openstack/tripleo-heat-templates
Code Issues Proposed changes

TLS-everywhere: Enable for TLS libvirt live migration

Browse Source 
This relies on using the default paths for certs/keys used by libvirt
and is only enabled if TLS-everywhere is enabled.

bp tls-via-certmonger
Depends-On: If18206d89460f6660a81aabc4ff8b97f1f99bba7
Depends-On: I0a1684397ebefaa8dc00237e0b7952e9296381fa
Change-Id: I0538bbdd54fd0b82518585f4f270b4be684f0ec4
This commit is contained in:
Juan Antonio Osorio Robles 2017-03-28 14:23:48 +03:00
parent 487dbe3107
commit fa740c5e49
2 changed files with 88 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
puppet/services/nova-libvirt.yaml
View File

@ -32,6 +32,36 @@ parameters:
MonitoringSubscriptionNovaLibvirt: MonitoringSubscriptionNovaLibvirt:
default: 'overcloud-nova-libvirt' default: 'overcloud-nova-libvirt'
type: string type: string
EnableInternalTLS:
type: boolean
default: false
UseTLSTransportForLiveMigration:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt.
LibvirtCACert:
type: string
default: '/etc/ipa/ca.crt'
description: This specifies the CA certificate to use for TLS in libvirt.
This file will be symlinked to the default CA path in libvirt,
which is /etc/pki/CA/cacert.pem. Note that due to limitations
GNU TLS, which is the TLS backend for libvirt, the file must
be less than 65K (so we can't use the system's CA bundle). The
current default reflects TripleO's default CA, which is
FreeIPA. It will only be used if internal TLS is enabled.
conditions:
use_tls_for_live_migration:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForLiveMigration}
- true
resources: resources:
NovaBase: NovaBase:
@ -71,5 +101,57 @@ outputs:
- '49152-49215' - '49152-49215'
- '5900-5999' - '5900-5999'
-
if:
- use_tls_for_live_migration
-
generate_service_certificates: true
tripleo::profile::base::nova::libvirt_tls: true
nova::migration::libvirt::live_migration_inbound_addr:
str_replace:
template:
"%{hiera('fqdn_$NETWORK')}"
params:
$NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
tripleo::certmonger::ca::libvirt::origin_ca_pem:
get_param: LibvirtCACert
tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
libvirt_certificates_specs:
libvirt-server-cert:
service_certificate: '/etc/pki/libvirt/servercert.pem'
service_key: '/etc/pki/libvirt/private/serverkey.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
libvirt-client-cert:
service_certificate: '/etc/pki/libvirt/clientcert.pem'
service_key: '/etc/pki/libvirt/private/clientkey.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {}
step_config: | step_config: |
include tripleo::profile::base::nova::libvirt include tripleo::profile::base::nova::libvirt
metadata_settings:
if:
- use_tls_for_live_migration
-
- service: libvirt
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null

6
releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml Normal file
View File

@ -0,0 +1,6 @@
---
features:
- |
If TLS in the internal network is enabled, libvirt's transport defaults to
using TLS. This can be changed by setting the ``UseTLSTransportForLiveMigration``
parameter, which is ``true`` by default.