Merge "Realize libvirt SSL"

libvirt/Chart.yaml

@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm libvirt
 name: libvirt
-version: 0.1.1
+version: 0.1.2
 home: https://libvirt.org
 sources:
   - https://libvirt.org/git/?p=libvirt.git;a=summary

libvirt/templates/daemonset-libvirt.yaml

@@ -17,6 +17,10 @@ limitations under the License.
 {{- $configMapName := index . 1 }}
 {{- $serviceAccountName := index . 2 }}
 {{- $envAll := index . 3 }}
+{{- $ssl_enabled := false }}
+{{- if eq $envAll.Values.conf.libvirt.listen_tls "1" }}
+{{- $ssl_enabled = true }}
+{{- end }}
 {{- with $envAll }}
 
 {{- $mounts_libvirt := .Values.pod.mounts.libvirt.libvirt }}
@@ -153,6 +157,10 @@ spec:
                   - |-
                     kill $(cat /var/run/libvirtd.pid)
           volumeMounts:
+            {{ dict "enabled" $ssl_enabled "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+            {{ dict "enabled" $ssl_enabled "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
             - name: pod-tmp
               mountPath: /tmp
             - name: libvirt-bin
@@ -214,6 +222,10 @@ spec:
             {{- end }}
 {{ if $mounts_libvirt.volumeMounts }}{{ toYaml $mounts_libvirt.volumeMounts | indent 12 }}{{ end }}
       volumes:
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.client "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+        {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
         - name: pod-tmp
           emptyDir: {}
         - name: libvirt-bin

libvirt/values.yaml

@@ -87,7 +87,9 @@ conf:
     listen_tcp: "1"
     listen_tls: "0"
     auth_tcp: "none"
-    ca_file: ""
+    ca_file: "/etc/pki/CA/cacert.pem"
+    cert_file: "/etc/pki/libvirt/servercert.pem"
+    key_file: "/etc/pki/libvirt/private/serverkey.pem"
     listen_addr: 127.0.0.1
     log_level: "3"
     log_outputs: "1:file:/var/log/libvirt/libvirtd.log"
@@ -195,4 +197,9 @@ manifests:
   daemonset_libvirt: true
   job_image_repo_sync: true
   network_policy: false
+
+secrets:
+  tls:
+    server: libvirt-tls-server
+    client: libvirt-tls-client
 ...

libvirt/values_overrides/ssl.yaml

@@ -0,0 +1,7 @@
+---
+conf:
+  libvirt:
+    listen_tcp: "0"
+    listen_tls: "1"
+    listen_addr: 0.0.0.0
+...

