From 33e93ab323a570d9140168c967a37c311e0052d6 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Wed, 26 Jan 2022 16:27:33 +0000 Subject: [PATCH] certificates: generate libvirt TLS certificates Adds support to the 'kolla-ansible certificates' command for generating certificates for libvirt TLS, when libvirt_tls is true. The same certificate and key are used for the libvirt client and server. The certificates use the same root CA as the other generated certificates, and are written to {{ node_custom_config }}/nova/nova-libvirt/, ready to be picked up by nova-libvirt and nova-compute. Change-Id: I1bde9fa018f66037aec82dc74c61ad1f477a7c12 --- ansible/certificates.yml | 3 +- ansible/roles/certificates/defaults/main.yml | 6 ++ .../certificates/tasks/generate-libvirt.yml | 84 +++++++++++++++++++ ansible/roles/certificates/tasks/main.yml | 2 + .../templates/openssl-kolla-libvirt.cnf.j2 | 18 ++++ ...irt-tls-certificates-b4b27b1a6b4a2db7.yaml | 10 +++ 6 files changed, 122 insertions(+), 1 deletion(-) create mode 100644 ansible/roles/certificates/tasks/generate-libvirt.yml create mode 100644 ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2 create mode 100644 releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml diff --git a/ansible/certificates.yml b/ansible/certificates.yml index 28a1a5f8ee..772aa2f5c3 100644 --- a/ansible/certificates.yml +++ b/ansible/certificates.yml @@ -2,7 +2,8 @@ - import_playbook: gather-facts.yml when: >- kolla_enable_tls_backend | default(false) | bool or - rabbitmq_enable_tls | default(false) | bool + rabbitmq_enable_tls | default(false) | bool or + certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool - name: Apply role certificates hosts: localhost diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml index a478311eff..473bbb40d4 100644 --- a/ansible/roles/certificates/defaults/main.yml +++ b/ansible/roles/certificates/defaults/main.yml @@ -3,3 +3,9 @@ root_dir: "{{ kolla_certificates_dir }}/private/root" external_dir: "{{ kolla_certificates_dir }}/private/external" internal_dir: "{{ kolla_certificates_dir }}/private/internal" backend_dir: "{{ kolla_certificates_dir }}/private/backend" +libvirt_dir: "{{ kolla_certificates_dir }}/private/libvirt" + +# Whether to generate certificates for libvirt TLS. +certificates_generate_libvirt: "{{ libvirt_tls | default(false) | bool }}" +# Directory into which to copy generated certificates and keys for libvirt TLS. +certificates_libvirt_output_dir: "{{ node_custom_config }}/nova/nova-libvirt" diff --git a/ansible/roles/certificates/tasks/generate-libvirt.yml b/ansible/roles/certificates/tasks/generate-libvirt.yml new file mode 100644 index 0000000000..c655127506 --- /dev/null +++ b/ansible/roles/certificates/tasks/generate-libvirt.yml @@ -0,0 +1,84 @@ +--- +- name: Ensuring private libvirt directory exist + file: + path: "{{ libvirt_dir }}" + state: "directory" + mode: "0770" + +- name: Creating libvirt SSL configuration file + template: + src: "{{ item }}.j2" + dest: "{{ kolla_certificates_dir }}/{{ item }}" + mode: "0660" + with_items: + - "openssl-kolla-libvirt.cnf" + +- name: Creating libvirt certificate key + command: > + openssl genrsa + -out "{{ libvirt_dir }}/libvirt.key" 2048 + args: + creates: "{{ libvirt_dir }}/libvirt.key" + +- name: Creating libvirt certificate signing request + command: > + openssl req + -new + -key "{{ libvirt_dir }}/libvirt.key" + -out "{{ libvirt_dir }}/libvirt.csr" + -config "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf" + -sha256 + args: + creates: "{{ libvirt_dir }}/libvirt.csr" + +- name: Creating libvirt certificate + command: > + openssl x509 + -req + -in "{{ libvirt_dir }}/libvirt.csr" + -CA "{{ root_dir }}/root.crt" + -CAkey "{{ root_dir }}/root.key" + -CAcreateserial + -extensions v3_req + -extfile "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf" + -out "{{ libvirt_dir }}/libvirt.crt" + -days 500 + -sha256 + args: + creates: "{{ libvirt_dir }}/libvirt.crt" + +- name: Setting permissions on libvirt key + file: + path: "{{ libvirt_dir }}/libvirt.key" + mode: "0660" + state: file + +- name: Ensure libvirt output directory exists + file: + path: "{{ certificates_libvirt_output_dir }}" + state: directory + mode: "0770" + +- name: Copy libvirt root CA to default configuration location + copy: + src: "{{ root_dir }}/root.crt" + dest: "{{ certificates_libvirt_output_dir }}/cacert.pem" + mode: "0660" + +- name: Copy libvirt cert to default configuration locations + copy: + src: "{{ libvirt_dir }}/libvirt.crt" + dest: "{{ certificates_libvirt_output_dir }}/{{ item }}cert.pem" + mode: "0660" + loop: + - server + - client + +- name: Copy libvirt key to default configuration locations + copy: + src: "{{ libvirt_dir }}/libvirt.key" + dest: "{{ certificates_libvirt_output_dir }}/{{ item }}key.pem" + mode: "0660" + loop: + - server + - client diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml index f8d80dd9b9..eccd6d668d 100644 --- a/ansible/roles/certificates/tasks/main.yml +++ b/ansible/roles/certificates/tasks/main.yml @@ -4,3 +4,5 @@ - include_tasks: generate-backend.yml when: - kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool +- include_tasks: generate-libvirt.yml + when: certificates_generate_libvirt | bool diff --git a/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2 new file mode 100644 index 0000000000..f625e03a4a --- /dev/null +++ b/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2 @@ -0,0 +1,18 @@ +[req] +prompt = no +distinguished_name = req_distinguished_name +req_extensions = v3_req + +[req_distinguished_name] +countryName = US +stateOrProvinceName = NC +localityName = RTP +organizationalUnitName = kolla + +[v3_req] +subjectAltName = @alt_names + +[alt_names] +{% for host in groups['compute'] %} +DNS.{{ loop.index }} = {{ hostvars[host].migration_hostname | default(hostvars[host].ansible_facts.nodename) }} +{% endfor %} diff --git a/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml b/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml new file mode 100644 index 0000000000..8ee99dd7e0 --- /dev/null +++ b/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml @@ -0,0 +1,10 @@ +--- +features: + - | + Adds support to the ``kolla-ansible certificates`` command for generating + certificates for libvirt TLS, when ``libvirt_tls`` is ``true``. The same + certificate and key are used for the libvirt client and server. + + The certificates use the same root CA as the other generated certificates, + and are written to ``{{ node_custom_config }}/nova/nova-libvirt/``, ready + to be picked up by nova-libvirt and nova-compute.