From 33e93ab323a570d9140168c967a37c311e0052d6 Mon Sep 17 00:00:00 2001
From: Mark Goddard <mark@stackhpc.com>
Date: Wed, 26 Jan 2022 16:27:33 +0000
Subject: [PATCH] certificates: generate libvirt TLS certificates

Adds support to the 'kolla-ansible certificates' command for generating
certificates for libvirt TLS, when libvirt_tls is true. The same
certificate and key are used for the libvirt client and server.

The certificates use the same root CA as the other generated
certificates, and are written to
{{ node_custom_config }}/nova/nova-libvirt/, ready to be picked up by
nova-libvirt and nova-compute.

Change-Id: I1bde9fa018f66037aec82dc74c61ad1f477a7c12
---
 ansible/certificates.yml                      |  3 +-
 ansible/roles/certificates/defaults/main.yml  |  6 ++
 .../certificates/tasks/generate-libvirt.yml   | 84 +++++++++++++++++++
 ansible/roles/certificates/tasks/main.yml     |  2 +
 .../templates/openssl-kolla-libvirt.cnf.j2    | 18 ++++
 ...irt-tls-certificates-b4b27b1a6b4a2db7.yaml | 10 +++
 6 files changed, 122 insertions(+), 1 deletion(-)
 create mode 100644 ansible/roles/certificates/tasks/generate-libvirt.yml
 create mode 100644 ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2
 create mode 100644 releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml

diff --git a/ansible/certificates.yml b/ansible/certificates.yml
index 28a1a5f8e..772aa2f5c 100644
--- a/ansible/certificates.yml
+++ b/ansible/certificates.yml
@@ -2,7 +2,8 @@
 - import_playbook: gather-facts.yml
   when: >-
     kolla_enable_tls_backend | default(false) | bool or
-    rabbitmq_enable_tls | default(false) | bool
+    rabbitmq_enable_tls | default(false) | bool or
+    certificates_generate_libvirt | default(libvirt_tls) | default(false) | bool
 
