certificates: generate libvirt TLS certificates

Adds support to the 'kolla-ansible certificates' command for generating
certificates for libvirt TLS, when libvirt_tls is true. The same
certificate and key are used for the libvirt client and server.

The certificates use the same root CA as the other generated
certificates, and are written to
{{ node_custom_config }}/nova/nova-libvirt/, ready to be picked up by
nova-libvirt and nova-compute.

Change-Id: I1bde9fa018f66037aec82dc74c61ad1f477a7c12
Mark Goddard 2022-01-26 16:27:33 +00:00
parent 92e635bb0a
commit 33e93ab323
6 changed files with 122 additions and 1 deletions


@ -2,7 +2,8 @@
- import_playbook: gather-facts.yml
when: >-
kolla_enable_tls_backend | default(false) | bool or
rabbitmq_enable_tls | default(false) | bool
rabbitmq_enable_tls | default(false) | bool or
certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool
- name: Apply role certificates
hosts: localhost


@ -3,3 +3,9 @@ root_dir: "{{ kolla_certificates_dir }}/private/root"
external_dir: "{{ kolla_certificates_dir }}/private/external"
internal_dir: "{{ kolla_certificates_dir }}/private/internal"
backend_dir: "{{ kolla_certificates_dir }}/private/backend"
libvirt_dir: "{{ kolla_certificates_dir }}/private/libvirt"
# Whether to generate certificates for libvirt TLS.
certificates_generate_libvirt: "{{ libvirt_tls | default(false) | bool }}"
# Directory into which to copy generated certificates and keys for libvirt TLS.
certificates_libvirt_output_dir: "{{ node_custom_config }}/nova/nova-libvirt"


@ -0,0 +1,84 @@
---
- name: Ensuring private libvirt directory exist
file:
path: "{{ libvirt_dir }}"
state: "directory"
mode: "0770"
- name: Creating libvirt SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-libvirt.cnf"
- name: Creating libvirt certificate key
command: >
openssl genrsa
-out "{{ libvirt_dir }}/libvirt.key" 2048
args:
creates: "{{ libvirt_dir }}/libvirt.key"
- name: Creating libvirt certificate signing request
command: >
openssl req
-new
-key "{{ libvirt_dir }}/libvirt.key"
-out "{{ libvirt_dir }}/libvirt.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
-sha256
args:
creates: "{{ libvirt_dir }}/libvirt.csr"
- name: Creating libvirt certificate
command: >
openssl x509
-req
-in "{{ libvirt_dir }}/libvirt.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-extensions v3_req
-extfile "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
-out "{{ libvirt_dir }}/libvirt.crt"
-days 500
-sha256
args:
creates: "{{ libvirt_dir }}/libvirt.crt"
- name: Setting permissions on libvirt key
file:
path: "{{ libvirt_dir }}/libvirt.key"
mode: "0660"
state: file
- name: Ensure libvirt output directory exists
file:
path: "{{ certificates_libvirt_output_dir }}"
state: directory
mode: "0770"
- name: Copy libvirt root CA to default configuration location
copy:
src: "{{ root_dir }}/root.crt"
dest: "{{ certificates_libvirt_output_dir }}/cacert.pem"
mode: "0660"
- name: Copy libvirt cert to default configuration locations
copy:
src: "{{ libvirt_dir }}/libvirt.crt"
dest: "{{ certificates_libvirt_output_dir }}/{{ item }}cert.pem"
mode: "0660"
loop:
- server
- client
- name: Copy libvirt key to default configuration locations
copy:
src: "{{ libvirt_dir }}/libvirt.key"
dest: "{{ certificates_libvirt_output_dir }}/{{ item }}key.pem"
mode: "0660"
loop:
- server
- client
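Review bot: The private key written by `openssl genrsa -out` at L59-64 is created with whatever mode that openssl release chooses (0600 on OpenSSL 1.1.0 and later, umask-dependent on older builds) and is then widened to `mode: "0660"` by the chmod task at L90-94; the copies at L113-120 are written group-writable as well. A private key rarely needs group write, so `mode: "0640"` on both tasks (or `"0600"` if nothing in the group reads it) would be the tighter default; if the 0660 value is inherited from the existing generate-*.yml files, a one-line comment saying so would stop the next reader from treating it as an oversight. The validity period at L86 is a bare `-days 500`; lifting it into a role default such as `certificates_libvirt_validity_days: 500` would let operators align it with their CA rotation without editing the task file. The single-item `with_items` at L57-58 could simply be `loop:` for consistency with the later tasks.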


@ -4,3 +4,5 @@
- include_tasks: generate-backend.yml
when:
- kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool
- include_tasks: generate-libvirt.yml
when: certificates_generate_libvirt | bool


@ -0,0 +1,18 @@
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = US
stateOrProvinceName = NC
localityName = RTP
organizationalUnitName = kolla
[v3_req]
subjectAltName = @alt_names
[alt_names]
{% for host in groups['compute'] %}
DNS.{{ loop.index }} = {{ hostvars[host].migration_hostname | default(hostvars[host].ansible_facts.nodename) }}
{% endfor %}
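Review bot: The SAN loop at L146-148 puts every compute host's migration hostname into one certificate, and generate-libvirt.yml signs that CSR once and copies the same key to every host as both server and client identity, so a key extracted from any one hypervisor lets its holder impersonate every other hypervisor's libvirt endpoint and any migration client, and revoking it means regenerating and redistributing the whole fleet. That may be an acceptable trade-off for a convenience generator, but neither the commit message nor the release note says so; a header comment in the template would make it explicit, e.g. `# One certificate for all compute hosts: the SAN covers every host in groups['compute'], so the key is shared fleet-wide. Use per-host certificates where hypervisors are not mutually trusted.` If `groups['compute']` is empty the `[alt_names]` section renders with no entries; I have not confirmed how openssl treats an empty referenced section, so an `assert` on the group being non-empty before templating would give a clear failure instead of an opaque openssl error.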


@ -0,0 +1,10 @@
---
features:
- |
Adds support to the ``kolla-ansible certificates`` command for generating
certificates for libvirt TLS, when ``libvirt_tls`` is ``true``. The same
certificate and key are used for the libvirt client and server.
The certificates use the same root CA as the other generated certificates,
and are written to ``{{ node_custom_config }}/nova/nova-libvirt/``, ready
to be picked up by nova-libvirt and nova-compute.