[Windows] Check if importing certificate is needed (#1963)
* Added a new option "ImportCertificate" to decide if a certificate is needed.
  Default is true.
* Simplified certificate addition with command "Import-Certificate"
lzhecheng authored Mar 25, 2021
1 parent cb840ce commit 9b8440d
Showing 2 changed files with 30 additions and 18 deletions.
19 changes: 13 additions & 6 deletions docs/windows.md
@@ -149,15 +149,21 @@ kubectl apply -f https://github.com/vmware-tanzu/antrea/releases/download/<TAG>/

#### Join Windows worker Nodes

#### 1. (Optional, Test-Only) Install OVS provided by Antrea
#### 1. (Optional) Install OVS (provided by Antrea or your own)

Antrea provides a pre-built OVS package which contains test-signed OVS kernel
driver. If you don't have a self-signed OVS package and just want to try the
Antrea on Windows, this package can be used for testing. We also provide a help
script to install the OVS driver and register userspace binaries as services.
Antrea on Windows, this package can be used for testing. We also provide a helper
script `Install-OVS.ps1` to install the OVS driver and register userspace binaries
as services. If you want to use your own signed OVS package for production, you can
run `Install-OVS.ps1` like this:

Firstly, please make sure to [enable test-signed](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option)
code on Windows Nodes.
```powershell
Install-OVS.ps1 -ImportCertificate $false -Local -LocalFile <PathToOVSPackage>
```

**[Test-only]** First, if you are using test-signed driver (such as the one provided with Antrea),
please make sure to [enable test-signed](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option)

```powershell
Bcdedit.exe -set TESTSIGNING ON
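Review bot: the example invocation `Install-OVS.ps1 -ImportCertificate $false -Local -LocalFile <PathToOVSPackage>` passes a `-Local` parameter that the script's Param block in this same commit does not declare (it declares DownloadDir, DownloadURL, OVSInstallDir, CheckFileHash, LocalFile and ImportCertificate), so PowerShell will reject the call; `-LocalFile <PathToOVSPackage>` on its own selects the local package. The "**[Test-only]** First, ..." sentence also lost its object when "code on Windows Nodes." was dropped: it should still read "make sure to enable test-signed code on Windows Nodes". One more sentence on what the flag means for the node would help: with the default `-ImportCertificate $true` the script extracts the driver's signer certificate and imports it into the machine's TrustedPublisher and Root stores, so `$false` is the right choice for a package signed by a CA the node already trusts, and the test-only path belongs on test nodes only.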
@@ -168,7 +174,8 @@ Then, install the OVS using the script.

```powershell
curl.exe -LO https://raw.githubusercontent.com/vmware-tanzu/antrea/main/hack/windows/Install-OVS.ps1
.\Install-OVS.ps1
.\Install-OVS.ps1 # Test-only
.\Install-OVS.ps1 -ImportCertificate $false -Local -LocalFile <PathToOVSPackage> # Production
```

Verify the OVS services are installed.
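Review bot: the `# Production` line repeats the undeclared `-Local` parameter (the script's Param block has `LocalFile` but no `Local`), so copy-pasting it fails; drop `-Local`. Since the two invocations differ only in trust handling, a short note next to "Verify the OVS services are installed" stating that the test-only run adds the test signer certificate to cert:\LocalMachine\Root and cert:\LocalMachine\TrustedPublisher would let operators audit the node's trust stores and remove that certificate once testing is done.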
29 changes: 17 additions & 12 deletions hack/windows/Install-OVS.ps1
@@ -17,13 +17,18 @@
.PARAMETER LocalFile
Specifies the path of a local OpenvSwitch package to be used for installation.
When the param is used, "DownloadURL" and "DownloadDir" params will be ignored.
.PARAMETER ImportCertificate
Specifies if a certificate file is needed for OVS package. If true, certificate
will be retrieved from OVSExt.sys and a package.cer file will be generated.
#>
Param(
[parameter(Mandatory = $false)] [string] $DownloadDir,
[parameter(Mandatory = $false)] [string] $DownloadURL,
[parameter(Mandatory = $false)] [string] $OVSInstallDir = "C:\openvswitch",
[parameter(Mandatory = $false)] [bool] $CheckFileHash = $true,
[parameter(Mandatory = $false)] [string] $LocalFile
[parameter(Mandatory = $false)] [string] $LocalFile,
[parameter(Mandatory = $false)] [bool] $ImportCertificate = $true
)

$ErrorActionPreference = "Stop"
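Review bot: the `.PARAMETER ImportCertificate` help text understates what the option does: beyond generating package.cer, the script imports the extracted signer certificate into cert:\LocalMachine\TrustedPublisher and cert:\LocalMachine\Root, which makes the driver's signer a trusted root for the whole node. State that here, and say that the default `$true` is meant for the test-signed package while a production-signed package should pass `$false`. Also mention that package.cer is only generated when it is not already present, matching the `Test-Path` check in InstallOVS. Declaring it as `[bool]` with a `$true` default is consistent with `$CheckFileHash`, so the type choice is fine.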
@@ -136,17 +141,17 @@ function InstallOVS() {
$OVSDriverDir = "$OVSInstallDir\driver"

# Install OVS driver certificate.
if (Test-Path $OVSDriverDir\package.cer) {
$DriverFile="$OVSDriverDir\OVSExt.sys"
if ($ImportCertificate) {
$CertificateFile = "$OVSDriverDir\package.cer"
if (!(Test-Path $CertificateFile)) {
$ExportType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert;
$Cert = (Get-AuthenticodeSignature $DriverFile).SignerCertificate;
[System.IO.File]::WriteAllBytes($CertificateFile, $Cert.Export($ExportType));
}
Log "Installing OVS driver certificate."
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$OVSDriverDir\package.cer")
$rootStore = Get-Item cert:\LocalMachine\TrustedPublisher
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
$rootStore = Get-Item cert:\LocalMachine\Root
$rootStore.Open("ReadWrite")
$rootStore.Add($cert)
$rootStore.Close()
Import-Certificate -FilePath "$CertificateFile" -CertStoreLocation cert:\LocalMachine\TrustedPublisher
Import-Certificate -FilePath "$CertificateFile" -CertStoreLocation cert:\LocalMachine\Root
}

# Install Microsoft Visual C++ Redistributable Package.
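Review bot: the certificate that ends up in cert:\LocalMachine\Root is taken from the file being installed (`$Cert = (Get-AuthenticodeSignature $DriverFile).SignerCertificate`), so the import trusts whatever signed OVSExt.sys, and this path runs by default. Two guards are missing: if the file is unsigned, `SignerCertificate` is `$null` and `$Cert.Export($ExportType)` fails with an opaque null-method error instead of a clear message, so test for `$null` and `throw` with the driver path; and when the caller disabled `-CheckFileHash`, nothing ties the imported root to the expected package any more, so at least `Log` a warning for that combination. Separately, an existing package.cer is used as-is without being compared to the driver's actual signer; if it is meant as an operator override, say so in a comment, otherwise regenerate it unconditionally.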
@@ -213,7 +218,7 @@ function ConfigOVS() {
sc.exe failure ovs-vswitchd reset= 0 actions= restart/0/restart/0/restart/0
Start-Service ovs-vswitchd
# Set OVS version.
$OVS_VERSION=$(Get-Item $OVSInstallDir\driver\ovsext.sys).VersionInfo.ProductVersion
$OVS_VERSION=$(Get-Item $OVSInstallDir\driver\OVSExt.sys).VersionInfo.ProductVersion
Log "Set OVS version to: $OVS_VERSION"
ovs-vsctl --no-wait set Open_vSwitch . ovs_version=$OVS_VERSION
}
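Review bot: case-only change (`ovsext.sys` to `OVSExt.sys`); harmless on NTFS, which is case-insensitive, but the driver path is now spelled out here and again as `$DriverFile` in InstallOVS, so a single script-level variable for it would keep the two in step.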

0 comments on commit 9b8440d