Gitiles
Code Review Sign In
review.vexxhost.dev / atmosphere / f799a7bbcf7e63c4d71c774443c8dc7bf2811475^! / .
commitf799a7bbcf7e63c4d71c774443c8dc7bf2811475[log] [tgz]
authorMohammed Naser <mnaser@vexxhost.com>Mon Jul 10 18:06:38 2023 -0400
committerMohammed Naser <mnaser@vexxhost.com>Mon Jul 10 22:01:23 2023 -0400
tree0e1c2a743633289cc71c7ea6f01c2d5e287416d4
parentbcef41974750034e141216091c872b77d52e8052 [diff]
chore(libvirt): enable tls live migration

diff --git a/charts/libvirt/templates/bin/_cert-init.sh.tpl b/charts/libvirt/templates/bin/_cert-init.sh.tpl
index bb4f33c..ca4d33f 100644
--- a/charts/libvirt/templates/bin/_cert-init.sh.tpl
+++ b/charts/libvirt/templates/bin/_cert-init.sh.tpl

@@ -30,6 +30,7 @@
 spec:
   secretName: ${POD_NAME}-${TYPE}
   usages:
+  - client auth
   - server auth
   dnsNames:
   - ${HOSTNAME}

diff --git a/charts/libvirt/templates/bin/_libvirt.sh.tpl b/charts/libvirt/templates/bin/_libvirt.sh.tpl
index a664430..b4b2b9f 100644
--- a/charts/libvirt/templates/bin/_libvirt.sh.tpl
+++ b/charts/libvirt/templates/bin/_libvirt.sh.tpl

@@ -18,10 +18,20 @@
 
 # NOTE(mnaser): This will move the API certificates into the expected location.
 if [ -f /tmp/api.crt ]; then
-  mkdir -p /etc/pki/CA /etc/pki/libvirt/private
-  mv /tmp/api.key {{ .Values.conf.libvirt.key_file }}
-  mv /tmp/api.crt {{ .Values.conf.libvirt.cert_file }}
-  mv /tmp/api-ca.crt {{ .Values.conf.libvirt.ca_file }}
+  mkdir -p /etc/pki/CA /etc/pki/qemu /etc/pki/libvirt/private
+
+  cp /tmp/api-ca.crt {{ .Values.conf.libvirt.ca_file }}
+  cp /tmp/api-ca.crt /etc/pki/qemu/ca-cert.pem
+
+  cp /tmp/api.crt {{ .Values.conf.libvirt.cert_file }}
+  cp /tmp/api.crt /etc/pki/libvirt/clientcert.pem
+  cp /tmp/api.crt /etc/pki/qemu/server-cert.pem
+  cp /tmp/api.crt /etc/pki/qemu/client-cert.pem
+
+  cp /tmp/api.key {{ .Values.conf.libvirt.key_file }}
+  cp /tmp/api.key /etc/pki/libvirt/private/clientkey.pem
+  cp /tmp/api.key /etc/pki/qemu/server-key.pem
+  cp /tmp/api.key /etc/pki/qemu/client-key.pem
 fi
 
 # NOTE(mnaser): This will move the VNC certificates into the expected location.

diff --git a/roles/libvirt/vars/main.yml b/roles/libvirt/vars/main.yml
index 9286e84..a9bf991 100644
--- a/roles/libvirt/vars/main.yml
+++ b/roles/libvirt/vars/main.yml

@@ -24,5 +24,6 @@
       listen_tls: "1"
       listen_addr: 0.0.0.0
     qemu:
+      default_tls_x509_cert_dir: /etc/pki/qemu
+      default_tls_x509_verify: "1"
       vnc_tls: "1"
-      vnc_tls_x509_verify: "1"

diff --git a/roles/nova/vars/main.yml b/roles/nova/vars/main.yml
index c2c36b5..94ff565 100644
--- a/roles/nova/vars/main.yml
+++ b/roles/nova/vars/main.yml

@@ -81,6 +81,9 @@
         # NOTE(okozachenko1203): We can remove it once the following is merged:
         #                        https://review.opendev.org/883066
         service_type: compute
+      libvirt:
+        live_migration_with_native_tls: true
+        live_migration_scheme: tls
       neutron:
         metadata_proxy_shared_secret: "{{ openstack_helm_endpoints['compute_metadata']['secret'] }}"
       oslo_messaging_notifications: