Add nova_libvirt_live_migration_inbound_addr to compute SAN

Some deployments might want to perform live migrations over dedicated
networks, like fast storage network, while keep management over default
mgmt network.

The current default behaviour prevents such a use case, since
nova_libvirt_live_migration_inbound_addr is not added to the certificate
generated for libvirtd, and thus live migration will fail.

Also to enable users override default behviour more nicely and reduce
code duplication, new variable ``nova_pki_compute_san`` was introduced,
that handles SAN definition for compute nodes.

Change-Id: I22cc1a20190f0573b0350369a6cea5310ab0f0a7
Dmitriy Rabotyagov 2023-10-18 21:03:11 +02:00
parent 32867052d7
commit 155323fe68
1 changed files with 8 additions and 10 deletions


@ -617,17 +617,19 @@ nova_pki_intermediate_chain_path: >-
{{ nova_pki_dir ~ '/roots/' ~ nova_pki_intermediate_cert_name ~ '/certs/' ~ nova_pki_intermediate_cert_name ~ '-chain.crt' }}
nova_pki_regen_cert: ''
nova_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
nova_pki_compute_san: >-
{{
'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['nodename'] ~ ',IP:' ~ (nova_management_address == 'localhost') | ternary(
'127.0.0.1', nova_management_address) ~ (nova_libvirt_live_migration_inbound_addr != nova_management_address) |ternary(
',IP:' ~ nova_libvirt_live_migration_inbound_addr, '')
}}
# Create client and server cert for compute hosts
# This certiticate is used to secure TLS live migrations and VNC sessions
nova_pki_compute_certificates:
- name: "nova_{{ ansible_facts['hostname'] }}"
provider: ownca
cn: "{{ ansible_facts['nodename'] }}"
san: >-
{{
'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['nodename'] ~ ',IP:' ~ (nova_management_address == 'localhost') | ternary(
'127.0.0.1', nova_management_address)
}}
san: "{{ nova_pki_compute_san }}"
signed_by: "{{ nova_pki_intermediate_cert_name }}"
key_usage:
- digitalSignature
@ -720,11 +722,7 @@ nova_pki_console_certificates:
- name: "nova_{{ ansible_facts['hostname'] }}-client"
provider: ownca
cn: "{{ ansible_facts['nodename'] }}"
san: >-
{{
'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['nodename'] ~ ',IP:' ~ (nova_management_address == 'localhost') | ternary(
'127.0.0.1', nova_management_address)
}}
san: "{{ nova_pki_compute_san }}"
signed_by: "{{ nova_pki_intermediate_cert_name }}"
key_usage:
- digitalSignature
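Review bot: The new `nova_pki_compute_san` default in the first hunk always emits the migration address with an `IP:` prefix, so if a deployer sets `nova_libvirt_live_migration_inbound_addr` to a hostname (which nova's live_migration_inbound_addr accepts) the generated SAN contains `IP:<hostname>`, which the certificate tooling will presumably reject, and the error surfaces at cert creation rather than at the variable. If an IP literal is the intended contract, I'd state it next to the definition: `# nova_libvirt_live_migration_inbound_addr must be an IP literal: it is emitted as an IP: SAN entry, not DNS:` — otherwise the expression needs a DNS/IP branch before the prefix is chosen. Related, the inclusion is only effective for certificates issued after this change; with `nova_pki_regen_cert: ''` on the visible line above, existing compute certificates would presumably keep the old SAN until a regen is requested, which is worth a release note. Minor style: `|ternary(` on the second line lacks the space used by `| ternary(` on the first. The `nova_pki_compute_certificates` list continues past the end of the hunk.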