Add support for native TLS encryption on NBD for disk migration

The NBD protocol previously runs in clear text, offering no security
protection for the data transferred, unless it is tunnelled over some
external transport like SSH. Such tunnelling is inefficient and
inconvenient to manage. Support for TLS to the NBD clients & servers
provided by QEMU was added. In tls-everywhere use case we want to
take advantage of this feature to create the certificates and configure
qemu to use nbd tls.

Closes-Bug: 1793093
Depends-On: Ifa5cf08d5104a62c9c094e3585de33e19e265110
Depends-On: I1db1b60be4907511f0ec0f5aa0f0a45e1c5d9b45
Depends-On: I347881cf4822583179c0c042c42fa1e33dbcedd2
Change-Id: I7d9df304d75bdbe36ecdfe50e5ce6b42a53063cc

docker/services/nova-libvirt.yaml

@@ -85,11 +85,21 @@ parameters:
     description: If set to true and if EnableInternalTLS is enabled, it will
                  enable TLS transaport for libvirt VNC and configure the
                  relevant keys for libvirt.
+  UseTLSTransportForNbd:
+    type: boolean
+    default: true
+    description: If set to true and if EnableInternalTLS is enabled, it will
+                 enable TLS transaport for libvirt NBD and configure the
+                 relevant keys for libvirt.
   InternalTLSCAFile:
     default: '/etc/ipa/ca.crt'
     type: string
     description: Specifies the default CA cert to use if TLS is used for
                  services in the internal network.
+  InternalTLSNbdCAFile:
+    default: '/etc/pki/qemu/ca-cert.pem'
+    type: string
+    description: Specifies the CA cert to use for NBD TLS.
   InternalTLSVncCAFile:
     default: '/etc/pki/CA/certs/vnc.crt'
     type: string
@@ -116,6 +126,16 @@ parameters:
                  the InternalTLSVncCAFile parameter) is not desired. The current
                  default reflects TripleO's default CA, which is FreeIPA.
                  It will only be used if internal TLS is enabled.
+  LibvirtNbdCACert:
+    type: string
+    default: ''
+    description: This specifies the CA certificate to use for NBD TLS.
+                 This file will be symlinked to the default CA path,
+                 which is /etc/pki/libvirt-nbd/ca-cert.pem.
+                 This parameter should be used if the default (which comes from
+                 the InternalTLSNbdCAFile parameter) is not desired. The current
+                 default reflects TripleO's default CA, which is FreeIPA.
+                 It will only be used if internal TLS is enabled.
   VhostuserSocketGroup:
     default: "qemu"
     description: >
@@ -186,6 +206,20 @@ conditions:
       - {get_param: QemuMemoryBackingDir}
       - ''
 
+  use_tls_for_nbd:
+    and:
+    - equals:
+      - {get_param: EnableInternalTLS}
+      - true
+    - equals:
+      - {get_param: UseTLSTransportForNbd}
+      - true
+
+  libvirt_nbd_specific_ca_unset:
+    equals:
+      - {get_param: LibvirtNbdCACert}
+      - ''
+
   docker_enabled:
     equals:
       - {get_param: ContainerCli}
@@ -277,6 +311,14 @@ outputs:
                     merge: true
                     preserve_properties: true
                 - null
+              - if:
+                - use_tls_for_nbd
+                -
+                  - source: /var/lib/kolla/config_files/src-libvirt-nbd-pki/client-*.pem
+                    dest: /etc/pki/libvirt-nbd/
+                    merge: true
+                    preserve_properties: true
+                - null
           permissions:
             list_concat:
               -
@@ -295,6 +337,19 @@ outputs:
                     owner: root:qemu
                     perm: '0640'
                 - null
+              - if:
+                - use_tls_for_nbd
+                -
+                  - path: /etc/pki/libvirt-nbd/client-key.pem
+                    owner: root:qemu
+                    perm: '0640'
+                  - path: /etc/pki/qemu/server-key.pem
+                    owner: root:qemu
+                    perm: '0640'
+                  - path: /etc/pki/qemu/ca-cert.pem
+                    owner: root:root
+                    perm: '0644'
+                - null
         /var/lib/kolla/config_files/nova_virtlogd.json:
           command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
           config_files:
@@ -403,6 +458,22 @@ outputs:
                           params:
                             MEMORY_BACKING_DIR: {get_attr: [RoleParametersValue, value, memory_backing_dir]}
                     - null
+                -
+                  if:
+                    - use_tls_for_nbd
+                    -
+                      - str_replace:
+                          template: "CACERT:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/ca-cert.pem:ro"
+                          params:
+                            CACERT:
+                              if:
+                                - libvirt_nbd_specific_ca_unset
+                                - get_param: InternalTLSNbdCAFile
+                                - get_param: LibvirtNbdCACert
+                      - /etc/pki/qemu/server-cert.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-cert.pem:ro
+                      - /etc/pki/qemu/server-key.pem:/var/lib/kolla/config_files/src-tls/etc/pki/qemu/server-key.pem:ro
+                      - /etc/pki/libvirt-nbd:/var/lib/kolla/config_files/src-libvirt-nbd-pki:ro
+                    - null
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
         step_4:

puppet/services/certmonger-user.yaml

@@ -48,6 +48,9 @@ parameters:
   CertmongerVncCA:
     type: string
     default: 'IPA'
+  CertmongerQemuCA:
+    type: string
+    default: 'IPA'
 
 conditions:
 
