
Merge "Missing client certificate for live-migration with TLS"

changes/99/773999/4
Zuul 2 weeks ago
committed by Gerrit Code Review
parent commit 2b8479d319
2 changed files with 19 additions and 0 deletions
  1. +10 -0 deployment/nova/nova-libvirt-container-puppet.yaml
  2. +9 -0 releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml

+10 -0 deployment/nova/nova-libvirt-container-puppet.yaml

@ -246,6 +246,13 @@ parameters:
description: The password for the libvirt service when TLS is enabled
type: string
hidden: true
QemuDefaultTLSVerify:
description: >
Whether to enable or disable TLS client certificate verification. Enabling this
option will reject any client who does not have a certificate signed by the CA
in /etc/pki/qemu/ca-cert.pem
default: true
type: boolean
LibvirtLogFilters:
description: Defines a filter in libvirt daemon to select a different
logging level for a given category log outputs, as specified
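Review bot: The description of QemuDefaultTLSVerify only says what enabling it does; it should also spell out what setting it to false means, namely that any client able to reach the QEMU TLS listener is accepted without presenting a certificate signed by the CA in /etc/pki/qemu/ca-cert.pem, so the option reads as a security trade-off rather than a neutral toggle. Suggest appending a sentence along the lines of "Disabling it removes client authentication for QEMU TLS connections; keep it enabled unless clients cannot be issued certificates." The default: true here also disagrees with the release note's stated intent to disable verification by default, which is worth settling before merge.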
@ -452,6 +459,7 @@ outputs:
-
tripleo::profile::base::nova::migration::client::libvirt_tls: true
tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
nova::migration::libvirt::listen_address:
str_replace:
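Review bot: nova::compute::libvirt::qemu::default_tls_verify is set only in this output branch, next to libvirt_tls: true, so QemuDefaultTLSVerify has no effect unless libvirt TLS is enabled. The parameter description in the parameters section should say that the option only applies when libvirt TLS is enabled; otherwise an operator who sets it to false on a non-TLS deployment will assume it took effect.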
@ -662,6 +670,8 @@ outputs:
- get_param: LibvirtNbdCACert
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/client-key.pem:ro
- null
-
if:
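Review bot: The two added mounts reuse the server certificate and key as the client credential (/etc/pki/qemu/server-cert.pem mounted at /etc/pki/qemu/client-cert.pem, and likewise server-key.pem as client-key.pem) without a comment explaining the reuse. Two consequences should be recorded in the template and in the release note: first, QEMU checks the key purpose extension when a certificate carries one, so the server certificate must include TLS client authentication in addition to server authentication or it will be rejected as a client credential once QemuDefaultTLSVerify is true; second, one key now serves both roles on every compute host, so a host's migration-client identity cannot be rotated or revoked separately from its server identity. If separate client certificates cannot be issued, add a comment above these lines stating that the reuse is deliberate and which key usages the certificate must carry.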


+9 -0 releasenotes/notes/introducing-qemutlsverify-af590e0243fe6b08.yaml

@ -0,0 +1,9 @@
---
features:
- |
`QemuDefaultTLSVerify` will allow operators to enable or disable TLS client
certificate verification. Enabling this option will reject any client
who does not have a certificate signed by the CA in
/etc/pki/qemu/ca-cert.pem.
The default is true and matches libvirt's. We will want to disable this
by default in train.
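Review bot: The last two sentences of this note are a plan rather than a feature description; "We will want to disable this by default in train" tells operators that the default will change to no client verification in a later release without saying why, and the release name should be capitalised as Train. Either drop that sentence or move it to an upgrade or deprecation section that states the consequence (QEMU TLS connections accepted from clients without a CA-signed certificate) so operators know to pin QemuDefaultTLSVerify: true explicitly.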
