ovn-ctl: Add bootstrap ovn-controller CA certificate option.

ovn-controller accepts the option --bootstrap-ca-cert. With this commit, ovn-ctl will let user pass a value for that via --ovn-controller-ssl-bootstrap-ca-cert option. Bootstrapping is useful for ovn-controller as you don't have to copy the controller's certificate (self-signed or otherwise) to every host. Signed-off-by: Gurucharan Shetty <[email protected]> Acked-by: Ben Pfaff <[email protected]> Acked-by: Lance Richardson <[email protected]>
txj36 · Jan 18, 2017 · ea2d950 · ea2d950
1 parent cb99159
commit ea2d950
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 2 deletions.
diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
@@ -220,22 +220,36 @@ start_northd () {
 start_controller () {
     set ovn-controller "unix:$DB_SOCK"
     set "$@" $OVN_CONTROLLER_LOG
-    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+    if test X"$OVN_CONTROLLER_SSL_KEY" != X; then
         set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+    fi
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
         set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+    fi
+    if test X"$OVN_CONTROLLER_SSL_CA_CERT" != X; then
         set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
     fi
+    if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then
+        set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
 start_controller_vtep () {
     set ovn-controller-vtep "unix:$DB_SOCK"
     set "$@" -vconsole:emer -vsyslog:err -vfile:info
-    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
+    if test X"$OVN_CONTROLLER_SSL_KEY" != X; then
         set "$@" --private-key=$OVN_CONTROLLER_SSL_KEY
+    fi
+    if test X"$OVN_CONTROLLER_SSL_CERT" != X; then
         set "$@" --certificate=$OVN_CONTROLLER_SSL_CERT
+    fi
+    if test X"$OVN_CONTROLLER_SSL_CA_CERT" != X; then
         set "$@" --ca-cert=$OVN_CONTROLLER_SSL_CA_CERT
     fi
+    if test X"$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT" != X; then
+        set "$@" --bootstrap-ca-cert=$OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT
+    fi
     OVS_RUNDIR=${OVN_RUNDIR} start_daemon "$OVN_CONTROLLER_PRIORITY" "$OVN_CONTROLLER_WRAPPER" "$@"
 }
 
@@ -335,6 +349,7 @@ set_defaults () {
     OVN_CONTROLLER_SSL_KEY=""
     OVN_CONTROLLER_SSL_CERT=""
     OVN_CONTROLLER_SSL_CA_CERT=""
+    OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT=""
 
     DB_SB_CREATE_INSECURE_REMOTE="no"
     DB_NB_CREATE_INSECURE_REMOTE="no"
@@ -384,6 +399,7 @@ Options:
   --ovn-controller-ssl-key=KEY OVN Southbound SSL private key file
   --ovn-controller-ssl-cert=CERT OVN Southbound SSL certificate file
   --ovn-controller-ssl-ca-cert=CERT OVN Southbound SSL CA certificate file
+  --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL CA certificate file
   --ovn-manage-ovsdb=yes|no        Whether or not the OVN databases should be
                                    automatically started and stopped along
                                    with ovn-northd. The default is "yes". If

diff --git a/ovn/utilities/ovn-ctl.8.xml b/ovn/utilities/ovn-ctl.8.xml
@@ -48,6 +48,7 @@
     <p><code>--ovn-controller-ssl-key=<var>KEY</var></code></p>
     <p><code>--ovn-controller-ssl-cert=<var>CERT</var></code></p>
     <p><code>--ovn-controller-ssl-ca-cert=<var>CERT</var></code></p>
+    <p><code>--ovn-controller-ssl-bootstrap-ca-cert=<var>CERT</var></code></p>
 
     <h1>Address and port options</h1>
     <p><code>--db-nb-sync-from-addr=<var>IP ADDRESS</var></code></p>