Merge "certificates: generate libvirt TLS certificates"

ansible/certificates.yml

@@ -2,7 +2,8 @@
 - import_playbook: gather-facts.yml
   when: >-
     kolla_enable_tls_backend | default(false) | bool or
-    rabbitmq_enable_tls | default(false) | bool
+    rabbitmq_enable_tls | default(false) | bool or
+    certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool
 
 - name: Apply role certificates
   hosts: localhost

ansible/roles/certificates/defaults/main.yml

@@ -3,3 +3,9 @@ root_dir: "{{ kolla_certificates_dir }}/private/root"
 external_dir: "{{ kolla_certificates_dir }}/private/external"
 internal_dir: "{{ kolla_certificates_dir }}/private/internal"
 backend_dir: "{{ kolla_certificates_dir }}/private/backend"
+libvirt_dir: "{{ kolla_certificates_dir }}/private/libvirt"
+
+# Whether to generate certificates for libvirt TLS.
+certificates_generate_libvirt: "{{ libvirt_tls | default(false) | bool }}"
+# Directory into which to copy generated certificates and keys for libvirt TLS.
+certificates_libvirt_output_dir: "{{ node_custom_config }}/nova/nova-libvirt"

ansible/roles/certificates/tasks/generate-libvirt.yml

@@ -0,0 +1,84 @@
+---
+- name: Ensuring private libvirt directory exist
+  file:
+    path: "{{ libvirt_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Creating libvirt SSL configuration file
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}"
+    mode: "0660"
+  with_items:
+    - "openssl-kolla-libvirt.cnf"
+
+- name: Creating libvirt certificate key
+  command: >
+    openssl genrsa
+    -out "{{ libvirt_dir }}/libvirt.key" 2048
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.key"
+
+- name: Creating libvirt certificate signing request
+  command: >
+    openssl req
+    -new
+    -key "{{ libvirt_dir }}/libvirt.key"
+    -out "{{ libvirt_dir }}/libvirt.csr"
+    -config "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
+    -sha256
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.csr"
+
+- name: Creating libvirt certificate
+  command: >
+    openssl x509
+    -req
+    -in "{{ libvirt_dir }}/libvirt.csr"
+    -CA "{{ root_dir }}/root.crt"
+    -CAkey "{{ root_dir }}/root.key"
+    -CAcreateserial
+    -extensions v3_req
+    -extfile "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
+    -out "{{ libvirt_dir }}/libvirt.crt"
+    -days 500
+    -sha256
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.crt"
+
+- name: Setting permissions on libvirt key
+  file:
+    path: "{{ libvirt_dir }}/libvirt.key"
+    mode: "0660"
+    state: file
+
+- name: Ensure libvirt output directory exists
+  file:
+    path: "{{ certificates_libvirt_output_dir }}"
+    state: directory
+    mode: "0770"
+
+- name: Copy libvirt root CA to default configuration location
+  copy:
+    src: "{{ root_dir }}/root.crt"
+    dest: "{{ certificates_libvirt_output_dir }}/cacert.pem"
+    mode: "0660"
+
+- name: Copy libvirt cert to default configuration locations
+  copy:
+    src: "{{ libvirt_dir }}/libvirt.crt"
+    dest: "{{ certificates_libvirt_output_dir }}/{{ item }}cert.pem"
+    mode: "0660"
+  loop:
+    - server
+    - client
+
+- name: Copy libvirt key to default configuration locations
+  copy:
+    src: "{{ libvirt_dir }}/libvirt.key"
+    dest: "{{ certificates_libvirt_output_dir }}/{{ item }}key.pem"
+    mode: "0660"
+  loop:
+    - server
+    - client

ansible/roles/certificates/tasks/main.yml

@@ -4,3 +4,5 @@
 - include_tasks: generate-backend.yml
   when:
     - kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool
+- include_tasks: generate-libvirt.yml
+  when: certificates_generate_libvirt | bool

ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2

@@ -0,0 +1,18 @@
+[req]
+prompt = no
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+{% for host in groups['compute'] %}
+DNS.{{ loop.index }} = {{ hostvars[host].migration_hostname | default(hostvars[host].ansible_facts.nodename) }}
+{% endfor %}

releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml

@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Adds support to the ``kolla-ansible certificates`` command for generating
+    certificates for libvirt TLS, when ``libvirt_tls`` is ``true``. The same
+    certificate and key are used for the libvirt client and server.
+
+    The certificates use the same root CA as the other generated certificates,
+    and are written to ``{{ node_custom_config }}/nova/nova-libvirt/``, ready
+    to be picked up by nova-libvirt and nova-compute.