Enhance OVN southbound database schema to allow SSL connection configuration to be stored and managed within the db.
Signed-off-by: Lance Richardson <[email protected]> --- ovn/ovn-sb.ovsschema | 21 ++++++++++++++++++--- ovn/ovn-sb.xml | 48 +++++++++++++++++++++++++++++++++++++++++++++++- 2 files changed, 65 insertions(+), 4 deletions(-) diff --git a/ovn/ovn-sb.ovsschema b/ovn/ovn-sb.ovsschema index 89342fe..0212a5e 100644 --- a/ovn/ovn-sb.ovsschema +++ b/ovn/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", "version": "1.9.0", - "cksum": "239060528 9012", + "cksum": "2240045372 9719", "tables": { "SB_Global": { "columns": { @@ -13,7 +13,11 @@ "type": {"key": {"type": "uuid", "refTable": "Connection"}, "min": 0, - "max": "unlimited"}}}, + "max": "unlimited"}}, + "ssl": { + "type": {"key": {"type": "uuid", + "refTable": "SSL"}, + "min": 0, "max": 1}}}, "maxRows": 1, "isRoot": true}, "Chassis": { @@ -183,4 +187,15 @@ "min": 0, "max": "unlimited"}, "ephemeral": true}}, - "indexes": [["target"]]}}} + "indexes": [["target"]]}, + "SSL": { + "columns": { + "private_key": {"type": "string"}, + "certificate": {"type": "string"}, + "ca_cert": {"type": "string"}, + "bootstrap_ca_cert": {"type": "boolean"}, + "external_ids": {"type": {"key": "string", + "value": "string", + "min": 0, + "max": "unlimited"}}}, + "maxRows": 1}}} diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml index 45c473c..1d17fef 100644 --- a/ovn/ovn-sb.xml +++ b/ovn/ovn-sb.xml @@ -169,6 +169,9 @@ connections should be configured. See the <ref table="Connection"/> table for more information. </column> + <column name="ssl"> + Global SSL configuration. + </column> </group> </table> @@ -2294,7 +2297,9 @@ tcp.flags = RST; <p> The specified SSL <var>port</var> on the host at the given <var>ip</var>, which must be expressed as an IP address - (not a DNS name). + (not a DNS name). A valid SSL configuration must be provided + when this form is used, this configuration can be specified + via command-line options or the <ref table="SSL"/> table. </p> <p> If <var>port</var> is not specified, it defaults to 6640. 
@@ -2330,6 +2335,9 @@ tcp.flags = RST; address, wrap in square brackets, e.g. <code>pssl:6640:[::1]</code>. If <var>ip</var> is not specified then it listens only on IPv4 (but not IPv6) addresses. + A valid SSL configuration must be provided when this form is used, + this can be specified either via command-line options or the + <ref table="SSL"/> table. </p> <p> If <var>port</var> is not specified, it defaults to 6640. 
@@ -2502,4 +2510,42 @@ tcp.flags = RST; <column name="other_config"/> </group> </table> + <table name="SSL"> + SSL configuration for ovn-sb database access. + + <column name="private_key"> + Name of a PEM file containing the private key used as the switch's + identity for SSL connections to the controller. + </column> + + <column name="certificate"> + Name of a PEM file containing a certificate, signed by the + certificate authority (CA) used by the controller and manager, + that certifies the switch's private key, identifying a trustworthy + switch. + </column> + + <column name="ca_cert"> + Name of a PEM file containing the CA certificate used to verify + that the switch is connected to a trustworthy controller. + </column> + + <column name="bootstrap_ca_cert"> + If set to <code>true</code>, then Open vSwitch will attempt to + obtain the CA certificate from the controller on its first SSL + connection and save it to the named PEM file. If it is successful, + it will immediately drop the connection and reconnect, and from then + on all SSL connections must be authenticated by a certificate signed + by the CA certificate thus obtained. <em>This option exposes the + SSL connection to a man-in-the-middle attack obtaining the initial + CA certificate.</em> It may still be useful for bootstrapping. + </column> + + <group title="Common Columns"> + The overall purpose of these columns is described under <code>Common + Columns</code> at the beginning of this document. + + <column name="external_ids"/> + </group> + </table> </database> -- 2.5.5 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
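Review bot: in the first ovn-sb.ovsschema hunk the schema "version" stays at "1.9.0" while only the "cksum" line changes; adding the SB_Global "ssl" column and the new "SSL" table is a schema change and the version should be bumped together with the checksum so that consumers can detect the new table. Also note that the "SSL" table is added without "isRoot": true, so an SSL row that is not referenced from SB_Global's "ssl" column is garbage-collected by ovsdb-server; that lifecycle is intended, but it deserves a sentence in the ovn-sb.xml description of the table so that operators know to set the reference rather than just inserting a row.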
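Review bot: the new "ssl" column description in the SB_Global section of ovn-sb.xml ("Global SSL configuration.") does not say where that configuration lives; mirror the adjacent "connections" column text and add a cross-reference, e.g. "Global SSL configuration. See the <ref table="SSL"/> table for more information."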
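Review bot: the added sentence in the ssl:port:ip hunk is a comma splice ("...must be provided when this form is used, this configuration can be specified via..."); split it, e.g. "A valid SSL configuration must be provided when this form is used. It can be specified via command-line options or the <ref table="SSL"/> table." It would also help the reader to name which command-line options are meant (the ovsdb-server --private-key, --certificate and --ca-cert options) rather than leaving "command-line options" unspecified.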
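Review bot: the pssl:port:ip hunk has the same comma splice as the ssl:port:ip one ("...must be provided when this form is used, this can be specified either via..."); use two sentences or a semicolon, and keep the wording identical in both places so the two descriptions do not drift apart.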
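Review bot: the SSL table descriptions in the last ovn-sb.xml hunk are copied from the Open vSwitch switch-to-controller context and are wrong for this database: "the switch's identity for SSL connections to the controller", "signed by the certificate authority (CA) used by the controller and manager", "identifying a trustworthy switch" and "verify that the switch is connected to a trustworthy controller" all refer to roles that do not exist here. For ovn-sb, private_key and certificate identify the ovsdb-server that serves the OVN_Southbound database, and ca_cert is the CA used to verify the peer (the clients such as ovn-controller and ovn-northd on a pssl: listener, or the remote server on an ssl: connection); reword accordingly. The bootstrap_ca_cert text has the same problem ("Open vSwitch will attempt to obtain the CA certificate from the controller"): bootstrapping only applies to the active ssl: form, where the local side fetches the peer's CA certificate on first connect, so the description should say that it has no effect for a pssl: listener and name ovsdb-server rather than Open vSwitch. Keep the man-in-the-middle warning, since it is the security-relevant caveat of this option.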
