From f234218dba3cfad36513e7701cabf18a7fde217a Mon Sep 17 00:00:00 2001 From: "Mosher, Jaymes (jm616v)" Date: Thu, 13 Jul 2023 09:05:25 -0600 Subject: [PATCH] Allow enabling vencrypt for VNC This patchset allows enabling vencrypt for VNC, based on a downstream patchset. [1] Primary differences: - script to generate pod-specific certs has been moved under values.conf.vencrypt.cert_init_sh to allow for it to be overridden if necessary - leaves the creation of a (sub)issuer for vencrypt as outside the scope of this (and the nova) chart - issuer to use to sign these certs configurable under: values.conf.vencrypt.issuer.kind values.conf.vencrypt.issuer.name - added manifests.role_cert_manager to control creation of roles needed to create/update certs 1. https://github.com/vexxhost/atmosphere/pull/483 Change-Id: I955015874fed2b24570251c4cad01412bbab6045 --- libvirt/Chart.yaml | 2 +- libvirt/templates/bin/_libvirt.sh.tpl | 8 ++++ libvirt/templates/configmap-bin.yaml | 4 ++ libvirt/templates/daemonset-libvirt.yaml | 37 ++++++++++++++++ libvirt/templates/role-cert-manager.yaml | 53 +++++++++++++++++++++++ libvirt/values.yaml | 55 ++++++++++++++++++++++++ releasenotes/notes/libvirt.yaml | 1 + 7 files changed, 159 insertions(+), 1 deletion(-) create mode 100755 libvirt/templates/role-cert-manager.yaml diff --git a/libvirt/Chart.yaml b/libvirt/Chart.yaml index 46815d63c..cceb89b17 100644 --- a/libvirt/Chart.yaml +++ b/libvirt/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm libvirt name: libvirt -version: 0.1.22 +version: 0.1.23 home: https://libvirt.org sources: - https://libvirt.org/git/?p=libvirt.git;a=summary diff --git a/libvirt/templates/bin/_libvirt.sh.tpl b/libvirt/templates/bin/_libvirt.sh.tpl index 2abaa238d..357bfe363 100644 --- a/libvirt/templates/bin/_libvirt.sh.tpl +++ b/libvirt/templates/bin/_libvirt.sh.tpl @@ -16,6 +16,14 @@ limitations under the License. set -ex +# NOTE(mnaser): This will move the VNC certificates into the expected location. +if [ -f /tmp/vnc.crt ]; then + mkdir -p /etc/pki/libvirt-vnc + mv /tmp/vnc.key /etc/pki/libvirt-vnc/server-key.pem + mv /tmp/vnc.crt /etc/pki/libvirt-vnc/server-cert.pem + mv /tmp/vnc-ca.crt /etc/pki/libvirt-vnc/ca-cert.pem +fi + # TODO: We disable cgroup functionality for cgroup v2, we should fix this in the future if $(stat -fc %T /sys/fs/cgroup/ | grep -q cgroup2fs); then CGROUP_VERSION=v2 diff --git a/libvirt/templates/configmap-bin.yaml b/libvirt/templates/configmap-bin.yaml index 621e9815f..ca1a7ecd1 100644 --- a/libvirt/templates/configmap-bin.yaml +++ b/libvirt/templates/configmap-bin.yaml @@ -26,6 +26,10 @@ data: {{- end }} libvirt.sh: | {{ tuple "bin/_libvirt.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} +{{- if eq .Values.conf.qemu.vnc_tls "1" }} + cert-init.sh: | +{{ tpl .Values.conf.vencrypt.cert_init_sh . | indent 4 }} +{{- end }} {{- if .Values.conf.ceph.enabled }} ceph-keyring.sh: | {{ tuple "bin/_ceph-keyring.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }} diff --git a/libvirt/templates/daemonset-libvirt.yaml b/libvirt/templates/daemonset-libvirt.yaml index 7502fb25f..4a0b128ab 100644 --- a/libvirt/templates/daemonset-libvirt.yaml +++ b/libvirt/templates/daemonset-libvirt.yaml @@ -79,6 +79,43 @@ spec: initContainers: {{ tuple $envAll "pod_dependency" $mounts_libvirt_init | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }} {{ dict "envAll" $envAll | include "helm-toolkit.snippets.kubernetes_apparmor_loader_init_container" | indent 8 }} +{{- if eq .Values.conf.qemu.vnc_tls "1" }} + - name: cert-init-vnc +{{ tuple $envAll "kubectl" | include "helm-toolkit.snippets.image" | indent 