From patchwork Tue Oct  9 11:00:45 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: aginwala aginwala <amginwal@gmail.com>
X-Patchwork-Id: 981535
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=openvswitch.org
	(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;
	envelope-from=ovs-dev-bounces@openvswitch.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="PwD5phbz"; dkim-atps=neutral
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
	[140.211.169.12])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 42VBKB1gRVz9s8r
	for <incoming@patchwork.ozlabs.org>;
	Wed, 10 Oct 2018 09:11:42 +1100 (AEDT)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
	by mail.linuxfoundation.org (Postfix) with ESMTP id 37AE0B92;
	Tue,  9 Oct 2018 22:11:39 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 7A3ECB69
	for <dev@openvswitch.org>; Tue,  9 Oct 2018 22:11:37 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pf1-f193.google.com (mail-pf1-f193.google.com
	[209.85.210.193])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 1110D815
	for <dev@openvswitch.org>; Tue,  9 Oct 2018 22:11:36 +0000 (UTC)
Received: by mail-pf1-f193.google.com with SMTP id u12-v6so1531236pfn.12
	for <dev@openvswitch.org>; Tue, 09 Oct 2018 15:11:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id;
	bh=GxYQ8YU6UlPof4DWQjcnghpcu6W8HRyVyF10/83gGJQ=;
	b=PwD5phbzg5tvVkyqSaybfSLxH9QfEArT1ozLIEFXRbeoQ2zuD/xWBr2UYmVrbQqV8V
	xlZhNGxpazt3R/LS5MuTdkHgJjwInR+HomI5NUNtEN98zUkQjBXE8Eo2h0Iw74LqVPlO
	oZQXD2i7bzqh9In5vLfSylSwewcsWb+oGA0KoSmRxczxhWjbNxMd55Mt925768+lgRU2
	ecMXEtZ93WF9eo6eLKIe3PAJuXdns21+eIoKaSbAm8yDTUuLytTlhRZDOjne1Ispof+a
	oLAaVVMRTOvDqJIHZy3M5BwqT0EfEaSol46/loRNSM8xe9wJuGA23q3r+qKGGVFs07OY
	LLMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=GxYQ8YU6UlPof4DWQjcnghpcu6W8HRyVyF10/83gGJQ=;
	b=VM1myZlKf7I+FZ8B0vEVTZ9iL8WThgwLK2FaN18txF4C0pLogZizCH3rUW6zuBYVVB
	0Znk318jL+o8rfOqI/yysjuLXBImCpeOyO/rfIcsxj4ldW8PJMRvV5jfA+gSOvBU+/GK
	IFdlzEg24gOvghOIDc4uCHvbge2r58EbmHlyq6zjycrFekqtRmsyv+L4EJkSxLSictAR
	gxNp7gDo6rvkhfObZXOdlnMf85G+rBQdy96tuORBExOJiEas9QTyZ03+daB4mXnixpcU
	m/sD1EVQBR1lcbDpssqnEwxCwDy2h1q4Fc8swZGCBHmq4dYH2si/lBOyOat8vHdHVAMB
	zsrg==
X-Gm-Message-State: ABuFfoi5/c0TggKGfT5lmfpQfe/2B5iQVs8ZrK0bP5p3TUOZuoVAFHNX
	28LdWWi3H0BCZR9UZf5CBglf1zlJ
X-Google-Smtp-Source: 
 ACcGV61v4AlJhl6mactYm71FjwJMSVmktGVBLIRjNVQvAPrdWNoW+lmc8JjRd5FDh7Oby0JP454amA==
X-Received: by 2002:a62:579c:: with SMTP id
	i28-v6mr32311659pfj.158.1539123096296;
	Tue, 09 Oct 2018 15:11:36 -0700 (PDT)
Received: from ubuntu.corp.ebay.com ([216.113.160.77])
	by smtp.gmail.com with ESMTPSA id
	u124-v6sm44225006pgc.0.2018.10.09.15.11.34
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 09 Oct 2018 15:11:35 -0700 (PDT)
From: aginwala <amginwal@gmail.com>
X-Google-Original-From: aginwala <aginwala@ebay.com>
To: dev@openvswitch.org
Date: Tue,  9 Oct 2018 04:00:45 -0700
Message-Id: <1539082846-29711-1-git-send-email-aginwala@ebay.com>
X-Mailer: git-send-email 1.9.1
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00, DATE_IN_PAST_06_12,
	DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: aginwala <aginwala@ebay.com>
Subject: [ovs-dev] [PATCH v3 1/2] ovn-ctl: Allow passing ssl certs when
	starting OVN DBs in ssl mode.
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
MIME-Version: 1.0
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org

