Merge "TLS-everywhere: Add resources for libvirt's cert for live migration"

2017-04-07 18:45:43 +00:00 · 2017-04-07 18:45:43 +00:00 · ffed067dbf
parent cad6c62fee 8b40d4670d
commit ffed067dbf
4 changed files with 192 additions and 0 deletions
--- a/manifests/certmonger/ca/libvirt.pp
+++ b/manifests/certmonger/ca/libvirt.pp
@ -0,0 +1,42 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ca::libvirt
+#
+# Sets the necessary file that will be used by both libvirt servers and
+# clients.
+#
+# === Parameters:
+#
+# [*origin_ca_pem*]
+#  (Optional) Path to the CA certificate that libvirt will use. This is not
+#  assumed automatically or uses the system CA bundle as is the case of other
+#  services because a limitation with the file sizes in GNU TLS, which libvirt
+#  uses as a TLS backend.
+#  Defaults to undef
+#
+class tripleo::certmonger::ca::libvirt(
+  $origin_ca_pem = undef
+){
+  if $origin_ca_pem {
+    $ensure_file = 'link'
+  } else {
+    $ensure_file = 'absent'
+  }
+  file { '/etc/pki/CA/cacert.pem':
+    ensure => $ensure_file,
+    mode   => '0644',
+    target => $origin_ca_pem,
+  }
+}
--- a/manifests/certmonger/libvirt.pp
+++ b/manifests/certmonger/libvirt.pp
@ -0,0 +1,78 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Resource: tripleo::certmonger::libvirt
+#
+# Request a certificate for libvirt and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*file_owner*]
+#   (Optional) The user which the certificate and key files belong to.
+#   Defaults to 'root'
+#
+# [*principal*]
+#   (Optional) The service principal that is set for the service in kerberos.
+#   Defaults to undef
+#
+define tripleo::certmonger::libvirt (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $principal     = undef,
+) {
+  include ::certmonger
+  include ::nova::params
+
+  $postsave_cmd  = "systemctl restart ${::nova::params::libvirt_service_name}"
+  certmonger_certificate { $name :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd,
+    ca           => $certmonger_ca,
+    wait         => true,
+    tag          => 'libvirt-cert',
+    require      => Class['::certmonger'],
+  }
+
+  # Just register the files in puppet's resource catalog. Certmonger should
+  # give the right permissions.
+  file { $service_certificate :
+    require => Certmonger_certificate[$name],
+  }
+  file { $service_key :
+    require => Certmonger_certificate[$name],
+  }
+
+  File[$service_certificate] ~> Service<| title == $::nova::params::libvirt_service_name |>
+  File[$service_key] ~> Service<| title == $::nova::params::libvirt_service_name |>
+}
--- a/manifests/certmonger/libvirt_dirs.pp
+++ b/manifests/certmonger/libvirt_dirs.pp
@ -0,0 +1,60 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::libvirt_dirs
+#
+# Creates the necessary directories for libvirt's certificates and keys in the
+# assigned locations if specified. It also assigns the correct SELinux tags.
+#
+# === Parameters:
+#
+# [*certificate_dir*]
+#   (Optional) Directory where libvirt's certificates will be stored. If left
+#   unspecified, it won't be created.
+#   Defaults to undef
+#
+# [*certificate_dir*]
+#   (Optional) Directory where libvirt's certificates will be stored.
+#   Defaults to undef
+#
+# [*key_dir*]
+#   (Optional) Directory where libvirt's keys will be stored.
+#   Defaults to undef
+#
+class tripleo::certmonger::libvirt_dirs(
+  $certificate_dir = undef,
+  $key_dir         = undef,
+){
+
+  if $certificate_dir {
+    file { $certificate_dir :
+      ensure  => 'directory',
+      selrole => 'object_r',
+      seltype => 'cert_t',
+      seluser => 'system_u',
+    }
+    File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
+  }
+
+  if $key_dir {
+    file { $key_dir :
+      ensure  => 'directory',
+      selrole => 'object_r',
+      seltype => 'cert_t',
+      seluser => 'system_u',
+    }
+    File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-cert' |>
+  }
+
+}
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@ -43,6 +43,11 @@
 #   it will create.
 #   Defaults to hiera('tripleo::profile::base::haproxy::certificate_specs', {}).
 #
+# [*libvirt_certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('libvirt_certificates_specs', {}).
+#
 # [*mysql_certificate_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
@ -56,12 +61,19 @@
 class tripleo::profile::base::certmonger_user (
  $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
  $haproxy_certificates_specs = hiera('tripleo::profile::base::haproxy::certificates_specs', {}),
+  $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
  $mysql_certificate_specs    = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
  $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
 ) {
+  include ::tripleo::certmonger::ca::libvirt
+
  unless empty($apache_certificates_specs) {
    ensure_resources('tripleo::certmonger::httpd', $apache_certificates_specs)
  }
+  unless empty($libvirt_certificates_specs) {
+    include ::tripleo::certmonger::libvirt_dirs
+    ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs)
+  }
  unless empty($haproxy_certificates_specs) {
    ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs)
    # The haproxy fronends (or listen resources) depend on the certificate