Always use TLS for cluster

olliewalsh · Oct 4, 2024 · 235576f · 235576f
1 parent ad6e4d4
commit 235576f
Show file tree

Hide file tree

Showing 7 changed files with 46 additions and 35 deletions.
diff --git a/api/bases/ovn.openstack.org_ovndbclusters.yaml b/api/bases/ovn.openstack.org_ovndbclusters.yaml
@@ -57,6 +57,10 @@ spec:
                 description: DBType - NB or SB
                 pattern: ^NB|SB$
                 type: string
+              disableNonTLSListeners:
+                default: true
+                description: DisableNonTLSListeners
+                type: boolean
               electionTimer:
                 default: 10000
                 description: OVN Northbound and Southbound RAFT db election timer
@@ -166,6 +170,7 @@ spec:
             - containerImage
             - dbType
             - storageRequest
+            - tls
             type: object
           status:
             description: OVNDBClusterStatus defines the observed state of OVNDBCluster

diff --git a/api/v1beta1/ovndbcluster_types.go b/api/v1beta1/ovndbcluster_types.go
@@ -118,10 +118,15 @@ type OVNDBClusterSpecCore struct {
 	// If specified the IP address of this network is used as the dbAddress connection.
 	NetworkAttachment string `json:"networkAttachment"`
 
-	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Required
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// TLS - Parameters related to TLS
-	TLS tls.SimpleService `json:"tls,omitempty"`
+	TLS tls.SimpleService `json:"tls"`
+
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default=true
+	// DisableNonTLSListeners
+	DisableNonTLSListeners bool `json:"disableNonTLSListeners,omitempty"`
 }
 
 // OVNDBClusterStatus defines the observed state of OVNDBCluster

diff --git a/config/crd/bases/ovn.openstack.org_ovndbclusters.yaml b/config/crd/bases/ovn.openstack.org_ovndbclusters.yaml
@@ -57,6 +57,10 @@ spec:
                 description: DBType - NB or SB
                 pattern: ^NB|SB$
                 type: string
+              disableNonTLSListeners:
+                default: true
+                description: DisableNonTLSListeners
+                type: boolean
               electionTimer:
                 default: 10000
                 description: OVN Northbound and Southbound RAFT db election timer
@@ -166,6 +170,7 @@ spec:
             - containerImage
             - dbType
             - storageRequest
+            - tls
             type: object
           status:
             description: OVNDBClusterStatus defines the observed state of OVNDBCluster

diff --git a/controllers/ovndbcluster_controller.go b/controllers/ovndbcluster_controller.go
@@ -424,7 +424,7 @@ func (r *OVNDBClusterReconciler) reconcileNormal(ctx context.Context, instance *
 	}
 
 	// Validate service cert secret
-	if instance.Spec.TLS.Enabled() {
+	if true {
 		hash, err := instance.Spec.TLS.ValidateCertSecret(ctx, helper, instance.Namespace)
 		if err != nil {
 			if k8s_errors.IsNotFound(err) {
@@ -592,9 +592,9 @@ func (r *OVNDBClusterReconciler) reconcileNormal(ctx context.Context, instance *
 		instance.Status.Conditions.MarkTrue(condition.ExposeServiceReadyCondition, condition.ExposeServiceReadyMessage)
 		internalDbAddress := []string{}
 		var svcPort int32
-		scheme := "tcp"
-		if instance.Spec.TLS.Enabled() {
-			scheme = "ssl"
+		scheme := "ssl"
+		if !instance.Spec.DisableNonTLSListeners {
+			scheme = "tcp"
 		}
 		for _, svc := range svcList.Items {
 			svcPort = svc.Spec.Ports[0].Port
@@ -776,9 +776,9 @@ func (r *OVNDBClusterReconciler) reconcileServices(
 		}
 	}
 	// dbAddress will contain ovsdbserver-(nb|sb).openstack.svc or empty
-	scheme := "tcp"
-	if instance.Spec.TLS.Enabled() {
-		scheme = "ssl"
+	scheme := "ssl"
+	if !instance.Spec.DisableNonTLSListeners {
+		scheme = "tcp"
 	}
 	instance.Status.DBAddress = ovndbcluster.GetDBAddress(svc, serviceName, instance.Namespace, scheme)
 
@@ -812,7 +812,7 @@ func (r *OVNDBClusterReconciler) generateServiceConfigMaps(
 	templateParameters["OVN_ELECTION_TIMER"] = instance.Spec.ElectionTimer
 	templateParameters["OVN_INACTIVITY_PROBE"] = instance.Spec.InactivityProbe
 	templateParameters["OVN_PROBE_INTERVAL_TO_ACTIVE"] = instance.Spec.ProbeIntervalToActive
-	templateParameters["TLS"] = instance.Spec.TLS.Enabled()
+	templateParameters["TLS"] = instance.Spec.DisableNonTLSListeners
 	templateParameters["OVNDB_CERT_PATH"] = ovn_common.OVNDbCertPath
 	templateParameters["OVNDB_KEY_PATH"] = ovn_common.OVNDbKeyPath
 	templateParameters["OVNDB_CACERT_PATH"] = ovn_common.OVNDbCaCertPath

diff --git a/templates/ovndbcluster/bin/cleanup.sh b/templates/ovndbcluster/bin/cleanup.sh
@@ -16,25 +16,10 @@
 set -ex
 source $(dirname $0)/functions
 
