
[ovs-dev,5/5] ovn-nbctl: Support ssl cert rotation for daemon mode.

Message ID 20210513224614.1878220-5-hzhou@ovn.org
State Superseded
Series [ovs-dev,1/5] ovn-controller: Support ssl cert rotation when command line options are used. | expand

Commit Message

Han Zhou May 13, 2021, 10:46 p.m. UTC
Update SSL in the server_loop so that updated pki files can be reapplied.

Signed-off-by: Han Zhou <hzhou@ovn.org>
---
 utilities/ovn-nbctl.c | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

Patch

diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c
index 48fd0b7ee..290b4d30d 100644
--- a/utilities/ovn-nbctl.c
+++ b/utilities/ovn-nbctl.c
@@ -57,6 +57,11 @@  static bool oneline;
 /* --dry-run: Do not commit any changes. */
 static bool dry_run;
 
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 /* --wait=TYPE: Wait for configuration change to take effect? */
 enum nbctl_wait_type {
     NBCTL_WAIT_NONE,            /* Do not wait. */
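Review bot: The `/* SSL options */` comment on the three new statics is terser than the neighbouring option comments (`/* --dry-run: ... */`) and does not say how these differ from the old handlers, which applied each file immediately. Since the values are now only recorded here and applied later (and repeatedly) by update_ssl_config(), a reader needs that link; suggest `/* -p, -c, -C: SSL key, certificate and CA certificate file names, saved here and (re)applied by update_ssl_config() so that rotated files take effect. */`. Presumably the pointers alias the argv strings for the life of the process, which is fine for a long-running daemon but worth stating if that assumption holds.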
@@ -549,6 +554,16 @@  add_local_option(const char *name, const char *arg,
     return NULL;
 }
 
+static void
+update_ssl_config(void)
+{
+    if (!ssl_private_key_file || !ssl_certificate_file || !ssl_ca_cert_file) {
+        return;
+    }
+    stream_ssl_set_key_and_cert(ssl_private_key_file, ssl_certificate_file);
+    stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+}
+
 static void
 apply_options_direct(const struct ovs_cmdl_parsed_option *parsed_options,
                      size_t n, struct shash *local_options)
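Review bot: The early return in update_ssl_config() requires all three files, which is a behaviour change from the removed STREAM_SSL_OPTION_HANDLERS: those applied -p, -c and -C independently, so an invocation with -p and -c but without -C (for example when the CA is obtained via OPT_BOOTSTRAP_CA_CERT, visible later in this file) previously loaded the key and certificate and now applies nothing. Because update_ssl_config() is now the only path that applies the SSL files (it is called from apply_options_direct() and server_loop() in the later hunks), that combination would leave SSL unconfigured instead of merely unverified. Applying the key/cert pair and the CA file independently keeps the old semantics while still re-reading rotated files on each call.
```c
static void
update_ssl_config(void)
{
    /* Key and certificate are set together; the CA file is independent so
     * that -p/-c without -C (e.g. with --bootstrap-ca-cert) still works. */
    if (ssl_private_key_file && ssl_certificate_file) {
        stream_ssl_set_key_and_cert(ssl_private_key_file,
                                    ssl_certificate_file);
    }
    if (ssl_ca_cert_file) {
        stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
    }
}
```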
@@ -621,7 +636,18 @@  apply_options_direct(const struct ovs_cmdl_parsed_option *parsed_options,
         OVN_DAEMON_OPTION_HANDLERS
         VLOG_OPTION_HANDLERS
         TABLE_OPTION_HANDLERS(&table_style)
-        STREAM_SSL_OPTION_HANDLERS
+
+        case 'p':
+            ssl_private_key_file = optarg;
+            break;
+
+        case 'c':
+            ssl_certificate_file = optarg;
+            break;
+
+        case 'C':
+            ssl_ca_cert_file = optarg;
+            break;
 
         case OPT_BOOTSTRAP_CA_CERT:
             stream_ssl_set_ca_cert_file(po->arg, true);
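Review bot: The three new cases read getopt's global `optarg`, while the adjacent OPT_BOOTSTRAP_CA_CERT case reads `po->arg` from the parsed option being handled. The removed STREAM_SSL_OPTION_HANDLERS macro also used `optarg`, so this is presumably equivalent if the loop assigns `optarg` from `po->arg` before the switch (that part of apply_options_direct() is outside the hunk); if it does not, `optarg` would be whatever the last getopt call left behind. Since these are now open-coded cases rather than a shared macro, reading `po->arg` directly, e.g. `ssl_private_key_file = po->arg;`, removes the dependency on the global and matches the surrounding style.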
@@ -641,6 +667,7 @@  apply_options_direct(const struct ovs_cmdl_parsed_option *parsed_options,
     if (!db) {
         db = default_nb_db();
     }
+    update_ssl_config();
 }
 
 static void
@@ -6956,6 +6983,7 @@  server_loop(struct ovsdb_idl *idl, int argc, char *argv[])
     server_cmd_init(idl, &exiting);
 
     for (;;) {
+        update_ssl_config();
         memory_run();
         if (memory_should_report()) {
             struct simap usage = SIMAP_INITIALIZER(&usage);
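Review bot: The update_ssl_config() call at the top of the `for (;;)` loop has no comment explaining why configuration is re-applied on every iteration, which a later reader may mistake for redundant work and remove. Suggest `/* Re-apply the SSL key, certificate and CA files each pass so that rotated files are picked up without restarting the daemon. */`. Note that the stream-ssl layer is presumably what detects changed files by comparing names and modification times, so each pass costs a stat of the configured files; if the loop is hot, rate-limiting this call may be worth considering. The enclosing server_loop() continues past the hunk.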