Allow ovn-controller to use SSL certificate and key configuration from local ovsdb. With this change, SSL configuration from the vswitchd database will be used if present; otherwise, configuration can still be specified from the command line.
If SSL configuration is present in both locations, the configuration in the local ovsdb has precedence. This is consistent with how vswitchd is currently implemented. The existing ovs-vsctl get-ssl/set-ssl/del-ssl commands can be used to manage the configuration in the vswitchd database. Signed-off-by: Lance Richardson <lrich...@redhat.com> --- v2: Add NEWS item, update ovn-controller(8) man page. NEWS | 2 ++ ovn/controller/ovn-controller.8.xml | 11 +++++++++++ ovn/controller/ovn-controller.c | 19 +++++++++++++++++++ 3 files changed, 32 insertions(+) diff --git a/NEWS b/NEWS index ec8572a..ea3ed6f 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,8 @@ Post-v2.7.0 - OVN: * Make the DHCPv4 router setting optional. * Gratuitous ARP for NAT addresses on a distributed logical router. + * Allow ovn-controller SSL configuration to be obtained from vswitchd + database. - Add the command 'ovs-appctl stp/show' (see ovs-vswitchd(8)). v2.7.0 - 21 Feb 2017 diff --git a/ovn/controller/ovn-controller.8.xml b/ovn/controller/ovn-controller.8.xml index c92fd55..f9cbbfe 100644 --- a/ovn/controller/ovn-controller.8.xml +++ b/ovn/controller/ovn-controller.8.xml @@ -184,6 +184,17 @@ <ref table="Chassis" db="OVN_Southbound"/> table in the OVN_Southbound database. </dd> + + <dt><code>private_key</code>, <code>certificate</code>, + <code>ca_cert</code>, and <code>bootstrap_ca_cert</code> + from <ref table="SSL" db="Open_vSwitch"/> table</dt> + <dd> + These values provide the SSL configuration used for connecting + to the OVN southbound database server when an SSL connection type + is configured via <code>external_ids:ovn-remote</code>. Note that + this SSL configuration can also be provided via command-line options, + the configuration in the database takes precedence if both are present. + </dd> </dl> <h1>Open vSwitch Database Usage</h1> diff --git a/ovn/controller/ovn-controller.c b/ovn/controller/ovn-controller.c index a36973a..e00f57a 100644 --- a/ovn/controller/ovn-controller.c 
+++ b/ovn/controller/ovn-controller.c @@ -283,6 +283,17 @@ addr_sets_init(struct controller_ctx *ctx, struct shash *addr_sets) } } +static void +update_ssl_config(const struct ovsdb_idl *ovs_idl) +{ + const struct ovsrec_ssl *ssl = ovsrec_ssl_first(ovs_idl); + + if (ssl) { + stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate); + stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert); + } +} + /* Retrieves the OVN Southbound remote location from the * "external-ids:ovn-remote" key in 'ovs_idl' and returns a copy of it. */ static char * @@ -296,6 +307,7 @@ get_ovnsb_remote(struct ovsdb_idl *ovs_idl) if (cfg) { const char *remote = smap_get(&cfg->external_ids, "ovn-remote"); if (remote) { + update_ssl_config(ovs_idl); return xstrdup(remote); } } @@ -529,6 +541,11 @@ main(int argc, char *argv[]) ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_bridge_col_fail_mode); ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_bridge_col_other_config); ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_bridge_col_external_ids); + ovsdb_idl_add_table(ovs_idl_loop.idl, &ovsrec_table_ssl); + ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_ssl_col_bootstrap_ca_cert); + ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_ssl_col_ca_cert); + ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_ssl_col_certificate); + ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_ssl_col_private_key); chassis_register_ovs_idl(ovs_idl_loop.idl); encaps_register_ovs_idl(ovs_idl_loop.idl); binding_register_ovs_idl(ovs_idl_loop.idl); @@ -579,6 +596,8 @@ main(int argc, char *argv[]) update_probe_interval(&ctx); + update_ssl_config(ctx.ovs_idl); + /* Contains "struct local_datapath" nodes. */ struct hmap local_datapaths = HMAP_INITIALIZER(&local_datapaths); -- 2.7.4 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
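Review bot: the last sentence of the new <dd> in ovn-controller.8.xml ("Note that this SSL configuration can also be provided via command-line options, the configuration in the database takes precedence if both are present.") is a comma splice and does not say which options are meant; suggest splitting it and naming them, e.g. "This SSL configuration can also be provided via the --private-key, --certificate, --ca-cert and --bootstrap-ca-cert command-line options; if both are present, the configuration in the database takes precedence." It would also help to state that private_key, certificate and ca_cert are file names as seen by ovn-controller on the chassis, since the database only carries the paths.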
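Review bot: update_ssl_config() selects the row with ovsrec_ssl_first(ovs_idl), which returns an arbitrary row should the SSL table ever hold more than one, while the Open_vSwitch table's ssl column is the schema's reference to the row actually in use; reading the row through that reference (the ssl member of the ovsrec_open_vswitch row, with ovsrec_open_vswitch_col_ssl registered next to the ovsrec_ssl_col_* columns in the main() hunk) would make the commit message's "consistent with how vswitchd is currently implemented" hold literally and remove the ambiguity. Also, when no row exists the function deliberately leaves whatever the command-line options set in place; a one-line comment above the if (ssl) saying that this is how the "database takes precedence" rule is implemented would save the next reader from guessing.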
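Review bot: the update_ssl_config(ovs_idl) call added inside get_ovnsb_remote() changes process-wide SSL state from a function whose name and comment ("Retrieves the OVN Southbound remote location ... and returns a copy of it") promise a pure read, and it only runs when "ovn-remote" is set even though the SSL row is independent of that key. Since main() now calls update_ssl_config() explicitly, consider dropping this call and instead invoking update_ssl_config() directly before the first get_ovnsb_remote()/southbound IDL creation, so the ordering requirement (SSL must be configured before an ssl: remote is opened) is visible at the call site rather than hidden in a side effect.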
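Review bot: the update_ssl_config(ctx.ovs_idl) call after update_probe_interval(&ctx) in main() is repeated on every pass through this code, which is what lets a changed SSL row or a replaced key/certificate file take effect without restarting ovn-controller, but nothing says so, and with the other call already inside get_ovnsb_remote() it looks redundant. Suggest a comment such as "/* Re-read SSL configuration every iteration so that changes to the SSL row or to the key/cert files take effect. */" so that nobody later "deduplicates" it, and keep it ahead of any code that may (re)open the southbound connection.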
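The commit message says the chassis-side SSL configuration is managed with ovs-vsctl set-ssl/get-ssl/del-ssl and that the database row wins over command-line options. As an added example (not part of this patch or of the Open vSwitch tree), the POSIX shell helper below stores the key, certificate and CA paths with set-ssl and points ovn-remote at an ssl: target in a single ovs-vsctl transaction, refusing paths that are not readable on the chassis and remote strings that are not entirely ssl:. The file names, the 192.0.2.x address and the OVS_VSCTL override variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the patch or from Open vSwitch.
# Stores ovn-controller's SSL material in the local vswitchd database and
# sets ovn-remote to an ssl: target in one ovs-vsctl transaction.
# OVS_VSCTL is an assumed override so the helper can be dry-run.
OVS_VSCTL="${OVS_VSCTL:-ovs-vsctl}"

# Succeed only if every comma-separated target in the ovn-remote string
# uses the ssl: connection type.  Mixing in a tcp: target would let the
# controller fall back to an unauthenticated, cleartext connection.
ovn_remote_uses_ssl() {
    remote=$1
    [ -n "$remote" ] || return 1
    old_ifs=$IFS
    IFS=,
    for target in $remote; do
        case $target in
            ssl:*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# The database only stores paths; ovn-controller resolves them on the
# chassis when it configures SSL, so verify them here rather than
# discovering a typo later in the controller log.
check_pem_files() {
    for f in "$@"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    return 0
}

# Usage: configure_chassis_ssl KEY CERT CACERT OVN_REMOTE
# Plain set-ssl is used deliberately: "ovs-vsctl --bootstrap set-ssl" sets
# bootstrap_ca_cert, which the patch's update_ssl_config() passes straight
# to stream_ssl_set_ca_cert_file(), and that accepts whatever CA the
# server offers on first contact.
configure_chassis_ssl() {
    key=$1; cert=$2; ca=$3; remote=$4
    ovn_remote_uses_ssl "$remote" || {
        echo "ovn-remote must use only ssl: targets: $remote" >&2
        return 1
    }
    check_pem_files "$key" "$cert" "$ca" || return 1
    $OVS_VSCTL set-ssl "$key" "$cert" "$ca" \
        -- set Open_vSwitch . external_ids:ovn-remote="$remote"
}

# Example invocation (assumed paths and address; run as root on a chassis):
#   configure_chassis_ssl /etc/openvswitch/chassis-privkey.pem \
#       /etc/openvswitch/chassis-cert.pem /etc/openvswitch/cacert.pem \
#       ssl:192.0.2.10:6642
```

After running it, "ovs-vsctl get-ssl" shows the row ovn-controller will use; per the patch, any --private-key/--certificate/--ca-cert options still present on the ovn-controller command line are overridden by that row, and "ovs-vsctl del-ssl" hands control back to the command-line options.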