[ovs-discuss] [OVN][SSL] replacing ssl key and certs file at runtime has no effect on ovn-controller connection
gmoodalbail at gmail.com
Fri Dec 11 17:54:07 UTC 2020
In ovn-kubernetes K8s CNI project we use SSL connections between
ovn-controller and OVN SB DB. Our goal is to rotate the
privateKey/signedCert used by ovn-controller very often. When the rotation
occurs, we want ovn-controller to redo the TLS handshake without dropping
the TCP connection or requiring an ovn-controller restart.
In ovn-controller code, I see that in the main loop we call
update_ssl_config(), which through a series of functions checks if SSL
files are modified, and if so, calls into OpenSSL library updating the SSL
context. At this point, the expectation is for ovn-controller to restart
the TLS handshake so that we are using new SSL keys/certs. However, we
don't see this happening.
I ran tcpdump on the ovn-controller side to check for TLS handshake
packets, but I didn't see any TLS related packets. With `stream_ssl` module
logging set to debug, I don't see any SSL control plane messages in
I also created certs with expiry time of 10mins using OVS-PKI and restarted
ovn-controller. My expectation was that after 10mins the SSL connection
should error out with certificates already expired. I don't see
that happening either. When I run the `ovn-sbctl` command using the
expired certs it obviously fails.
Looks to me that once the JSON-RPC session is created between
ovn-controller and OVN SB DB process, then nothing seems to re-trigger the
Are we missing something?