 - name: Apply role certificates
   hosts: localhost
diff --git a/ansible/roles/certificates/defaults/main.yml b/ansible/roles/certificates/defaults/main.yml
index a478311ef..473bbb40d 100644
--- a/ansible/roles/certificates/defaults/main.yml
+++ b/ansible/roles/certificates/defaults/main.yml
@@ -3,3 +3,9 @@ root_dir: "{{ kolla_certificates_dir }}/private/root"
 external_dir: "{{ kolla_certificates_dir }}/private/external"
 internal_dir: "{{ kolla_certificates_dir }}/private/internal"
 backend_dir: "{{ kolla_certificates_dir }}/private/backend"
+libvirt_dir: "{{ kolla_certificates_dir }}/private/libvirt"
+
+# Whether to generate certificates for libvirt TLS.
+certificates_generate_libvirt: "{{ libvirt_tls | default(false) | bool }}"
+# Directory into which to copy generated certificates and keys for libvirt TLS.
+certificates_libvirt_output_dir: "{{ node_custom_config }}/nova/nova-libvirt"
diff --git a/ansible/roles/certificates/tasks/generate-libvirt.yml b/ansible/roles/certificates/tasks/generate-libvirt.yml
new file mode 100644
index 000000000..c65512750
--- /dev/null
+++ b/ansible/roles/certificates/tasks/generate-libvirt.yml
@@ -0,0 +1,84 @@
+---
+- name: Ensuring private libvirt directory exist
+  file:
+    path: "{{ libvirt_dir }}"
+    state: "directory"
+    mode: "0770"
+
+- name: Creating libvirt SSL configuration file
+  template:
+    src: "{{ item }}.j2"
+    dest: "{{ kolla_certificates_dir }}/{{ item }}"
+    mode: "0660"
+  with_items:
+    - "openssl-kolla-libvirt.cnf"
+
+- name: Creating libvirt certificate key
+  command: >
+    openssl genrsa
+    -out "{{ libvirt_dir }}/libvirt.key" 2048
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.key"
+
+- name: Creating libvirt certificate signing request
+  command: >
+    openssl req
+    -new
+    -key "{{ libvirt_dir }}/libvirt.key"
+    -out "{{ libvirt_dir }}/libvirt.csr"
+    -config "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
+    -sha256
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.csr"
+
+- name: Creating libvirt certificate
+  command: >
+    openssl x509
+    -req
+    -in "{{ libvirt_dir }}/libvirt.csr"
+    -CA "{{ root_dir }}/root.crt"
+    -CAkey "{{ root_dir }}/root.key"
+    -CAcreateserial
+    -extensions v3_req
+    -extfile "{{ kolla_certificates_dir }}/openssl-kolla-libvirt.cnf"
+    -out "{{ libvirt_dir }}/libvirt.crt"
+    -days 500
+    -sha256
+  args:
+    creates: "{{ libvirt_dir }}/libvirt.crt"
+
+- name: Setting permissions on libvirt key
+  file:
+    path: "{{ libvirt_dir }}/libvirt.key"
+    mode: "0660"
+    state: file
+
+- name: Ensure libvirt output directory exists
+  file:
+    path: "{{ certificates_libvirt_output_dir }}"
+    state: directory
+    mode: "0770"
+
+- name: Copy libvirt root CA to default configuration location
+  copy:
+    src: "{{ root_dir }}/root.crt"
+    dest: "{{ certificates_libvirt_output_dir }}/cacert.pem"
+    mode: "0660"
+
+- name: Copy libvirt cert to default configuration locations
+  copy:
+    src: "{{ libvirt_dir }}/libvirt.crt"
+    dest: "{{ certificates_libvirt_output_dir }}/{{ item }}cert.pem"
+    mode: "0660"
+  loop:
+    - server
+    - client
+
+- name: Copy libvirt key to default configuration locations
+  copy:
+    src: "{{ libvirt_dir }}/libvirt.key"
+    dest: "{{ certificates_libvirt_output_dir }}/{{ item }}key.pem"
+    mode: "0660"
+  loop:
+    - server
+    - client
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
index f8d80dd9b..eccd6d668 100644
--- a/ansible/roles/certificates/tasks/main.yml
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -4,3 +4,5 @@
 - include_tasks: generate-backend.yml
   when:
     - kolla_enable_tls_backend | bool or rabbitmq_enable_tls | bool
+- include_tasks: generate-libvirt.yml
+  when: certificates_generate_libvirt | bool
diff --git a/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2 b/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2
new file mode 100644
index 000000000..f625e03a4
--- /dev/null
+++ b/ansible/roles/certificates/templates/openssl-kolla-libvirt.cnf.j2
@@ -0,0 +1,18 @@
+[req]
+prompt = no
+distinguished_name = req_distinguished_name
+req_extensions = v3_req
+
+[req_distinguished_name]
+countryName = US
+stateOrProvinceName = NC
+localityName = RTP
+organizationalUnitName = kolla
+
+[v3_req]
+subjectAltName = @alt_names
+
+[alt_names]
+{% for host in groups['compute'] %}
+DNS.{{ loop.index }} = {{ hostvars[host].migration_hostname | default(hostvars[host].ansible_facts.nodename) }}
+{% endfor %}
diff --git a/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml b/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml
new file mode 100644
index 000000000..8ee99dd7e
--- /dev/null
+++ b/releasenotes/notes/libvirt-tls-certificates-b4b27b1a6b4a2db7.yaml
@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Adds support to the ``kolla-ansible certificates`` command for generating
+    certificates for libvirt TLS, when ``libvirt_tls`` is ``true``. The same
+    certificate and key are used for the libvirt client and server.
+
+    The certificates use the same root CA as the other generated certificates,
+    and are written to ``{{ node_custom_config }}/nova/nova-libvirt/``, ready
+    to be picked up by nova-libvirt and nova-compute.
-- 
GitLab