setup on central node
首先在central node生成CA
然后分别为nb、sb、switch创建private key和request
然后在centaral node(生成CA到机器)上对上一步生成的request进行签名,生成证书文件cert
然后把生成的pki/controllerca/cacert.pem and pki/switchca/cacert.pem 和private key和cert证书文件拷贝到其它computing node上
systemctl start ovn-northd
systemctl start ovn-controller
# 使用ovs-pki init --force生成controller CA和switch CA,
# 分别存放在/var/lib/openvswitch/pki/controllerca/目录和/var/lib/openvswitch/pki/switchca/
# 要把根证书pki/controllerca/cacert.pem and pki/switchca/cacert.pem分别copy到controller和switch中
ovs-pki init --force
pushd /etc/openvswitch
# 为nb创建private key并且签名
# both using "controller" CA
ovs-pki req+sign northdb controller
ovs-pki req+sign nbctl controller
# 为sb,ovn-controller创建private key并且签名
ovs-pki req+sign southdb switch
ovs-pki req+sign chassis-1 switch
ovs-pki req+sign chassis-2 switch
popd
# since ovn2.12
# https://bugzilla.redhat.com/show_bug.cgi?id=1769668
chown -R openvswitch /etc/openvswitch
chown -R openvswitch /var/lib/openvswitch
# Configure SSL certificates and keys for northbound db, enable SSL
ovn-nbctl set-ssl /etc/openvswitch/northdb-privkey.pem \
/etc/openvswitch/northdb-cert.pem \
/var/lib/openvswitch/pki/controllerca/cacert.pem
ovn-nbctl set-connection pssl:6641
# Configure SSL certificates and keys for southbound db, enable SSL
ovn-sbctl set-ssl /etc/openvswitch/southdb-privkey.pem \
/etc/openvswitch/southdb-cert.pem \
/var/lib/openvswitch/pki/switchca/cacert.pem
ovn-sbctl set-connection pssl:6642
# Configure ovn-controller to use SSL for connection to southbound db
ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:177.1.1.1:6642
ovs-vsctl set Open_vSwitch . external-ids:ovn-encap-type=geneve
ovs-vsctl set Open_vSwitch . external-ids:ovn-encap-ip=177.1.1.1
# Configure SSL key and certificates for ovn-cotnroller
# Note: In OVS 2.8 you will be able to do this instead, restarting ovn-controller
# will not be required:
ovs-vsctl set-ssl /etc/openvswitch/chassis-1-privkey.pem \
/etc/openvswitch/chassis-1-cert.pem \
/var/lib/openvswitch/pki/switchca/cacert.pem
# Restart ovn-controller to pickup changed OVN_CONTROLLER_OPTS
systemctl restart ovn-controller
# check sb ssl
ovn-sbctl show
# check nb ssl
ovn-nbctl --db=ssl:177.1.1.1:6641 -p /etc/openvswitch/nbctl-privkey.pem -c /etc/openvswitch/nbctl-cert.pem -C /var/lib/openvswitch/pki/controllerca/cacert.pem ls-add ls1
ovn-nbctl --db=ssl:177.1.1.1:6641 -p /etc/openvswitch/nbctl-privkey.pem -c /etc/openvswitch/nbctl-cert.pem -C /var/lib/openvswitch/pki/controllerca/cacert.pem show
setup on computing node
systemctl start ovn-controller
# Create "switch" and "controller" CAs
ovs-pki init --force
# get private key and cert and ca
scp 177.1.1.1:/etc/openvswitch/chassis-2-privkey.pem /etc/openvswitch/
scp 177.1.1.1:/etc/openvswitch/chassis-2-cert.pem /etc/openvswitch/
scp -r 177.1.1.1:/var/lib/openvswitch/pki/switchca/* /var/lib/openvswitch/pki/switchca/
# since ovn2.12
# https://bugzilla.redhat.com/show_bug.cgi?id=1769668
chown -R openvswitch /etc/openvswitch
chown -R openvswitch /var/lib/openvswitch
# Configure ovn-controller to use SSL for connection to southbound db
ovs-vsctl set Open_vSwitch . external-ids:ovn-remote=ssl:177.1.1.1:6642
ovs-vsctl set Open_vSwitch . external-ids:ovn-encap-type=geneve
ovs-vsctl set Open_vSwitch . external-ids:ovn-encap-ip=177.1.1.2
# Configure SSL key and certificates for ovn-cotnroller
# Note: In OVS 2.8 you will be able to do this instead, restarting ovn-controller
# will not be required:
ovs-vsctl set-ssl /etc/openvswitch/chassis-2-privkey.pem \
/etc/openvswitch/chassis-2-cert.pem \
/var/lib/openvswitch/pki/switchca/cacert.pem
systemctl restart ovn-controller