Issue certificates for libvirt tls in initContainer
diff --git a/charts/libvirt/templates/bin/_libvirt.sh.tpl b/charts/libvirt/templates/bin/_libvirt.sh.tpl
index 357bfe3..0f96c0b 100644
--- a/charts/libvirt/templates/bin/_libvirt.sh.tpl
+++ b/charts/libvirt/templates/bin/_libvirt.sh.tpl
@@ -16,6 +16,24 @@
set -ex
+# NOTE(mnaser): This will move the API certificates into the expected location.
+if [ -f /tmp/api.crt ]; then
+ mkdir -p /etc/pki/CA /etc/pki/libvirt/private
+
+ cp /tmp/api-ca.crt {{ .Values.conf.libvirt.ca_file }}
+ cp /tmp/api-ca.crt /etc/pki/qemu/ca-cert.pem
+
+ cp /tmp/api.crt {{ .Values.conf.libvirt.cert_file }}
+ cp /tmp/api.crt /etc/pki/libvirt/clientcert.pem
+ cp /tmp/api.crt /etc/pki/qemu/server-cert.pem
+ cp /tmp/api.crt /etc/pki/qemu/client-cert.pem
+
+ cp /tmp/api.key {{ .Values.conf.libvirt.key_file }}
+ cp /tmp/api.key /etc/pki/libvirt/private/clientkey.pem
+ cp /tmp/api.key /etc/pki/qemu/server-key.pem
+ cp /tmp/api.key /etc/pki/qemu/client-key.pem
+fi
+
# NOTE(mnaser): This will move the VNC certificates into the expected location.
if [ -f /tmp/vnc.crt ]; then
mkdir -p /etc/pki/libvirt-vnc
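Review bot: The private key is copied with plain `cp` into four locations, including the hostPath-backed `/etc/pki/qemu`, without tightening its mode, so it keeps whatever permissions `/tmp/api.key` had when the init script redirected it to a file (under the default umask that is presumably 0644). Add after the key copies `chmod 0600 {{ .Values.conf.libvirt.key_file }} /etc/pki/libvirt/private/clientkey.pem /etc/pki/qemu/server-key.pem /etc/pki/qemu/client-key.pem`. The `mkdir -p` on the second line of the block also omits `/etc/pki/qemu`; with `set -ex` the copies abort if that directory is not already present on the mount, so `mkdir -p /etc/pki/CA /etc/pki/libvirt/private /etc/pki/qemu` is safer. The VNC block that starts at the end of the hunk continues outside it.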
diff --git a/charts/libvirt/templates/configmap-bin.yaml b/charts/libvirt/templates/configmap-bin.yaml
index ca1a7ec..44ca6bd 100644
--- a/charts/libvirt/templates/configmap-bin.yaml
+++ b/charts/libvirt/templates/configmap-bin.yaml
@@ -28,7 +28,7 @@
{{ tuple "bin/_libvirt.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
{{- if eq .Values.conf.qemu.vnc_tls "1" }}
cert-init.sh: |
-{{ tpl .Values.conf.vencrypt.cert_init_sh . | indent 4 }}
+{{ tpl .Values.scripts.cert_init_sh . | indent 4 }}
{{- end }}
{{- if .Values.conf.ceph.enabled }}
ceph-keyring.sh: |
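Review bot: `cert-init.sh` is still emitted only under `{{- if eq .Values.conf.qemu.vnc_tls "1" }}` two lines above, but the new `cert-init-api` init container in the daemonset-libvirt.yaml hunk guarded by `{{- if $ssl_enabled }}` mounts `libvirt-bin` with `subPath: cert-init.sh` whenever libvirt TLS is on. With `listen_tls: "1"` and `vnc_tls: "0"` the key is absent from the ConfigMap, the subPath has nothing to mount and the init container cannot run the script, so the pod never starts. Gate the key on both conditions, e.g. `{{- if or (eq .Values.conf.qemu.vnc_tls "1") (eq .Values.conf.libvirt.listen_tls "1") }}`, assuming `$ssl_enabled` is derived from `listen_tls` as its use in the daemonset suggests; its definition is outside the diff.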
diff --git a/charts/libvirt/templates/daemonset-libvirt.yaml b/charts/libvirt/templates/daemonset-libvirt.yaml
index 4a0b128..b2a2bce 100644
--- a/charts/libvirt/templates/daemonset-libvirt.yaml
+++ b/charts/libvirt/templates/daemonset-libvirt.yaml
@@ -79,6 +79,43 @@
initContainers:
{{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }}
+{{- if $ssl_enabled }}
+ - name: cert-init-api
+{{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
+{{ dict "envAll" $envAll "application" "libvirt" "container" "cert_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
+ command:
+ - /tmp/cert-init.sh
+ env:
+ - name: TYPE
+ value: api
+ - name: ISSUER_KIND
+ value: {{ .Values.conf.libvirt.issuer.kind }}
+ - name: ISSUER_NAME
+ value: {{ .Values.conf.libvirt.issuer.name }}
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ volumeMounts:
+ - name: pod-tmp
+ mountPath: /tmp
+ - name: libvirt-bin
+ mountPath: /tmp/cert-init.sh
+ subPath: cert-init.sh
+ readOnly: true
+{{- end }}
{{- if eq .Values.conf.qemu.vnc_tls "1" }}
- name: cert-init-vnc
{{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }}
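Review bot: `value: {{ .Values.conf.libvirt.issuer.kind }}` and `value: {{ .Values.conf.libvirt.issuer.name }}` are rendered as plain scalars, so an override that is empty, numeric-looking or boolean-looking is retyped by the YAML parser and rejected by the Pod schema, which requires env values to be strings; use `value: {{ .Values.conf.libvirt.issuer.kind | quote }}` and the same for `name`. The container also needs RBAC to create Certificates and patch Secrets in the pod namespace; the ServiceAccount and Role bindings are outside the diff, so presumably the existing cert-init-vnc container already carries them, but that is worth confirming since this container now runs under `$ssl_enabled` even when vnc_tls is off.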
@@ -202,10 +239,10 @@
- |-
kill $(cat /var/run/libvirtd.pid)
volumeMounts:
- {{ dict "enabled" $ssl_enabled "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
- {{ dict "enabled" $ssl_enabled "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
- {{ dict "enabled" $ssl_enabled "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
- {{ dict "enabled" $ssl_enabled "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- if $ssl_enabled }}
+ - name: etc-pki-qemu
+ mountPath: /etc/pki/qemu
+{{- end }}
- name: pod-tmp
mountPath: /tmp
- name: libvirt-bin
@@ -291,10 +328,11 @@
{{- end }}
{{- end }}
volumes:
- {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.client "name" "ssl-client" "path" "/etc/pki/libvirt" "certs" (tuple "clientcert.pem" "clientkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
- {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-cert" "path" "/etc/pki/libvirt" "certs" (tuple "servercert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
- {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-server-key" "path" "/etc/pki/libvirt/private" "certs" (tuple "serverkey.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
- {{ dict "enabled" $ssl_enabled "secretName" $envAll.Values.secrets.tls.server "name" "ssl-ca-cert" "path" "/etc/pki/CA" "certs" (tuple "cacert.pem" ) | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- if $ssl_enabled }}
+ - name: etc-pki-qemu
+ hostPath:
+ path: /etc/pki/qemu
+{{- end }}
- name: pod-tmp
emptyDir: {}
- name: libvirt-bin
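Review bot: `etc-pki-qemu` is a hostPath at `/etc/pki/qemu` with no `type:`, and the startup script copies the pod's per-pod TLS private key (`server-key.pem`, `client-key.pem`) into it, so the key lands on the node's filesystem, is visible to anything else that mounts that path, and outlives the pod even though the Secret it came from is owner-referenced for cleanup. If the host directory is genuinely required, set `type: DirectoryOrCreate` so the mount does not fail on nodes where it is missing, and make sure the script restricts the copied key files' mode; otherwise an `emptyDir` would keep the key inside the pod. The same mount appears in the volumeMounts hunk above.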
diff --git a/charts/libvirt/values.yaml b/charts/libvirt/values.yaml
index 66aa7bb..7314f78 100644
--- a/charts/libvirt/values.yaml
+++ b/charts/libvirt/values.yaml
@@ -105,6 +105,10 @@
secret_uuid: null
user_secret_name: null
libvirt:
+ # Issuer to issue a certificate for libvirt api when listen_tls is enabled.
+ issuer:
+ kind: ClusterIssuer
+ name: ca-clusterissuer
listen_tcp: "1"
listen_tls: "0"
auth_tcp: "none"
@@ -128,52 +132,6 @@
issuer:
kind: ClusterIssuer
name: ca-clusterissuer
- # Script is included here (vs in bin/) to allow overriding, in the case that
- # communication happens over an IP other than the pod IP for some reason.
- cert_init_sh: |
- #!/bin/bash
- set -x
-
- # Script to create certs for each libvirt pod based on pod IP (by default).
-
- cat <<EOF | kubectl apply -f -
- apiVersion: cert-manager.io/v1
- kind: Certificate
- metadata:
- name: ${POD_NAME}-${TYPE}
- namespace: ${POD_NAMESPACE}
- ownerReferences:
- - apiVersion: v1
- kind: Pod
- name: ${POD_NAME}
- uid: ${POD_UID}
- spec:
- secretName: ${POD_NAME}-${TYPE}
- commonName: ${POD_IP}
- usages:
- - client auth
- - server auth
- dnsNames:
- - ${HOSTNAME}
- ipAddresses:
- - ${POD_IP}
- issuerRef:
- kind: ${ISSUER_KIND}
- name: ${ISSUER_NAME}
- EOF
-
- kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
- certificate/${POD_NAME}-${TYPE}
-
- # NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
- # is deleted, so we should add an owner reference to the secret
- # to ensure that it is cleaned up when the pod is deleted.
- kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
- --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'
-
- kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
- kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
- kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
pod:
probes:
@@ -310,6 +268,53 @@
- endpoint: internal
service: local_image_registry
+scripts:
+ # Script is included here (vs in bin/) to allow overriding.
+ cert_init_sh: |
+ #!/bin/bash
+ set -x
+
+ # Script to create certs for each libvirt pod based on pod IP (by default).
+
+ cat <<EOF | kubectl apply -f -
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: ${POD_NAME}-${TYPE}
+ namespace: ${POD_NAMESPACE}
+ ownerReferences:
+ - apiVersion: v1
+ kind: Pod
+ name: ${POD_NAME}
+ uid: ${POD_UID}
+ spec:
+ secretName: ${POD_NAME}-${TYPE}
+ commonName: ${POD_IP}
+ usages:
+ - client auth
+ - server auth
+ dnsNames:
+ - ${HOSTNAME}
+ ipAddresses:
+ - ${POD_IP}
+ issuerRef:
+ kind: ${ISSUER_KIND}
+ name: ${ISSUER_NAME}
+ EOF
+
+ kubectl -n ${POD_NAMESPACE} wait --for=condition=Ready --timeout=300s \
+ certificate/${POD_NAME}-${TYPE}
+
+ # NOTE(mnaser): cert-manager does not clean-up the secrets when the certificate
+ # is deleted, so we should add an owner reference to the secret
+ # to ensure that it is cleaned up when the pod is deleted.
+ kubectl -n ${POD_NAMESPACE} patch secret ${POD_NAME}-${TYPE} \
+ --type=json -p='[{"op": "add", "path": "/metadata/ownerReferences", "value": [{"apiVersion": "v1", "kind": "Pod", "name": "'${POD_NAME}'", "uid": "'${POD_UID}'"}]}]'
+
+ kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.crt}' | base64 -d > /tmp/${TYPE}.crt
+ kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key
+ kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt
+
manifests:
configmap_bin: true
configmap_etc: true
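Review bot: The script runs under `set -x` only, so if `kubectl apply` or the `kubectl wait` on the Certificate fails (issuer missing, 300s timeout), execution continues, the three `get secret` commands fail, and `/tmp/${TYPE}.crt` / `/tmp/${TYPE}.key` are created empty while the init container still exits 0; `_libvirt.sh.tpl`'s `[ -f /tmp/api.crt ]` test then copies empty files into place. Use `set -exo pipefail` so a failure anywhere, including on the left side of the `base64 -d` pipes, fails the init container visibly. The key file is also written under the default umask; add `umask 077` before the `get secret` lines so `/tmp/${TYPE}.key` is not group- or world-readable in the shared `pod-tmp` volume.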
diff --git a/charts/nova/Chart.yaml b/charts/nova/Chart.yaml
index eb47ead..f134982 100644
--- a/charts/nova/Chart.yaml
+++ b/charts/nova/Chart.yaml
@@ -9,4 +9,4 @@
sources:
- https://opendev.org/openstack/nova
- https://opendev.org/openstack/openstack-helm
-version: 0.3.19
+version: 0.3.20
diff --git a/charts/nova/requirements.lock b/charts/nova/requirements.lock
index 4cb5c9c..d624d95 100644
--- a/charts/nova/requirements.lock
+++ b/charts/nova/requirements.lock
@@ -3,4 +3,4 @@
repository: file://../../openstack-helm-infra/helm-toolkit
version: 0.2.54
digest: sha256:337a0f1ffb3eae591150b305c22293d85fb8c18abec78f56672de4f3ada2faae
-generated: "2023-08-30T00:10:57.22984359Z"
+generated: "2023-08-30T19:05:56.252154184Z"
diff --git a/charts/nova/templates/bin/_health-probe.py.tpl b/charts/nova/templates/bin/_health-probe.py.tpl
index a019187..6450301 100644
--- a/charts/nova/templates/bin/_health-probe.py.tpl
+++ b/charts/nova/templates/bin/_health-probe.py.tpl
@@ -34,6 +34,7 @@
import json
import os
import psutil
+import re
import signal
import socket
import sys
@@ -142,7 +143,7 @@
try:
with open(sys.argv[2]) as conf_file:
for line in conf_file:
- if line.startswith("connection ="):
+ if re.match(r'^\s*connection\s*=', line):
service = line.split(':', 3)[3].split('/')[1].rstrip('\n')
if service == "nova":
database_ports.add(
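Review bot: `re.match` already anchors at the start of the string, so the `^` in `r'^\s*connection\s*='` is redundant; `if re.match(r'\s*connection\s*=', line):` is equivalent. Because the pattern is constant, compiling it once outside the `for` loop would also make the intent clearer, though `re`'s internal cache keeps the per-line cost small. The loosened match now accepts `connection=` without surrounding spaces, but the `split(':', 3)[3]` on the next line still assumes a URL with at least three colons; the enclosing `try` (its `except` is outside the hunk) presumably covers the other shapes.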