util goovn TLS connection need to use the latest rotated certificates #563

Closed
wants to merge 1 commit into from
56 changes: 56 additions & 0 deletions go-controller/pkg/util/go_ovn.go
Expand Up @@ -4,10 +4,13 @@ import (
"crypto/tls"
"crypto/x509"
"fmt"
"reflect"

"io/ioutil"

goovn "github.com/ebay/go-ovn"
"github.com/ovn-org/ovn-kubernetes/go-controller/pkg/config"
"gopkg.in/fsnotify/fsnotify.v1"
"k8s.io/klog/v2"
)

Expand Down Expand Up @@ -93,10 +96,63 @@ func initGoOvnSslClient(certFile, privKeyFile, caCertFile, address, db, serverNa
if err != nil {
return nil, fmt.Errorf("error creating SSL OVNDBClient for database %s at address %s: %s", db, address, err)
}
if err = updateSslKeyPair(db, certFile, privKeyFile, tlsConfig, ovndbclient); err != nil {
return nil, fmt.Errorf("error watching SSL OVNDBClient for database %s cert/key files: %s", db, err)
}

klog.Infof("Created OVNDB SSL client for db: %s", db)
return ovndbclient, nil
}

// Watch TLS key/cert files, and update the ovndb tlsConfig Certificate.
// Call ovndbclient.Close() will disconnect underlying rpc2client connection.
// With ovndbclient initalized with reconnect flag, rcp2client will reconnct with new tlsConfig Certificate.
func updateSslKeyPair(ovndb, certFile, privKeyFile string, tlsConfig *tls.Config, ovndbclient goovn.Client) error {

watcher, err := fsnotify.NewWatcher()
if err != nil {
return err
}

go func() {
for {
select {
case event, ok := <-watcher.Events:
if ok && event.Op&(fsnotify.Write|fsnotify.Remove) != 0 {
cert, err := tls.LoadX509KeyPair(certFile, privKeyFile)
if err != nil {
klog.Infof("Cannot load new cert with cert %s key %s err %s", certFile, privKeyFile, err)
continue
}
if reflect.DeepEqual(tlsConfig.Certificates, []tls.Certificate{cert}) {
klog.Infof("TLS update already finished")
continue
}
tlsConfig.Certificates = []tls.Certificate{cert}
err = ovndbclient.Close()
if err != nil {
klog.Errorf("Cannot close %s connection: %s", ovndb, err)
continue
}
klog.Infof("TLS connection to %s force reconnected with new tlsconfig", ovndb)
}
case err, ok := <-watcher.Errors:
if ok {
klog.Errorf("Error watching for changes: %s", err)
}
}
}
}()

if err := watcher.Add(certFile); err != nil {
return err
}
if err := watcher.Add(privKeyFile); err != nil {
return err
}
return nil
}

func initGoOvnTcpClient(address, db string) (goovn.Client, error) {
ovndbclient, err := goovn.NewClient(&goovn.Config{
Db: db,
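Review bot: `tlsConfig.Certificates = []tls.Certificate{cert}` at L82 mutates a tls.Config that is already in use by the client created a few lines earlier, which crypto/tls documents as not allowed once the Config has been handed to a TLS function; the reconnecting client reads `Certificates` from another goroutine with no synchronization, so this is a data race in addition to a contract violation. The safer shape is to never touch `Certificates` after construction and instead install a `GetClientCertificate` callback that returns a mutex-guarded current certificate, with the watcher goroutine swapping that value on rotation; the callback has to be set before the config reaches `goovn.NewClient`, so the call site in `initGoOvnSslClient` (whose start lies outside this hunk) would need to split the setup from the watcher. Two smaller points in the same loop: the watch is bound to the inode behind `certFile`/`privKeyFile`, so a rotation that replaces the file by rename or symlink swap (the usual layout for mounted Kubernetes secrets, if that is how these files arrive) delivers a single Remove/Rename event and then the watch is gone, so `fsnotify.Rename` should be in the mask and the path re-added after such an event; and the `Cannot load new cert` branch at L75 logs at Info level although a silently failed reload leaves the client presenting a certificate that is about to expire, so `klog.Errorf` is the right level there.
```go
// Guards `current`, which GetClientCertificate reads on every handshake
// while the watcher goroutine replaces it on rotation.
var certMu sync.RWMutex
current, err := tls.LoadX509KeyPair(certFile, privKeyFile)
if err != nil {
	return err
}
// NOTE(review): this must run before tlsConfig is passed to goovn.NewClient;
// a tls.Config may not be modified once a connection has used it.
tlsConfig.Certificates = nil
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	certMu.RLock()
	defer certMu.RUnlock()
	c := current
	return &c, nil
}
// … unchanged: watcher creation and goroutine start …
if ok && event.Op&(fsnotify.Write|fsnotify.Remove|fsnotify.Rename) != 0 {
	cert, err := tls.LoadX509KeyPair(certFile, privKeyFile)
	if err != nil {
		klog.Errorf("Cannot load new cert with cert %s key %s err %s", certFile, privKeyFile, err)
		continue
	}
	if event.Op&(fsnotify.Remove|fsnotify.Rename) != 0 {
		// The watched inode is gone; re-arm the watch on the replacement file.
		if err := watcher.Add(event.Name); err != nil {
			klog.Errorf("Cannot re-watch %s: %s", event.Name, err)
		}
	}
	certMu.Lock()
	same := reflect.DeepEqual(current, cert)
	if !same {
		current = cert
	}
	certMu.Unlock()
	if same {
		klog.Infof("TLS update already finished")
		continue
	}
	// … unchanged: ovndbclient.Close() to force a reconnect with the new certificate …
}
```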