tripleo-heat-templates/releasenotes/notes/nova_libvirt_ssl_cert_simplification-dbee541be9f55ce5.yaml
Martin Schuppert d20f295f3a Simplify libvirt/qemu ssl certificates
On the compute nodes, right now ssl certificates got created for
libvirt, qemu-default, qemu-vnc and qemu-nbd. This is not required
because the all services use the same NovaLibvirtNetwork network and
therefore multiple certificates for the same hostname get created.
Also from qemu point of view, if default_tls_x509_cert_dir and
default_tls_x509_verify parameters get set for all certificates, there
is no need to specify any of the other *_tls* config options. From [1]

The intention (of libvirt) is that you can just use the
default_tls_x509_* config attributes so that you don’t need to set any
other *_tls* parameters, unless_ you need different certificates for
some services. The rationale for that is that some services (e.g.
migration / NBD) are only exposed to internal infrastructure; while
some sevices (VNC, Spice) might be exposed publically, so might need
different certificates. For OpenStack this does not matter, though,
we will stick with the defaults.

Therefore with this change InternalTLSNbdCAFile, InternalTLSVncCAFile
and InternalTLSQemuCAFile get removed (which defaulted to
/etc/ipa/ca.crt anyways) and just use InternalTLSCAFile.

Also all cerfificates get created when EnableInternalTLS is true to
and mount all SSL certificates from the host. This is to prevent
certificate information is not available in a qemu's process container
environment if features get switched later, which has shown to be
problematic.

[1] https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html

Change-Id: Ie2c78fc3a07be1cd22cb6cac240047b5d2b9cd0a
2021-06-15 08:58:39 +02:00

31 lines
1.7 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
fixes:
- |
On the compute nodes, right now ssl certificates got created for
libvirt, qemu-default, qemu-vnc and qemu-nbd. This is not required
because the all services use the same NovaLibvirtNetwork network and
therefore multiple certificates for the same hostname get created.
Also from qemu point of view, if default_tls_x509_cert_dir and
default_tls_x509_verify parameters get set for all certificates, there
is no need to specify any of the other `*_tls*` config options. From
`Secure live migration with QEMU-native TLS <https://docs.openstack.org/nova/latest/admin/secure-live-migration-with-qemu-native-tls.html>`_
The intention (of libvirt) is that you can just use the
default_tls_x509_* config attributes so that you dont need to set any
other `*_tls*` parameters, unless you need different certificates for
some services. The rationale for that is that some services (e.g.
migration / NBD) are only exposed to internal infrastructure; while
some sevices (VNC, Spice) might be exposed publically, so might need
different certificates. For OpenStack this does not matter, though,
we will stick with the defaults.
Therefore with this change InternalTLSNbdCAFile, InternalTLSVncCAFile
and InternalTLSQemuCAFile get removed (which defaulted to
/etc/ipa/ca.crt anyways) and just use InternalTLSCAFile.
Also all cerfificates get created when EnableInternalTLS is true to
and mount all SSL certificates from the host. This is to prevent
certificate information is not available in a qemu's process container
environment if features get switched later, which has shown to be
problematic.