tools/deployment/openstack-support/051-libvirt-ssl.sh

@@ -0,0 +1,242 @@
+#!/bin/bash
+
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+set -xe
+
+: ${OSH_INFRA_EXTRA_HELM_ARGS_LIBVIRT:="$(./tools/deployment/common/get-values-overrides.sh libvirt)"}
+
+# NOTE(Alex): Use static certs and key for test
+cat <<EOF | kubectl apply -f-
+apiVersion: v1
+kind: Secret
+metadata:
+  name: libvirt-tls-client
+  namespace: openstack
+type: Opaque
+stringData:
+  cacert.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIID9TCCAl2gAwIBAgIMX2ExnQ//mYG6bVAaMA0GCSqGSIb3DQEBCwUAMBYxFDAS
+    BgNVBAMTC2xpYnZpcnQub3JnMB4XDTIwMDkxNTIxMjY1M1oXDTIxMDkxNTIxMjY1
+    M1owFjEUMBIGA1UEAxMLbGlidmlydC5vcmcwggGiMA0GCSqGSIb3DQEBAQUAA4IB
+    jwAwggGKAoIBgQDaRyGiqmztvL3NHeYGzgwx1Dpg1194Qk1Ak79lowQz9aIARLDG
+    yTjj14ToPLC392eWyosCsEQ1dDXx5rKOiEtSJgN18vdAPywsej1wb+f3H3EAslZu
+    uOXAiXTBp0ex/EoWqmVmG/JpwP74Rf16WVnTAc1xGABnDwsSIs8gigKI8ha+TdiT
+    uFqLNLpJuRXKnI0srBpUrkfhjJmikx9aP99wik+Y6I/iDiUKuDPvjtI4wqlwBqWc
+    +WDh2Zx/ot3UGwHS7jUAiZaodAjO40OniQCevwYlbCppj3e7C+3fYSGJ4L/RBUVS
+    +HaTyyos/Mz+2gIyNY9y2qi7YCMC1Q0h31o5Cr1G+B9BtQonOGXWq2FuCvCj4KOY
+    vpdvnHt6RCvtUkW4rinvqzx9GIiu3E8cFPrMTXH9hgkRvRsKz+X8dGXBstPMNcmT
+    N/DQ3Udtg75OlKixNhzxhYn845AhQ0HIZp4SZSsLZRP/KUYtIUhmgIwR84o6Jhb5
+    Rlf/zhVTauAD+6kCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8E
+    BQMDBwQAMB0GA1UdDgQWBBRqB1vUFPzNJVgSrh2R2WnIvO+T6zANBgkqhkiG9w0B
+    AQsFAAOCAYEAl4FDGkogq8eRwBE4QIwSlcjeUFTKc142PN3ZiVsx/QHwaZQwo+N4
+    JNflN15+GPasm/yNs7hYlowNcb6GC93k2NRaZ66jXQ3Yp1T2fSIvs2vKMj362eXK
+    hcfjG//t4HUrNqivTcpwg+klDXV/w0K0/cFVnwWaGjvfRU6lx8/fBGmag30t0UQq
+    UgCuPclV53JCArdGhoRZcxvAgql+uWxdyvsdmdFvaCe0D3n15nRMuFhFkrDIxyjI
+    JHBu+Z32yn6zTTkZPoPpPvSFQiXCzppdKLvGs/vbMi6qKty6wMZcpZtzTaKNHxUr
+    n0+/BeMDuQT7IYGl29Ds6LzFnnYhN4Ckh+R8nCml9+JicQPQNL1TC0u1ZlrQdSIc
+    kqpLCxb4OGp2u5eYxMaXKHWpl5LJoJbe9Rvyr5yV+zx46FH0o0qz8Rvka32hSiDG
+    FpNX6DoAEk3zVSYdFB5xTQ6h0BK1dMMbHPVzuXaYa0N2yjEWvBfjcVygn2164Rkj
+    6ZwFOKGDbhUL
+    -----END CERTIFICATE----
+  clientcert.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIIEazCCAtOgAwIBAgIMX2E0dSC5i+cK7sDUMA0GCSqGSIb3DQEBCwUAMBYxFDAS
+    BgNVBAMTC2xpYnZpcnQub3JnMB4XDTIwMDkxNTIxMzkwMVoXDTIxMDkxNTIxMzkw
