From fa740c5e49994ffdd3a5aa1f43a0305c8e5a0b3a Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles <jaosorior@redhat.com>
Date: Tue, 28 Mar 2017 14:23:48 +0300
Subject: [PATCH] TLS-everywhere: Enable for TLS libvirt live migration

This relies on using the default paths for certs/keys used by libvirt
and is only enabled if TLS-everywhere is enabled.

bp tls-via-certmonger
Depends-On: If18206d89460f6660a81aabc4ff8b97f1f99bba7
Depends-On: I0a1684397ebefaa8dc00237e0b7952e9296381fa
Change-Id: I0538bbdd54fd0b82518585f4f270b4be684f0ec4
---
 puppet/services/nova-libvirt.yaml             | 82 +++++++++++++++++++
 ...able-TLS-for-libvirt-0aab48cd8339da0f.yaml |  6 ++
 2 files changed, 88 insertions(+)
 create mode 100644 releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml

diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml
index faf1ae480c..0538c6cfeb 100644
--- a/puppet/services/nova-libvirt.yaml
+++ b/puppet/services/nova-libvirt.yaml
@@ -32,6 +32,36 @@ parameters:
   MonitoringSubscriptionNovaLibvirt:
     default: 'overcloud-nova-libvirt'
     type: string
+  EnableInternalTLS:
+    type: boolean
+    default: false
+  UseTLSTransportForLiveMigration:
+    type: boolean
+    default: true
+    description: If set to true and if EnableInternalTLS is enabled, it will
+                 set the libvirt URI's transport to tls and configure the
+                 relevant keys for libvirt.
+  LibvirtCACert:
+    type: string
+    default: '/etc/ipa/ca.crt'
+    description: This specifies the CA certificate to use for TLS in libvirt.
+                 This file will be symlinked to the default CA path in libvirt,
+                 which is /etc/pki/CA/cacert.pem. Note that due to limitations
+                 GNU TLS, which is the TLS backend for libvirt, the file must
+                 be less than 65K (so we can't use the system's CA bundle). The
+                 current default reflects TripleO's default CA, which is
+                 FreeIPA. It will only be used if internal TLS is enabled.
+
+conditions:
+
+  use_tls_for_live_migration:
+    and:
+    - equals:
+      - {get_param: EnableInternalTLS}
+      - true
+    - equals:
+      - {get_param: UseTLSTransportForLiveMigration}
+      - true
 
 resources:
   NovaBase:
@@ -71,5 +101,57 @@ outputs:
                   - '49152-49215'
                   - '5900-5999'
 
+          -
+            if:
+              - use_tls_for_live_migration
+              -
+                generate_service_certificates: true
+                tripleo::profile::base::nova::libvirt_tls: true
+                nova::migration::libvirt::live_migration_inbound_addr:
+                  str_replace:
+                    template:
+                      "%{hiera('fqdn_$NETWORK')}"
+                    params:
+                      $NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                tripleo::certmonger::ca::libvirt::origin_ca_pem:
+                  get_param: LibvirtCACert
+                tripleo::certmonger::libvirt_dirs::certificate_dir: '/etc/pki/libvirt'
+                tripleo::certmonger::libvirt_dirs::key_dir: '/etc/pki/libvirt/private'
+                libvirt_certificates_specs:
+                  libvirt-server-cert:
+                    service_certificate: '/etc/pki/libvirt/servercert.pem'
+                    service_key: '/etc/pki/libvirt/private/serverkey.pem'
+                    hostname:
+                      str_replace:
+                        template: "%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    principal:
+                      str_replace:
+                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                  libvirt-client-cert:
+                    service_certificate: '/etc/pki/libvirt/clientcert.pem'
+                    service_key: '/etc/pki/libvirt/private/clientkey.pem'
+                    hostname:
+                      str_replace:
+                        template: "%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                    principal:
+                      str_replace:
+                        template: "libvirt/%{hiera('fqdn_NETWORK')}"
+                        params:
+                          NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+              - {}
       step_config: |
         include tripleo::profile::base::nova::libvirt
+      metadata_settings:
+        if:
+          - use_tls_for_live_migration
+          -
+            - service: libvirt
+              network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+              type: node
+          - null
diff --git a/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml b/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml
new file mode 100644
index 0000000000..e8941b7c62
--- /dev/null
+++ b/releasenotes/notes/Enable-TLS-for-libvirt-0aab48cd8339da0f.yaml
@@ -0,0 +1,6 @@
+---
+features:
+  - |
+    If TLS in the internal network is enabled, libvirt's transport defaults to
+    using TLS. This can be changed by setting the ``UseTLSTransportForLiveMigration``
+    parameter, which is ``true`` by default.