For OVN DBs to work with SSL in HA, we need to have capability to pass ssl
certs when starting OVN DBs. Say when starting OVN DBs in active passive mode,
in order for the standby DBs to sync from master node, it cannot sync
because the required ssl certs are not passed when standby DBs are initialized.
Hence, we need to have this option.

e.g. start nb db with ssl certs as below:
/usr/share/openvswitch/scripts/ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem \
--ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem \
--ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem \
--db-nb-create-insecure-remote=no start_nb_ovsdb

When certs are passed in the command line, it will read certs from the path
mentioned instead of default db configs.

Certs can be generated based on ovs ssl docs:
http://docs.openvswitch.org/en/latest/howto/ssl/

Signed-off-by: aginwala <aginwala@ebay.com>
Acked-by: Han Zhou <hzhou8@ebay.com>
---
 ovn/utilities/ovn-ctl       | 41 ++++++++++++++++++++++++++++++++++++++---
 ovn/utilities/ovn-ctl.8.xml | 14 ++++++++++++++
 2 files changed, 52 insertions(+), 3 deletions(-)

diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
index 3ff0df6..d71071a 100755
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@@ -116,6 +116,9 @@ start_ovsdb__() {
     local addr
     local active_conf_file
     local use_remote_in_db
+    local ovn_db_ssl_key
+    local ovn_db_ssl_cert
+    local ovn_db_ssl_cacert
     eval pid=\$DB_${DB}_PID
     eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
     eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
@@ -137,6 +140,9 @@ start_ovsdb__() {
     eval addr=\$DB_${DB}_ADDR
     eval active_conf_file=\$ovn${db}_active_conf_file
     eval use_remote_in_db=\$DB_${DB}_USE_REMOTE_IN_DB
+    eval ovn_db_ssl_key=\$OVN_${DB}_DB_SSL_KEY
+    eval ovn_db_ssl_cert=\$OVN_${DB}_DB_SSL_CERT
+    eval ovn_db_ssl_cacert=\$OVN_${DB}_DB_SSL_CA_CERT
 
     # Check and eventually start ovsdb-server for DB
     if pidfile_is_running $pid; then
@@ -183,9 +189,23 @@ $cluster_remote_port
     if test X"$use_remote_in_db" != Xno; then
         set "$@" --remote=db:$schema_name,$table_name,connections
     fi
-    set "$@" --private-key=db:$schema_name,SSL,private_key
-    set "$@" --certificate=db:$schema_name,SSL,certificate
-    set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
+
+    if test X"$ovn_db_ssl_key" != X; then
+        set "$@" --private-key=$ovn_db_ssl_key
+    else
+        set "$@" --private-key=db:$schema_name,SSL,private_key
+    fi
+    if test X"$ovn_db_ssl_cert" != X; then
+        set "$@" --certificate=$ovn_db_ssl_cert
+    else
+        set "$@" --certificate=db:$schema_name,SSL,certificate
+    fi
+    if test X"$ovn_db_ssl_cacert" != X; then
+        set "$@" --ca-cert=$ovn_db_ssl_cacert
+    else
+        set "$@" --ca-cert=db:$schema_name,SSL,ca_cert
+    fi
+
     set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols
     set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
 
@@ -481,6 +501,15 @@ set_defaults () {
     OVN_NORTHD_SB_DB="unix:$DB_SB_SOCK"
     DB_NB_USE_REMOTE_IN_DB="yes"
     DB_SB_USE_REMOTE_IN_DB="yes"
+
+    OVN_NB_DB_SSL_KEY=""
+    OVN_NB_DB_SSL_CERT=""
+    OVN_NB_DB_SSL_CA_CERT=""
+
+    OVN_SB_DB_SSL_KEY=""
+    OVN_SB_DB_SSL_CERT=""
+    OVN_SB_DB_SSL_CA_CERT=""
+
 }
 
