author Lance Richardson <lrichard@redhat.com> 2017-01-03 13:29:10 -0500
committer Ben Pfaff <blp@ovn.org> 2017-01-05 07:49:08 -0800
commit 84d0ca5d00fe01b29163236d48fa0f9105687149
tree 4d89e3126e3d967ff27e72e749e2d4504c789ef9 /lib/util.h
parent c2269819c3b7f03b31113eb2881b87da5fbfaf2f
ovn-ctl: add support for SSL nb/sb db connections

Add support for SSL connections to OVN northbound and/or
southbound databases.

To improve security, the NB and SB ovsdb daemons no longer
have open ptcp connections by default. This is a change in
behavior from previous versions, users wishing to use TCP
connections to the NB/SB daemons can either request that
a passive TCP connection be used via ovn-ctl command-line
options (e.g. via OVN_CTL_OPTS/OVN_NORTHD_OPTS in startup
scripts):

    --db-sb-create-insecure-remote=yes
    --db-nb-create-insecure-remote=yes

Or configure a connection after the NB/SB daemons have been
started, e.g.:

    ovn-sbctl set-connection ptcp:6642
    ovn-nbctl set-connection ptcp:6641

Users desiring SSL database connections will need to generate
certificates and private key as described in INSTALL.SSL.rst
and perform the following one-time configuration steps:

    ovn-sbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-sbctl set-connection pssl:6642
    ovn-nbctl set-ssl <private-key> <certificate> <ca-cert>
    ovn-nbctl set-connection pssl:6641

On the ovn-controller and ovn-controller-vtep side, SSL
configuration must be provided on the command-line when the
daemons are started, this should be provided via the following
command-line options (e.g. via OVN_CTL_OPTS/OVN_CONTROLLER_OPTS
in startup scripts):

    --ovn-controller-ssl-key=<private-key>
    --ovn-controller-ssl-cert=<certificate>
    --ovn-controller-ssl-ca-cert=<ca-cert>

The SB database connection should also be configured to use
SSL, e.g.:

    ovs-vsctl set Open_vSwitch . \
        external-ids:ovn-remote=ssl:w.x.y.z:6642

Acked-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>

Diffstat (limited to 'lib/util.h')
0 files changed, 0 insertions, 0 deletions
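
An added example, not part of the commit or of the Open vSwitch tree: a small audit that classifies NB/SB database connection targets of the kind shown in the commit message and flags plaintext listeners that are not bound to loopback. The function names and the sample target list are constructed for illustration, and it assumes the targets arrive one per line in the `ptcp:port[:ip]` / `pssl:port[:ip]` form.

```shell
#!/bin/sh
# Classify one OVSDB connection target.
# Prints: tls, local, plaintext-loopback, plaintext or unknown.
classify_remote() {
    case "$1" in
        pssl:*|ssl:*)                    echo tls ;;
        punix:*|unix:*)                  echo local ;;
        ptcp:*:127.0.0.1|ptcp:*:\[::1\]) echo plaintext-loopback ;;
        ptcp:*|tcp:*)                    echo plaintext ;;
        *)                               echo unknown ;;
    esac
}

# Read targets from stdin (one per line), print a classification for each,
# and return 1 if any plaintext listener is reachable beyond loopback.
audit_remotes() {
    rc=0
    while IFS= read -r target; do
        [ -n "$target" ] || continue
        kind=$(classify_remote "$target")
        printf '%-20s %s\n' "$kind" "$target"
        if [ "$kind" = plaintext ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: an SB database with SSL enabled next to an NB
# database that still has the insecure passive TCP remote.
sample_remotes() {
    printf '%s\n' 'pssl:6642' 'ptcp:6641' 'punix:/var/run/db.sock'
}

# Usage with the constructed sample (a non-zero status means a finding):
#   sample_remotes | audit_remotes
# On a live host the input would come from the configured connections, e.g.
#   ovn-sbctl get-connection | audit_remotes
```
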