Expose missing --peer-ca-cert and SSL options in usage and manpages.

Signed-off-by: Dan Williams <[email protected]>
Signed-off-by: Ben Pfaff <[email protected]>

lib/automake.mk

@@ -476,6 +476,7 @@ EXTRA_DIST += \
 	lib/db-ctl-base.xml \
 	lib/ssl.xml \
 	lib/ssl-bootstrap.xml \
+	lib/ssl-peer-ca-cert.xml \
 	lib/table.xml \
 	lib/vlog.xml \
 	lib/unixctl.xml

lib/ssl-peer-ca-cert.xml

@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dl>
+  <dt><code>--peer-ca-cert=</code><var>peer-cacert.pem</var></dt>
+  <dd>
+    <p>
+      Specifies a PEM file that contains one or more additional certificates
+      to send to SSL peers.  <var>peer-cacert.pem</var> should be the CA
+      certificate used to sign the program's own certificate, that is, the
+      certificate specified on <code>-c</code> or <code>--certificate</code>.
+      If the program's certificate is self-signed, then
+      <code>--certificate</code> and <code>--peer-ca-cert</code> should specify
+      the same file.
+    </p>
+    <p>
+      This option is not useful in normal operation, because the SSL peer
+      must already have the CA certificate for the peer to have any
+      confidence in the program's identity.  However, this offers a way for
+      a new installation to bootstrap the CA certificate on its first SSL
+      connection.
+    </p>
+  </dd>
+</dl>

manpages.mk

@@ -256,6 +256,7 @@ vswitchd/ovs-vswitchd.8: \
 	lib/netdev-dpdk-unixctl.man \
 	lib/service.man \
 	lib/ssl-bootstrap.man \
+	lib/ssl-peer-ca-cert.man \
 	lib/ssl.man \
 	lib/unixctl.man \
 	lib/vlog-unixctl.man \

ovn/controller-vtep/ovn-controller-vtep.8.xml

@@ -19,6 +19,15 @@
       database (see <code>vtep</code>(5)) over the OVSDB protocol.
     </p>
 
+    <h2>PKI Options</h2>
+    <p>
+      PKI configuration is required in order to use SSL for the connections to
+      the VTEP and Southbound databases.
+    </p>
+    <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-peer-ca-cert.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+
     <h1>Configuration</h1>
     <p>
       <code>ovn-controller-vtep</code> retrieves its configuration

ovn/controller-vtep/ovn-controller-vtep.c

@@ -254,7 +254,7 @@ Options:\n\
   -o, --options             list available options\n\
   -V, --version             display version information\n\
 ", program_name, program_name, default_db(), default_db());
-    stream_usage("database", true, false, false);
+    stream_usage("database", true, false, true);
     daemon_usage();
     vlog_usage();
     exit(EXIT_SUCCESS);

ovn/controller/ovn-controller.8.xml

@@ -43,6 +43,8 @@
       the Northbound and Southbound databases.
     </p>
     <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-peer-ca-cert.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
 
     <h2>Other Options</h2>
 

ovn/controller/ovn-controller.c

@@ -971,7 +971,7 @@ usage(void)
            "usage %s [OPTIONS] [OVS-DATABASE]\n"
            "where OVS-DATABASE is a socket on which the OVS OVSDB server is listening.\n",
                program_name, program_name);
-    stream_usage("OVS-DATABASE", true, false, false);
+    stream_usage("OVS-DATABASE", true, false, true);
     daemon_usage();
     vlog_usage();
     printf("\nOther options:\n"

utilities/ovs-vsctl.c

@@ -434,7 +434,7 @@ Options:\n\
     vlog_usage();
     printf("\
   --no-syslog             equivalent to --verbose=vsctl:syslog:warn\n");
-    stream_usage("database", true, true, false);
+    stream_usage("database", true, true, true);
     printf("\n\
 Other options:\n\
   -h, --help                  display this help message\n\

vswitchd/ovs-vswitchd.8.in

@@ -97,6 +97,7 @@ configuration.
 .SS "Public Key Infrastructure Options"
 .so lib/ssl.man
 .so lib/ssl-bootstrap.man
+.so lib/ssl-peer-ca-cert.man
 .SS "Logging Options"
 .so lib/vlog.man
 .SS "Other Options"