Hello, Jake,

On Tue, Dec 13, 2022 at 3:29 AM Jake Yip via discuss
<ovs-discuss@openvswitch.org> wrote:
>
> Hi all,
>
> In OVN, NB and SB databases run on TCP 6641 and 6642 by default.
>
> I've noticed in many docs[1], the SSL configs are to set SSL on 6641/6642.
>
> Personally, this is unlike many protocols which will use a different
> port for SSL traffic. For example HTTP/HTTPS, IMAP/IMAPS.
>
> I'm wondering if there is a reason this was not recommended?
>
> In our setup, we have set our SSL ports to 6645/6656. This has the
> advantage of also allowing ptcp:6641/6642, so clients can connect either
> way.
>
> I am wondering if we might be missing anything by setting it up this way.

From my point of view, using SSL/TLS with the OVSDB server in an OVN
deployment is a requirement, as the OVSDB protocol itself does not
provide any form of authentication/authorization. And since we are not
configuring TCP listeners, just re-using the default ones for SSL/TLS
makes sense in our deployments.

-- 
Frode Nordahl

> Regards,
> Jake
>
> [1]
> https://github.com/ovn-org/ovn-kubernetes/blob/master/docs/INSTALL.SSL.md
>
> --
> Jake Yip
> DevOps Engineer, ARDC Nectar Research Cloud
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
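
An added example, not part of the original thread and not OVN project code: a small audit that takes the passive OVSDB remotes configured for the NB/SB databases and reports which ones accept plaintext TCP from off-host. The two sample lists are constructed from the port numbers mentioned in the thread; the function names are hypothetical.

```python
import ipaddress

def parse_remote(remote):
    """Split an OVSDB passive remote into (method, port, bind_address).

    Accepts ptcp:PORT[:IP], pssl:PORT[:IP] and punix:FILE; IPv6 addresses
    are written in square brackets. bind_address is None when no IP is given.
    """
    method, _, rest = remote.strip().partition(":")
    if method == "punix":
        return method, None, None  # local Unix socket, no network exposure
    if method not in ("ptcp", "pssl"):
        raise ValueError(f"not a passive OVSDB remote: {remote!r}")
    port, _, addr = rest.partition(":")
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in {remote!r}")
    bind = ipaddress.ip_address(addr.strip("[]")) if addr else None
    return method, int(port), bind

def plaintext_listeners(remotes):
    """Return the remotes that accept unauthenticated TCP from off-host."""
    exposed = []
    for remote in remotes:
        method, _port, bind = parse_remote(remote)
        # A ptcp listener with no bind address, or a non-loopback one,
        # is reachable by anything that can route to the host.
        if method == "ptcp" and (bind is None or not bind.is_loopback):
            exposed.append(remote)
    return exposed

# Constructed sample: TLS on separate ports with the TCP listeners kept.
DUAL_LISTENERS = ["ptcp:6641", "pssl:6645", "ptcp:6642", "pssl:6656"]
# Constructed sample: the default ports reused for TLS, no TCP listeners.
TLS_ONLY = ["pssl:6641", "pssl:6642"]

if __name__ == "__main__":
    for name, remotes in (("dual", DUAL_LISTENERS), ("tls-only", TLS_ONLY)):
        print(name, "plaintext listeners:", plaintext_listeners(remotes))
```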