openstack/kolla-ansible
Code Issues Proposed changes

docs: add information about development libvirt TLS certs

Browse Source 
Adds docs for I1bde9fa018f66037aec82dc74c61ad1f477a7c12.

Change-Id: I88a07bb3bfeb0c98bea9dbe8674033208ec3fb9f
This commit is contained in:
Mark Goddard 2022-02-10 17:22:42 +00:00
parent 654edefca3
commit f853b323fa
1 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
doc/source/reference/compute/libvirt-guide.rst
View File

@ -44,10 +44,11 @@ Libvirt TLS can be enabled in Kolla Ansible by setting the following option in
libvirt_tls: "yes"
Creation of the TLS certificates is currently out-of-scope for Kolla Ansible.
You will need to either use an existing Internal CA or you will need to
generate your own offline CA. For the TLS communication to work correctly you
will have to supply Kolla Ansible the following pieces of information:
Creation of production-ready TLS certificates is currently out-of-scope for
Kolla Ansible. You will need to either use an existing Internal CA or you will
need to generate your own offline CA. For the TLS communication to work
correctly you will have to supply Kolla Ansible the following pieces of
information:
* cacert.pem
@ -116,3 +117,11 @@ copied into the nova-compute and nova-libvirt containers. With this option
disabled you will also be responsible for restarting the nova-compute and
nova-libvirt containers when the certs are updated, as kolla-ansible will not
be able to tell when the files have changed.
Generating certificates for test and development
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since the Yoga release, the ``kolla-ansible certificates`` command generates
certificates for libvirt TLS. A single key and certificate is used for all
hosts, with a Subject Alternative Name (SAN) entry for each compute host
hostname.