[ovs-dev] [PATCH ovn 2/5] ovn-northd: Support ssl cert rotation.

Han Zhou hzhou at ovn.org
Thu May 13 22:46:11 UTC 2021


Update the SSL configuration in the main loop so that updated PKI files can be reapplied.

Signed-off-by: Han Zhou <hzhou at ovn.org>
---
 northd/ovn-northd.c | 29 ++++++++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index f503ddd5e..4804093fd 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -107,6 +107,11 @@ static bool use_ct_inv_match = true;
 static int northd_probe_interval_nb = 0;
 static int northd_probe_interval_sb = 0;
 
+/* SSL options */
+static const char *ssl_private_key_file;
+static const char *ssl_certificate_file;
+static const char *ssl_ca_cert_file;
+
 #define MAX_OVN_TAGS 4096
 
 /* Pipeline stages. */
@@ -13978,7 +13983,18 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
         switch (c) {
         OVN_DAEMON_OPTION_HANDLERS;
         VLOG_OPTION_HANDLERS;
-        STREAM_SSL_OPTION_HANDLERS;
+
+        case 'p':
+            ssl_private_key_file = optarg;
+            break;
+
+        case 'c':
+            ssl_certificate_file = optarg;
+            break;
+
+        case 'C':
+            ssl_ca_cert_file = optarg;
+            break;
 
         case 'd':
             ovnsb_db = optarg;
@@ -14028,6 +14044,16 @@ add_column_noalert(struct ovsdb_idl *idl,
     ovsdb_idl_omit_alert(idl, column);
 }
 
+static void
+update_ssl_config(void)
+{
+    if (!ssl_private_key_file || !ssl_certificate_file || !ssl_ca_cert_file) {
+        return;
+    }
+    stream_ssl_set_key_and_cert(ssl_private_key_file, ssl_certificate_file);
+    stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
+}
+
 int
 main(int argc, char *argv[])
 {
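Review bot: The guard at the top of update_ssl_config() is all-or-nothing: if any one of the three files was not given, none of them is applied, so a northd started with only -p and -c (for instance when the CA certificate is supplied some other way) never installs its key and certificate at all, whereas the per-option handlers this series replaces applied each file independently. Checking the key/certificate pair and the CA file separately keeps the rotation behaviour without regressing partial configurations. The function also has no header comment; I would add `/* Re-applies the SSL key, certificate and CA files given on the command line.  Called on every main loop iteration so that rotated PKI files take effect without a restart. */`. This presumes stream_ssl_set_key_and_cert() and stream_ssl_set_ca_cert_file() are cheap to call repeatedly on unchanged files; that is not visible in this hunk and worth confirming before the call is left unconditional in the loop.
```c
static void
update_ssl_config(void)
{
    if (ssl_private_key_file && ssl_certificate_file) {
        stream_ssl_set_key_and_cert(ssl_private_key_file,
                                    ssl_certificate_file);
    }
    if (ssl_ca_cert_file) {
        stream_ssl_set_ca_cert_file(ssl_ca_cert_file, false);
    }
}
```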
@@ -14344,6 +14370,7 @@ main(int argc, char *argv[])
     state.paused = false;
 
     while (!exiting) {
+        update_ssl_config();
         memory_run();
         if (memory_should_report()) {
             struct simap usage = SIMAP_INITIALIZER(&usage);
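Review bot: The new update_ssl_config() call is the one line at the top of the loop whose purpose is not evident from its name alone, and nothing in the loop explains why an SSL setter runs on every iteration rather than once at startup. A one-line comment above it, `/* Re-apply the SSL key/cert/CA files so rotated certificates take effect without a restart. */`, would make the intent clear to anyone later tempted to hoist it out of the loop. The enclosing main() begins and ends outside the hunk.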
-- 
2.30.2


