Realize libvirt SSL

Motivation: libvirt 127.0.0.1 listen is terrible for live migration.
To resolve that, we can use 0.0.0.0 but it is not secure so tried
to realize SSL.
Once create secrets for cacert, client&server cert and keys then it will
 mounted on libvirt daemonset.
It means all instances use the same key and cert. This is not ideal
 but can be considered as the first stage.

Change-Id: Ic3407e484039afaf98495e0f6028254c4c2a0a78

libvirt/Chart.yaml

@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm libvirt
 name: libvirt
-version: 0.1.1
+version: 0.1.2
 home: https://libvirt.org
 sources:
   - https://libvirt.org/git/?p=libvirt.git;a=summary

libvirt/templates/daemonset-libvirt.yaml

@@ -17,6 +17,10 @@ limitations under the License.
 {{- $configMapName := index . 1 }}
 {{- $serviceAccountName := index . 2 }}
 {{- $envAll := index . 3 }}
+{{- $ssl_enabled := false }}
+{{- if eq $envAll.Values.conf.libvirt.listen_tls "1" }}
+{{- $ssl_enabled = true }}
+{{- end }}
 {{- with $envAll }}
 
 {{- $mounts_libvirt := .Values.pod.mounts.libvirt.libvirt }}
@@ -153,6 +157,10 @@ spec:
                   - |-
                     kill $(cat /var/run/libvirtd.pid)
           volumeMounts:
+            {{ dict "enabled" $ssl_enabled "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
             - name: pod-tmp
               mountPath: /tmp
             - name: libvirt-bin
@@ -214,6 +222,10 @@ spec:
             {{- end }}
 {{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
       volumes:
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.client "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
         - name: pod-tmp
           emptyDir: {}
         - name: libvirt-bin

libvirt/values.yaml

@@ -87,7 +87,9 @@ conf:
     listen_tcp: "1"
     listen_tls: "0"
     auth_tcp: "none"
-    ca_file: ""
+    ca_file: "/etc/pki/CA/cacert.pem"
+    cert_file: "/etc/pki/libvirt/servercert.pem"
+    key_file: "/etc/pki/libvirt/private/serverkey.pem"
     listen_addr: 127.0.0.1
     log_level: "3"
     log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
@@ -195,4 +197,9 @@ manifests:
   daemonset_libvirt: true
   job_image_repo_sync: true
   network_policy: false
+
+secrets:
+  tls:
+    server: libvirt-tls-server
+    client: libvirt-tls-client
 ...

libvirt/values_overrides/ssl.yaml

@@ -0,0 +1,7 @@
+---
+conf:
+  libvirt:
+    listen_tcp: "0"
+    listen_tls: "1"
+    listen_addr: 0.0.0.0
+...