Merge "certificates: generate libvirt TLS certificates"

2022-02-03 19:11:03 +00:00 · 2022-02-03 19:11:03 +00:00 · 0488566e82
commit 0488566e82
parent 881b0aa972 33e93ab323
6 changed files with 122 additions and 1 deletions
--- a/ansible/certificates.yml
+++ b/ansible/certificates.yml
@ -2,7 +2,8 @@
 - import_playbook: gather-facts.yml
  when: >-
    kolla_enable_tls_backend | default(false) | bool or
-    rabbitmq_enable_tls | default(false) | bool
+    rabbitmq_enable_tls | default(false) | bool or
+    certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool

 - name: Apply role certificates
  hosts: localhost
--- a/ansible/roles/certificates/defaults/main.yml
+++ b/ansible/roles/certificates/defaults/main.yml
@ -3,3 +3,9 @@ root_dir: "{{ kolla_certificates_dir }}/private/root"
 external_dir: "{{ kolla_certificates_dir }}/private/external"
 internal_dir: "{{ kolla_certificates_dir }}/private/internal"
 backend_dir: "{{ kolla_certificates_dir }}/private/backend"
+libvirt_dir: "{{ kolla_certificates_dir }}/private/libvirt"
+
+# Whether to generate certificates for libvirt TLS.
+certificates_generate_libvirt: "{{ libvirt_tls | default(false) | bool }}"
+# Directory into which to copy generated certificates and keys for libvirt TLS.
+certificates_libvirt_output_dir: "{{ node_custom_config }}/nova/nova-libvirt"
--- a/ansible/roles/certificates/tasks/generate-libvirt.yml
+++ b/ansible/roles/certificates/tasks/generate-libvirt.yml
@ -0,0 +1,84 @@
+---
+- name: Ensuring private libvirt directory exist
+  file:
+    path: "{{ libvirt_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Creating libvirt SSL configuration file
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}"
+    mode: "0660"
+  with_items:
+    - "openssl-kolla-libvirt.cnf"
+
+- name: Creating libvirt certificate key
+  command: >
+    openssl genrsa
+    -out "{{ libvirt_dir }}/libvirt.key" 2048
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.key"
+
+- name: Creating libvirt certificate signing request
+  command: >
+    openssl req
+    -new
+    -key "{{ libvirt_dir }}/libvirt.key"
+    -out "{{ libvirt_dir }}/libvirt.csr"
+    -config "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
+    -sha256
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.csr"
+
+- name: Creating libvirt certificate
+  command: >
+    openssl x509
+    -req
+    -in "{{ libvirt_dir }}/libvirt.csr"
+    -CA "{{ root_dir }}/root.crt"
+    -CAkey "{{ root_dir }}/root.key"
+    -CAcreateserial
+    -extensions v3_req
+    -extfile "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
+    -out "{{ libvirt_dir }}/libvirt.crt"
+    -days 500
+    -sha256
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.crt"
+
+- name: Setting permissions on libvirt key
+  file:
+    path: "{{ libvirt_dir }}/libvirt.key"
+    mode: "0660"
+    state: file
+
+- name: Ensure libvirt output directory exists
+  file:
+    path: "{{ certificates_libvirt_output_dir }}"
+    state: directory
+    mode: "0770"
+
+- name: Copy libvirt root CA to default configuration location
+  copy:
+    src: "{{ root_dir }}/root.crt"
+    dest: "{{ certificates_libvirt_output_dir }}/cacert.pem"
+    mode: "0660"
+
+- name: Copy libvirt cert to default configuration locations
+  copy:
+    src: "{{ libvirt_dir }}/libvirt.crt"
+    dest: "{{ certificates_libvirt_output_dir }}/{{ item }}cert.pem"
+    mode: "0660"
+  loop:
+    - server
+    - client
+
+- name: Copy libvirt key to default configuration locations
+  copy:
+    src: "{{ libvirt_dir }}/libvirt.key"
+    dest: "{{ certificates_libvirt_output_dir }}/{{ item }}key.pem"
+    mode: "0660"
+  loop:
+    - server
+    - client
--- a/ansible/roles/certificates/tasks/main.yml
+++ b/ansible/roles/certificates/tasks/main.yml
@ -4,3 +4,5 @@
 - include_tasks: generate-backend.yml
  when:
    - kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool
+- include_tasks: generate-libvirt.yml
+  when: certificates_generate_libvirt | bool
--- a/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2
+++ b/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2
@ -0,0 +1,18 @@
+[req]
+prompt = no
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+{% for host in groups['compute'] %}
+DNS.{{ loop.index }} = {{ hostvars[host].migration_hostname | default(hostvars[host].ansible_facts.nodename) }}
+{% endfor %}
--- a/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml
+++ b/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml
@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Adds support to the ``kolla-ansible certificates`` command for generating
+    certificates for libvirt TLS, when ``libvirt_tls`` is ``true``. The same
+    certificate and key are used for the libvirt client and server.
+
+    The certificates use the same root CA as the other generated certificates,
+    and are written to ``{{ node_custom_config }}/nova/nova-libvirt/``, ready
+    to be picked up by nova-libvirt and nova-compute.