lp://staging/~tilmanbaumann/charms/trusty/contrail-control/trunk
- Get this branch: bzr branch lp://staging/~tilmanbaumann/charms/trusty/contrail-control/trunk
Branch merges
- Tilman Baumann (community): Approve
- Robert Ayres: Pending requested
Diff: 688 lines (+264/-75), 5 files modified
- config.yaml (+6/-0)
- hooks/contrail_control_hooks.py (+85/-13)
- hooks/contrail_control_utils.py (+161/-61)
- metadata.yaml (+2/-0)
- templates/control-node.conf (+10/-1)
Branch information
- Owner: Tilman Baumann
- Status: Development
Recent revisions
- 33. By Tilman Baumann
-
Adding xmpp_auth option
Separating xmpp_auth_enable from tls settings
Making it switchable via xmpp_auth config option
- 32. By Dmitrii Shcherbakov
-
enable TLS for XMPP communication as of contrail 3

TLS is enabled unconditionally for contrail 3.0 and above deployments to
make sure communication is secure by default.

XMPP clients are vrouter agents on compute nodes. XMPP servers are
contrail-control nodes.

Certificates are generated automatically from a PKI charm (e.g. easyrsa)
with a Subject Alternative Name field containing an IP address on a
control network which is used by both contrail-control and
neutron-contrail to communicate with each other.

Using a Subject Alternative Name (SAN) with an IP address avoids a
dependency on a DNS infrastructure while keeping the communication
secure between endpoints that are related.

Client authentication by XMPP servers was not supported at the time of
writing, hence there is no mention of that in the code.

As of Juju 2.x network spaces can be used if an underlying cloud
supports them. In order to facilitate that support one should bind the
control-node endpoint to a specific network space. Otherwise, old
mechanisms such as the unit private address are going to be used to retrieve
an IP address to be included into a certificate.

The control node address fetching mechanism has changed as well: instead of
just doing a relation-get for a private IP address of a control-node
unit, a different value is taken from the relation data called
control_node_ip (available due to modifications on the contrail-control
side) - it is either an address in the network space which the control-node
endpoint is bound to or a fall-back address (unit private address).
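The address selection described in the commit message above (prefer the address of the network space the control-node endpoint is bound to, fall back to the unit private address, publish it as control_node_ip, and read it on the peer side with the same fall-back), as an added Python example that is not part of the charm's own code. The JSON shape assumed for `network-get <binding> --format=json` (a top-level "bind-addresses" list), the helper names, and the sample tool output are assumptions constructed for the example; the only real hook tools invoked are `network-get` and `unit-get`, and only when no values are passed in.

```python
import ipaddress
import json
import subprocess


def _run_hook_tool(args):
    """Run a Juju hook tool and return its stdout, or None if it is absent or fails.

    Hypothetical helper: outside a running hook the tools do not exist, so the
    callers below simply use the values handed to them instead."""
    try:
        return subprocess.check_output(args, stderr=subprocess.DEVNULL).decode()
    except (OSError, subprocess.CalledProcessError):
        return None


def address_from_network_get(network_get_json):
    """Pick the first bind address out of `network-get <binding> --format=json` output.

    Assumes the Juju 2.x JSON shape with a top-level "bind-addresses" list of
    interfaces, each carrying an "addresses" list; an empty, missing or
    unparseable document yields None so the caller can fall back."""
    try:
        doc = json.loads(network_get_json or "")
    except ValueError:
        return None
    for iface in doc.get("bind-addresses", []):
        for addr in iface.get("addresses", []):
            if addr.get("address"):
                return addr["address"]
    return None


def control_node_ip(binding="control-node", private_address=None, network_get_json=None):
    """Address to publish as control_node_ip and to put into the certificate's IP SAN.

    Prefers the address of the network space `binding` is bound to and falls
    back to the unit private address, as the commit message describes. When
    either input is not supplied the corresponding hook tool is queried, which
    only works inside a running hook."""
    if network_get_json is None:
        network_get_json = _run_hook_tool(["network-get", binding, "--format=json"])
    if private_address is None:
        private_address = (_run_hook_tool(["unit-get", "private-address"]) or "").strip() or None
    addr = address_from_network_get(network_get_json) or private_address
    if addr is None:
        raise RuntimeError("no address available for endpoint %s" % binding)
    # The certificate is issued with an IP SAN, so a hostname (which some clouds
    # return as the private address) would never match; reject it up front.
    ipaddress.ip_address(addr)
    return addr


def relation_settings(addr):
    """Relation data the control node publishes for neutron-contrail (assumed key name)."""
    return {"control_node_ip": addr}


def peer_control_node_address(relation_data):
    """Consumer side: prefer control_node_ip, fall back to the unit's private-address."""
    return relation_data.get("control_node_ip") or relation_data.get("private-address")


# Constructed sample of network-get output for a unit bound to a control space.
SAMPLE_NETWORK_GET = json.dumps({
    "bind-addresses": [{
        "interfacename": "eth1",
        "addresses": [{"hostname": "", "address": "192.168.10.5", "cidr": "192.168.10.0/24"}],
    }],
})

if __name__ == "__main__":
    chosen = control_node_ip(private_address="10.0.0.2", network_get_json=SAMPLE_NETWORK_GET)
    print(relation_settings(chosen))
    print(peer_control_node_address({"private-address": "10.0.0.2"}))
```

The peer-side fall-back matters for mixed deployments: a neutron-contrail unit related to a contrail-control revision that does not yet publish control_node_ip still gets a usable address, while a unit bound to a space gets the in-space one that the certificate's SAN was issued for.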
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)