SSL/TLS Everywhere missing for Neutron Agents + OVSDB connections

Fix proposed to branch: master
Review: https://review.openstack.org/540127

Fix proposed to branch: master
Review: https://review.openstack.org/540146

Fix proposed to branch: master
Review: https://review.openstack.org/540164

Reviewed: https://review.openstack.org/540146
Committed: https://git.openstack.org/cgit/openstack/puppet-tripleo/commit/?id=92c7d6880b95938cb6a47ff7a4a339aab61bf255
Submitter: Zuul
Branch: master

commit 92c7d6880b95938cb6a47ff7a4a339aab61bf255
Author: Tim Rozet <email address hidden>
Date: Thu Feb 1 16:28:12 2018 -0500

    Adds missing Neutron TLS certificate/key generation

    Neutron agents need key/certificate in order to communicate with OVS
    using SSL.

    Partial-Bug: 1746762

    Change-Id: I4bbaf00f0776cab0be34d814a541fb2fd1e64326
    Signed-off-by: Tim Rozet <email address hidden>

Reviewed: https://review.openstack.org/540127
Committed: https://git.openstack.org/cgit/openstack/puppet-neutron/commit/?id=094e594d4009b79668b214c0c176eb5b01ce211c
Submitter: Zuul
Branch: master

commit 094e594d4009b79668b214c0c176eb5b01ce211c
Author: Tim Rozet <email address hidden>
Date: Thu Feb 1 12:49:14 2018 -0500

    Adds configuration for SSL OVSDB connections

    Exposes new parameters to configure SSL key, certificate, and CA
    certificate files. This allows DHCP agent to connect to OVSDB using
    SSL. Also the OVS/ovsdb_connection configuration was previously in ODL
    ML2 class, which should have been in the DHCP agent to begin with as it
    is not ML2 configuration. This patch deprecates the previous behavior
    and adds ovsdb_connection into DHCP agent to use its normal service
    default.

    Partial-Bug: 1746762

    Depends-On: I19fd9dd0c72260835eb91e557a6029ec9d652179

    Change-Id: I82281eefa1aa81207ccd8ea565cffc6ca0ec48de
    Signed-off-by: Tim Rozet <email address hidden>

Reviewed: https://review.openstack.org/540164
Committed: https://git.openstack.org/cgit/openstack/tripleo-heat-templates/commit/?id=2adb2b6f57e031b70cb49cf3586fb204e6919d33
Submitter: Zuul
Branch: master

commit 2adb2b6f57e031b70cb49cf3586fb204e6919d33
Author: Tim Rozet <email address hidden>
Date: Thu Feb 1 17:06:10 2018 -0500

    Fixes missing SSL configuration for Neutron DHCP agent

    Currently when deploying with TLS for internal API traffic, Neutron is
    not configured to securely communicate with OVSDB. In regular OVS agent
    deployments OVS listens on ptcp and accepts any incoming connection. In
    ODL deployments OVS is configured to only listen for pssl connections.
    To allow Neutron agents to communicate with OVSDB in pssl, Neutron needs
    to be configured with SSL key/certificate in order to connect to OVS.

    This patch adds key/certificate generation for NeutronBase service to be
    consumed by any agent. The only agent required with ODL is DHCP, so
    this patch only addresses configuring SSL there. However, a future
    patch could enable SSL for default ML2/OVS agent deployments as well by
    building off of this change.

    Note, by default OVSDB listens on port 6640. This does not work in ODL
    deployments when ODL is on the control node because ODL also listens
    on port 6640. Therefore from the ODL service, the ovsdb_connection
    setting for DHCP agent is modified when ODL is deployed.

    Depends-On: I82281eefa1aa81207ccd8ea565cffc6ca0ec48de
    Depends-On: I4bbaf00f0776cab0be34d814a541fb2fd1e64326

    Closes-Bug: 1746762

    Change-Id: I97352027d7f750d0820610fb9e06f82b47e77056
    Signed-off-by: Tim Rozet <email address hidden>

This issue was fixed in the openstack/tripleo-heat-templates 8.0.0.0rc1 release candidate.

This was fixed by https://review.opendev.org/c/openstack/puppet-neutron/+/540127