To help ourselves not forget to update RBAC rules when we land changes to existing functionality and new features, we must enable SSL+RBAC on the `ovn-controller` <-> SB DB connection for builds with OpenSSL enabled.
Signed-off-by: Frode Nordahl <[email protected]>
---
 tests/automake.mk | 9 +++++++--
 tests/ofproto-macros.at | 12 ++++++++++++
 tests/ovn-macros.at | 38 ++++++++++++++++++++++++++++++++++++--
 tests/ovn-northd.at | 6 +++---
 4 files changed, 58 insertions(+), 7 deletions(-)
diff --git a/tests/automake.mk b/tests/automake.mk
index 771dddea2..ba8567da4 100644
--- a/tests/automake.mk
+++ b/tests/automake.mk
@@ -237,7 +237,10 @@ FLAKE8_PYFILES += $(CHECK_PYFILES)
 if HAVE_OPENSSL
 OVS_PKI_DIR = $(CURDIR)/tests/pki
-TESTPKI_CNS = test test2
+# NOTE: Certificate generation has to be done serially, and each one adds a few
+# seconds to the test run. Please try to re-use one of the many CNs already
+# used in the existing tests.
+TESTPKI_CNS = test test2 main hv hv-foo hv1 hv2 hv3 hv4 hv5 hv6 hv7 hv8 hv9 hv10 hv-1 hv-2 hv-10-1 hv-10-2 hv-20-1 hv-20-2 vtep hv_gw pbr-hv gw1 gw2 gw3 gw4 gw5 ext1
 TESTPKI_FILES = $(shell \
 for cn in $(TESTPKI_CNS); do \
 echo tests/testpki-$$cn-cert.pem ; \
@@ -262,9 +265,11 @@ tests/pki/stamp:
 $(AM_V_at)rm -f tests/pki/stamp
 $(AM_V_at)rm -rf tests/pki
 $(AM_V_GEN)$(OVS_PKI) init && \
+ cd tests/pki && \
 for cn in $(TESTPKI_CNS); do \
- $(OVS_PKI) req+sign tests/pki/$$cn; \
+ $(OVS_PKI) -u req+sign $$cn; \
 done && \
+ cd ../../ && \
 : > tests/pki/stamp
 CLEANFILES += tests/ovs-pki.log
diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index 3d7ac08b3..23d793a95 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -104,6 +104,7 @@ start_daemon () {
 #
 # sim_add hv0
 # as hv0 ovs-vsctl add-br br0
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
 sims=
 sim_add () {
 echo "adding simulator '$1'"
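Review bot: The new `TESTPKI_CNS` value is a single very long line; wrapping it with backslash continuations, a handful of CNs per line, would keep the assignment readable and make future additions show up as one-line diffs. The `TESTPKI_FILES` definition directly below already uses that continuation style, so the file has a precedent for it.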
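Review bot: In the rewritten loop body `$(OVS_PKI) -u req+sign $$cn; \` a failure for any CN except the last one is ignored, because `for … done` returns only the status of the last body command, so `: > tests/pki/stamp` is still written and a missing certificate only surfaces later as an SSL failure inside some test; this is carried over from the old line, but the hunk rewrites it, so `$(OVS_PKI) -u req+sign $$cn || exit 1; \` would be the place to fix it. The `cd tests/pki && … && cd ../../` pair could also be replaced by running the loop in a subshell, `( cd tests/pki && for … done ) && : > tests/pki/stamp`, which removes the need to undo the directory change with a relative path. A short comment on why `-u` is now passed to `req+sign` would help the next reader of this recipe.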
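Review bot: `PKIDIR="$(cd $abs_top_builddir/tests && pwd)"` leaves `$abs_top_builddir` unquoted inside the substitution, and if that `cd` fails the assignment silently yields an empty `PKIDIR`, so the later `test -f $PKIDIR/testpki-…` checks probe paths directly under `/`. Quote the path, `PKIDIR="$(cd "$abs_top_builddir/tests" && pwd)"`, and consider failing loudly when the result is empty rather than letting every SSL-related step fail downstream.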
@@ -126,6 +127,17 @@ sim_add () {
 # Start ovs-vswitchd as $1
 start_daemon ovs-vswitchd --enable-dummy=system -vvconn -vofproto_dpif -vunixctl
 as $1 ovs-appctl vlog/disable-rate-limit vconn
+ if test X$HAVE_OPENSSL = Xyes; then
+ if test -f $PKIDIR/testpki-$1-privkey.pem; then
+ as $1 ovs-vsctl set-ssl \
+ $PKIDIR/testpki-$1-privkey.pem \
+ $PKIDIR/testpki-$1-cert.pem \
+ $PKIDIR/testpki-cacert.pem \
+ || return 1
+ else
+ echo "WARNING: No certificate created for sim '$1', check TESTPKI_CNS variable in tests/automake.mk"
+ fi
+ fi
 }
 # "as $1" sets the OVS_*DIR environment variables to point to $ovs_base/$1.
diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at
index be8114de2..25f3dbe34 100644
--- a/tests/ovn-macros.at
+++ b/tests/ovn-macros.at
@@ -124,7 +124,18 @@ ovn_init_db () {
 mkdir "$d" || return 1
 : > "$d"/.$1.db.~lock~
 as $as_d ovsdb-tool create "$d"/$1.db "$abs_top_srcdir"/$1.ovsschema
- as $as_d start_daemon ovsdb-server -vjsonrpc --remote=punix:"$d"/$1.sock "$d"/$1.db
+
+ local remote_in_db=
+ if test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"; then
+ remote_in_db="--remote=db:OVN_Southbound,SB_Global,connections --private-key=$PKIDIR/testpki-test-privkey.pem --certificate=$PKIDIR/testpki-test-cert.pem --ca-cert=$PKIDIR/testpki-cacert.pem"
+ fi
+
+ as $as_d start_daemon ovsdb-server \
+ -vjsonrpc \
+ --remote=punix:"$d"/$1.sock \
+ $remote_in_db \
+ "$d"/$1.db
+
 local var=`echo $1_db | tr a-z- A-Z_`
 AS_VAR_SET([$var], [unix:"$d"/$1.sock]); export $var
 }
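Review bot: The new `set-ssl` block passes `$PKIDIR/testpki-$1-…` unquoted in both the `test -f` check and the `ovs-vsctl set-ssl` arguments; quoting them (`"$PKIDIR/testpki-$1-privkey.pem"` and so on) keeps `sim_add` usable from a build directory containing whitespace. The `else` branch only echoes a WARNING to stdout and then lets the simulator start without any SSL configuration, so a CN missing from `TESTPKI_CNS` presumably surfaces much later as an ovn-controller connection failure far from its cause; sending the message to stderr (`… >&2`) and returning non-zero would fail at the point where the problem is known. Only the tail of `sim_add` is in this hunk; its start lies outside.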
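Review bot: `remote_in_db` packs four options into one string and relies on unquoted word splitting at the `$remote_in_db \` line of the `ovsdb-server` call, which works for the current values but should be stated, e.g. `# word-split on purpose; PKIDIR must not contain whitespace`. The `-a` in `test X$HAVE_OPENSSL = Xyes -a X"$1" = X"ovn-sb"` is marked obsolescent by POSIX; `test X$HAVE_OPENSSL = Xyes && test X"$1" = X"ovn-sb"` is the portable form. A one-line comment would also help here to record that the `punix:` remote is kept without a role (so northd and the ctl tools retain full access) and that the role-restricted listener comes only from the `db:OVN_Southbound,SB_Global,connections` remote, while the NB database intentionally stays unix-only.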
@@ -193,6 +204,24 @@ ovn_start () {
 ovn_start_northd backup $AZ
 fi
+ if test X$HAVE_OPENSSL = Xyes; then
+ # Create the SB DB pssl+RBAC connection. Ideally we could pre-create
+ # SB_Global and Connection with ovsdb-tool transact at DB creation
+ # time, but unfortunately that does not work, northd-ddlog will replace
+ # the SB_Global record on startup.
+ ovn-sbctl \
+ -- --id=@c create connection \
+ target=\"pssl:0:127.0.0.1\" role=ovn-controller \
+ -- add SB_Global . connections @c
+ local d=$ovs_base
+ if test -n "$AZ"; then
+ d=$d/$AZ
+ fi
+ PARSE_LISTENING_PORT([$d/ovn-sb/ovsdb-server.log], [TCP_PORT])
+ var="SSL_OVN_SB_DB"
+ AS_VAR_SET([$var], [ssl:127.0.0.1:$TCP_PORT]); export $var
+ fi
+
 if test -n "$AZ"; then
 ovn-nbctl --wait=sb sync || exit $?
@@ -257,11 +286,16 @@ ovn_az_attach() {
 local ovn_remote
 if test X"$az" = XNONE; then
- ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
+ if test X$HAVE_OPENSSL = Xyes; then
+ ovn_remote=$SSL_OVN_SB_DB
+ else
+ ovn_remote=unix:$ovs_base/ovn-sb/ovn-sb.sock
+ fi
 else
 ovn_remote=unix:$ovs_base/$az/ovn-sb/ovn-sb.sock
 fi
 ovs-vsctl \
+ -- set Open_vSwitch . external-ids:hostname=$sandbox \
 -- set Open_vSwitch . external-ids:system-id=$sandbox \
 -- set Open_vSwitch . external-ids:ovn-remote=$ovn_remote \
 -- set Open_vSwitch . external-ids:ovn-encap-type=$encap \
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index f3f88fa12..979a10b7d 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -746,7 +746,7 @@ check_row_count Datapath_Binding 1
 lf=$(count_rows Logical_Flow)
 # Make nbdb ovsdb-server drop connection from ovn-northd.
-conn=$(as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes)
+conn=$(as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes|grep ^punix)
 check as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/remove-remote "$conn"
 conn2=punix:`pwd`/special.sock
 check as ovn-nb ovs-appctl -t ovsdb-server ovsdb-server/add-remote "$conn2"
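Review bot: `var="SSL_OVN_SB_DB"` assigns a global shell variable (the sibling `ovn_init_db` declares its `var` with `local`), and the `AS_VAR_SET` indirection buys nothing here because the name is a literal; `SSL_OVN_SB_DB=ssl:127.0.0.1:$TCP_PORT; export SSL_OVN_SB_DB` does the same in one line. When several AZs are started, each `ovn_start` call overwrites the single `SSL_OVN_SB_DB`, so it ends up pointing at whichever SB DB was started last — worth either a comment or a per-AZ name if multi-AZ SSL is ever intended. The Connection row gets `role=ovn-controller` on a loopback `pssl:0:127.0.0.1` listener while the pre-existing `punix:` remote keeps unrestricted access; a comment naming that split would document the trust boundary the tests are meant to exercise. `ovn_start` continues past this hunk.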
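Review bot: When `$az` is not NONE the remote stays `unix:$ovs_base/$az/ovn-sb/ovn-sb.sock` even with OpenSSL enabled, so multi-AZ tests never go through the role-restricted listener the commit message wants every ovn-controller to use; either a comment stating this is intentional or routing that branch through the SSL remote as well would close the gap. `ovn_remote=$SSL_OVN_SB_DB` also depends on `ovn_start` having run in this shell; if it has not, `external-ids:ovn-remote` is set to an empty string instead of failing, and `test -n "$SSL_OVN_SB_DB" || return 1` before the assignment would make that explicit. The added `external-ids:hostname=$sandbox` line carries no comment on why the hostname must now match the sandbox name; one sentence there would help. `ovn_az_attach` starts and ends outside this hunk.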
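Review bot: `list-remotes|grep ^punix` assumes exactly one `punix:` remote is listed; should ovsdb-server ever report more than one, `$conn` becomes multi-line and the following `remove-remote "$conn"` fails. Quoting the pattern and pinning the match, `| grep '^punix' | head -n 1`, makes the intent explicit; the identical change at @@ -781 in this file has the same issue. A short comment on why the filter is needed now (the SB server can carry a non-punix remote) would also save the next reader a trip through the macros. The hunk is inside a test body whose AT_SETUP and AT_CLEANUP lie outside.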
@@ -781,7 +781,7 @@ check_row_count Datapath_Binding 1
 lf=$(count_rows Logical_Flow)
 # Make sbdb ovsdb-server drop connection from ovn-northd.
-conn=$(as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes)
+conn=$(as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/list-remotes|grep ^punix)
 check as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/remove-remote "$conn"
 conn2=punix:`pwd`/special.sock
 check as ovn-sb ovs-appctl -t ovsdb-server ovsdb-server/add-remote "$conn2"
@@ -2878,4 +2878,4 @@ wait_row_count FDB 0
 ovn-sbctl list FDB
 AT_CLEANUP
-])
\ No newline at end of file
+])
--
2.30.0
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
