Merge "Missing client certificate for live-migration with TLS" into stable/victoria
commit
486ad355b9
|
@ -238,6 +238,13 @@ parameters:
|
||||||
description: The password for the libvirt service when TLS is enabled
|
description: The password for the libvirt service when TLS is enabled
|
||||||
type: string
|
type: string
|
||||||
hidden: true
|
hidden: true
|
||||||
|
QemuDefaultTLSVerify:
|
||||||
|
description: >
|
||||||
|
Whether to enable or disable TLS client certificate verification. Enabling this
|
||||||
|
option will reject any client who does not have a certificate signed by the CA
|
||||||
|
in /etc/pki/qemu/ca-cert.pem
|
||||||
|
default: true
|
||||||
|
type: boolean
|
||||||
LibvirtLogFilters:
|
LibvirtLogFilters:
|
||||||
description: Defines a filter in libvirt daemon to select a different
|
description: Defines a filter in libvirt daemon to select a different
|
||||||
logging level for a given category log outputs, as specified
|
logging level for a given category log outputs, as specified
|
||||||
|
@ -440,6 +447,7 @@ outputs:
|
||||||
generate_service_certificates: true
|
generate_service_certificates: true
|
||||||
tripleo::profile::base::nova::migration::client::libvirt_tls: true
|
tripleo::profile::base::nova::migration::client::libvirt_tls: true
|
||||||
tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
|
tripleo::profile::base::nova::libvirt::tls_password: {get_param: [LibvirtTLSPassword]}
|
||||||
|
nova::compute::libvirt::qemu::default_tls_verify: {get_param: QemuDefaultTLSVerify}
|
||||||
nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
|
nova::compute::libvirt::tls_priority: {get_param: LibvirtTLSPriority}
|
||||||
nova::migration::libvirt::listen_address:
|
nova::migration::libvirt::listen_address:
|
||||||
str_replace:
|
str_replace:
|
||||||
|
@ -753,6 +761,8 @@ outputs:
|
||||||
- get_param: LibvirtNbdCACert
|
- get_param: LibvirtNbdCACert
|
||||||
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
|
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/server-cert.pem:ro
|
||||||
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
|
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/server-key.pem:ro
|
||||||
|
- /etc/pki/qemu/server-cert.pem:/etc/pki/qemu/client-cert.pem:ro
|
||||||
|
- /etc/pki/qemu/server-key.pem:/etc/pki/qemu/client-key.pem:ro
|
||||||
- null
|
- null
|
||||||
-
|
-
|
||||||
if:
|
if:
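Review bot: The two added volume entries in the third hunk bind-mount `/etc/pki/qemu/server-cert.pem` and `/etc/pki/qemu/server-key.pem` a second time as `client-cert.pem` and `client-key.pem`, so each compute host uses one key pair in both the server and the client role, and nothing in the template says this is intentional. With `QemuDefaultTLSVerify` defaulting to true, the description says a client is accepted whenever its certificate is signed by the CA in `/etc/pki/qemu/ca-cert.pem`, so the certificate requested for this service presumably has to be usable for client authentication as well; that request is outside the visible hunks. I would add a comment above the two mounts, for example `# QEMU is the TLS client during live migration; the host's server cert/key is reused as its client identity`. I would also extend the `QemuDefaultTLSVerify` description in the first hunk to say that setting it to false lets clients without a certificate connect. The enclosing volumes list starts and ends outside the hunk.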
|
||||||
|
|
|
@ -0,0 +1,9 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
`QemuDefaultTLSVerify` will allow operators to enable or disable TLS client
|
||||||
|
certificate verification. Enabling this option will reject any client
|
||||||
|
who does not have a certificate signed by the CA in
|
||||||
|
/etc/pki/qemu/ca-cert.pem.
|
||||||
|
The default is true and matches libvirt's. We will want to disable this
|
||||||
|
by default in train.
|