Merge lp:~tilmanbaumann/charms/trusty/contrail-control/trunk into lp:~sdn-charmers/charms/trusty/contrail-control/trunk
Status: Needs review
Proposed branch: lp:~tilmanbaumann/charms/trusty/contrail-control/trunk
Merge into: lp:~sdn-charmers/charms/trusty/contrail-control/trunk
Diff against target: 688 lines (+264/-75), 5 files modified:
- config.yaml (+6/-0)
- hooks/contrail_control_hooks.py (+85/-13)
- hooks/contrail_control_utils.py (+161/-61)
- metadata.yaml (+2/-0)
- templates/control-node.conf (+10/-1)
To merge this branch: bzr merge lp:~tilmanbaumann/charms/trusty/contrail-control/trunk
Related bugs:
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Tilman Baumann (community) | | | Approve |
| Robert Ayres | | | Pending |
Review via email: mp+340110@code.launchpad.net |
Description of the change
Previously xmpp-auth was only set to true when TLS certificates were set.
There is, however, no strong link between the two settings.
This change allows setting this independently as required.
It would undoubtedly be nicer to have this option only in contrail-contrail and read it via context relation from there. This is rather quick and dirty and a bit redundant.
But it is what I built so far...
Unmerged revisions
- 33. By Tilman Baumann
  Adding xmpp_auth option
  Separating xmpp_auth_enable from tls settings
  Making it switchable via xmpp_auth config option
- 32. By Dmitrii Shcherbakov
  enable TLS for XMPP communication as of contrail 3

  TLS is enabled unconditionally for contrail 3.0 and above deployments to
  make sure communication is secure by default.

  XMPP clients are vrouter agents on compute nodes. XMPP servers are
  contrail-control nodes.

  Certificates are generated automatically from a PKI charm (e.g. easyrsa)
  with a Subject Alternative Name field containing an IP address on a
  control network which is used by both contrail-control and
  neutron-contrail to communicate with each other.

  Using a Subject Alternative Name (SAN) with an IP address avoids a
  dependency on a DNS infrastructure while keeping the communication
  secure between endpoints that are related.

  Client authentication by XMPP servers was not supported at the time of
  writing, hence there is no mention of that in the code.

  As of Juju 2.x network spaces can be used if an underlying cloud
  supports them. In order to facilitate that support one should bind the
  control-node endpoint to a specific network space. Otherwise, old
  mechanisms such as the unit private address are going to be used to
  retrieve an IP address to be included into a certificate.

  The control node address fetching mechanism has changed as well: instead
  of just doing a relation-get for a private IP address of a control-node
  unit, a different value is taken from the relation data called
  control_node_ip (available due to modifications on the contrail-control
  side) - it is either an address in the network space which the
  control-node endpoint is bound to or a fall-back address (unit private
  address).
- 31. By Dmitrii Shcherbakov
  hooks: pep8 refactoring
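The two mechanisms this proposal touches, the xmpp_auth option decoupled from the TLS certificate state (description above, revision 33) and the control_node_ip selection that prefers a bound network space and falls back to the unit private address (revision 32), as one added example. This is illustration written for this page, not code from the contrail-control charm or its diff. Assumptions not stated on the page: the function names are hypothetical, the rendered keys mirror the xmpp_* settings in the [DEFAULT] section of contrail's control-node.conf, the charm option is taken to be named xmpp_auth as in the revision 33 message, an unset option is treated as "follow the TLS state" so existing deployments keep their old behaviour, and the guard that refuses xmpp_auth=true without certificate material is an extra check, not something the merge does.

```python
"""Added example for this merge proposal; it is not the charm's own code.

Assumptions (not stated on the page): hypothetical function names; the
conf keys mirror the xmpp_* settings of contrail's control-node.conf
[DEFAULT] section; the charm option is named ``xmpp_auth`` as in the
revision 33 message; an unset option means "follow the TLS state".
"""
import ipaddress


def control_node_ip(bound_address=None, private_address=None):
    """Choose the address published as control_node_ip on the relation.

    Order follows the revision 32 message: the address of the network
    space the control-node endpoint is bound to (Juju 2.x, when the cloud
    supports spaces) wins, otherwise the unit's private address is used.
    The value is validated as an IP literal because it is destined for an
    IP-type Subject Alternative Name entry, which cannot hold a hostname.
    """
    for candidate in (bound_address, private_address):
        if candidate:
            return str(ipaddress.ip_address(candidate))
    raise ValueError("no address available for control_node_ip")


def xmpp_settings(config, certs=None):
    """Derive the xmpp_* values rendered into control-node.conf.

    ``config`` is the charm config as a dict; ``certs`` is a dict with
    'cert', 'key' and 'ca' paths once the PKI relation has delivered
    them, or None before that.

    Before this change xmpp_auth_enable was true exactly when the TLS
    material was present. With the ``xmpp_auth`` option the two are
    separate: auth can be left off even with certificates installed.
    """
    have_tls = certs is not None
    xmpp_auth = config.get("xmpp_auth")
    if xmpp_auth is None:
        xmpp_auth = have_tls            # assumed default: legacy coupling
    xmpp_auth = bool(xmpp_auth)
    # Guard added in this example (not part of the merge): enabling auth
    # with no certificate material would leave control-node with nothing
    # to authenticate with, so refuse to render that combination.
    if xmpp_auth and not have_tls:
        raise ValueError("xmpp_auth=true requires TLS certificates")
    settings = {"xmpp_auth_enable": xmpp_auth}
    if have_tls:
        settings.update({
            "xmpp_server_cert": certs["cert"],
            "xmpp_server_key": certs["key"],
            "xmpp_ca_cert": certs["ca"],
        })
    return settings


def render_default_section(settings):
    """Render settings as [DEFAULT] lines in control-node.conf style."""
    lines = ["[DEFAULT]"]
    for key, value in sorted(settings.items()):
        if isinstance(value, bool):
            value = "true" if value else "false"
        lines.append("%s=%s" % (key, value))
    return "\n".join(lines) + "\n"


# Constructed sample inputs (not taken from a real deployment).
SAMPLE_CERTS = {
    "cert": "/etc/contrail/ssl/certs/server.pem",
    "key": "/etc/contrail/ssl/private/server-privkey.pem",
    "ca": "/etc/contrail/ssl/certs/ca-cert.pem",
}

if __name__ == "__main__":
    print(control_node_ip("10.20.0.5", "192.168.1.9"))   # bound space wins
    print(control_node_ip(None, "192.168.1.9"))          # fallback address
    # Certificates installed, but auth explicitly switched off.
    print(render_default_section(xmpp_settings({"xmpp_auth": False},
                                               SAMPLE_CERTS)))
```

The address helper takes the two candidate addresses as plain arguments so it runs offline; in a charm the first would come from the endpoint binding lookup and the second from the unit's private address, in that order.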
Please merge