4470ca962b
This patch adds optional support for TLS encryption in libvirtd endpoints using certificates. Without encryption, libvirtd listens on the private interface of a K8s node without any authentication, thus allowing connections from any host on the internal network.

TLS for libvirt is ENABLED by default and can be disabled in fuel-ccp-nova's defaults.yaml file. When using TLS, the CCP operator has 3 options:

1. Use sample, self-signed wildcard certificates valid for 10 years built into config files (e.g. for testing purposes) - default.
2. Regenerate the above certs using a script provided in tools/.
3. Provide their own certificates.

The TLS configuration provided by this patch uses workarounds to make wildcard certificates work and should be used for testing purposes only. The reason to have TLS enabled by default is to run all tests (e.g. CI) with encrypted communication and catch possible errors. An implementation more suitable for production usage may follow in a separate patch.

Change-Id: I1d770e3618e2f5a32573b7ded74b11df18338f85
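As an added illustration (not the configuration shipped by this patch or by fuel-ccp-nova), the following libvirtd.conf fragment contrasts the unauthenticated TCP listener the message describes with a TLS listener that requires client certificates; the certificate paths are libvirt's documented defaults written out explicitly, and the DN filter is a hypothetical value.

```ini
# libvirtd.conf (added example, not taken from the patch)

# BEFORE: the situation the commit message describes. A plain TCP listener
# on the node's private interface with no authentication, so any host that
# can reach that interface can drive the hypervisor.
#listen_tcp = 1
#auth_tcp = "none"

# AFTER: TLS listener only. Traffic is encrypted and the client must present
# a certificate signed by the CA in ca_file (mutual TLS).
listen_tls = 1
listen_tcp = 0
tls_port = "16514"

# libvirt's default locations, spelled out so the operator can point them at
# regenerated or self-provided certificates (options 2 and 3 above).
ca_file   = "/etc/pki/CA/cacert.pem"
cert_file = "/etc/pki/libvirt/servercert.pem"
key_file  = "/etc/pki/libvirt/private/serverkey.pem"

# Keep client-certificate verification enabled. Setting this to 1 makes any
# certificate acceptable and removes the client-authentication half of mTLS,
# which is acceptable for a test lab only.
tls_no_verify_certificate = 0

# Optional: restrict accepted clients by certificate subject DN.
# Hypothetical value; adjust to the CA actually in use.
#tls_allowed_dn_list = ["C=US,O=Example,CN=compute-node"]
```

libvirtd only opens these listeners when started with `--listen` (or via socket activation on newer releases), so the daemon's startup arguments must match this file.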
| File |
|---|
| libvirt_create_certs.sh |
| yamllint.sh |
| yamllint.yaml |