+    MVowWTEOMAwGA1UEAxMFaG9zdDIxFDASBgNVBAoTC2xpYnZpcnQub3JnMREwDwYD
+    VQQHEwhNb250cmVhbDERMA8GA1UECBMITW9udHJlYWwxCzAJBgNVBAYTAkNBMIIB
+    ojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEA2tZ4SWNtyNadoHjMBgRJp2wq
+    zHn1u5p6bgDDnr82aXyQWuNvuicwvrZfCOtPQ47oaALUP8UCoJo1Ym38DAL+yBNl
+    msbbpepOV41BfyZCIzEIzq6eIdEB8fjbNYvisJKXUcfpaO/l0tU/NhTwXJ8m+cro
+    Wh2vRO5V4hw+ULey5qNPvKP4MlSf8FZ7MmFeY0yludjVBnjnx+Swiq/gXMgb576c
+    OOVBFywjsaBI4J1+SUF9vAp/X7qUXMLWEPXQGMMDfQb1dq5IrA1dIqgYg3vEPjT4
+    uLm/p7ZYCcDZuB1DdwPYqZjoQBi/DwBLdEV9Nhy4C0WB6hbOQ3sStcnr8Jvv5OJu
+    77Bh9i55sjjSRmhNCV5110v4JkJfADqvFWw1oyoCpccoFmOnxv27Xq6NIEiCQRgC
+    qdtcyk6GlqqkZPGGXHH9Z0RUo55GnF7LGmVuZhUP3zlxZAeOcd5lIKCBjGRtZXxr
+    DkaaIpoPCIPGNjpaCXQLJvCmF1OZmDXN2O3HC4qJAgMBAAGjdjB0MAwGA1UdEwEB
+    /wQCMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDwYDVR0PAQH/BAUDAwegADAdBgNV
+    HQ4EFgQUTFvg8/AISJddhIxdN1Qq8Z6+KCUwHwYDVR0jBBgwFoAUagdb1BT8zSVY
+    Eq4dkdlpyLzvk+swDQYJKoZIhvcNAQELBQADggGBALZYn9Mu67xyPKojI5PKETD0
+    kLCamToW7k+p/LvpAJkqGDs8OabHXfzCCRl5cy6i1qcyvoyTL3hhXQNnlVe9j+G8
+    TqEYDUupKQm2L6GGuKudQ/TbvCMGfhPYgYGSfoyml8kuXKEGw/hSQW+LlsLjriu0
+    U6oPJ3P9t5gwnGuf82XXpdvBWbzVbJKC9lDtrk4YPMVNwHYtZGh4lMOBmYPAzRMV
+    vy+oDGpUHVslgRAuR6ElQ3hCDzSM85wSOAnf6Jdk40OSNEHklXlWaorBJsQSfhNH
+    uQNyoDJVWUoTaAoOkBifTcwkztNnsCW9/zjeTPzy82k+FXEP+kqRKl7Z6by9MHaq
+    v7cN61i2+FXSCHlcFzv7kRub5PBg67xLOUyzS9mkyyuZmiGhSlxLxMh+iksZyiGQ
+    F0S0jE+5Zv0OuFcwJCA7z8OziSbGVq+Hc6ERe1/0dtoxNqDs4q0voMunqgIJ0sex
+    0LGjdLdnU1+SFYPnKGJEDKdfYjbAHo3XIX3n8Yz18g==
+    -----END CERTIFICATE-----
+  clientkey.pem: |
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIG4gIBAAKCAYEA2tZ4SWNtyNadoHjMBgRJp2wqzHn1u5p6bgDDnr82aXyQWuNv
+    uicwvrZfCOtPQ47oaALUP8UCoJo1Ym38DAL+yBNlmsbbpepOV41BfyZCIzEIzq6e
+    IdEB8fjbNYvisJKXUcfpaO/l0tU/NhTwXJ8m+croWh2vRO5V4hw+ULey5qNPvKP4
+    MlSf8FZ7MmFeY0yludjVBnjnx+Swiq/gXMgb576cOOVBFywjsaBI4J1+SUF9vAp/
+    X7qUXMLWEPXQGMMDfQb1dq5IrA1dIqgYg3vEPjT4uLm/p7ZYCcDZuB1DdwPYqZjo
+    QBi/DwBLdEV9Nhy4C0WB6hbOQ3sStcnr8Jvv5OJu77Bh9i55sjjSRmhNCV5110v4
+    JkJfADqvFWw1oyoCpccoFmOnxv27Xq6NIEiCQRgCqdtcyk6GlqqkZPGGXHH9Z0RU
+    o55GnF7LGmVuZhUP3zlxZAeOcd5lIKCBjGRtZXxrDkaaIpoPCIPGNjpaCXQLJvCm
