diff --git a/deployment/nova/nova-libvirt-container-puppet.yaml b/deployment/nova/nova-libvirt-container-puppet.yaml
index e94e0876d7..dabbc367f3 100644
--- a/deployment/nova/nova-libvirt-container-puppet.yaml
+++ b/deployment/nova/nova-libvirt-container-puppet.yaml
@@ -105,15 +105,15 @@ parameters:
     description: Specifies the default CA cert to use if TLS is used for
                  services in the internal network.
   InternalTLSNbdCAFile:
-    default: '/etc/pki/qemu/ca-cert.pem'
+    default: '/etc/ipa/ca.crt'
     type: string
     description: Specifies the CA cert to use for NBD TLS.
   InternalTLSVncCAFile:
-    default: '/etc/pki/CA/certs/vnc.crt'
+    default: '/etc/ipa/ca.crt'
     type: string
     description: Specifies the CA cert to use for VNC TLS.
   InternalTLSQemuCAFile:
-    default: '/etc/pki/CA/certs/qemu.pem'
+    default: '/etc/ipa/ca.crt'
     type: string
     description: Specifies the CA cert to use for qemu.
   CertificateKeySize:
@@ -311,6 +311,8 @@ conditions:
       - {get_param: LibvirtVncCACert}
       - ''
 
+  libvirt_vnc_ca_non_default: {not: {equals: [{get_param: InternalTLSVncCAFile}, '/etc/ipa/ca.crt']}}
+
   memory_backing_dir_set:
     not:
       and:
@@ -340,6 +342,8 @@ conditions:
       - {get_param: QemuCACert}
       - ''
 
+  qemu_ca_non_default: {not: {equals: [{get_param: InternalTLSQemuCAFile}, '/etc/ipa/ca.crt']}}
+
   key_size_libvirt_override_unset: {equals: [{get_param: LibvirtCertificateKeySize}, '']}
   key_size_libvirtvnc_override_unset: {equals: [{get_param: LibvirtVNCServerCertificateKeySize}, '']}
   key_size_qemu_client_override_unset: {equals: [{get_param: QemuClientCertificateKeySize}, '']}
@@ -510,7 +514,7 @@ outputs:
                 qemu-server-cert:
                   cacertfile:
                     if:
-                      - qemu_specific_ca_unset
+                      - qemu_ca_non_default
                       - get_param: InternalTLSQemuCAFile
                       - null
                   service_certificate: '/etc/pki/qemu/server-cert.pem'
@@ -572,7 +576,7 @@ outputs:
                 libvirt-vnc-server-cert:
                   cacertfile:
                     if:
-                      - libvirt_vnc_specific_ca_unset
+                      - libvirt_vnc_ca_non_default
                       - get_param: InternalTLSVncCAFile
                       - null
                   service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
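Review bot: InternalTLSNbdCAFile's default moves to `/etc/ipa/ca.crt` in this hunk, but unlike the VNC and qemu parameters no matching `nbd` condition is added and no output hunk is changed for it. If the file hands InternalTLSNbdCAFile to a certmonger spec's `cacertfile` outside these hunks, that spec would now direct certmonger at the IPA system CA file, which is the write the commit sets out to avoid; if the NBD path only reads the file, nothing more is needed, but that cannot be seen from here and is worth confirming. The VNC and qemu descriptions could also state the new contract, e.g. `description: Specifies the CA cert to use for VNC TLS. Defaults to the IPA system CA file; certmonger only writes a CA file to this path when a non-default path is given.`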
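Review bot: The new `libvirt_vnc_ca_non_default` condition compares against the literal `'/etc/ipa/ca.crt'` rather than anything tied to the parameter default it mirrors, so the default at the top of the file and this literal must be kept in sync by hand; the same applies to `qemu_ca_non_default` in the -340 hunk and to the condition added in nova-vnc-proxy-container-puppet.yaml. Heat conditions cannot read a parameter's default, so the practical options are a comment above each condition, e.g. `# Must match the InternalTLSVncCAFile default above; the IPA system CA file is not written by certmonger.`, or comparing against InternalTLSCAFile with `{not: {equals: [{get_param: InternalTLSVncCAFile}, {get_param: InternalTLSCAFile}]}}` if "same file as the system CA" rather than "the IPA path" is the intended meaning. The two differ only when an operator overrides InternalTLSCAFile, so pick the one that matches the intent and say so in the comment.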
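Review bot: Replacing `qemu_specific_ca_unset` with `qemu_ca_non_default` in this `if` drops the QemuCACert check instead of combining it, so a deployment that supplies both QemuCACert and a non-default InternalTLSQemuCAFile now gets a `cacertfile` entry (presumably a certmonger write of the CA to that path) where it previously got `null`. The context lines in the -340 hunk look like the tail of the QemuCACert condition, so it still exists; if the old exclusion is still wanted, define the condition as `qemu_ca_non_default: {and: [qemu_specific_ca_unset, {not: {equals: [{get_param: InternalTLSQemuCAFile}, '/etc/ipa/ca.crt']}}]}` and do the same for libvirt-vnc-server-cert in the -572 hunk and libvirt-vnc-client-cert in nova-vnc-proxy-container-puppet.yaml. If the behaviour change for that combination is intended, a short comment on the condition saying so would stop the next reader from treating it as an oversight. The enclosing spec mapping starts and ends outside the hunk.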
diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
index 31be2be4c4..d502258dec 100644
--- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml
+++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
@@ -51,7 +51,7 @@ parameters:
                  enable TLS transaport for libvirt VNC and configure the
                  relevant keys for libvirt.
   InternalTLSVncProxyCAFile:
-    default: '/etc/pki/CA/certs/vnc.crt'
+    default: '/etc/ipa/ca.crt'
     type: string
     description: Specifies the CA cert to use for VNC TLS.
   CertificateKeySize:
@@ -122,6 +122,8 @@ conditions:
       - {get_param: LibvirtVncCACert}
       - ''
 
+  libvirt_vnc_ca_non_default: {not: {equals: [{get_param: InternalTLSVncProxyCAFile}, '/etc/ipa/ca.crt']}}
+
   proxy_ssl_ciphers_unset:
     equals:
       - {get_param: NovaVNCProxySSLCiphers}
@@ -228,7 +230,7 @@ outputs:
                 libvirt-vnc-client-cert:
                   cacertfile:
                     if:
-                      - libvirt_vnc_specific_ca_unset
+                      - libvirt_vnc_ca_non_default
                       - get_param: InternalTLSVncProxyCAFile
                       - null
                   service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
diff --git a/releasenotes/notes/nova_libvirt_default_ca_cert-d1a7acaa5cbc9293.yaml b/releasenotes/notes/nova_libvirt_default_ca_cert-d1a7acaa5cbc9293.yaml
new file mode 100644
index 0000000000..84a9c87b94
--- /dev/null
+++ b/releasenotes/notes/nova_libvirt_default_ca_cert-d1a7acaa5cbc9293.yaml
@@ -0,0 +1,13 @@
+---
+fixes:
+  - |
+    InternalTLSNbdCAFile, InternalTLSVncCAFile and InternalTLSQemuCAFile
+    do not point to the default IPA ca.crt file and instead are requested
+    to be loaded to component specific CA files (even if they are the same).
+    This can lead to a race where the CA cert is not being written by
+    certmonger in time.
+    Ib868465c20d97c62cbcb214bfc62d949bd6efc62 already changed the default to
+    use the IPA system cacert file '/etc/ipa/ca.crt' per default starting with
+    the wallaby release using the ansible role. This change backports to also
+    use the IPA system cacert file '/etc/ipa/ca.crt' to previous release when
+    managing the certs via puppet-tripleo.