This document explains the way one could use SSL for connectivity between OVN components. The details in this documentation needs a minimum version of Open vSwitch 2.7.
Detailed explanation of how OVS utilites and daemons use SSL certificates is explained at OVS.SSL. The following section summarizes it for ovn-kubernetes.
On a secure machine (separate from your k8s cluster), where you have installed the ovs-pki utility (comes with OVS installations), create a certificate authority by running
ovs-pki init --force
The above command creates 2 certificate authorities. But we are concerned only with one of them, i.e the "switch" certificate authority. We will use this certificate authority to sign individual certificates of all the nodes. We will then use the same certificate authority's certificate to verify a node's connections to the master.
Copy this certificate to the master and each of the nodes. $CENTRAL_IP is the IP address of the master.
scp /var/lib/openvswitch/pki/switchca/cacert.pem \
root@$CENTRAL_IP:/etc/openvswitch/.
On the master, run the following commands.
cd /etc/openvswitch
ovs-pki req ovnnb
The above command will generate a private key "ovnnb-privkey.pem" and a corresponding certificate request named "ovnnb-req.pem". Copy over the ovnnb-req.pem to the aforementioned secure machine's /var/lib/openvswitch/pki folder to sign it using the command below.
ovs-pki -b sign ovnnb
The above command will generate ovnnb-cert.pem. Copy over this file back to the master's /etc/openvswitch. The ovnnb-privkey.pem and ovnnb-cert.pem will be used by the ovsdb-server that fronts the OVN NB database.
Now run the following commands to ask ovsdb-server to use these certificates and also to open up SSL ports via which the database can be accessed.
ovn-nbctl set-ssl /etc/openvswitch/ovnnb-privkey.pem \
/etc/openvswitch/ovnnb-cert.pem /etc/openvswitch/cacert.pem
ovn-nbctl set-connection pssl:6641
cd /etc/openvswitch
ovs-pki req ovnsb
The above command will generate a private key "ovnsb-privkey.pem" and a corresponding certificate request named "ovnsb-req.pem". Copy over the ovnsb-req.pem to the aforementioned secure machine's /var/lib/openvswitch/pki to sign it using the command below.
ovs-pki -b sign ovnsb
The above command will generate ovnsb-cert.pem. Copy over this file back to the master's /etc/openvswitch. The ovnsb-privkey.pem and ovnsb-cert.pem will be used by the ovsdb-server that fronts the OVN SB database.
Now run the following commands to ask ovsdb-server to use these certificates and also to open up SSL ports via which the database can be accessed.
ovn-sbctl set-ssl /etc/openvswitch/ovnsb-privkey.pem \
/etc/openvswitch/ovnsb-cert.pem /etc/openvswitch/cacert.pem
ovn-sbctl set-connection pssl:6642
If you are running ovn-northd on the same host as the OVN NB and SB database servers, then there is no need to secure the communication between ovn-northd and OVN NB/SB daemons. ovn-northd will communicate using UNIX path.
In case you still want to secure the communication, or the daemons are running on separate hosts, then follow the instructions on this page [OVN-NORTHD.SSL.md]
On each node, create a certificate request.
cd /etc/openvswitch
ovs-pki req ovncontroller
The above command will create a new private key for the node called ovncontroller-privkey.pem and a certificate request file called ovncontroller-req.pem. Copy this certificate request file to the secure machine where you created the certificate authority and from the directory where the copied file exists, run:
ovs-pki -b sign ovncontroller switch
The above will create the certificate for the node called "ovncontroller-cert.pem". You should copy this certificate back to the node's /etc/openvswitch directory.
Additionally, the common name used for signing the certificates (ovncontroller)
needs to be passed in for TLS server certificate verification using the
-nb-cert-common-name and the -sb-cert-common-name CLI options.
As explained in README.md, OVN architecture has a central component which stores your networking intent in a database. You start this central component on the node where you intend to start your k8s central daemons by running:
/usr/share/openvswitch/scripts/ovn-ctl start_northd
You should now restart the ovn-controller on each host with the following additional options.