-DB_NAME="OVN_Northbound"
-if [[ "${DB_TYPE}" == "sb" ]]; then
-    DB_NAME="OVN_Southbound"
-fi
-
 # There is nothing special about -0 pod, except that it's always guaranteed to
 # exist, assuming any replicas are ordered.
 if [[ "$(hostname)" != "{{ .SERVICE_NAME }}-0" ]]; then
-    ovs-appctl -t /tmp/ovn${DB_TYPE}_db.ctl cluster/leave ${DB_NAME}
-
-    # wait for when the leader confirms we left the cluster
-    while true; do
-        # TODO: is there a better way to detect the cluster left state?..
-        STATUS=$(ovs-appctl -t /tmp/ovn${DB_TYPE}_db.ctl cluster/status ${DB_NAME} | grep Status: | awk -e '{print $2}')
-        if [ -z "$STATUS" -o "x$STATUS" = "xleft cluster" ]; then
-            break
-        fi
-        sleep 1
-    done
+    leave_cluster
 fi
 
 # If replicas are 0 and *all* pods are removed, we still want to retain the

diff --git a/templates/ovndbcluster/bin/functions b/templates/ovndbcluster/bin/functions
@@ -14,6 +14,24 @@
 
 DB_TYPE="{{ .DB_TYPE }}"
 DB_FILE=/etc/ovn/ovn${DB_TYPE}_db.db
+DB_NAME="OVN_Northbound"
+if [[ "${DB_TYPE}" == "sb" ]]; then
+    DB_NAME="OVN_Southbound"
+fi
+
+function leave_cluster() {
+    ovs-appctl -t /tmp/ovn${DB_TYPE}_db.ctl cluster/leave ${DB_NAME}
+
+    # wait for when the leader confirms we left the cluster
+    while true; do
+        # TODO: is there a better way to detect the cluster left state?..
+        STATUS=$(ovs-appctl -t /tmp/ovn${DB_TYPE}_db.ctl cluster/status ${DB_NAME} | grep Status: | awk -e '{print $2}')
+        if [ -z "$STATUS" -o "x$STATUS" = "xleft cluster" ]; then
+            break
+        fi
+        sleep 1
+    done
+}
 
 function cleanup_db_file() {
     rm -f $DB_FILE

diff --git a/templates/ovndbcluster/bin/setup.sh b/templates/ovndbcluster/bin/setup.sh
@@ -25,10 +25,6 @@ DB_SCHEME="ptcp"
 RAFT_PORT="{{ .RAFT_PORT }}"
 NAMESPACE="{{ .NAMESPACE }}"
 OPTS=""
-DB_NAME="OVN_Northbound"
-if [[ "${DB_TYPE}" == "sb" ]]; then
-    DB_NAME="OVN_Southbound"
-fi
 
 PODNAME=$(hostname -f | cut -d. -f1,2)
 PODIPV6=$(grep "${PODNAME}" /etc/hosts | grep ':' | cut -d$'\t' -f1)
@@ -59,10 +55,10 @@ set "$@" --db-${DB_TYPE}-cluster-local-port=${RAFT_PORT}
 set "$@" --db-${DB_TYPE}-probe-interval-to-active={{ .OVN_PROBE_INTERVAL_TO_ACTIVE }}
 set "$@" --db-${DB_TYPE}-addr=${DB_ADDR}
 set "$@" --db-${DB_TYPE}-port=${DB_PORT}
-{{- if .TLS }}
 set "$@" --ovn-${DB_TYPE}-db-ssl-key={{.OVNDB_KEY_PATH}}
 set "$@" --ovn-${DB_TYPE}-db-ssl-cert={{.OVNDB_CERT_PATH}}
 set "$@" --ovn-${DB_TYPE}-db-ssl-ca-cert={{.OVNDB_CACERT_PATH}}
+{{- if .TLS }}
 set "$@" --db-${DB_TYPE}-cluster-local-proto=ssl
 set "$@" --db-${DB_TYPE}-cluster-remote-proto=ssl
 set "$@" --db-${DB_TYPE}-create-insecure-remote=no
@@ -105,11 +101,8 @@ if [[ "$(hostname)" == "{{ .SERVICE_NAME }}-0" ]]; then
     # All following ctl invocation will use the local DB replica in the daemon
     export OVN_${DB_TYPE^^}_DAEMON=$(${CTLCMD} --pidfile --detach)
 
-{{- if .TLS }}
+
     ${CTLCMD} set-ssl {{.OVNDB_KEY_PATH}} {{.OVNDB_CERT_PATH}} {{.OVNDB_CACERT_PATH}}
-{{- else }}
-    ${CTLCMD} del-ssl
-{{- end }}
     ${CTLCMD} set-connection ${DB_SCHEME}:${DB_PORT}:${DB_ADDR}
 
     # OVN does not support setting inactivity-probe through --remote cli arg so