@@ -64,6 +67,7 @@ outputs:
           - tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
             certmonger_ca: {get_param: CertmongerCA}
             certmonger_ca_vnc: {get_param: CertmongerVncCA}
+            certmonger_ca_qemu: {get_param: CertmongerQemuCA}
           - {}
       step_config: |
         include ::tripleo::profile::base::certmonger_user

puppet/services/nova-libvirt.yaml

@@ -82,6 +82,12 @@ parameters:
     description: If set to true and if EnableInternalTLS is enabled, it will
                  enable TLS transaport for libvirt VNC and configure the
                  relevant keys for libvirt.
+  UseTLSTransportForNbd:
+    type: boolean
+    default: true
+    description: If set to true and if EnableInternalTLS is enabled, it will
+                 enable TLS transaport for libvirt NBD and configure the
+                 relevant keys for libvirt.
   InternalTLSCAFile:
     default: '/etc/ipa/ca.crt'
     type: string
@@ -91,6 +97,10 @@ parameters:
     default: '/etc/pki/CA/certs/vnc.crt'
     type: string
     description: Specifies the CA cert to use for VNC TLS.
+  InternalTLSQemuCAFile:
+    default: '/etc/pki/CA/certs/qemu.pem'
+    type: string
+    description: Specifies the CA cert to use for qemu.
   LibvirtCACert:
     type: string
     default: ''
@@ -113,6 +123,16 @@ parameters:
                  the InternalTLSVncCAFile parameter) is not desired. The current
                  default reflects TripleO's default CA, which is FreeIPA.
                  It will only be used if internal TLS is enabled.
+  QemuCACert:
+    type: string
+    default: ''
+    description: This specifies the CA certificate to use for qemu.
+                 This file will be symlinked to the default CA path,
+                 which is /etc/pki/qemu/ca-cert.pem.
+                 This parameter should be used if the default (which comes from
+                 the InternalTLSQemuCAFile parameter) is not desired. The current
+                 default reflects TripleO's default CA, which is FreeIPA.
+                 It will only be used if internal TLS is enabled.
   MigrationSshKey:
     type: json
     description: >
@@ -169,6 +189,19 @@ conditions:
       - {get_param: LibvirtVncCACert}
       - ''
 
+  use_tls_for_nbd:
+    and:
+    - equals:
+      - {get_param: EnableInternalTLS}
+      - true
+    - equals:
+      - {get_param: UseTLSTransportForNbd}
+      - true
+
+  qemu_specific_ca_unset:
+    equals:
+      - {get_param: QemuCACert}
+      - ''
 
 resources:
   NovaBase:
@@ -342,6 +375,58 @@ outputs:
                         params:
                           NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
               - {}
+          -
+            if:
+              - use_tls_for_nbd
+              -
+                nova::compute::libvirt::qemu::nbd_tls: true
+                nova::migration::libvirt::live_migration_with_native_tls: true
+                tripleo::certmonger::qemu_dirs::certificate_dir: '/etc/pki/qemu'
+                tripleo::certmonger::qemu_nbd_dirs::certificate_dir: '/etc/pki/libvirt-nbd'
+                generate_service_certificates: true
+                tripleo::certmonger::ca::qemu::origin_ca_pem:
+                  if:
+                    - qemu_specific_ca_unset
+                    - get_param: InternalTLSQemuCAFile
+                    - get_param: QemuCACert
+                qemu_certificates_specs:
+                  qemu-server-cert:
+                    cacertfile:
+                      if:
+                        - qemu_specific_ca_unset
+                        - get_param: InternalTLSQemuCAFile
+                        - null
+                    service_certificate: '/etc/pki/qemu/server-cert.pem'
+                    service_key: '/etc/pki/qemu/server-key.pem'
+                    hostname:
+                      str_replace:
+                        template: "%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    principal:
+                      str_replace:
+                        template: "qemu/%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                  qemu-nbd-client-cert:
+                    cacertfile:
+                      if:
+                        - qemu_specific_ca_unset
+                        - get_param: InternalTLSQemuCAFile
+                        - null
+                    service_certificate: '/etc/pki/libvirt-nbd/client-cert.pem'
+                    service_key: '/etc/pki/libvirt-nbd/client-key.pem'
+                    hostname:
+                      str_replace:
+                        template: "%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    principal:
+                      str_replace:
+                        template: "qemu/%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+              - {}
       step_config: |
         include tripleo::profile::base::nova::libvirt
       metadata_settings:
@@ -360,3 +445,10 @@ outputs:
                 network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
                 type: node
             - null
+          - if:
+            - use_tls_for_nbd
+            -
+              - service: qemu
+                network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                type: node
+            - null

releasenotes/notes/nova_qemu_native_tls_encryption_on_nbd_for_disk_migration-2e16003c4764a399.yaml

@@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Add support for native TLS encryption on NBD for disk migration
+
+    The NBD protocol previously runs in clear text, offering no security
+    protection for the data transferred, unless it is tunnelled over some
+    external transport like SSH. Such tunnelling is inefficient and
+    inconvenient to manage. Support for TLS to the NBD clients & servers
+    provided by QEMU was added. In tls-everywhere use case we want to
+    take advantage of this feature to create the certificates and configure
+    qemu to use nbd tls.