/usr/share/openvswitch/scripts/ovn-ctl \
--ovn-controller-ssl-key="/etc/openvswitch/ovncontroller-privkey.pem" \
--ovn-controller-ssl-cert="/etc/openvswitch/ovncontroller-cert.pem" \
--ovn-controller-ssl-ca-cert="/etc/openvswitch/cacert.pem" \
restart_controller
To make sure that ovn-controller restarts with the above options during system reboots, you should add the above options to your startup script's defaults file. For e.g. on Ubuntu, if you installed ovn-controller via the package 'ovn-host*.deb', write the following to your /etc/default/ovn-host file
OVN_CTL_OPTS="--ovn-controller-ssl-key=/etc/openvswitch/ovncontroller-privkey.pem --ovn-controller-ssl-cert=/etc/openvswitch/ovncontroller-cert.pem --ovn-controller-ssl-ca-cert=/etc/openvswitch/cacert.pem"
If you start the ovnkube utility on master with "--init-master" or with "--init-network-control-manager", you should pass the SSL certificates to it. For e.g:
sudo ovnkube -k8s-kubeconfig kubeconfig.yaml -loglevel=4 \
-k8s-apiserver="http://$CENTRAL_IP:8080" \
-logfile="/var/log/ovn-kubernetes/ovnkube.log" \
-init-master="$NODE_NAME" -cluster-subnets=$CLUSTER_IP_SUBNET \
-k8s-service-cidr=$SERVICE_IP_SUBNET \
-nodeport \
-nb-address="ssl:$CENTRAL_IP:6641" \
-sb-address="ssl:$CENTRAL_IP:6642" \
-nb-client-privkey /etc/openvswitch/ovncontroller-privkey.pem \
-nb-client-cert /etc/openvswitch/ovncontroller-cert.pem \
-nb-client-cacert /etc/openvswitch/cacert.pem \
-nb-cert-common-name ovncontroller \
-sb-client-privkey /etc/openvswitch/ovncontroller-privkey.pem \
-sb-client-cert /etc/openvswitch/ovncontroller-cert.pem \
-sb-client-cacert /etc/openvswitch/cacert.pem \
-sb-cert-common-name ovncontroller
If you start the ovnkube utility with "--init-cluster-manager", there is no need to pass the SSL certificates to it as it doesn't connect to the OVN databases. For e.g:
sudo ovnkube -k8s-kubeconfig kubeconfig.yaml -loglevel=4 \
-k8s-apiserver="http://$CENTRAL_IP:8080" \
-logfile="/var/log/ovn-kubernetes/ovnkube-cluster-manager.log" \
-init-cluster-manager="$NODE_NAME" -cluster-subnets=$CLUSTER_IP_SUBNET \
-k8s-service-cidr=$SERVICE_IP_SUBNET
And when you start your ovnkube utility on nodes, you should pass the SSL certificates to it. For e.g:
sudo ovnkube -k8s-kubeconfig $HOME/kubeconfig.yaml -loglevel=4 \
-k8s-apiserver="http://$CENTRAL_IP:8080" \
-init-node="$NODE_NAME" \
-nodeport \
-nb-address="ssl:$CENTRAL_IP:6641" \
-sb-address="ssl:$CENTRAL_IP:6642" -k8s-token=$TOKEN \
-nb-client-privkey /etc/openvswitch/ovncontroller-privkey.pem \
-nb-client-cert /etc/openvswitch/ovncontroller-cert.pem \
-nb-client-cacert /etc/openvswitch/cacert.pem \
-nb-cert-common-name ovncontroller \
-sb-client-privkey /etc/openvswitch/ovncontroller-privkey.pem \
-sb-client-cert /etc/openvswitch/ovncontroller-cert.pem \
-sb-client-cacert /etc/openvswitch/cacert.pem \
-sb-cert-common-name ovncontroller \
-init-gateways \
-k8s-service-cidr=$SERVICE_IP_SUBNET \
-cluster-subnets=$CLUSTER_IP_SUBNET