Thanks for this patch too, and thanks especially for adding a test! Acked-by: Mark Michelson <[email protected]>
On Mon, Oct 20, 2025 at 6:15 PM Gurucharan Shetty <[email protected]> wrote: > > This adds the case for OPT_SSL_SERVER_NAME in ovn-dbctl.c, > enabling --ssl-server-name support for ovn-nbctl and ovn-sbctl. > > The --ssl-server-name option allows specifying the server name for TLS > Server Name Indication (SNI), which is useful when connecting through > proxies or service meshes. > > Example usage: > ovn-nbctl --db=ssl:$ISTIO_GATEWAY_IP:6641 \ > --ssl-server-name=hv-171.ovsdb.provider.internal \ > --private-key=ovn-nbctl-client.key \ > --certificate=ovn-nbctl-client.crt \ > --ca-cert=ca.crt \ > list nb_global > > The above command will connect to a istio proxy. Depending > on the configuration of istio proxy for SNI hv-171, > it can connect to a pod or a node in the kubernetes cluster. > > Signed-off-by: Gurucharan Shetty <[email protected]> > --- > tests/ovn-nbctl.at | 69 +++++++++++++++++++++++++++++++++++++++++++ > utilities/ovn-dbctl.c | 4 +++ > 2 files changed, 73 insertions(+) > > diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at > index 266789417..6a1814a2f 100644 > --- a/tests/ovn-nbctl.at > +++ b/tests/ovn-nbctl.at 
> @@ -3335,3 +3335,72 @@ AT_CHECK([ovn-nbctl nf-list | uuidfilt], [0], [dnl > AT_CHECK([ovn-nbctl nf-del nf2]) > AT_CHECK([ovn-nbctl nf-list | uuidfilt], [0], []) > ]) > + > +AT_SETUP([ovn-nbctl - TLS server name indication (SNI) with > --ssl-server-name]) > +AT_KEYWORDS([ovn-nbctl ssl tls sni client]) > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > + > +# This test validates the --ssl-server-name option for SNI in ovn-nbctl. > +# Test 1: Connect to IP with --ssl-server-name to verify SNI override. > +# Test 2: Connect to same IP without --ssl-server-name (no SNI sent). > + > +# Create ovn-nb database > +AT_CHECK([ovsdb-tool create ovn-nb.db $abs_top_srcdir/ovn-nb.ovsschema]) > + > +PKIDIR=$abs_top_builddir/tests > +AT_CAPTURE_FILE([ovsdb-server.log]) > +on_exit 'kill $(cat ovsdb-server.pid)' > + > +# Start ovsdb-server with SSL and debug logging > +AT_CHECK([ovsdb-server --log-file --detach --no-chdir --pidfile \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --remote=pssl:0:127.0.0.1 \ > + -vstream_ssl:file:dbg ovn-nb.db], [0], [ignore], [ignore]) > +PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT]) > + > +# Initialize the database > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$SSL_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + init]) > + > +# Test 1: SNI override - connect to IP but specify server name. > +# This validates that --ssl-server-name overrides connection hostname. > +AT_CHECK([ovn-nbctl -t 5 \ > + --db=ssl:127.0.0.1:$SSL_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-server-name=sni-test.example \ > + ls-add test-ls]) > + > +# Verify SNI was sent with the overridden name. 
> +OVS_WAIT_UNTIL([grep -q \ > + "connection indicated server name sni-test.example" \ > + ovsdb-server.log]) > + > +# Save current log size for Test 2. > +LOG_SIZE=$(wc -l < ovsdb-server.log) > + > +# Test 2: Default behavior without SNI override - should NOT show SNI > +# connecting to IP address (no hostname to extract). > +AT_CHECK([ovn-nbctl -t 5 \ > + --db=ssl:127.0.0.1:$SSL_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + ls-del test-ls]) > + > +# Stop server to ensure logs are flushed before checking. > +AT_CHECK([ovs-appctl -t ovsdb-server exit]) > +OVS_WAIT_WHILE([kill -0 $(cat ovsdb-server.pid) 2>/dev/null]) > + > +# Check that no new SNI messages appeared in Test 2 (connecting to IP > +# without --ssl-server-name should not generate SNI). > +AT_CHECK([tail -n +$(($LOG_SIZE + 1)) ovsdb-server.log | \ > + grep -q "connection indicated server name"], [1]) > + > +AT_CLEANUP > diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c > index e9fa4da03..afa88a071 100644 > --- a/utilities/ovn-dbctl.c > +++ b/utilities/ovn-dbctl.c > @@ -622,6 +622,10 @@ apply_options_direct(const struct ovn_dbctl_options > *dbctl_options, > stream_ssl_set_ciphersuites(optarg); > break; > > + case OPT_SSL_SERVER_NAME: > + stream_ssl_set_server_name(optarg); > + break; > + > case OPT_BOOTSTRAP_CA_CERT: > stream_ssl_set_ca_cert_file(po->arg, true); > break; > -- > 2.34.1 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
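Review bot: The comment before Test 1, `# This validates that --ssl-server-name overrides connection hostname.`, claims more than the check proves: --db points at 127.0.0.1, so there is no hostname-derived SNI to override and the grep only shows that the explicitly given name was sent. I would reword it to `# This validates that --ssl-server-name is sent as SNI when --db has no hostname.` and, if localhost resolves to 127.0.0.1 in the test environment, add a third case using --db=ssl:localhost:$SSL_PORT together with --ssl-server-name so the override-over-hostname path is actually exercised. The Test 2 negative check is sound as written, since only the lines after LOG_SIZE are inspected and the server is stopped before they are read; the earlier `on_exit 'kill $(cat ovsdb-server.pid)'` will then act on a server that has already exited at cleanup, which looks harmless but is redundant with the explicit exit the test already performs.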
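Review bot: The new case reads `optarg` while the neighbouring OPT_BOOTSTRAP_CA_CERT case reads `po->arg`; the ciphersuites case just above also uses `optarg`, so this presumably works if apply_options_direct copies po->arg into optarg before the switch (that part is outside the hunk), but using one form throughout the switch would read more clearly, e.g. `stream_ssl_set_server_name(po->arg);`. The diffstat lists only the test file and this source file, so unless the option's help text comes from a shared SSL-options definition, --ssl-server-name is now accepted by ovn-nbctl and ovn-sbctl without appearing in their usage output or man pages; a one-line entry describing it as the server name sent in the TLS SNI extension would complete the change. The OPT_SSL_SERVER_NAME enum value and its long-option table entry are likewise not in the diff, so I assume they already exist elsewhere. apply_options_direct begins before the hunk.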
