Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / a4cbb615a229a7920636699cbe827755a57f510a^! / .
commita4cbb615a229a7920636699cbe827755a57f510a[log] [tgz]
authorMohammed Naser <mnaser@vexxhost.com>Mon Jul 10 20:59:58 2023 -0400
committerMohammed Naser <mnaser@vexxhost.com>Mon Jul 10 22:01:23 2023 -0400
treef06df21a4b4d981f91ea2928ef612ff4d8287fd8
parentf799a7bbcf7e63c4d71c774443c8dc7bf2811475 [diff]
chore(libvirt): switch back to tunnelled

diff --git a/charts/libvirt/templates/bin/_cert-init.sh.tpl b/charts/libvirt/templates/bin/_cert-init.sh.tpl
index ca4d33f..a352219 100644
--- a/charts/libvirt/templates/bin/_cert-init.sh.tpl
+++ b/charts/libvirt/templates/bin/_cert-init.sh.tpl

@@ -29,6 +29,7 @@
       uid: ${POD_UID}
 spec:
   secretName: ${POD_NAME}-${TYPE}
+  commonName: ${POD_IP}
   usages:
   - client auth
   - server auth

diff --git a/charts/libvirt/templates/bin/_libvirt.sh.tpl b/charts/libvirt/templates/bin/_libvirt.sh.tpl
index b4b2b9f..62ab1f6 100644
--- a/charts/libvirt/templates/bin/_libvirt.sh.tpl
+++ b/charts/libvirt/templates/bin/_libvirt.sh.tpl

@@ -18,7 +18,7 @@
 
 # NOTE(mnaser): This will move the API certificates into the expected location.
 if [ -f /tmp/api.crt ]; then
-  mkdir -p /etc/pki/CA /etc/pki/qemu /etc/pki/libvirt/private
+  mkdir -p /etc/pki/CA /etc/pki/libvirt/private
 
   cp /tmp/api-ca.crt {{ .Values.conf.libvirt.ca_file }}
   cp /tmp/api-ca.crt /etc/pki/qemu/ca-cert.pem

diff --git a/charts/libvirt/templates/daemonset-libvirt.yaml b/charts/libvirt/templates/daemonset-libvirt.yaml
index 0eca106..fc2c3b3 100644
--- a/charts/libvirt/templates/daemonset-libvirt.yaml
+++ b/charts/libvirt/templates/daemonset-libvirt.yaml

@@ -240,6 +240,10 @@
               readOnly: true
             - name: etc-libvirt-qemu
               mountPath: /etc/libvirt/qemu
+{{- if eq .Values.conf.libvirt.listen_tls "1" }}
+            - name: etc-pki-qemu
+              mountPath: /etc/pki/qemu
+{{- end }}
             - mountPath: /lib/modules
               name: libmodules
               readOnly: true
@@ -341,6 +345,11 @@
         - name: etc-libvirt-qemu
           hostPath:
             path: /etc/libvirt/qemu
+{{- if eq .Values.conf.libvirt.listen_tls "1" }}
+        - name: etc-pki-qemu
+          hostPath:
+            path: /etc/pki/qemu
+{{- end }}
 {{ dict "envAll" $envAll "component" "libvirt" "requireSys" true | include "helm-toolkit.snippets.kubernetes_apparmor_volumes" | indent 8 }}
 {{ if $mounts_libvirt.volumes }}{{ toYaml $mounts_libvirt.volumes | indent 8 }}{{ end }}
 {{- end }}

diff --git a/roles/nova/vars/main.yml b/roles/nova/vars/main.yml
index 94ff565..e47eeb9 100644
--- a/roles/nova/vars/main.yml
+++ b/roles/nova/vars/main.yml

@@ -82,8 +82,10 @@
         #                        https://review.opendev.org/883066
         service_type: compute
       libvirt:
-        live_migration_with_native_tls: true
         live_migration_scheme: tls
+        # TODO(mnaser): We should enable this once we figure out how to "inject"
+        #               the certificates into the existing "qemu-kvm" processes.
+        # live_migration_with_native_tls: true
       neutron:
         metadata_proxy_shared_secret: "{{ openstack_helm_endpoints['compute_metadata']['secret'] }}"
       oslo_messaging_notifications: