[ovs-dev] ovn-ctl: Add bootstrap ovn-controller CA certificate option.

Message ID 1484738729-4219-1-git-send-email-guru@ovn.org
State Accepted

Commit Message

Guru Shetty Jan. 18, 2017, 11:25 a.m. UTC
ovn-controller accepts the option --bootstrap-ca-cert. With this
commit, ovn-ctl will let user pass a value for that via
--ovn-controller-ssl-bootstrap-ca-cert option.

Bootstrapping is useful for ovn-controller because you do not have to copy
the central controller's CA certificate (self-signed or otherwise) to every host beforehand.

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
---
 ovn/utilities/ovn-ctl       | 20 ++++++++++++++++++--
 ovn/utilities/ovn-ctl.8.xml |  1 +
 2 files changed, 19 insertions(+), 2 deletions(-)

Comments

Ben Pfaff Jan. 18, 2017, 10:02 p.m. UTC | #1
On Wed, Jan 18, 2017 at 03:25:29AM -0800, Gurucharan Shetty wrote:
> ovn-controller accepts the option --bootstrap-ca-cert. With this
> commit, ovn-ctl will let user pass a value for that via
> --ovn-controller-ssl-bootstrap-ca-cert option.
> 
> Bootstrapping is useful for ovn-controller as you don't have to
> copy the controller's certificate (self-signed or otherwise) to every host.
> 
> Signed-off-by: Gurucharan Shetty <guru@ovn.org>

I didn't test this, but the feature makes sense, so as long as it works:

Acked-by: Ben Pfaff <blp@ovn.org>
Lance Richardson Jan. 18, 2017, 10:26 p.m. UTC | #2
> From: "Gurucharan Shetty" <guru@ovn.org>
> To: dev@openvswitch.org
> Sent: Wednesday, January 18, 2017 6:25:29 AM
> Subject: [ovs-dev] [PATCH] ovn-ctl: Add bootstrap ovn-controller CA	certificate option.
> 
> ovn-controller accepts the option --bootstrap-ca-cert. With this
> commit, ovn-ctl will let user pass a value for that via
> --ovn-controller-ssl-bootstrap-ca-cert option.
> 
> Bootstrapping is useful for ovn-controller as you don't have to
> copy the controller's certificate (self-signed or otherwise) to every host.
> 
> Signed-off-by: Gurucharan Shetty <guru@ovn.org>
> ---
LGTM (haven't tried it, but I'm planning to). Thanks for the enhancement
as well as the clean-ups.

It would be nice if this could go into the 2.7 branch as well.

Acked-by: Lance Richardson <lrichard@redhat.com>
Guru Shetty Jan. 18, 2017, 10:40 p.m. UTC | #3
On 18 January 2017 at 14:26, Lance Richardson <lrichard@redhat.com> wrote:

> > From: "Gurucharan Shetty" <guru@ovn.org>
> > To: dev@openvswitch.org
> > Sent: Wednesday, January 18, 2017 6:25:29 AM
> > Subject: [ovs-dev] [PATCH] ovn-ctl: Add bootstrap ovn-controller CA
>  certificate option.
> >
> > ovn-controller accepts the option --bootstrap-ca-cert. With this
> > commit, ovn-ctl will let user pass a value for that via
> > --ovn-controller-ssl-bootstrap-ca-cert option.
> >
> > Bootstrapping is useful for ovn-controller as you don't have to
> > copy the controller's certificate (self-signed or otherwise) to every
> host.
> >
> > Signed-off-by: Gurucharan Shetty <guru@ovn.org>
> > ---
> LGTM (haven't tried it, but I'm planning to). Thanks for the enhancement
> as well as the clean-ups.
>
> It would be nice if this could go into the 2.7 branch as well.
>
> Acked-by: Lance Richardson <lrichard@redhat.com>
>

Thanks Ben and Lance. I pushed this to master and 2.7.

(The bootstrapping worked fine on my 3 host test bed)

Patch

diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
index 90d0463..a3bdad1 100755
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@@ -220,22 +220,36 @@  start_northd () {
 start_controller () {
     set ovn-controller "unix:$DB_SOCK"
     set "$@" $OVN_CONTROLLER_LOG
-    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+    if test X"$OVN_CONTROLLER_SSL_KEY" != X; then
         set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+    fi
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
         set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+    fi
+    if test X"$OVN_CONTROLLER_SSL_CA_CERT" != X; then
         set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
     fi
+    if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then
+        set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
 start_controller_vtep () {
     set ovn-controller-vtep "unix:$DB_SOCK"
     set "$@" -vconsole:emer -vsyslog:err -vfile:info
-    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+    if test X"$OVN_CONTROLLER_SSL_KEY" != X; then
         set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+    fi
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
         set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+    fi
+    if test X"$OVN_CONTROLLER_SSL_CA_CERT" != X; then
         set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
     fi
+    if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then
+        set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
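Review bot: The added `--bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT` line in start_controller (and its copy in start_controller_vtep) is appended even when `--ca-cert` was already added from OVN_CONTROLLER_SSL_CA_CERT a few lines above, and ovn-ctl neither warns nor refuses when both variables are set. If ovn-controller treats these like other OVS daemons, the last CA option on the command line wins, so a host with both configured would silently fall back to trust-on-first-use: the first connection is not authenticated and whatever certificate the peer presents is saved as the CA. I would reject the combination before the bootstrap branch, e.g. `if test X"$OVN_CONTROLLER_SSL_CA_CERT" != X && test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then echo >&2 "ovn-controller: --ovn-controller-ssl-ca-cert and --ovn-controller-ssl-bootstrap-ca-cert are mutually exclusive"; exit 1; fi`, and add a comment such as `# Bootstrap CA is trust-on-first-use: the first SB connection is unauthenticated and its CA is written to this file.` so operators understand the trade-off. The expansions are also unquoted (pre-existing style, but repeated on the new lines); `--bootstrap-ca-cert="$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT"` would keep a path containing spaces or glob characters intact. Since the two functions now duplicate four identical SSL branches, a shared helper that appends the SSL options to `"$@"` would keep them from drifting.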
@@ -335,6 +349,7 @@  set_defaults () {
     OVN_CONTROLLER_SSL_KEY=""
     OVN_CONTROLLER_SSL_CERT=""
     OVN_CONTROLLER_SSL_CA_CERT=""
+    OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT=""
 
     DB_SB_CREATE_INSECURE_REMOTE="no"
     DB_NB_CREATE_INSECURE_REMOTE="no"
@@ -384,6 +399,7 @@  Options:
   --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
   --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
   --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
+  --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file
   --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases should be
                                    automatically started and stopped along
                                    with ovn-northd. The default is "yes". If
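Review bot: The new usage line `--ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file` does not tell the operator what "bootstrapped" means or that the option changes the trust model, which is exactly what someone deciding between it and `--ovn-controller-ssl-ca-cert` needs. Assuming the option behaves as `--bootstrap-ca-cert` does elsewhere in OVS, I would describe it as `--ovn-controller-ssl-bootstrap-ca-cert=CERT File in which to store the Southbound CA certificate, fetched unauthenticated from the server on the first connection if the file does not yet exist (trust-on-first-use); use instead of --ovn-controller-ssl-ca-cert`. The same wording belongs in the ovn-ctl.8.xml entry added in this patch, which currently lists only the option name.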
diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
index c4884f8..7b090ae 100644
--- a/ovn/utilities/ovn-ctl.8.xml
+++ b/ovn/utilities/ovn-ctl.8.xml
@@ -48,6 +48,7 @@ 
     <p><code>--ovn-controller-ssl-key=<var>KEY</var></code></p>
     <p><code>--ovn-controller-ssl-cert=<var>CERT</var></code></p>
     <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
+    <p><code>--ovn-controller-ssl-bootstrap-ca-cert=<var>CERT</var></code></p>
 
     <h1>Address and port options</h1>
     <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>