Mark Goddard 33e93ab323 certificates: generate libvirt TLS certificates
Adds support to the 'kolla-ansible certificates' command for generating
certificates for libvirt TLS, when libvirt_tls is true. The same
certificate and key are used for the libvirt client and server.

The certificates use the same root CA as the other generated
certificates, and are written to
{{ node_custom_config }}/nova/nova-libvirt/, ready to be picked up by
nova-libvirt and nova-compute.

Change-Id: I1bde9fa018f66037aec82dc74c61ad1f477a7c12
2022-02-03 14:32:38 +00:00

85 lines
2.1 KiB
YAML

---
- name: Ensuring private libvirt directory exist
file:
path: "{{ libvirt_dir }}"
state: "directory"
mode: "0770"
- name: Creating libvirt SSL configuration file
template:
src: "{{ item }}.j2"
dest: "{{ kolla_certificates_dir }}/{{ item }}"
mode: "0660"
with_items:
- "openssl-kolla-libvirt.cnf"
- name: Creating libvirt certificate key
command: >
openssl genrsa
-out "{{ libvirt_dir }}/libvirt.key" 2048
args:
creates: "{{ libvirt_dir }}/libvirt.key"
- name: Creating libvirt certificate signing request
command: >
openssl req
-new
-key "{{ libvirt_dir }}/libvirt.key"
-out "{{ libvirt_dir }}/libvirt.csr"
-config "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
-sha256
args:
creates: "{{ libvirt_dir }}/libvirt.csr"
- name: Creating libvirt certificate
command: >
openssl x509
-req
-in "{{ libvirt_dir }}/libvirt.csr"
-CA "{{ root_dir }}/root.crt"
-CAkey "{{ root_dir }}/root.key"
-CAcreateserial
-extensions v3_req
-extfile "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
-out "{{ libvirt_dir }}/libvirt.crt"
-days 500
-sha256
args:
creates: "{{ libvirt_dir }}/libvirt.crt"
- name: Setting permissions on libvirt key
file:
path: "{{ libvirt_dir }}/libvirt.key"
mode: "0660"
state: file
- name: Ensure libvirt output directory exists
file:
path: "{{ certificates_libvirt_output_dir }}"
state: directory
mode: "0770"
- name: Copy libvirt root CA to default configuration location
copy:
src: "{{ root_dir }}/root.crt"
dest: "{{ certificates_libvirt_output_dir }}/cacert.pem"
mode: "0660"
- name: Copy libvirt cert to default configuration locations
copy:
src: "{{ libvirt_dir }}/libvirt.crt"
dest: "{{ certificates_libvirt_output_dir }}/{{ item }}cert.pem"
mode: "0660"
loop:
- server
- client
- name: Copy libvirt key to default configuration locations
copy:
src: "{{ libvirt_dir }}/libvirt.key"
dest: "{{ certificates_libvirt_output_dir }}/{{ item }}key.pem"
mode: "0660"
loop:
- server
- client