Merge pull request #588 from SeanMooney/OSPRH-5053
ADD tls-e support for edpm_nova
openshift-merge-bot[bot] authored Mar 14, 2024
2 parents 9e2a677 + 1d129db commit fcbb4f2
Showing 8 changed files with 77 additions and 1 deletion.
5 changes: 5 additions & 0 deletions roles/edpm_nova/defaults/main.yml
Expand Up @@ -31,6 +31,11 @@ edpm_nova_compute_image: "quay.io/podified-antelope-centos9/openstack-nova-compu

# certs
edpm_nova_tls_certs_enabled: "{{ edpm_tls_certs_enabled | default(False) }}"
# NOTE(sean-k-mooney): nova will use unix sockets for libvirt and communicate with ovs via tcp
# so we will not need the libvirt or ovs client certs or ca. nova will communicate other services
# via there api endpoints and will connect to rabbitmq. To support this we will need to trust
# the general ca root cert.
edpm_nova_tls_ca_src_dir: "/var/lib/openstack/cacerts/{{ edpm_service_name | default('nova') }}"

# list of tripleo nova services to stop during EDPM adoption
edpm_nova_old_tripleo_compute_sevices:
Expand Down
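Review bot: The NOTE comment above `edpm_nova_tls_ca_src_dir` has wording slips that make the trust rationale harder to read than it should be: "nova will communicate other services via there api endpoints" should read "nova will communicate with other services via their API endpoints". The rest of the comment is clear and the reason for trusting only the general CA root is useful to keep. Nothing else in this defaults hunk needs changing.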
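--- a/roles/edpm_nova/molecule/default/collections.yml
+++ b/roles/edpm_nova/molecule/default/collections.yml
@@ -0,0 +1,4 @@
+
+collections:
+- name: community.crypto
+type: galaxy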
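Review bot: `community.crypto` is declared with `type: galaxy` but no `version:` pin, so every molecule run resolves whatever the latest Galaxy release is at install time and the test environment is not reproducible; adding a constraint such as `version: ">=2.0.0,<3.0.0"` (a constructed example, pick the range the role is verified against) makes the dependency deterministic. The vagrant collections.yml in this commit (one addition, content not shown) presumably gets the same entry and the same pin. If the rendered view has flattened the indentation, `type:` should be nested under the `- name:` list item rather than at top level.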
2 changes: 2 additions & 0 deletions roles/edpm_nova/molecule/default/converge.yml
Expand Up @@ -15,3 +15,5 @@
- role: osp.edpm.edpm_nova
vars:
edpm_nova_config_src: "{{lookup('env', 'MOLECULE_PROJECT_DIRECTORY')}}/molecule/default/test-data"
edpm_nova_tls_ca_src_dir: /tmp/pki
edpm_nova_tls_certs_enabled: true
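Review bot: `edpm_nova_tls_ca_src_dir: /tmp/pki` is hard-coded here and repeated as a play-level var in prepare.yml and verify.yml in the same commit, so the three scenario files only agree by convention and a change to one silently diverges from the others. If molecule's provisioner inventory (host_vars or group_vars in molecule.yml) is available in this scenario, defining the path once there and dropping the three literals would keep prepare, converge and verify in step. The `- role:` entry this hunk belongs to starts above the visible lines.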
47 changes: 47 additions & 0 deletions roles/edpm_nova/molecule/default/prepare.yml
Expand Up @@ -23,6 +23,8 @@

- name: Setup DUT
hosts: all
vars:
edpm_nova_tls_ca_src_dir: /tmp/pki
pre_tasks:
- name: set basic user fact
set_fact:
Expand Down Expand Up @@ -107,3 +109,48 @@
owner: root
group: root
mode: '0655'

- name: create pki temp directory
become: true
ansible.builtin.file:
path: "{{ edpm_nova_tls_ca_src_dir }}"
state: directory
owner: root
group: root
mode: 0777

- name: Create private key (RSA, 4096 bits)
community.crypto.openssl_privatekey:
path: "{{ edpm_nova_tls_ca_src_dir }}/ca.key"

- name: Create a certificate signing request for ca
community.crypto.openssl_csr_pipe:
privatekey_path: "{{ edpm_nova_tls_ca_src_dir }}/ca.key"
organization_name: fake-corp
basic_constraints:
- 'CA:TRUE'
subject_alt_name:
- "DNS:compute-1.example.com"
- "DNS:compute-1"
- "DNS:{{ inventory_hostname }}"
key_usage:
- keyCertSign
register: csr

- name: Create a certificate athority
community.crypto.x509_certificate:
path: "{{ edpm_nova_tls_ca_src_dir }}/tls-ca-bundle.pem"
privatekey_path: "{{ edpm_nova_tls_ca_src_dir }}/ca.key"
csr_content: "{{ csr.csr }}"
provider: selfsigned

# FIXME(sean-k-mooney): this is a hack to work around the fact that we dont
# currently manage the hostname on the DUT via boostrap or a dedicated role
# in the molecule test. This is needed to ensure the hostname is resolvable
# when executing virsh commands. remove this when we have a proper solution
- name: Ensure hostname is resolvable in /etc/hosts
become: true
ansible.builtin.lineinfile:
path: /etc/hosts
line: "{{ ansible_default_ipv4.address | default('127.0.0.1') }} {{ ansible_fqdn }} {{ inventory_hostname }}"
state: present
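Review bot: The `create pki temp directory` task makes `{{ edpm_nova_tls_ca_src_dir }}` world-writable (`mode: 0777`, also unquoted, which yamllint flags because an octal literal is parser-version dependent) and the next tasks then write the CA private key `ca.key` into it without `become`, so the key that signs the test CA lives in a directory any local user can replace or add files to. Running the three `community.crypto` tasks with `become: true`, tightening the directory to `mode: "0750"`, and giving the key task `mode: "0600"` keeps the key readable only by root while `tls-ca-bundle.pem` stays consumable. The task name `Create a certificate athority` has a typo (`authority`), and the `lineinfile` hack relies on `ansible_default_ipv4` being gathered by this play, which I cannot confirm from the hunk. The `Setup DUT` play that contains these tasks starts above the first hunk.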
10 changes: 10 additions & 0 deletions roles/edpm_nova/molecule/default/verify.yml
Expand Up @@ -6,6 +6,7 @@
gather_facts: false
vars:
test_helper_dir: "../../../../molecule/test-helpers"
edpm_nova_tls_ca_src_dir: /tmp/pki
tasks:
- name: ensure expected directories exist
ansible.builtin.include_tasks: "{{test_helper_dir}}/verify_dir.yaml"
Expand All @@ -25,6 +26,9 @@
- "/var/lib/_nova_secontext"
- "/var/lib/nova/instances"
- "/var/log/containers/nova"
# NOTE(sean-k-mooney): this directory is normaly created by the edpm_install_cert role
# in molecule we create it in prepare so lets just assert it exists
- "{{ edpm_nova_tls_ca_src_dir }}"
- name: ensure systemd services are defined and functional
ansible.builtin.include_tasks: "{{test_helper_dir}}/verify_systemd_unit.yaml"
loop:
Expand Down Expand Up @@ -56,6 +60,12 @@
that:
- "'10.0.0.3' in host_specific_config.content | b64decode"

- name: Assert libvirt is configured to use tls for live migration
ansible.builtin.assert:
that:
- "'live_migration_with_native_tls = true' in host_specific_config.content | b64decode"
- "'live_migration_scheme = tls' in host_specific_config.content | b64decode"

- name: Check if user exists
ansible.builtin.getent:
database: passwd
Expand Down
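Review bot: The new entry in the `ensure expected directories exist` loop only proves that `edpm_nova_tls_ca_src_dir` exists, while what the role actually consumes is `{{ edpm_nova_tls_ca_src_dir }}/tls-ca-bundle.pem`, the file nova_compute.json.j2 bind-mounts into the container; a `stat` task on that path asserting `stat.exists` and `stat.isreg` would catch a missing or mis-named bundle that the directory check lets through. The two new libvirt asserts cover the rendered config but not the mount. The comment typo `normaly` should be `normally`. The enclosing play starts above the first hunk.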
1 change: 1 addition & 0 deletions roles/edpm_nova/molecule/vagrant/collections.yml
5 changes: 5 additions & 0 deletions roles/edpm_nova/templates/02-nova-host-specific.conf.j2
@@ -1,2 +1,7 @@
[DEFAULT]
my_ip = {{ ctlplane_ip }}
{% if edpm_nova_tls_certs_enabled | bool %}
[libvirt]
live_migration_with_native_tls = true
live_migration_scheme = tls
{% endif %}
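Review bot: This template guards with `{% if edpm_nova_tls_certs_enabled | bool %}` while nova_compute.json.j2 in the same commit uses `{% if edpm_nova_tls_certs_enabled %}` on the same variable; the default in defaults/main.yml is the templated string `"{{ edpm_tls_certs_enabled | default(False) }}"`, and whether that arrives as a native boolean or as the string `"False"` (which is truthy in Jinja) depends on Ansible's result conversion. Use the `| bool` form in both templates, `{% if edpm_nova_tls_certs_enabled | bool %}`, so a string-typed value cannot enable the CA mount while leaving libvirt unconfigured for TLS.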
4 changes: 3 additions & 1 deletion roles/edpm_nova/templates/nova_compute.json.j2
Expand Up @@ -10,10 +10,12 @@
},
"volumes": [
"/var/lib/openstack/config/nova:/var/lib/kolla/config_files:ro",
{% if edpm_nova_tls_certs_enabled %}
"{{ edpm_nova_tls_ca_src_dir }}/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro",
{% endif %}
"/etc/localtime:/etc/localtime:ro",
"/lib/modules:/lib/modules:ro",
"/dev:/dev",
"/run/openvswitch:/run/openvswitch",
"/var/log/containers/nova:/var/log/containers/nova",
"/var/lib/libvirt:/var/lib/libvirt",
"/run/libvirt:/run/libvirt:shared",
Expand Down
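Review bot: The new bind mount `"{{ edpm_nova_tls_ca_src_dir }}/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro"` assumes the bundle exists on the host whenever `edpm_nova_tls_certs_enabled` is set; if it does not, I believe podman creates the missing source as an empty directory, which then shadows the container's own CA bundle and breaks TLS trust for every service nova talks to instead of failing loudly. A `stat` of the bundle in the role's task list (outside this diff) that fails with a clear message when the file is absent would surface the misconfiguration at deploy time. The `volumes` list this hunk edits continues below the visible lines.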
