certificates: generate libvirt TLS certificates

Adds support to the 'kolla-ansible certificates' command for generating certificates for libvirt TLS, when libvirt_tls is true. The same certificate and key are used for the libvirt client and server. The certificates use the same root CA as the other generated certificates, and are written to {{ node_custom_config }}/nova/nova-libvirt/, ready to be picked up by nova-libvirt and nova-compute. Change-Id: I1bde9fa018f66037aec82dc74c61ad1f477a7c12
2022-01-26 16:27:33 +00:00 · 2022-01-26 16:27:33 +00:00 · 33e93ab323
parent 92e635bb0a
commit 33e93ab323
6 changed files with 122 additions and 1 deletions
--- a/ansible/certificates.yml
+++ b/ansible/certificates.yml
@ -2,7 +2,8 @@
 - import_playbook: gather-facts.yml
  when: >-
    kolla_enable_tls_backend | default(false) | bool or
-    rabbitmq_enable_tls | default(false) | bool
+    rabbitmq_enable_tls | default(false) | bool or
+    certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool

 - name: Apply role certificates
  hosts: localhost
--- a/ansible/roles/certificates/defaults/main.yml
+++ b/ansible/roles/certificates/defaults/main.yml
@ -3,3 +3,9 @@ root_dir: "{{ kolla_certificates_dir }}/private/root"
 external_dir: "{{ kolla_certificates_dir }}/private/external"
 internal_dir: "{{ kolla_certificates_dir }}/private/internal"
 backend_dir: "{{ kolla_certificates_dir }}/private/backend"
+libvirt_dir: "{{ kolla_certificates_dir }}/private/libvirt"
+
+# Whether to generate certificates for libvirt TLS.
+certificates_generate_libvirt: "{{ libvirt_tls | default(false) | bool }}"
+# Directory into which to copy generated certificates and keys for libvirt TLS.
+certificates_libvirt_output_dir: "{{ node_custom_config }}/nova/nova-libvirt"
--- a/ansible/roles/certificates/tasks/generate-libvirt.yml
+++ b/ansible/roles/certificates/tasks/generate-libvirt.yml
@ -0,0 +1,84 @@
+---
+- name: Ensuring private libvirt directory exist
+  file:
+    path: "{{ libvirt_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Creating libvirt SSL configuration file
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}"
+    mode: "0660"
+  with_items:
+    - "openssl-kolla-libvirt.cnf"
+
+- name: Creating libvirt certificate key
+  command: >
+    openssl genrsa
+    -out "{{ libvirt_dir }}/libvirt.key" 2048
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.key"
+
+- name: Creating libvirt certificate signing request
+  command: >
+    openssl req
+    -new
+    -key "{{ libvirt_dir }}/libvirt.key"
+    -out "{{ libvirt_dir }}/libvirt.csr"
+    -config "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
+    -sha256
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.csr"
+
+- name: Creating libvirt certificate
+  command: >
+    openssl x509
+    -req
+    -in "{{ libvirt_dir }}/libvirt.csr"
+    -CA "{{ root_dir }}/root.crt"
+    -CAkey "{{ root_dir }}/root.key"
+    -CAcreateserial
+    -extensions v3_req
+    -extfile "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
+    -out "{{ libvirt_dir }}/libvirt.crt"
+    -days 500
+    -sha256
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.crt"
+
+- name: Setting permissions on libvirt key
+  file:
+    path: "{{ libvirt_dir }}/libvirt.key"
+    mode: "0660"
+    state: file
+
+- name: Ensure libvirt output directory exists
+  file:
+    path: "{{ certificates_libvirt_output_dir }}"
+    state: directory
+    mode: "0770"
+
+- name: Copy libvirt root CA to default configuration location
+  copy:
+    src: "{{ root_dir }}/root.crt"
+    dest: "{{ certificates_libvirt_output_dir }}/cacert.pem"
+    mode: "0660"
+
+- name: Copy libvirt cert to default configuration locations
+  copy:
+    src: "{{ libvirt_dir }}/libvirt.crt"
+    dest: "{{ certificates_libvirt_output_dir }}/{{ item }}cert.pem"
+    mode: "0660"
+  loop:
+    - server
+    - client
+
+- name: Copy libvirt key to default configuration locations
+  copy:
+    src: "{{ libvirt_dir }}/libvirt.key"
+    dest: "{{ certificates_libvirt_output_dir }}/{{ item }}key.pem"
+    mode: "0660"
+  loop:
+    - server
+    - client
--- a/ansible/roles/certificates/tasks/main.yml
+++ b/ansible/roles/certificates/tasks/main.yml
@ -4,3 +4,5 @@
 - include_tasks: generate-backend.yml
  when:
    - kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool
+- include_tasks: generate-libvirt.yml
+  when: certificates_generate_libvirt | bool
--- a/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2
+++ b/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2
@ -0,0 +1,18 @@
+[req]
+prompt = no
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+{% for host in groups['compute'] %}
+DNS.{{ loop.index }} = {{ hostvars[host].migration_hostname | default(hostvars[host].ansible_facts.nodename) }}
+{% endfor %}
--- a/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml
+++ b/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Adds support to the ``kolla-ansible certificates`` command for generating
+    certificates for libvirt TLS, when ``libvirt_tls`` is ``true``. The same
+    certificate and key are used for the libvirt client and server.
+
+    The certificates use the same root CA as the other generated certificates,
+    and are written to ``{{ node_custom_config }}/nova/nova-libvirt/``, ready
+    to be picked up by nova-libvirt and nova-compute.