vrouter40.sls
+++ b/tests/pillar/vrouter40.sls
@@ -52,3 +52,11 @@
user: admin
password: "supersecretpassword123"
tenant: admin
+ xmpp:
+ tls:
+ enabled: True
+ auth:
+ enabled: True
+ cert_file: /etc/contrail/server.pem
+ key_file: /etc/contrail/privkey.pem
+ ca_cert_file: /etc/contrail/ca-cert.pem
\ No newline at end of file