 set_option () {
@@ -536,6 +565,12 @@ Options:
   --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
   --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
   --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file
+  --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL private key file
+  --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL certificate file
+  --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL CA certificate file
+  --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL private key file
+  --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL certificate file
+  --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL CA certificate file
   --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases should be
                                    automatically started and stopped along
                                    with ovn-northd. The default is "yes". If
diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
index 3b0e67a..c5294d7 100644
--- a/ovn/utilities/ovn-ctl.8.xml
+++ b/ovn/utilities/ovn-ctl.8.xml
@@ -198,4 +198,18 @@
           start_northd
       </code>
     </p>
+
+    <h2>Passing ssl keys when starting OVN dbs will supercede the default ssl values in db</h2>
+    <h3>Starting standalone ovn db server passing SSL certificates</h3>
+    <p>
+      <code>
+        # ovn-ctl --ovn-nb-db-ssl-key=/etc/openvswitch/ovnnb-privkey.pem
+          --ovn-nb-db-ssl-cert=/etc/openvswitch/ovnnb-cert.pem
+          --ovn-nb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
+          --ovn-sb-db-ssl-key=/etc/openvswitch/ovnsb-privkey.pem
+          --ovn-sb-db-ssl-cert=/etc/openvswitch/ovnsb-cert.pem
+          --ovn-sb-db-ssl-ca-cert=/etc/openvswitch/cacert.pem
+           start_northd
+      </code>
+    </p>
 </manpage>

From patchwork Tue Oct  9 11:00:46 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: aginwala aginwala <amginwal@gmail.com>
X-Patchwork-Id: 981536
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=pass (mailfrom) smtp.mailfrom=openvswitch.org
	(client-ip=140.211.169.12; helo=mail.linuxfoundation.org;
	envelope-from=ovs-dev-bounces@openvswitch.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org;
	dmarc=fail (p=none dis=none) header.from=gmail.com
Authentication-Results: ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
	unprotected) header.d=gmail.com header.i=@gmail.com
	header.b="Z2WiZh3z"; dkim-atps=neutral
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
	[140.211.169.12])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 42VBKg2dgZz9s8r
	for <incoming@patchwork.ozlabs.org>;
	Wed, 10 Oct 2018 09:12:07 +1100 (AEDT)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
	by mail.linuxfoundation.org (Postfix) with ESMTP id DA13DC00;
	Tue,  9 Oct 2018 22:11:40 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id E4716B88
	for <dev@openvswitch.org>; Tue,  9 Oct 2018 22:11:39 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pg1-f194.google.com (mail-pg1-f194.google.com
	[209.85.215.194])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 83EFF80D
	for <dev@openvswitch.org>; Tue,  9 Oct 2018 22:11:39 +0000 (UTC)
Received: by mail-pg1-f194.google.com with SMTP id f18-v6so1497326pgv.3
	for <dev@openvswitch.org>; Tue, 09 Oct 2018 15:11:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=from:to:cc:subject:date:message-id:in-reply-to:references;
	bh=7MB6eaKXLi29BDWD84EOLLz22vCZ4iKJt9NvX7jFxUU=;
	b=Z2WiZh3zFgo6dVxevEB2Aqp3ITg/S9XLqkTTX5ri8po3h9qiGzwj+Reuni3KQCbUHN
	mF7mbKHk62Ka1eY7GFpU5OKy+YVjABpF1yxrQXvCX4OwbsjaTFoNPUtf1fWq4WX/eU7L
	1KOB1vkVGHPRVMntgih2tNQQrDdIbJcyqMxZH73Wb4OdSeJgm2lv/krnUnbm52cfsKQi
	T+pQ7niric9UkPDlC/XZuNK7FMi8MgaOntZC03NYR1NDjNT2id5d13Amfxz9a0ENTeY3
	Zv4DQoYsmygesZ4n6LZ0X2pXzom42rTASkchi06giFx9jiunkuNHZfZaQnUvWGLXaOY1
	rxPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=7MB6eaKXLi29BDWD84EOLLz22vCZ4iKJt9NvX7jFxUU=;
	b=eCOECpWQomwNA9niUusnC5ZUw3cll6URKJBLFLYiMoRb1DcPIQdDcSi7B8d6a8aLLs
	lJQ8aA8qVNvdXQA6PYm1NIySmb07BteMY7XNvDodrBcnA3VzSZYgrJK4UglJ2zNdW1rx
	svx+M/y4kld6Q2ByE3Ds1ZEhk2WCVwHRY5r5IMA+ye9ORN9p0Ys7tkpBV48+jA+iCwdi
	TbxtKecuop+6CVfNn5dQrrmGA29z9M5R8N5Se+HL1bUZPo3MjIFXVVYkzraO35TzFhI2
	RfAhFXRvsN/+L7WvBay3/yNppHuRMjRe3sQmrdtFpVcWu9ha38nmalQYRYzduSIxIqq2
	f+Lw==
X-Gm-Message-State: ABuFfojpFF9nodM35HFo7Xzm0gC4lCT/6u0Zk8UUyLkLuJQI7VH5Ei8F
	HfauuAerQy3gG0nVkOIiTBTHevwu
X-Google-Smtp-Source: 
 ACcGV63qOvH1E/s/TAPDaxj1LFLJ8M+6y+H/iIv00YLUIkJxnpAPu+70CsCUfBPJeHcCI3uMcv+muA==
X-Received: by 2002:a63:5fc5:: with SMTP id
	t188-v6mr27206273pgb.346.1539123098742;
	Tue, 09 Oct 2018 15:11:38 -0700 (PDT)
Received: from ubuntu.corp.ebay.com ([216.113.160.77])
	by smtp.gmail.com with ESMTPSA id
	u124-v6sm44225006pgc.0.2018.10.09.15.11.37
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Tue, 09 Oct 2018 15:11:38 -0700 (PDT)
From: aginwala <amginwal@gmail.com>
X-Google-Original-From: aginwala <aginwala@ebay.com>
To: dev@openvswitch.org
Date: Tue,  9 Oct 2018 04:00:46 -0700
Message-Id: <1539082846-29711-2-git-send-email-aginwala@ebay.com>
X-Mailer: git-send-email 1.9.1
In-Reply-To: <1539082846-29711-1-git-send-email-aginwala@ebay.com>
References: <1539082846-29711-1-git-send-email-aginwala@ebay.com>
X-Spam-Status: No, score=-0.5 required=5.0 tests=BAYES_00, DATE_IN_PAST_06_12,
	DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM,
	RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: aginwala <aginwala@ebay.com>
Subject: [ovs-dev] [PATCH v3 2/2] ovndb-servers.ocf: Add ssl support for
	managing OVN DB resources with pacemaker using LB VIP.
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
MIME-Version: 1.0
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org

