Merge pull request skydive-project#2358 from rcarrillocruz/add_ovn_ss…

…l_support Add SSL support to OVN
datadope-io · Mar 16, 2021 · 3ccba88 · 3ccba88
2 parents 60454be + c9904ca
commit 3ccba88
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/analyzer/probes.go b/analyzer/probes.go
@@ -114,7 +114,10 @@ func NewTopologyProbeBundleFromConfig(g *graph.Graph) (*probe.Bundle, error) {
 		switch t {
 		case "ovn":
 			addr := config.GetString("analyzer.topology.ovn.address")
-			handler, err = ovn.NewProbe(g, addr)
+			certFile := config.GetString("analyzer.topology.ovn.cert")
+			keyFile := config.GetString("analyzer.topology.ovn.key")
+			cacertFile := config.GetString("analyzer.topology.ovn.cacert")
+			handler, err = ovn.NewProbe(g, addr, certFile, keyFile, cacertFile)
 		case "k8s":
 			handler, err = k8s.NewK8sProbe(g)
 		case "istio":

diff --git a/etc/skydive.yml.default b/etc/skydive.yml.default
@@ -174,6 +174,10 @@ analyzer:
       # * tcp:addr:port
       # * unix:/var/run/ovn/ovnnb_db.sock
       # address: unix:/var/run/ovn/ovnnb_db.sock
+      # Specify client, key and CA certificate files for TLS authentication.
+      # cert: /myovnnbcert
+      # key: /myovnkey
+      # cacert: /myovncacert
 
   replication:
     # debug: false

diff --git a/topology/probes/ovn/ovn.go b/topology/probes/ovn/ovn.go
@@ -22,8 +22,11 @@ package ovn
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"encoding/json"
 	"fmt"
+	"io/ioutil"
 	"sync"
 
 	"github.com/skydive-project/skydive/probe"
@@ -43,6 +46,9 @@ type Probe struct {
 	graph.ListenerHandler
 	graph       *graph.Graph
 	address     string
+	certFile    string
+	keyFile     string
+	cacertFile  string
 	ovndbapi    goovn.Client
 	switchPorts map[string]*goovn.LogicalSwitch
 	eventChan   chan ovnEvent
@@ -491,8 +497,23 @@ func (p *Probe) Do(ctx context.Context, wg *sync.WaitGroup) error {
 	}()
 
 	logging.GetLogger().Debugf("Trying to get an OVN DB api")
+	tlsConfig := &tls.Config{}
+	if p.certFile != "" && p.keyFile != "" && p.cacertFile != "" {
+		cert, err := tls.LoadX509KeyPair(p.certFile, p.keyFile)
+		if err != nil {
+			return err
+		}
+		cacert, err := ioutil.ReadFile(p.cacertFile)
+		if err != nil {
+			return err
+		}
+		cacertPool := x509.NewCertPool()
+		cacertPool.AppendCertsFromPEM(cacert)
+		tlsConfig = &tls.Config{RootCAs: cacertPool, Certificates: []tls.Certificate{cert}}
+	}
 	cfg := &goovn.Config{
 		Addr:         p.address,
+		TLSConfig:    tlsConfig,
 		SignalCB:     p,
 		DisconnectCB: p.OnDisconnected,
 	}
@@ -538,11 +559,14 @@ func (p *Probe) Do(ctx context.Context, wg *sync.WaitGroup) error {
 	return nil
 }
 
-// NewProbe creates a new graph OVS database probe
-func NewProbe(g *graph.Graph, address string) (probe.Handler, error) {
+// NewProbe creates a new graph OVN database probe
+func NewProbe(g *graph.Graph, address string, certFile string, keyFile string, cacertFile string) (probe.Handler, error) {
 	p := &Probe{
 		graph:      g,
 		address:    address,
+		certFile:   certFile,
+		keyFile:    keyFile,
+		cacertFile: cacertFile,
 		eventChan:  make(chan ovnEvent, 50),
 		aclIndexer: graph.NewIndexer(g, nil, uuidHasher, false),
 		lsIndexer:  graph.NewIndexer(g, nil, uuidHasher, false),