From 3bcb347a5b6648445660414e17a261dc50b5fb46 Mon Sep 17 00:00:00 2001
From: okozachenko
Date: Wed, 16 Sep 2020 00:45:41 +0300
Subject: [PATCH] Realize libvirt SSL
Motivation: libvirt 127.0.0.1 listen is terrible for live migration. To resolve that, we can use 0.0.0.0 but it is not secure so tried to realize SSL. Once create secrets for cacert, client&server cert and keys then it will mounted on libvirt daemonset. It means all instances use the same key and cert. This is not ideal but can be considered as the first stage.
Change-Id: Ic3407e484039afaf98495e0f6028254c4c2a0a78
---
libvirt/Chart.yaml | 2 +-
libvirt/templates/daemonset-libvirt.yaml | 12 +
libvirt/values.yaml | 9 +-
libvirt/values_overrides/ssl.yaml | 7 +
.../openstack-support/051-libvirt-ssl.sh | 242 ++++++++++++++++++
zuul.d/jobs.yaml | 72 ++++++
zuul.d/project.yaml | 2 +
7 files changed, 344 insertions(+), 2 deletions(-)
create mode 100644 libvirt/values_overrides/ssl.yaml
create mode 100755 tools/deployment/openstack-support/051-libvirt-ssl.sh
diff --git a/libvirt/Chart.yaml b/libvirt/Chart.yaml
index 96be8aed7..e1d97928d 100644
--- a/libvirt/Chart.yaml
+++ b/libvirt/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm libvirt name: libvirt
-version: 0.1.1
+version: 0.1.2 home: https://libvirt.org sources: - https://libvirt.org/git/?p=libvirt.git;a=summary
diff --git a/libvirt/templates/daemonset-libvirt.yaml b/libvirt/templates/daemonset-libvirt.yaml
index 749420e06..ca9f633c4 100644
--- a/libvirt/templates/daemonset-libvirt.yaml
+++ b/libvirt/templates/daemonset-libvirt.yaml
@@ -17,6 +17,10 @@ limitations under the License. {{- $configMapName := index . 1 }} {{- $serviceAccountName := index . 2 }} {{- $envAll := index . 3 }}
+{{- $ssl_enabled := false }}
+{{- if eq $envAll.Values.conf.libvirt.listen_tls "1" }}
+{{- $ssl_enabled = true }}
+{{- end }} {{- with $envAll }} {{- $mounts_libvirt := .Values.pod.mounts.libvirt.libvirt }} 
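Review bot: `eq $envAll.Values.conf.libvirt.listen_tls "1"` compares a string literal against whatever type the value arrives as, and Go's `eq` aborts the whole render with "incompatible types for comparison" if an operator override supplies `listen_tls: 1` unquoted instead of the quoted `"1"` that values.yaml and values_overrides/ssl.yaml use. Coercing first keeps the template robust to that: `{{- if eq (toString $envAll.Values.conf.libvirt.listen_tls) "1" }}`. The four added lines could also collapse to a single assignment, `{{- $ssl_enabled := eq (toString $envAll.Values.conf.libvirt.listen_tls) "1" }}`, which reads the same and avoids the `:=`/`=` reassignment pair. The enclosing `define` block starts before this hunk.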
@@ -153,6 +157,10 @@ spec: - |- kill $(cat /var/run/libvirtd.pid) volumeMounts:
+ {{ dict "enabled" $ssl_enabled "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ dict "enabled" $ssl_enabled "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ dict "enabled" $ssl_enabled "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+ {{ dict "enabled" $ssl_enabled "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} - name: pod-tmp mountPath: /tmp - name: libvirt-bin
@@ -214,6 +222,10 @@ spec: {{- end }} {{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }} volumes:
+ {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.client "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+ {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }} - name: pod-tmp emptyDir: {} - name: libvirt-bin 
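Review bot: The `ssl-client` mount in this hunk places `clientkey.pem` directly under `/etc/pki/libvirt`, whereas libvirt's default client key location is `/etc/pki/libvirt/private/clientkey.pem` (the client cert default, `/etc/pki/libvirt/clientcert.pem`, is matched correctly), so a libvirt client in this container will not find its key unless it is explicitly configured to the non-default path; the matching `ssl-client` volume in the next hunk (`@@ -214,6 +222,10 @@`) carries the same path. Splitting the client pair the way the hunk already splits the server pair — a cert mount at `/etc/pki/libvirt` and a separate key mount at `/etc/pki/libvirt/private` — would line up with libvirt's defaults. Separately, `serverkey.pem` and `clientkey.pem` land in the container with whatever file mode `helm-toolkit.snippets.tls_volume` applies; if that snippet does not set a restrictive `defaultMode`, the keys are readable by any process in the container, which is worth confirming given the commit message says one key is shared by every node. The container spec this sits in starts before the hunk.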
diff --git a/libvirt/values.yaml b/libvirt/values.yaml
index f4564c8c4..39e1b7a22 100644
--- a/libvirt/values.yaml
+++ b/libvirt/values.yaml
@@ -87,7 +87,9 @@ conf: listen_tcp: "1" listen_tls: "0" auth_tcp: "none"
- ca_file: ""
+ ca_file: "/etc/pki/CA/cacert.pem"
+ cert_file: "/etc/pki/libvirt/servercert.pem"
+ key_file: "/etc/pki/libvirt/private/serverkey.pem" listen_addr: 127.0.0.1 log_level: "3" log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
@@ -195,4 +197,9 @@ manifests: daemonset_libvirt: true job_image_repo_sync: true network_policy: false
+
+secrets:
+ tls:
+ server: libvirt-tls-server
+ client: libvirt-tls-client ...
diff --git a/libvirt/values_overrides/ssl.yaml b/libvirt/values_overrides/ssl.yaml
new file mode 100644
index 000000000..1cebd56f4
--- /dev/null
+++ b/libvirt/values_overrides/ssl.yaml
@@ -0,0 +1,7 @@
+---
+conf:
+ libvirt:
+ listen_tcp: "0"
+ listen_tls: "1"
+ listen_addr: 0.0.0.0
+...
diff --git a/tools/deployment/openstack-support/051-libvirt-ssl.sh b/tools/deployment/openstack-support/051-libvirt-ssl.sh
new file mode 100755
index 000000000..a7234209f
--- /dev/null
+++ b/tools/deployment/openstack-support/051-libvirt-ssl.sh
@@ -0,0 +1,242 @@
+#!/bin/bash
+
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+set -xe
+
+: ${OSH_INFRA_EXTRA_HELM_ARGS_LIBVIRT:="$(./tools/deployment/common/get-values-overrides.sh libvirt)"}
+
+# NOTE(Alex): Use static certs and key for test
+cat <
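Review bot: The new `secrets.tls.server` / `secrets.tls.client` entries in the second values.yaml hunk (`@@ -195,4 +197,9 @@`) are bare names of Secrets the chart does not create, and nothing in the chart says which keys those Secrets must carry; from the daemonset template the server Secret is expected to hold `servercert.pem`, `serverkey.pem` and `cacert.pem`, and the client Secret `clientcert.pem` and `clientkey.pem`, and a mismatch only surfaces when the pod starts. A comment above the stanza such as `# TLS Secrets are created outside this chart (see tools/deployment/openstack-support/051-libvirt-ssl.sh).` followed by `# server: servercert.pem, serverkey.pem, cacert.pem; client: clientcert.pem, clientkey.pem` would make that contract visible to operators. In the first hunk (`@@ -87,7 +87,9 @@`), `ca_file`, `cert_file` and `key_file` now carry real paths while `listen_tls` stays `"0"`, so a one-line comment that they only take effect with `listen_tls: "1"` (as set in values_overrides/ssl.yaml) would avoid the impression that TLS is on by default.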
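Review bot: `listen_addr: 0.0.0.0` together with `listen_tls: "1"` in values_overrides/ssl.yaml exposes libvirtd's TLS listener (port 16514 by default) on every address the pod can bind, and the chart's `network_policy` default visible in values.yaml is `false`, so nothing in this override limits which peers can reach the listener beyond the certificate check itself. Since the commit message states that every node shares one client certificate, that check cannot distinguish one compute node from another, so the override should say what it relies on, e.g. `# Binds the TLS listener on all addresses; reachability must be limited by network_policy or a host firewall.` Keeping `listen_tcp: "0"` here is the right call, as re-enabling the plaintext listener alongside TLS would undo the point of the override.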