When starting OVN DBs in HA using pacemaker with ssl, we need to pass ssl
certs for starting standby DBs. Hence, we need this change.

Signed-off-by: aginwala <aginwala@ebay.com>
Acked-by: Han Zhou <hzhou8@ebay.com>
Acked-by: Numan Siddique <nusiddiq@redhat.com>
---
 ovn/utilities/ovndb-servers.ocf | 72 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 71 insertions(+), 1 deletion(-)

diff --git a/ovn/utilities/ovndb-servers.ocf b/ovn/utilities/ovndb-servers.ocf
index 52141c7..1031330 100755
--- a/ovn/utilities/ovndb-servers.ocf
+++ b/ovn/utilities/ovndb-servers.ocf
@@ -10,6 +10,12 @@
 : ${MANAGE_NORTHD_DEFAULT="no"}
 : ${INACTIVE_PROBE_DEFAULT="5000"}
 : ${LISTEN_ON_MASTER_IP_ONLY_DEFAULT="yes"}
+: ${NB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnnb-privkey.pem"}
+: ${NB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnnb-cert.pem"}
+: ${NB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
+: ${SB_SSL_KEY_DEFAULT="/etc/openvswitch/ovnsb-privkey.pem"}
+: ${SB_SSL_CERT_DEFAULT="/etc/openvswitch/ovnsb-cert.pem"}
+: ${SB_SSL_CACERT_DEFAULT="/etc/openvswitch/cacert.pem"}
 