+    F1OZmDXN2O3HC4qJAgMBAAECggGAKCWGZbhG8LxmqITgsQ3iUUOnymFpcmRRp5Ke
+    UKY1nj6K4RGucpE0ARjF8IXywasa+dHjDFvhMoN33bndrnpyMVRVpIJs01Bb1PYG
+    GQR0x638NqaUPhHw8Go+FOG30bri5c7uBCFWoUob0Zkfy24rIVJXNAkUGWo7+UJD
+    MF2zBVraivnt05XwzY+gBEsWnNL36FNeKVTO+L38oUTIvVy8udQfJtTwDwc6+SA1
+    nndmLpxEK9YlLfO1uhrIWM4vwgssZqrB4hk2luLhAiPO6jB+QrO/lES0uenP/Btd
+    StrgyQYQ0ZMbINDxRkyq9hRcPKQmxkQ5Jh+pUTYgSkYFvXdmx7ejFTXLo6YR9LRI
+    tMXESlsSLN7A3DWVK3j8NKX0taXOLBe7a4kFGktuzkX/C+GGVZp5XtViSl13KB/A
+    /HtcKaY/g/yUSIe2fCAwfBfbNROA9AhwkqVUUDZq3AHXaLi5gDaQCtrRFH5CiGjf
+    E+i4v0e1yfgB0BjW4YdKAiNxHKaxAoHBAPrVBtcg9V09IEF9Y1wFjIhaMlG0pip9
+    l3BUDYsT+lmohkgM7W/5uSRo2GS+ifdyk+FcNlTAzgoRlrZhyWajYHlOtnsbSZ2G
+    6arsqDpKVJljJRkmHeOhunWj5Ywc549RwT71nb1JnrRDdwP7MGHStdxKzf4c5Bph
+    o08ROThLNENbiCEVV3J91SpEclgF5WYV202+j6D/XDAyO7VNimnJv13LeEvcawQH
+    W9TU4Etb7b7iyiNMg2mCXGmblHPR7G6E9QKBwQDfWLGv5xR+KHR5U7y2ifI6jKWR
+    qatqN6BB+BslLPrCoejtRRpvHGb2aQFB63Gzd5V+srwmRzbn+uFc5UVSDcMolPWy
+    KbhZo+MuPIbcOFm93K95da8Z4q8fYLt9uSR6+YoeJjBGZcJlhde54eajENiSAnrt
+    /YQVhGTwR9LHYAU140RyBdib6KgLDdXC+8CC0wXR3Dfo2YCvyCjxFw+GQBi/3sOs
+    OyEEZbVWkrJJqtwenCIKWka/DOavGWScE5ZOEsUCgcBh2n9bp8jxAeq2gdMkUCnd
+    +8oLo/z7MJnGwZOzAS02kw8nxptOhs6ajKh2zPqH5VQZo96yO7Flrizso8NtXilB
+    ydpYtnGGmd5IxyBt9ReB63LKl9srNanHQRRJD/GqMMvB4xIRiUn3qyYgEHt0fj5i
+    XXB1RRIb1KFgNCjtdDFEYc3+khPWX46seZ1eB5bRt48hikkAFv8A8mfmuARadtFI
+    JxucBLZfEPvbUNzbqVZblKAlGzFdFPU2YfKNKIUjLI0CgcB6C5ltKbTFC446Dkv8
+    43x+CgUfh7unmyXzZoRO2DleyeLiZPSA6uBInjCVuPa0vw/t3/V4ZUnXkfw8Kvyq
+    TeLq9hscdDfMpAWsal63UAOaAFHS6T/5wSk42D8cAGOy31FeEDgo/8oud+jeJldF
+    nBr8DmbmTbYzm9kcg+LmF85BGCN6uz8WUxggkjrRBYi49F8lwlS65L+xTosw0w0k
+    qzna/vulzdnI8VsaJ6dNIhSOlXr0dUhbdc1IuXOE5h8oIpECgcA4x4O+sooMZZlZ
+    dOZCzExdgGD50acOxkVyj4X3J4sdr+0uApYJkHjlMsSHMCL9SuYX2snmrTLNdvBR
+    L75UG1COSgXp3CJ9adoMXmlMH0JyNLxCxqLiAkdQYrO7AGpaq6HM1tt3YF8twK1N
+    j/aKndzgr9FYG7qDLtEb77lZbjtv3mWhf87nFDF4ZSGQhsDLp5MVt7ZhjD4i05ES
+    OpYHN0mE42Go5kd/FywlOZcSLmT7SCFP6CrbzjZt3HLNjcX/1yo=
+    -----END RSA PRIVATE KEY-----
+EOF
+
+
+cat <<EOF | kubectl apply -f-
+apiVersion: v1
+kind: Secret
+metadata:
+  name: libvirt-tls-server
+  namespace: openstack
+type: Opaque
+stringData:
+  cacert.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIID9TCCAl2gAwIBAgIMX2ExnQ//mYG6bVAaMA0GCSqGSIb3DQEBCwUAMBYxFDAS
+    BgNVBAMTC2xpYnZpcnQub3JnMB4XDTIwMDkxNTIxMjY1M1oXDTIxMDkxNTIxMjY1
+    M1owFjEUMBIGA1UEAxMLbGlidmlydC5vcmcwggGiMA0GCSqGSIb3DQEBAQUAA4IB
+    jwAwggGKAoIBgQDaRyGiqmztvL3NHeYGzgwx1Dpg1194Qk1Ak79lowQz9aIARLDG
+    yTjj14ToPLC392eWyosCsEQ1dDXx5rKOiEtSJgN18vdAPywsej1wb+f3H3EAslZu
+    uOXAiXTBp0ex/EoWqmVmG/JpwP74Rf16WVnTAc1xGABnDwsSIs8gigKI8ha+TdiT
+    uFqLNLpJuRXKnI0srBpUrkfhjJmikx9aP99wik+Y6I/iDiUKuDPvjtI4wqlwBqWc
+    +WDh2Zx/ot3UGwHS7jUAiZaodAjO40OniQCevwYlbCppj3e7C+3fYSGJ4L/RBUVS
+    +HaTyyos/Mz+2gIyNY9y2qi7YCMC1Q0h31o5Cr1G+B9BtQonOGXWq2FuCvCj4KOY
+    vpdvnHt6RCvtUkW4rinvqzx9GIiu3E8cFPrMTXH9hgkRvRsKz+X8dGXBstPMNcmT
+    N/DQ3Udtg75OlKixNhzxhYn845AhQ0HIZp4SZSsLZRP/KUYtIUhmgIwR84o6Jhb5
+    Rlf/zhVTauAD+6kCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8E
+    BQMDBwQAMB0GA1UdDgQWBBRqB1vUFPzNJVgSrh2R2WnIvO+T6zANBgkqhkiG9w0B
+    AQsFAAOCAYEAl4FDGkogq8eRwBE4QIwSlcjeUFTKc142PN3ZiVsx/QHwaZQwo+N4
+    JNflN15+GPasm/yNs7hYlowNcb6GC93k2NRaZ66jXQ3Yp1T2fSIvs2vKMj362eXK
+    hcfjG//t4HUrNqivTcpwg+klDXV/w0K0/cFVnwWaGjvfRU6lx8/fBGmag30t0UQq
+    UgCuPclV53JCArdGhoRZcxvAgql+uWxdyvsdmdFvaCe0D3n15nRMuFhFkrDIxyjI
+    JHBu+Z32yn6zTTkZPoPpPvSFQiXCzppdKLvGs/vbMi6qKty6wMZcpZtzTaKNHxUr
+    n0+/BeMDuQT7IYGl29Ds6LzFnnYhN4Ckh+R8nCml9+JicQPQNL1TC0u1ZlrQdSIc
+    kqpLCxb4OGp2u5eYxMaXKHWpl5LJoJbe9Rvyr5yV+zx46FH0o0qz8Rvka32hSiDG
+    FpNX6DoAEk3zVSYdFB5xTQ6h0BK1dMMbHPVzuXaYa0N2yjEWvBfjcVygn2164Rkj
+    6ZwFOKGDbhUL
+    -----END CERTIFICATE----
+  servercert.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIIEOTCCAqGgAwIBAgIMX2Eywwri9B/TrC1DMA0GCSqGSIb3DQEBCwUAMBYxFDAS
+    BgNVBAMTC2xpYnZpcnQub3JnMB4XDTIwMDkxNTIxMzE0N1oXDTIxMDkxNTIxMzE0
+    N1owJzEPMA0GA1UEAxMGc2VydmVyMRQwEgYDVQQKEwtsaWJ2aXJ0Lm9yZzCCAaIw
+    DQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAObsdrSsGTxY7j0BmS11wWVv0zZY
+    YHfYA7OFRCfyEuetqU8KYW2AbuMrJJ3B89ymefCboK755vJ63IfXEYDk3m0NEDtb
+    AMXPrKjKoo4+FnIyU+xa65M3BvnbquZMFLrP0BqQspjngXZWDq3GFbVTMqT2TeWt
+    oeWAeZU99vFwn1I9aT3UPLnnY+lO+URedTzEb5BHHaQmIMMiH6uNNFFY8O3Y4L54
+    Th5xkrO+Xl0N+lnz7pbWQSacvheGbTdu1n8CSGIwDPUzJiOWffqnLx3ATjUkY20w
