[ovs-dev] [PATCH] ovn-controller: enable ssl config via local ovsdb

Lance Richardson lrichard at redhat.com
Tue Mar 28 14:55:30 UTC 2017


Allow ovn-controller to use SSL certificate and key configuration
from local ovsdb. With this change, SSL configuration from the
vswitchd database will be used if present, otherwise configuration
can still be specified from the command line.

If SSL configuration is present in both locations, the configuration
in the local ovsdb has precedence. This is consistent with how
vswitchd is currently implemented.

The existing ovs-vsctl get-ssl/set-ssl/del-ssl commands can be used
to manage the configuration in the vswitchd database.

Signed-off-by: Lance Richardson <lrichard at redhat.com>
---
 ovn/controller/ovn-controller.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/ovn/controller/ovn-controller.c b/ovn/controller/ovn-controller.c
index a36973a..e00f57a 100644
--- a/ovn/controller/ovn-controller.c
+++ b/ovn/controller/ovn-controller.c
@@ -283,6 +283,17 @@ addr_sets_init(struct controller_ctx *ctx, struct shash *addr_sets)
     }
 }
 
+static void
+update_ssl_config(const struct ovsdb_idl *ovs_idl)
+{
+    const struct ovsrec_ssl *ssl = ovsrec_ssl_first(ovs_idl);
+
+    if (ssl) {
+        stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
+        stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
+    }
+}
+
 /* Retrieves the OVN Southbound remote location from the
  * "external-ids:ovn-remote" key in 'ovs_idl' and returns a copy of it. */
 static char *
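Review bot: update_ssl_config() has no else branch, so once an SSL row has been applied, deleting it later (ovs-vsctl del-ssl) leaves the last database key, certificate and CA paths in effect instead of falling back to the command-line values the commit message describes; the stated precedence holds only at the moment a row exists. Using ovsrec_ssl_first() also applies whichever SSL row happens to come first rather than the row the Open_vSwitch table's `ssl` column references, and following that reference would additionally require registering that column in the main() hunk below. A header comment would make the contract explicit, e.g. `/* Applies key, certificate and CA settings from the local database's SSL table when a row exists. Overrides any command-line SSL options and is not reverted if the row is removed. */`. Whether stream_ssl_set_key_and_cert() tolerates empty path strings in a partially filled row is not visible here and worth confirming.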
@@ -296,6 +307,7 @@ get_ovnsb_remote(struct ovsdb_idl *ovs_idl)
         if (cfg) {
             const char *remote = smap_get(&cfg->external_ids, "ovn-remote");
             if (remote) {
+                update_ssl_config(ovs_idl);
                 return xstrdup(remote);
             }
         }
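Review bot: The added update_ssl_config() call gives get_ovnsb_remote() a side effect of loading SSL configuration, but the function's header comment (visible at the end of the previous hunk) still describes it as a pure getter, and the load happens only on the path where an `ovn-remote` value is present. Presumably the intent is to have key and certificate in place before the Southbound connection is opened with an ssl: remote; if so, state it at the call site: `/* Load SSL configuration now so an ssl: Southbound remote can be opened. */`. get_ovnsb_remote() begins and ends outside this hunk.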
@@ -529,6 +541,11 @@ main(int argc, char *argv[])
     ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_bridge_col_fail_mode);
     ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_bridge_col_other_config);
     ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_bridge_col_external_ids);
+    ovsdb_idl_add_table(ovs_idl_loop.idl, &ovsrec_table_ssl);
+    ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_ssl_col_bootstrap_ca_cert);
+    ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_ssl_col_ca_cert);
+    ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_ssl_col_certificate);
+    ovsdb_idl_add_column(ovs_idl_loop.idl, &ovsrec_ssl_col_private_key);
     chassis_register_ovs_idl(ovs_idl_loop.idl);
     encaps_register_ovs_idl(ovs_idl_loop.idl);
     binding_register_ovs_idl(ovs_idl_loop.idl);
@@ -579,6 +596,8 @@ main(int argc, char *argv[])
 
         update_probe_interval(&ctx);
 
+        update_ssl_config(ctx.ovs_idl);
+
         /* Contains "struct local_datapath" nodes. */
         struct hmap local_datapaths = HMAP_INITIALIZER(&local_datapaths);
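Review bot: update_ssl_config(ctx.ovs_idl) now runs on every main-loop iteration; unless stream_ssl_set_key_and_cert() and stream_ssl_set_ca_cert_file() short-circuit when the paths are unchanged (I believe they track file modification times, but that is not visible here), this re-reads the key and certificate files on every pass. If they do not, gate the call on a change of ovsdb_idl_get_seqno() for the OVS IDL. A one-line comment such as `/* Pick up SSL changes made via ovs-vsctl set-ssl while running. */` would also document why the call is repeated here rather than done once at startup. main() begins and ends outside this hunk.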
 
-- 
2.7.4


