libvirt: Support cert_file and key_file
This introduces parameters to customize the cert_file and key_file used for TLS connections in libvirt, in addition to ca_file and crl_file, which are already supported. Closes-Bug: #2055160 Change-Id: I597b4d61661a21470ed76ba259f276c2ceffc5ba
parent
332fb89413
commit
d1359ab1f5
|
@ -123,6 +123,18 @@
|
||||||
# See https://libvirt.org/guide/html/Application_Development_Guide-Architecture-Remote_URIs.html
|
# See https://libvirt.org/guide/html/Application_Development_Guide-Architecture-Remote_URIs.html
|
||||||
# Defaults to {}
|
# Defaults to {}
|
||||||
#
|
#
|
||||||
|
# [*key_file*]
|
||||||
|
# (optional) Specifies the key file that the TLS transport will use.
|
||||||
|
# Note that this is only used if the TLS transport is enabled via the
|
||||||
|
# "transport" option.
|
||||||
|
# Defaults to $facts['os_service_default']
|
||||||
|
#
|
||||||
|
# [*cert_file*]
|
||||||
|
# (optional) Specifies the certificate file that the TLS transport will use.
|
||||||
|
# Note that this is only used if the TLS transport is enabled via the
|
||||||
|
# "transport" option.
|
||||||
|
# Defaults to $facts['os_service_default']
|
||||||
|
#
|
||||||
# [*ca_file*]
|
# [*ca_file*]
|
||||||
# (optional) Specifies the CA certificate that the TLS transport will use.
|
# (optional) Specifies the CA certificate that the TLS transport will use.
|
||||||
# Note that this is only used if the TLS transport is enabled via the
|
# Note that this is only used if the TLS transport is enabled via the
|
||||||
|
@ -181,6 +193,8 @@ class nova::migration::libvirt(
|
||||||
$client_user = undef,
|
$client_user = undef,
|
||||||
$client_port = undef,
|
$client_port = undef,
|
||||||
Hash $client_extraparams = {},
|
Hash $client_extraparams = {},
|
||||||
|
$key_file = $facts['os_service_default'],
|
||||||
|
$cert_file = $facts['os_service_default'],
|
||||||
$ca_file = $facts['os_service_default'],
|
$ca_file = $facts['os_service_default'],
|
||||||
$crl_file = $facts['os_service_default'],
|
$crl_file = $facts['os_service_default'],
|
||||||
$libvirt_version = $::nova::compute::libvirt::version::default,
|
$libvirt_version = $::nova::compute::libvirt::version::default,
|
||||||
|
@ -292,20 +306,26 @@ class nova::migration::libvirt(
|
||||||
}
|
}
|
||||||
|
|
||||||
if $transport == 'tls' {
|
if $transport == 'tls' {
|
||||||
$auth_tls_real = $auth
|
$auth_tls_real = $auth
|
||||||
$auth_tcp_real = $facts['os_service_default']
|
$auth_tcp_real = $facts['os_service_default']
|
||||||
$ca_file_real = $ca_file
|
$key_file_real = $key_file
|
||||||
$crl_file_real = $crl_file
|
$cert_file_real = $cert_file
|
||||||
|
$ca_file_real = $ca_file
|
||||||
|
$crl_file_real = $crl_file
|
||||||
} elsif $transport == 'tcp' {
|
} elsif $transport == 'tcp' {
|
||||||
$auth_tls_real = $facts['os_service_default']
|
$auth_tls_real = $facts['os_service_default']
|
||||||
$auth_tcp_real = $auth
|
$auth_tcp_real = $auth
|
||||||
$ca_file_real = $facts['os_service_default']
|
$key_file_real = $facts['os_service_default']
|
||||||
$crl_file_real = $facts['os_service_default']
|
$cert_file_real = $facts['os_service_default']
|
||||||
|
$ca_file_real = $facts['os_service_default']
|
||||||
|
$crl_file_real = $facts['os_service_default']
|
||||||
} else {
|
} else {
|
||||||
$auth_tls_real = $facts['os_service_default']
|
$auth_tls_real = $facts['os_service_default']
|
||||||
$auth_tcp_real = $facts['os_service_default']
|
$auth_tcp_real = $facts['os_service_default']
|
||||||
$ca_file_real = $facts['os_service_default']
|
$key_file_real = $facts['os_service_default']
|
||||||
$crl_file_real = $facts['os_service_default']
|
$cert_file_real = $facts['os_service_default']
|
||||||
|
$ca_file_real = $facts['os_service_default']
|
||||||
|
$crl_file_real = $facts['os_service_default']
|
||||||
}
|
}
|
||||||
|
|
||||||
$libvirt_listen_config = $modular_libvirt_real ? {
|
$libvirt_listen_config = $modular_libvirt_real ? {
|
||||||
|
@ -314,10 +334,12 @@ class nova::migration::libvirt(
|
||||||
}
|
}
|
||||||
|
|
||||||
create_resources( $libvirt_listen_config , {
|
create_resources( $libvirt_listen_config , {
|
||||||
'auth_tls' => { 'value' => $auth_tls_real, 'quote' => true },
|
'auth_tls' => { 'value' => $auth_tls_real, 'quote' => true },
|
||||||
'auth_tcp' => { 'value' => $auth_tcp_real, 'quote' => true },
|
'auth_tcp' => { 'value' => $auth_tcp_real, 'quote' => true },
|
||||||
'ca_file' => { 'value' => $ca_file_real, 'quote' => true },
|
'key_file' => { 'value' => $key_file_real, 'quote' => true },
|
||||||
'crl_file' => { 'value' => $crl_file_real, 'quote' => true },
|
'cert_file' => { 'value' => $cert_file_real, 'quote' => true },
|
||||||
|
'ca_file' => { 'value' => $ca_file_real, 'quote' => true },
|
||||||
|
'crl_file' => { 'value' => $crl_file_real, 'quote' => true },
|
||||||
})
|
})
|
||||||
|
|
||||||
if $transport == 'tls' or $transport == 'tcp' {
|
if $transport == 'tls' or $transport == 'tcp' {
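Review bot: The `$key_file_real` / `$cert_file_real` assignments in the `@ -292,20 +306,26 @@` hunk are repeated verbatim in the `tcp` and `else` branches, which now carry six identical lines each and differ from the `tls` branch only in which variable is copied. Since the file settings depend solely on whether the transport is `tls`, each could be computed once with a selector, e.g. `$key_file_real = $transport ? { 'tls' => $key_file, default => $facts['os_service_default'] }`, leaving only `auth_tls_real`/`auth_tcp_real` inside the if/elsif chain; the enclosing class starts outside the hunk, and this hunk's ending lines are the next hunk's `create_resources` block. For the `[*key_file*]` and `[*cert_file*]` doc entries in the first hunk, it would help operators to note what the hunks shown actually do: the class only writes the path into libvirtd's configuration via `libvirtd_config` and, as far as the visible code goes, does not create or manage the key or certificate file itself, so a sentence like `# This class only sets the path; the file is expected to be provisioned separately.` would document the contract (confirm against the rest of the class).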
|
||||||
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
The ``nova::migration::libvirt`` class now supports the following two new
|
||||||
|
parameters.
|
||||||
|
|
||||||
|
- ``cert_file``
|
||||||
|
- ``key_file``
|
|
@ -35,6 +35,8 @@ describe 'nova::migration::libvirt' do
|
||||||
context 'with default params' do
|
context 'with default params' do
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('none').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('none').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_nova_config('libvirt/migration_inbound_addr').with_value('<SERVICE DEFAULT>')}
|
it { is_expected.to contain_nova_config('libvirt/migration_inbound_addr').with_value('<SERVICE DEFAULT>')}
|
||||||
|
@ -89,6 +91,8 @@ describe 'nova::migration::libvirt' do
|
||||||
end
|
end
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('none').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('none').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
|
it { is_expected.to contain_nova_config('libvirt/live_migration_uri').with_value('qemu+tls://%s/system')}
|
||||||
|
@ -160,6 +164,8 @@ describe 'nova::migration::libvirt' do
|
||||||
end
|
end
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('sasl').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('sasl').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
end
|
end
|
||||||
|
@ -173,6 +179,8 @@ describe 'nova::migration::libvirt' do
|
||||||
end
|
end
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('sasl').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('sasl').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('ca_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('crl_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
end
|
end
|
||||||
|
@ -181,14 +189,18 @@ describe 'nova::migration::libvirt' do
|
||||||
let :params do
|
let :params do
|
||||||
{
|
{
|
||||||
:transport => 'tls',
|
:transport => 'tls',
|
||||||
:ca_file => '/ca',
|
:key_file => '/etc/pki/libvirt/private/serverkey.pem',
|
||||||
:crl_file => '/crl',
|
:cert_file => '/etc/pki/libvirt/servercert.pem',
|
||||||
|
:ca_file => '/etc/pki/CA/cacert.pem',
|
||||||
|
:crl_file => '/etc/pki/CA/crl.pem',
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('none').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tls').with_value('none').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('auth_tcp').with_value('<SERVICE DEFAULT>').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('ca_file').with_value('/ca').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('key_file').with_value('/etc/pki/libvirt/private/serverkey.pem').with_quote(true) }
|
||||||
it { is_expected.to contain_libvirtd_config('crl_file').with_value('/crl').with_quote(true) }
|
it { is_expected.to contain_libvirtd_config('cert_file').with_value('/etc/pki/libvirt/servercert.pem').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('ca_file').with_value('/etc/pki/CA/cacert.pem').with_quote(true) }
|
||||||
|
it { is_expected.to contain_libvirtd_config('crl_file').with_value('/etc/pki/CA/crl.pem').with_quote(true) }
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with auth set to an invalid setting' do
|
context 'with auth set to an invalid setting' do
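Review bot: The new expectations in the `@ -181,14 +189,18 @@` hunk only prove that `key_file` and `cert_file` pass through when `transport` is `tls`; nothing in the spec hunks shown exercises the manifest's `tcp`/`else` branches resetting an explicitly supplied `key_file`/`cert_file` to the service default. The `<SERVICE DEFAULT>` assertions added in the earlier tcp and sasl contexts presumably run with those params unset (their `let :params` blocks are outside the hunks), so they would still pass if the reset were dropped. A context that sets the two new params together with `transport => 'tcp'` and asserts `<SERVICE DEFAULT>` would pin that behaviour; the `describe` block that encloses these contexts starts and ends outside the hunk.
```ruby
# … placed alongside the existing transport contexts; other params this context
# may need (e.g. auth) depend on the class defaults outside the hunk …
context 'with transport tcp and tls files set' do
  let :params do
    {
      :transport => 'tcp',
      :key_file  => '/etc/pki/libvirt/private/serverkey.pem',
      :cert_file => '/etc/pki/libvirt/servercert.pem',
    }
  end
  it { is_expected.to contain_libvirtd_config('key_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
  it { is_expected.to contain_libvirtd_config('cert_file').with_value('<SERVICE DEFAULT>').with_quote(true) }
end
```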
|
||||||
|
|