Merge "[victoria/ussuri/train] Change nbd, vnc and qemu default cacert file" into stable/ussuri

This commit is contained in:
Zuul 2021-06-22 00:16:39 +00:00 committed by Gerrit Code Review
commit 74efd5e616
3 changed files with 26 additions and 7 deletions


@ -105,15 +105,15 @@ parameters:
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
InternalTLSNbdCAFile:
default: '/etc/pki/qemu/ca-cert.pem'
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the CA cert to use for NBD TLS.
InternalTLSVncCAFile:
default: '/etc/pki/CA/certs/vnc.crt'
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
InternalTLSQemuCAFile:
default: '/etc/pki/CA/certs/qemu.pem'
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the CA cert to use for qemu.
CertificateKeySize:
@ -311,6 +311,8 @@ conditions:
- {get_param: LibvirtVncCACert}
- ''
libvirt_vnc_ca_non_default: {not: {equals: [{get_param: InternalTLSVncCAFile}, '/etc/ipa/ca.crt']}}
memory_backing_dir_set:
not:
and:
@ -340,6 +342,8 @@ conditions:
- {get_param: QemuCACert}
- ''
qemu_ca_non_default: {not: {equals: [{get_param: InternalTLSQemuCAFile}, '/etc/ipa/ca.crt']}}
key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
@ -510,7 +514,7 @@ outputs:
qemu-server-cert:
cacertfile:
if:
- qemu_specific_ca_unset
- qemu_ca_non_default
- get_param: InternalTLSQemuCAFile
- null
service_certificate: '/etc/pki/qemu/server-cert.pem'
@ -572,7 +576,7 @@ outputs:
libvirt-vnc-server-cert:
cacertfile:
if:
- libvirt_vnc_specific_ca_unset
- libvirt_vnc_ca_non_default
- get_param: InternalTLSVncCAFile
- null
service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
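Review bot: The `cacertfile` selector in the qemu-server-cert output (old `qemu_specific_ca_unset`, new `qemu_ca_non_default`) no longer consults QemuCACert, because the condition added in the earlier hunk compares only InternalTLSQemuCAFile with the literal '/etc/ipa/ca.crt'; the context above suggests the old condition checked QemuCACert for an empty value. An operator who supplies a custom CA via QemuCACert together with a non-default InternalTLSQemuCAFile now gets a certmonger request that writes the IPA CA to that path, where before the value stayed null, which presumably overwrites the operator-provided CA file; the libvirt-vnc-server-cert output below and libvirt-vnc-client-cert in the second file have the same shape. If both inputs are meant to be honoured, a combined named condition such as `qemu_ca_non_default_and_unset: {and: [qemu_specific_ca_unset, qemu_ca_non_default]}` referenced from the `if` keeps the old guard. The literal '/etc/ipa/ca.crt' is now repeated in the conditions and in three parameter defaults, so a later edit to one default silently disables the non-default check; a comment on each condition such as `# must match the default of InternalTLSQemuCAFile above` would make the coupling visible. Both `if` blocks sit inside output definitions that start outside the hunk.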


@ -51,7 +51,7 @@ parameters:
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSVncProxyCAFile:
default: '/etc/pki/CA/certs/vnc.crt'
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
CertificateKeySize:
@ -122,6 +122,8 @@ conditions:
- {get_param: LibvirtVncCACert}
- ''
libvirt_vnc_ca_non_default: {not: {equals: [{get_param: InternalTLSVncProxyCAFile}, '/etc/ipa/ca.crt']}}
allow_noauth:
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
equals: [{get_param: StackUpdateType}, 'UPGRADE']
@ -219,7 +221,7 @@ outputs:
libvirt-vnc-client-cert:
cacertfile:
if:
- libvirt_vnc_specific_ca_unset
- libvirt_vnc_ca_non_default
- get_param: InternalTLSVncProxyCAFile
- null
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'


@ -0,0 +1,13 @@
---
fixes:
- |
InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile
do not point to the default IPA ca.crt file and instead are requested
to be loaded to component specific CA files (even if they are the same).
This can lead to a race where the CA cert is not being written by
certmonger in time.
Ib868465c20d97c62cbcb214bfc62d949bd6efc62 already changed the default to
use the IPA system cacert file '/etc/ipa/ca.crt' per default starting with
the wallaby release using the ansible role. This change backports to also
use the IPA system cacert file '/etc/ipa/ca.crt' to previous release when
managing the certs via puppet-tripleo.