 CRM_MASTER="${HA_SBIN_DIR}/crm_master -l reboot"
 CRM_ATTR_REPL_INFO="${HA_SBIN_DIR}/crm_attribute --type crm_config --name OVN_REPL_INFO -s ovn_ovsdb_master_server"
@@ -21,6 +27,13 @@ SB_MASTER_PORT=${OCF_RESKEY_sb_master_port:-${SB_MASTER_PORT_DEFAULT}}
 SB_MASTER_PROTO=${OCF_RESKEY_sb_master_protocol:-${SB_MASTER_PROTO_DEFAULT}}
 MANAGE_NORTHD=${OCF_RESKEY_manage_northd:-${MANAGE_NORTHD_DEFAULT}}
 INACTIVE_PROBE=${OCF_RESKEY_inactive_probe_interval:-${INACTIVE_PROBE_DEFAULT}}
+NB_PRIVKEY=${OCF_RESKEY_ovn_nb_db_privkey:-${NB_SSL_KEY_DEFAULT}}
+NB_CERT=${OCF_RESKEY_ovn_nb_db_cert:-${NB_SSL_CERT_DEFAULT}}
+NB_CACERT=${OCF_RESKEY_ovn_nb_db_cacert:-${NB_SSL_CACERT_DEFAULT}}
+SB_PRIVKEY=${OCF_RESKEY_ovn_sb_db_privkey:-${SB_SSL_KEY_DEFAULT}}
+SB_CERT=${OCF_RESKEY_ovn_sb_db_cert:-${SB_SSL_CERT_DEFAULT}}
+SB_CACERT=${OCF_RESKEY_ovn_sb_db_cacert:-${SB_SSL_CACERT_DEFAULT}}
+
 
 # In order for pacemaker to work with LB, we can set LISTEN_ON_MASTER_IP_ONLY
 # to false and pass LB vip IP while creating pcs resource.
@@ -132,6 +145,54 @@ ovsdb_server_metadata() {
   <content type="string" />
   </parameter>
 
+  <parameter name="ovn_nb_db_privkey" unique="1">
+  <longdesc lang="en">
+  OVN NB DB private key absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN NB DB private key file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_nb_db_cert" unique="1">
+  <longdesc lang="en">
+  OVN NB DB certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN NB DB cert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_nb_db_cacert" unique="1">
+  <longdesc lang="en">
+  OVN NB DB CA certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN NB DB cacert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_sb_db_privkey" unique="1">
+  <longdesc lang="en">
+  OVN SB DB private key absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN SB DB private key file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_sb_db_cert" unique="1">
+  <longdesc lang="en">
+  OVN SB DB certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN SB DB cert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
+  <parameter name="ovn_sb_db_cacert" unique="1">
+  <longdesc lang="en">
+  OVN SB DB CA certificate absolute path for ssl setup.
+  </longdesc>
+  <shortdesc lang="en">OVN SB DB cacert file</shortdesc>
+  <content type="string" />
+  </parameter>
+
   </parameters>
 
   <actions>
@@ -326,6 +387,16 @@ ovsdb_server_start() {
        set $@ --db-sb-addr=${MASTER_IP} --db-sb-port=${SB_MASTER_PORT}
     fi
 
+    if [ "x${NB_MASTER_PROTO}" = xssl ]; then
+            set $@ --ovn-nb-db-ssl-key=${NB_PRIVKEY}
+            set $@ --ovn-nb-db-ssl-cert=${NB_CERT}
+            set $@ --ovn-nb-db-ssl-ca-cert=${NB_CACERT}
+    fi
+    if [ "x${SB_MASTER_PROTO}" = xssl ]; then
+            set $@ --ovn-sb-db-ssl-key=${SB_PRIVKEY}
+            set $@ --ovn-sb-db-ssl-cert=${SB_CERT}
+            set $@ --ovn-sb-db-ssl-ca-cert=${SB_CACERT}
+    fi
     if [ "x${present_master}" = x ]; then
         # No master detected, or the previous master is not among the
         # set starting.
@@ -343,7 +414,6 @@ ovsdb_server_start() {
         set $@ --db-nb-sync-from-addr=${INVALID_IP_ADDRESS} --db-sb-sync-from-addr=${INVALID_IP_ADDRESS}
 
     elif [ ${present_master} != ${host_name} ]; then
-        # TODO: for using LB vip, need to test for ssl.
         if [ "x${LISTEN_ON_MASTER_IP_ONLY}" = xyes ]; then
             if [ "x${NB_MASTER_PROTO}" = xtcp ]; then
                 set $@ --db-nb-create-insecure-remote=yes