In the ovn-kubernetes K8s CNI project we use SSL connections between ovn-controller and the OVN SB DB. Our goal is to rotate the privateKey/signedCert used by ovn-controller very often. When the rotation occurs, we want ovn-controller to redo the TLS handshake without dropping the TCP connection or without requiring an ovn-controller restart.

In the ovn-controller code, I see that in the main loop we call update_ssl_config(), which through a series of functions checks if the SSL files are modified, and if so, calls into the OpenSSL library updating the SSL context. At this point, the expectation is for ovn-controller to restart the TLS handshake so that we are using the new SSL keys/certs. However, we don't see this happening.

I ran tcpdump on the ovn-controller side to check for TLS handshake packets, but I didn't see any TLS related packets. With `stream_ssl` module logging set to debug, I don't see any SSL control plane messages in ovn-controller.log.

I also created certs with an expiry time of 10 minutes using OVS-PKI and restarted ovn-controller. My expectation was that after 10 minutes the SSL connection should error out with the certificates already expired. I don't see that happening as well. When I run the `ovn-sbctl` command using the expired certs it obviously fails.

It looks to me that once the JSON-RPC session is created between ovn-controller and the OVN SB DB process, nothing seems to re-trigger the TLS handshake. Are we missing something?

Regards,
~Girish
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss