From ae9fc454e2a72b7e956f1e871a2750d4a148acb2 Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 21 Mar 2019 10:11:40 +0200
Subject: [PATCH] Enable configuration of ca_file and crl_file for nova live migration

These options are for libvirt's configuration file; and allow us to use custom paths for these parameters, instead of relying on the default ones.

Related-Bug: #1821139
Change-Id: I208bb53c2a270d770d114116fde3f062c0d66985
---
 manifests/migration/libvirt.pp | 24 +++++++++++++++++++
 ...irt-ca-file-crl-file-c6672aa3d12382cb.yaml | 8 +++++++
 spec/classes/nova_migration_libvirt_spec.rb | 12 ++++++++++
 3 files changed, 44 insertions(+)
 create mode 100644 releasenotes/notes/libvirt-ca-file-crl-file-c6672aa3d12382cb.yaml

diff --git a/manifests/migration/libvirt.pp b/manifests/migration/libvirt.pp
index 79eac27bc..d3b932e4b 100644
--- a/manifests/migration/libvirt.pp
+++ b/manifests/migration/libvirt.pp
@@ -77,6 +77,18 @@
 # See https://libvirt.org/guide/html/Application_Development_Guide-Architecture-Remote_URIs.html
 # Defaults to {}
 #
+# [*ca_file*]
+# (optional) Specifies the CA certificate that the TLS transport will use.
+# Note that this is only used if the TLS transport is enabled via the
+# "transport" option.
+# Defaults to undef
+#
+# [*crl_file*]
+# (optional) Specifies the CRL file that the TLS transport will use.
+# Note that this is only used if the TLS transport is enabled via the
+# "transport" option.
+# Defaults to undef
+#
 class nova::migration::libvirt(
 $transport = undef,
 $auth = 'none',
@@ -91,6 +103,8 @@ class nova::migration::libvirt(
 $client_user = undef,
 $client_port = undef,
 $client_extraparams = {},
+ $ca_file = undef,
+ $crl_file = undef,
 ){
 include ::nova::deps
 
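Review bot: The new `[*ca_file*]` / `[*crl_file*]` doc entries say "Defaults to undef" but not what undef means operationally; from the second hunk of this file it means no `ca_file`/`crl_file` key is written at all, so libvirtd's own built-in default path applies and any value already present in libvirtd.conf is left untouched. I would make the first line of each entry name the value as a path and spell that out, e.g. `#   (optional) Path to the CA certificate file the TLS transport uses. When undef nothing is written and libvirtd's default applies.`, with the same wording for the CRL entry. The `$ca_file`/`$crl_file` parameters added in the `-91,6 +103,8` hunk also accept any value; a note in the doc (or a path check, if the module already validates other file parameters) that an absolute path is expected would save a misconfiguration from being discovered only when libvirtd fails to start. The `class nova::migration::libvirt(` parameter list continues past the end of both hunks.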
@@ -195,6 +209,16 @@ class nova::migration::libvirt(
 libvirtd_config {
 'auth_tls': value => "\"${auth}\"";
 }
+ if $ca_file {
+ libvirtd_config {
+ 'ca_file': value => "\"${ca_file}\"";
+ }
+ }
+ if $crl_file {
+ libvirtd_config {
+ 'crl_file': value => "\"${crl_file}\"";
+ }
+ }
 } elsif $transport_real == 'tcp' {
 libvirtd_config {
 'auth_tcp': value => "\"${auth}\"";
diff --git a/releasenotes/notes/libvirt-ca-file-crl-file-c6672aa3d12382cb.yaml b/releasenotes/notes/libvirt-ca-file-crl-file-c6672aa3d12382cb.yaml
new file mode 100644
index 000000000..68081e513
--- /dev/null
+++ b/releasenotes/notes/libvirt-ca-file-crl-file-c6672aa3d12382cb.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ The ca_file is now configurable for the TLS transport in nova's live
+ migration options for libvirt.
+ - |
+ The crl_file is now configurable for the TLS transport in nova's live
+ migration options for libvirt.
diff --git a/spec/classes/nova_migration_libvirt_spec.rb b/spec/classes/nova_migration_libvirt_spec.rb
index b3c8f444d..69d80ced4 100644
--- a/spec/classes/nova_migration_libvirt_spec.rb
+++ b/spec/classes/nova_migration_libvirt_spec.rb
@@ -139,6 +139,18 @@ describe 'nova::migration::libvirt' do
 it { is_expected.not_to contain_libvirtd_config('auth_tcp') }
 end
 
+ context 'with certificates set and tls enabled' do
+ let :params do
+ {
+ :transport => 'tls',
+ :ca_file => '/ca',
+ :crl_file => '/crl',
+ }
+ end
+ it { is_expected.to contain_libvirtd_config('ca_file').with_value("\"/ca\"") }
+ it { is_expected.to contain_libvirtd_config('crl_file').with_value("\"/crl\"") }
+ end
+
 context 'with auth set to an invalid setting' do
 let :params do
 {
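Review bot: The new `if $ca_file { … }` and `if $crl_file { … }` blocks only ever add the key; when an operator later sets the parameter back to undef nothing is managed, so a `ca_file` or `crl_file` previously written to libvirtd.conf survives and libvirtd keeps trusting the old CA or checking a stale CRL, with no way back to its defaults through this class. If `libvirtd_config` supports `ensure => absent` like the other ini-backed types in the module (I cannot confirm that from this hunk), an `else` branch such as `libvirtd_config { 'ca_file': ensure => absent; }` for each key would make both settings managed in both directions. The interpolation into `"\"${ca_file}\""` is also unescaped, so a path containing a double quote would yield a malformed libvirtd.conf; a short comment or a path check at the parameter would make that limitation explicit. The branch these blocks sit in starts outside the hunk (presumably the `tls` transport case, given `auth_tls` above and the `elsif` on `tcp` below).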
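Review bot: The new `'with certificates set and tls enabled'` context only checks the positive case; nothing asserts that `ca_file` and `crl_file` stay out of libvirtd.conf when `transport` is `tcp` (or when the two parameters are left undef), which is the guarantee the parameter docs make and the manifest's guards inside the tls branch are meant to provide. A sibling context with `:transport => 'tcp'` and the same two paths, plus `it { is_expected.not_to contain_libvirtd_config('ca_file') }` and `it { is_expected.not_to contain_libvirtd_config('crl_file') }`, would pin that and mirrors the existing `not_to contain_libvirtd_config('auth_tcp')` expectation just above the hunk.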