+    ZtU6HoySpeQu7XcjeztZOfX8A9iaC327gMj9uUTqMuVPyII0+4S7sfHGv7SKBDUt
+    cIeZ7eyrT26Kr+XEFsRJNHtgGEPA2MMzUJ5MwAAIXCm2RV46EGbtkGRlQYDu/mp4
+    iP2irXx5O4HuiE51YF+uhQvNMO0T5J+EvqXVXro1YHmjUgywyCfLSvYnGF/DuPW8
+    hMb/jX8rccup+jE0mtBq9STEs5b96GT+cQhXEwIDAQABo3YwdDAMBgNVHRMBAf8E
+    AjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdDwEB/wQFAwMHoAAwHQYDVR0O
+    BBYEFEoGTjAI7woGizDIO6XOMURtvlQ3MB8GA1UdIwQYMBaAFGoHW9QU/M0lWBKu
+    HZHZaci875PrMA0GCSqGSIb3DQEBCwUAA4IBgQB9Vu3Awii5Adb0PtluVYNmLZvv
+    yLxCMDAdko6PDKXwxZ4pqL6BkyQtt51uxfgGugiFz8Im3Sq5aNAw4NhG3nK5qS/W
+    /KwC3jd8OkbM4RwKGlxTM9CbShOvemj+LJmH+dbYvMwxJrahSOw7DhJfIUq2mEjc
+    LrN+ygngadJOoiSQ067+qWh8yywQteYgqDInfaGneXcU65aoTZYOXIEKouqfHTZK
+    TfWP9WSx/VmnlqTmiXLa7PYGwslgoIIID5tmqPqn8W2z6xSnZDwdUR2yvFtCucaE
+    wgsbxdKxNrcYnfK6ZSmXZpptSHO/5HivRxoC7kK5Tzde0g01u9r8FQIYmZi7EoYP
+    KZXgZSF3QbTAPC6Ltz7dXGIPc919My27nx5xNz74pTcMIx/wYwtn7l4HMZDJK01s
+    KgkgAoyDqDaDMOpZaFkzHA/+UgYj/WMiL1h5j7yiidQmfUAxVU+BH1wqA1AzQkc9
+    Pjd4NkUQZY/TpRhcwkjHm9B4LwKGD8L5c6S3gi8=
+    -----END CERTIFICATE-----
+  serverkey.pem: |
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIG4gIBAAKCAYEA5ux2tKwZPFjuPQGZLXXBZW/TNlhgd9gDs4VEJ/IS562pTwph
+    bYBu4yskncHz3KZ58Jugrvnm8nrch9cRgOTebQ0QO1sAxc+sqMqijj4WcjJT7Frr
+    kzcG+duq5kwUus/QGpCymOeBdlYOrcYVtVMypPZN5a2h5YB5lT328XCfUj1pPdQ8
+    uedj6U75RF51PMRvkEcdpCYgwyIfq400UVjw7djgvnhOHnGSs75eXQ36WfPultZB
+    Jpy+F4ZtN27WfwJIYjAM9TMmI5Z9+qcvHcBONSRjbTBm1ToejJKl5C7tdyN7O1k5
+    9fwD2JoLfbuAyP25ROoy5U/IgjT7hLux8ca/tIoENS1wh5nt7KtPboqv5cQWxEk0
+    e2AYQ8DYwzNQnkzAAAhcKbZFXjoQZu2QZGVBgO7+aniI/aKtfHk7ge6ITnVgX66F
+    C80w7RPkn4S+pdVeujVgeaNSDLDIJ8tK9icYX8O49byExv+Nfytxy6n6MTSa0Gr1
+    JMSzlv3oZP5xCFcTAgMBAAECggGAY5cHetPd7lDMLjNKRHjMd1rK1F04/XaD4iBP
+    TIrx7EjRA+2OJxOEvyQUHpVO/pItdL8phUzxdRHXmh3+xn/uDUnc/jw5ERaHeCQs
+    Bvxv4cAiwYRUpKDOuWMrSTb2mbqWHV7aJ2dwRgDHQ9px8kl3Rf2TisJfWAMYbGzU
+    2zue+nDRuoCVz/ci97O/fOTf2t084BRLjEeFSaKl1e6H6a1Z+rnV808fIbIJestX
+    Fvq4RaMV+qdcYbKnqK2o3IdIqm3ox9U5KAlPfWocQMRcqM62z7tahDuiEqA6+BOV
+    ETKY8oRmVM9IbKTz35jpPjCg9Wg/0GyunLF6o6qNy1V4D6P/OjLn8vRTOLkK+MJ1
+    RJzfVW7coysdTn4ky0Sa5uA94bD32dzGJlmuh2KIZbbAkRy5hGkuP9CYYS2yOOms
+    zacNehFTtfzB3qX3z9dGz/kVniWStBD7H6GnRQFU5wTwxFAu88J9nsL8OgTpyBoo
