openstack/kolla-ansible
Code Issues Proposed changes

Merge "docs: add information about development libvirt TLS certs"

Browse Source
This commit is contained in:
Zuul 2022-05-30 13:36:36 +00:00 committed by Gerrit Code Review
commit 28b4c5d35c
1 changed files with 13 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
doc/source/reference/compute/libvirt-guide.rst
View File

@ -99,10 +99,11 @@ Libvirt TLS can be enabled in Kolla Ansible by setting the following option in
libvirt_tls: "yes" libvirt_tls: "yes"
Creation of the TLS certificates is currently out-of-scope for Kolla Ansible. Creation of production-ready TLS certificates is currently out-of-scope for
You will need to either use an existing Internal CA or you will need to Kolla Ansible. You will need to either use an existing Internal CA or you will
generate your own offline CA. For the TLS communication to work correctly you need to generate your own offline CA. For the TLS communication to work
will have to supply Kolla Ansible the following pieces of information: correctly you will have to supply Kolla Ansible the following pieces of
information:
* cacert.pem * cacert.pem
@ -171,3 +172,11 @@ copied into the nova-compute and nova-libvirt containers. With this option
disabled you will also be responsible for restarting the nova-compute and disabled you will also be responsible for restarting the nova-compute and
nova-libvirt containers when the certs are updated, as kolla-ansible will not nova-libvirt containers when the certs are updated, as kolla-ansible will not
be able to tell when the files have changed. be able to tell when the files have changed.
Generating certificates for test and development
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Since the Yoga release, the ``kolla-ansible certificates`` command generates
certificates for libvirt TLS. A single key and certificate is used for all
hosts, with a Subject Alternative Name (SAN) entry for each compute host
hostname.