puppet-tripleo/manifests/certmonger/qemu_nbd_dirs.pp
Martin Schuppert 62861db22d Add support for native TLS encryption on NBD for disk migration
The NBD protocol previously ran in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS to the NBD clients & servers
provided by QEMU was added. In the tls-everywhere use case we want to
take advantage of this feature to create the certificates and configure
qemu to use NBD TLS.

Related-bug: 1793093
Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
Change-Id: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45
2018-12-05 11:31:43 +01:00


# Copyright 2017 Red Hat, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#
# == Class: tripleo::certmonger::qemu_nbd_dirs
#
# Creates the necessary directories for qemu nbd client certificates and keys
# in the assigned locations if specified. It also assigns the correct SELinux
# tags.
#
# === Parameters:
#
# [*certificate_dir*]
# (Optional) Directory where qemu-nbd's client certificates will be stored.
# If left unspecified, it won't be created.
# Defaults to undef
#
class tripleo::certmonger::qemu_nbd_dirs(
  $certificate_dir = undef,
){
  if $certificate_dir {
    # Create the directory with the SELinux context expected for
    # certificate material, so certmonger and qemu can read it.
    file { $certificate_dir :
      ensure  => 'directory',
      selrole => 'object_r',
      seltype => 'cert_t',
      seluser => 'system_u',
    }
    # Any certmonger_certificate tagged 'qemu-cert' is ordered after
    # (and refreshed by) the directory resource.
    File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-cert' |>
  }
}
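As an added usage example (not part of the original commit or of puppet-tripleo), the manifest below declares the class and a certmonger request tagged `qemu-cert`, which is what the collector in the class picks up so the directory (with its `cert_t` label) exists before certmonger writes the key and certificate into it. The directory path, the CA name, the `certmonger_certificate` parameters and the `--noop` check are assumptions, not values from the page.

```puppet
# Added example; the paths and CA name are constructed for illustration.
$nbd_cert_dir = '/etc/pki/qemu-nbd-example'

class { 'tripleo::certmonger::qemu_nbd_dirs':
  certificate_dir => $nbd_cert_dir,
}

# certmonger_certificate is provided by the puppet-certmonger module;
# the parameters below are the ones that module documents (assumed here).
certmonger_certificate { 'qemu-nbd-client-example':
  ensure       => 'present',
  ca           => 'IPA',
  hostname     => $facts['networking']['fqdn'],
  dnsname      => $facts['networking']['fqdn'],
  principal    => "qemu-nbd/${facts['networking']['fqdn']}",
  certfile     => "${nbd_cert_dir}/client-cert.pem",
  keyfile      => "${nbd_cert_dir}/client-key.pem",
  # Reload the consumer after renewal so it picks up the new key pair.
  postsave_cmd => 'systemctl reload libvirtd',
  wait         => true,
  # The tag is what File[$certificate_dir] ~> Certmonger_certificate<| tag == 'qemu-cert' |> matches.
  tag          => 'qemu-cert',
}
```

Running `puppet apply --noop` on this manifest shows the `File[/etc/pki/qemu-nbd-example]` resource ordered before the certificate request; after a real run, `ls -Zd /etc/pki/qemu-nbd-example` should report the `system_u:object_r:cert_t` context the class sets.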