From patchwork Thu May 13 22:46:13 2021
X-Patchwork-Submitter: Han Zhou
X-Patchwork-Id: 1478246
(UTC) X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp4.osuosl.org ([127.0.0.1]) by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OAJ5k2leiMzZ for ; Thu, 13 May 2021 22:46:30 +0000 (UTC) X-Greylist: domain auto-whitelisted by SQLgrey-1.8.0 Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [217.70.183.194]) by smtp4.osuosl.org (Postfix) with ESMTPS id 04DE241835 for ; Thu, 13 May 2021 22:46:29 +0000 (UTC) X-Originating-IP: 216.228.112.22 Received: from localhost.localdomain.com (thunderhill.nvidia.com [216.228.112.22]) (Authenticated sender: hzhou@ovn.org) by relay2-d.mail.gandi.net (Postfix) with ESMTPSA id 93B4B4000A; Thu, 13 May 2021 22:46:27 +0000 (UTC) From: Han Zhou To: dev@openvswitch.org Date: Thu, 13 May 2021 15:46:13 -0700 Message-Id: <20210513224614.1878220-4-hzhou@ovn.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210513224614.1878220-1-hzhou@ovn.org> References: <20210513224614.1878220-1-hzhou@ovn.org> MIME-Version: 1.0 Subject: [ovs-dev] [PATCH ovn 4/5] ovn-ic: Support ssl cert rotation. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" Update SSL in the main loop so that updated pki files can be reapplied. Signed-off-by: Han Zhou --- ic/ovn-ic.c | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c index 18e37a31f..dec29fcfd 100644 --- a/ic/ovn-ic.c +++ b/ic/ovn-ic.c @@ -80,6 +80,11 @@ static const char *ovn_ic_nb_db; static const char *ovn_ic_sb_db; static const char *unixctl_path; +/* SSL options */ +static const char *ssl_private_key_file; +static const char *ssl_certificate_file; +static const char *ssl_ca_cert_file; + static void usage(void) 
@@ -1519,7 +1524,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) switch (c) { OVN_DAEMON_OPTION_HANDLERS; VLOG_OPTION_HANDLERS; - STREAM_SSL_OPTION_HANDLERS; + + case 'p': + ssl_private_key_file = optarg; + break; + + case 'c': + ssl_certificate_file = optarg; + break; + + case 'C': + ssl_ca_cert_file = optarg; + break; case 'd': ovnsb_db = optarg; @@ -1585,6 +1601,16 @@ add_column_noalert(struct ovsdb_idl *idl, ovsdb_idl_omit_alert(idl, column); } +static void +update_ssl_config(void) +{ + if (!ssl_private_key_file || !ssl_certificate_file || !ssl_ca_cert_file) { + return; + } + stream_ssl_set_key_and_cert(ssl_private_key_file, ssl_certificate_file); + stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false); +} + int main(int argc, char *argv[]) { @@ -1655,6 +1681,7 @@ main(int argc, char *argv[]) state.had_lock = false; state.paused = false; while (!exiting) { + update_ssl_config(); memory_run(); if (memory_should_report()) { struct simap usage = SIMAP_INITIALIZER(&usage);
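Review bot: In the parse_options() hunk, dropping STREAM_SSL_OPTION_HANDLERS and reinstating only the 'p', 'c' and 'C' cases leaves any other option that macro used to handle (in OVS's stream-ssl.h it also covers the --ssl-protocols and --ssl-ciphers cases) with no matching case, so if long_options still includes STREAM_SSL_LONG_OPTIONS those flags would now reach the switch's default branch. Either keep those cases alongside the three new ones (they can still call stream_ssl_set_protocols()/stream_ssl_set_ciphers() directly, since protocol and cipher settings have no file to rotate) or remove the corresponding long options so the supported flag set and the handled flag set match.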
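Review bot: In update_ssl_config(), the early return when any one of ssl_private_key_file, ssl_certificate_file or ssl_ca_cert_file is unset is an all-or-nothing check that changes behaviour compared with the removed macro, which applied each file as soon as its option was parsed; a command line that passes only two of the three flags now silently configures no SSL at all. Suggest emitting a VLOG_WARN_ONCE() in that branch when at least one of the three is set, so an operator who mistyped one flag gets a log line instead of unexplained connection failures. A short comment above the function noting that it is called every main-loop iteration and relies on stream_ssl_set_key_and_cert()/stream_ssl_set_ca_cert_file() detecting unchanged files rather than re-reading them each time would also document why this is cheap enough to run per iteration.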
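Review bot: In the main() hunk, the new update_ssl_config() call is now the only place the SSL files get applied, since parse_options() just records the paths; that is correct for the first iteration because it runs before the first ovsdb_idl_run(), but anything between parse_options() and the loop that opens an ssl: stream would run with SSL unconfigured. Nothing in the visible context does, so a one-line comment on the call ("applies the initial SSL configuration and picks up rotated key/cert/CA files") would make the ordering dependency explicit for the next person who adds setup code before the loop.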