+    5EFFJPI+I062kVsmIG4lrwNVzuDBAoHBAPwBprPyYdiJWdLp0M+IF+fEkITq03XR
+    Me5/njXqDlEFgzfR6SWABjdwjNQPkUHbIBxFE+bh2glNLEZc6J+efXORZUG/zVU3
+    slQM8QQoAnxAX1ceH+ws9YUAzpfViOM3p9LuF9ZoO2aaauJrfxLJ0je72L8ZXqKf
+    9g0D8dll2wNyKNZWJkqQMT8xl4+bGyV13fNpFo9q2YTIHVxplQk2iMAvOyiuyXi8
+    9pf3MYNggLPr2v57OkScbZIy0DV2WtI5FQKBwQDqlUh/sN288YTc4iD1NWO/n6P1
+    CpvdwjdkoH9EssYIEgFZodxomdblFf7aIVP5ibvJ07irGZgy3MhOf8wZvzPZxPAN
+    eZwfXFSBhvtxrztEbneSMooTC4sAdVmy1mHoTsIkE2IT+gOUx23LPIWeJivQ0eHW
+    kXNg+EBlkX7HASYlRZwwbtV8QhW6EMKGrMtcegP8dQ38OENuG5bK25b5Ulocxvu5
+    e+pufo04d9jTBxa+Nq3Mv3RxtpbHYZw7n4UgiYcCgcBvxxe3J2KJFls2Nym8c6QO
+    1Fw56KLE1nZsUETPqzKQc36BauUcEg4v1wdQJFuMt3Ilt+oc9b6tc4KY7yrrafRB
+    J5OfN0EPdHXv3BGng0ue6zqevKjyK/r29KWuKTPffNc+swb1viPi3cldBstFfSl2
+    OSbplIoqXgNYQJCsmgYsIB3G/E1ds1l0qz2LoAPJeN9q0QkFsiIrSEvlqptFi9/a
+    RtjZsbWBjWdffnCC0nIj3BC14di1iCD9wPYjUIz2RAUCgcBfNHMWD8wOcN8BXm0N
+    17tB/CJowwN7PuWIW3MLiJrCj7woin6PnVAP7ZtfIAOa1QF36guatWqFygEpishk
+    8qqyiTD75w0r1Sce4o+OFhYxsbuphAVxsU+awgXDhSp7Q+ubBJrbjK6DZWT0BP4d
+    r1Q9DdFgaeuvwVExZ5lSXu8CVXwMVA8kvRVgTIkGa36la4fOoBsq8BK9z0ilz/U3
+    /uo/n6puHxKIAaiC8HD5RHlAfaSP4mv58qbDCKSFtjoreGUCgcBXBgJVNfLM1pbX
+    /QuH21tY6KTTBQdXwWOKNJ04AlaxUXeKDocV5TWV6xqIVVy+pLHaNEpMaGlN/4DH
+    TxcVgvKUJ6JSgilGN4KW/H4GEDMtT9C+Uk4DnM0eP8sfVbUa5/rh5r4o68ChoSa6
+    64u9AG2oV1SOMMNX97xOhsySroDvWmJnximT8za7wwkaCN7rDpjZ6t/XWq43gLZ3
+    aY1k7jGX7gHQhccuqIskhhVSKkapzpxkjTiFC53Lp/tDZSesRPs=
+    -----END RSA PRIVATE KEY-----
+EOF
+
+#NOTE: Lint and package chart
+make libvirt
+
+#NOTE: Deploy command
+helm upgrade --install libvirt ./libvirt \
+  --namespace=openstack \
+  --set network.backend="null" \
+  ${OSH_INFRA_EXTRA_HELM_ARGS} \
+  ${OSH_INFRA_EXTRA_HELM_ARGS_LIBVIRT}
+
+#NOTE: Please be aware that a network backend might affect
+#The loadability of this, as some need to be asynchronously
+#loaded. See also:
+#https://github.com/openstack/openstack-helm-infra/blob/b69584bd658ae5cb6744e499975f9c5a505774e5/libvirt/values.yaml#L151-L172
+if [[ "${WAIT_FOR_PODS:=True}" == "True" ]]; then
+    ./tools/deployment/common/wait-for-pods.sh openstack
+fi
+
+#NOTE: Validate Deployment info
+helm status libvirt

