From 155323fe68ca75fe15a5a092edc8989ff64d2e7a Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Wed, 18 Oct 2023 21:03:11 +0200
Subject: [PATCH] Add nova_libvirt_live_migration_inbound_addr to compute SAN

Some deployments might want to perform live migrations over dedicated networks, like fast storage network, while keep management over default mgmt network. Current default behaviour will prevent such usecase, since nova_libvirt_live_migration_inbound_addr is not added to the generated for libvirtd certificate, and thus live migration will fail. Also to enable users override default behviour more nicely and reduce code duplication, new variable ``nova_pki_compute_san`` was introduced, that handles SAN definition for compute nodes.

Change-Id: I22cc1a20190f0573b0350369a6cea5310ab0f0a7
---
 defaults/main.yml | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index aaf6a065..0251b3ca 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -617,17 +617,19 @@ nova_pki_intermediate_chain_path: >-
   {{ nova_pki_dir ~ '/roots/' ~ nova_pki_intermediate_cert_name ~ '/certs/' ~ nova_pki_intermediate_cert_name ~ '-chain.crt' }}
 nova_pki_regen_cert: ''
 nova_pki_san: "{{ openstack_pki_san | default('DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ management_address) }}"
+nova_pki_compute_san: >-
+  {{
+    'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['nodename'] ~ ',IP:' ~ (nova_management_address == 'localhost') | ternary(
+    '127.0.0.1', nova_management_address) ~ (nova_libvirt_live_migration_inbound_addr != nova_management_address) |ternary(
+    ',IP:' ~ nova_libvirt_live_migration_inbound_addr, '')
+  }}
 # Create client and server cert for compute hosts
 # This certiticate is used to secure TLS live migrations and VNC sessions
 nova_pki_compute_certificates:
   - name: "nova_{{ ansible_facts['hostname'] }}"
     provider: ownca
     cn: "{{ ansible_facts['nodename'] }}"
-    san: >-
-      {{
-        'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['nodename'] ~ ',IP:' ~ (nova_management_address == 'localhost') | ternary(
-        '127.0.0.1', nova_management_address)
-      }}
+    san: "{{ nova_pki_compute_san }}"
     signed_by: "{{ nova_pki_intermediate_cert_name }}"
     key_usage:
       - digitalSignature
@@ -720,11 +722,7 @@ nova_pki_console_certificates:
   - name: "nova_{{ ansible_facts['hostname'] }}-client"
     provider: ownca
     cn: "{{ ansible_facts['nodename'] }}"
-    san: >-
-      {{
-        'DNS:' ~ ansible_facts['hostname'] ~ ',DNS:' ~ ansible_facts['nodename'] ~ ',IP:' ~ (nova_management_address == 'localhost') | ternary(
-        '127.0.0.1', nova_management_address)
-      }}
+    san: "{{ nova_pki_compute_san }}"
     signed_by: "{{ nova_pki_intermediate_cert_name }}"
     key_usage:
       - digitalSignature
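Review bot: The new `nova_pki_compute_san` expression always emits the live-migration address with an `IP:` prefix, but libvirt's inbound migration address may be configured as a hostname as well as an IP; if `nova_libvirt_live_migration_inbound_addr` can hold a hostname in this role, the SAN becomes `IP:<hostname>`, which is either rejected when the certificate is issued or never matches on the migration target, so TLS live migration fails in exactly the case the commit sets out to fix. Either state the constraint above the variable, `# nova_libvirt_live_migration_inbound_addr must be an IP address here; a hostname would need a DNS: entry instead`, or choose the `IP:`/`DNS:` prefix from the value's type before appending it. Two smaller points in the same expression: the inequality compares against `nova_management_address` while the emitted management entry is `127.0.0.1` when that variable is `'localhost'`, so a migration address of `127.0.0.1` yields a duplicate `IP:127.0.0.1` entry, and `|ternary(` on the fourth added line lacks the space used by `| ternary(` two lines above. Because the SAN now depends on a second address, compute certificates already issued presumably keep the old SAN until `nova_pki_regen_cert` (visible as context here) is used, which deserves a sentence in the commit message or a comment next to the variable.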