10 }} +{{ dict "envAll" $envAll "application" "libvirt" "container" "cert_init" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }} + command: + - /tmp/cert-init.sh + env: + - name: TYPE + value: vnc + - name: ISSUER_KIND + value: {{ .Values.conf.vencrypt.issuer.kind }} + - name: ISSUER_NAME + value: {{ .Values.conf.vencrypt.issuer.name }} + - name: POD_UID + valueFrom: + fieldRef: + fieldPath: metadata.uid + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + volumeMounts: + - name: pod-tmp + mountPath: /tmp + - name: libvirt-bin + mountPath: /tmp/cert-init.sh + subPath: cert-init.sh + readOnly: true +{{- end }} {{- if .Values.conf.ceph.enabled }} {{- if empty .Values.conf.ceph.cinder.keyring }} - name: ceph-admin-keyring-placement diff --git a/libvirt/templates/role-cert-manager.yaml b/libvirt/templates/role-cert-manager.yaml new file mode 100755 index 000000000..cab1059e1 --- /dev/null +++ b/libvirt/templates/role-cert-manager.yaml @@ -0,0 +1,53 @@ +{{/* +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if .Values.manifests.role_cert_manager }} +{{- $serviceAccountName := "libvirt" }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-cert-manager + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Release.Name }}-cert-manager +subjects: + - kind: ServiceAccount + name: {{ $serviceAccountName }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-cert-manager + namespace: {{ .Release.Namespace }} +rules: + - apiGroups: + - cert-manager.io + verbs: + - get + - list + - create + resources: + - certificates + - apiGroups: + - "" + verbs: + - get + - patch + resources: + - secrets +{{- end -}} \ No newline at end of file diff --git a/libvirt/values.yaml b/libvirt/values.yaml index 76f09ca11..66aa7bb2d 100644 --- a/libvirt/values.yaml +++ b/libvirt/values.yaml @@ -31,6 +31,7 @@ images: ceph_config_helper: 'docker.io/openstackhelm/ceph-config-helper:ubuntu_focal_17.2.6-1-20230508' dep_check: quay.io/airshipit/kubernetes-entrypoint:v1.0.0 image_repo_sync: docker.io/library/docker:17.07.0 + kubectl: docker.io/bitnami/kubectl:latest pull_policy: "IfNotPresent" local_registry: active: false @@ -115,11 +116,64 @@ conf: log_level: "3" log_outputs: "1:file:/var/log/libvirt/libvirtd.log" qemu: + vnc_tls: "0" + vnc_tls_x509_verify: "0" stdio_handler: "file" user: "nova" group: "kvm" kubernetes: cgroup: "kubepods.slice" + vencrypt: + # Issuer to use for the vencrypt certs. + issuer: + kind: ClusterIssuer + name: ca-clusterissuer + # Script is included here (vs in bin/) to allow overriding, in the case that + # communication happens over an IP other than the pod IP for some reason. + cert_init_sh: | + #!/bin/bash + set -x + + # Script to create certs for each libvirt pod based on pod IP (by default). + + cat < /tmp/${TYPE}.crt + kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.tls\.key}' | base64 -d > /tmp/${TYPE}.key + kubectl -n ${POD_NAMESPACE} get secret ${POD_NAME}-${TYPE} -o jsonpath='{.data.ca\.crt}' | base64 -d > /tmp/${TYPE}-ca.crt pod: probes: @@ -262,6 +316,7 @@ manifests: daemonset_libvirt: true job_image_repo_sync: true network_policy: false + role_cert_manager: false secret_registry: true secrets: diff --git a/releasenotes/notes/libvirt.yaml b/releasenotes/notes/libvirt.yaml index 31aa79897..cac95cc48 100644 --- a/releasenotes/notes/libvirt.yaml +++ b/releasenotes/notes/libvirt.yaml @@ -23,4 +23,5 @@ libvirt: - 0.1.20 Update Ceph to 17.2.6 - 0.1.21 Disable libvirt cgroup functionality for cgroup-v2 - 0.1.22 Set targeted dependency of libvirt with ovn networking backend + - 0.1.23 Add support for enabling vencrypt ...