zuul.d/jobs.yaml

@@ -617,4 +617,76 @@
         - ./tools/deployment/common/000-install-packages.sh
         - ./tools/deployment/common/005-deploy-k8s.sh
         - ./tools/deployment/common/validate-minikube-aio.sh
+
+# Use libvirt ssl
+- job:
+    name: openstack-helm-infra-openstack-support-ssl
+    parent: openstack-helm-infra-functional
+    timeout: 7200
+    pre-run: playbooks/osh-infra-upgrade-host.yaml
+    required-projects:
+      - openstack/openstack-helm-infra
+      - openstack/openstack-helm
+    post-run: playbooks/osh-infra-collect-logs.yaml
+    nodeset: openstack-helm-single-node
+    vars:
+      osh_params:
+        openstack_release: stein
+        container_distro_name: ubuntu
+        container_distro_version: bionic
+        feature_gates: ssl
+      gate_scripts_relative_path: ../openstack-helm-infra
+      gate_scripts:
+        - ./tools/deployment/openstack-support/000-install-packages.sh
+        - ./tools/deployment/openstack-support/005-deploy-k8s.sh
+        - ./tools/deployment/openstack-support/007-namespace-config.sh
+        - - ./tools/deployment/openstack-support/010-ingress.sh
+          - ./tools/deployment/openstack-support/020-ceph.sh
+        - ./tools/deployment/openstack-support/025-ceph-ns-activate.sh
+        - - ./tools/deployment/openstack-support/030-rabbitmq.sh
+          - ./tools/deployment/openstack-support/040-memcached.sh
+          - ./tools/deployment/openstack-support/051-libvirt-ssl.sh
+          - ./tools/deployment/openstack-support/060-openvswitch.sh
+          - ./tools/deployment/openstack-support/070-mariadb.sh
+          - ./tools/deployment/openstack-support/080-setup-client.sh
+        - ./tools/deployment/openstack-support/090-keystone.sh
+        - - ./tools/deployment/openstack-support/100-ceph-radosgateway.sh
+          - ./tools/deployment/openstack-support/110-openstack-exporter.sh
+          - ./tools/deployment/openstack-support/120-powerdns.sh
+          - ./tools/deployment/openstack-support/130-cinder.sh
+
+# Use libvirt ssl with apparmor
+- job:
+    name: openstack-helm-infra-openstack-support-ssl
+    parent: openstack-helm-infra-functional
+    timeout: 7200
+    pre-run: playbooks/osh-infra-upgrade-host.yaml
+    required-projects:
+      - openstack/openstack-helm-infra
+      - openstack/openstack-helm
+    post-run: playbooks/osh-infra-collect-logs.yaml
+    nodeset: openstack-helm-single-node
+    vars:
+      osh_params:
+        openstack_release: stein
+        container_distro_name: ubuntu
+        container_distro_version: bionic
+        feature_gates: "ssl,apparmor"
+      gate_scripts_relative_path: ../openstack-helm-infra
+      gate_scripts:
+        - ./tools/deployment/openstack-support/000-install-packages.sh
+        - ./tools/deployment/openstack-support/005-deploy-k8s.sh
+        - ./tools/deployment/openstack-support/007-namespace-config.sh
+        - ./tools/deployment/openstack-support/010-ingress.sh
+        - ./tools/deployment/openstack-support/020-ceph.sh
+        - ./tools/deployment/openstack-support/025-ceph-ns-activate.sh
+        - ./tools/deployment/openstack-support/030-rabbitmq.sh
+        - ./tools/deployment/openstack-support/040-memcached.sh
+        - ./tools/deployment/openstack-support/051-libvirt-ssl.sh
+        - ./tools/deployment/openstack-support/060-openvswitch.sh
+        - ./tools/deployment/openstack-support/070-mariadb.sh
+        - ./tools/deployment/openstack-support/080-setup-client.sh
+        - ./tools/deployment/openstack-support/090-keystone.sh
+        - ./tools/deployment/openstack-support/110-openstack-exporter.sh
+        - ./tools/deployment/apparmor/140-ceph-radosgateway.sh
 ...

zuul.d/project.yaml

@@ -23,6 +23,7 @@
         - openstack-helm-infra-aio-logging
         - openstack-helm-infra-aio-monitoring
         - openstack-helm-infra-openstack-support
+        - openstack-helm-infra-openstack-support-ssl
         # NOTE(srwilkers): Disabling this job until issues with the kubeadm-aio
         # based deployments are addressed
         # - openstack-helm-infra-kubernetes-keystone-auth:
@@ -41,6 +42,7 @@
         - openstack-helm-infra-aio-logging
         - openstack-helm-infra-aio-monitoring
         - openstack-helm-infra-openstack-support
+        - openstack-helm-infra-openstack-support-ssl
     post:
       jobs:
         - publish-openstack-helm-charts