libvirt: Support cert_file and key_file

This introduces parameters to customize cert_file and key_file used for
tls connections in libvirt, in addition to ca_file and crl_file which
are currently supported.

Closes-Bug: #2055160
Change-Id: I597b4d61661a21470ed76ba259f276c2ceffc5ba

manifests/migration/libvirt.pp

@@ -123,6 +123,18 @@
 #   See https://libvirt.org/guide/html/Application_Development_Guide-Architecture-Remote_URIs.html
 #   Defaults to {}
 #
+# [*key_file*]
+#   (optional) Specifies the key file that the TLS transport will use.
+#   Note that this is only used if the TLS transport is enabled via the
+#   "transport" option.
+#   Defaults to $facts['os_service_default']
+#
+# [*cert_file*]
+#   (optional) Specifies the certificate file that the TLS transport will use.
+#   Note that this is only used if the TLS transport is enabled via the
+#   "transport" option.
+#   Defaults to $facts['os_service_default']
+#
 # [*ca_file*]
 #   (optional) Specifies the CA certificate that the TLS transport will use.
 #   Note that this is only used if the TLS transport is enabled via the
@@ -181,6 +193,8 @@ class nova::migration::libvirt(
   $client_user                         = undef,
   $client_port                         = undef,
   Hash $client_extraparams             = {},
+  $key_file                            = $facts['os_service_default'],
+  $cert_file                           = $facts['os_service_default'],
   $ca_file                             = $facts['os_service_default'],
   $crl_file                            = $facts['os_service_default'],
   $libvirt_version                     = $::nova::compute::libvirt::version::default,
@@ -292,20 +306,26 @@ class nova::migration::libvirt(
     }
 
     if $transport == 'tls' {
-      $auth_tls_real = $auth
+      $auth_tls_real  = $auth
-      $auth_tcp_real = $facts['os_service_default']
+      $auth_tcp_real  = $facts['os_service_default']
-      $ca_file_real  = $ca_file
+      $key_file_real  = $key_file
-      $crl_file_real = $crl_file
+      $cert_file_real = $cert_file
+      $ca_file_real   = $ca_file
+      $crl_file_real  = $crl_file
     } elsif $transport == 'tcp' {
-      $auth_tls_real = $facts['os_service_default']
+      $auth_tls_real  = $facts['os_service_default']
-      $auth_tcp_real = $auth
+      $auth_tcp_real  = $auth
-      $ca_file_real  = $facts['os_service_default']
+      $key_file_real  = $facts['os_service_default']
-      $crl_file_real = $facts['os_service_default']
+      $cert_file_real = $facts['os_service_default']
+      $ca_file_real   = $facts['os_service_default']
+      $crl_file_real  = $facts['os_service_default']
     } else {
-      $auth_tls_real = $facts['os_service_default']
+      $auth_tls_real  = $facts['os_service_default']
-      $auth_tcp_real = $facts['os_service_default']
+      $auth_tcp_real  = $facts['os_service_default']
-      $ca_file_real  = $facts['os_service_default']
+      $key_file_real  = $facts['os_service_default']
-      $crl_file_real = $facts['os_service_default']
+      $cert_file_real = $facts['os_service_default']
+      $ca_file_real   = $facts['os_service_default']
+      $crl_file_real  = $facts['os_service_default']
     }
 
     $libvirt_listen_config = $modular_libvirt_real ? {
@@ -314,10 +334,12 @@ class nova::migration::libvirt(
     }
 
     create_resources( $libvirt_listen_config , {
-      'auth_tls' => { 'value' => $auth_tls_real, 'quote' => true },
+      'auth_tls'  => { 'value' => $auth_tls_real,  'quote' => true },
-      'auth_tcp' => { 'value' => $auth_tcp_real, 'quote' => true },
+      'auth_tcp'  => { 'value' => $auth_tcp_real,  'quote' => true },
-      'ca_file'  => { 'value' => $ca_file_real, 'quote'  => true },
+      'key_file'  => { 'value' => $key_file_real,  'quote' => true },
-      'crl_file' => { 'value' => $crl_file_real, 'quote' => true },
+      'cert_file' => { 'value' => $cert_file_real, 'quote' => true },
+      'ca_file'   => { 'value' => $ca_file_real,   'quote' => true },
+      'crl_file'  => { 'value' => $crl_file_real,  'quote' => true },
     })
 
     if $transport == 'tls' or $transport == 'tcp' {

releasenotes/notes/libvirt-tls-key-and-cert-539e13253c28453d.yaml

@@ -0,0 +1,8 @@
+---
+features:
+  - |
+    The ``nova::migration::libvirt`` class now supports the following two new
+    parameters.
+
+    - ``cert_file``
+    - ``key_file``

spec/classes/nova_migration_libvirt_spec.rb

@@ -35,6 +35,8 @@ describe 'nova::migration::libvirt' do
     context 'with default params' do
       it { is_expected.to contain_libvirtd_config('auth_tls').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('none').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_nova_config('libvirt/migration_inbound_addr').with_value('<SERVICE DEFAULT>')}
@@ -89,6 +91,8 @@ describe 'nova::migration::libvirt' do
       end
       it { is_expected.to contain_libvirtd_config('auth_tls').with_value('none').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
@@ -160,6 +164,8 @@ describe 'nova::migration::libvirt' do
       end
       it { is_expected.to contain_libvirtd_config('auth_tls').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('sasl').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
     end
@@ -173,6 +179,8 @@ describe 'nova::migration::libvirt' do
       end
       it { is_expected.to contain_libvirtd_config('auth_tls').with_value('sasl').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
     end
@@ -181,14 +189,18 @@ describe 'nova::migration::libvirt' do
       let :params do
         {
           :transport => 'tls',
-          :ca_file   => '/ca',
+          :key_file  => '/etc/pki/libvirt/private/serverkey.pem',
-          :crl_file  => '/crl',
+          :cert_file => '/etc/pki/libvirt/servercert.pem',
+          :ca_file   => '/etc/pki/CA/cacert.pem',
+          :crl_file  => '/etc/pki/CA/crl.pem',
         }
       end
       it { is_expected.to contain_libvirtd_config('auth_tls').with_value('none').with_quote(true) }
       it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
-      it { is_expected.to contain_libvirtd_config('ca_file').with_value('/ca').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('key_file').with_value('/etc/pki/libvirt/private/serverkey.pem').with_quote(true) }
-      it { is_expected.to contain_libvirtd_config('crl_file').with_value('/crl').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('cert_file').with_value('/etc/pki/libvirt/servercert.pem').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('ca_file').with_value('/etc/pki/CA/cacert.pem').with_quote(true) }
+      it { is_expected.to contain_libvirtd_config('crl_file').with_value('/etc/pki/CA/crl.pem').with_quote(true) }
     end
 
     context 'with auth set to an invalid setting' do