Added hypervisors mutual authentication. This patch adds metadata to set libvirt allowed_dn_list option, which is set by default to match all compute nodes in the cloud, but might be adjusted by updating _param:nova_compute_libvirt_allowed_dn_list For more information about libvirt_allowed_dn_list plese see https://libvirt.org/remote.html#Remote_TLS_client_certificates Related-PROD: PROD-22086 Change-Id: I24a7b482154dd315d6621c568539ab1a5f1617f6

commit: f89a75a042fc56dc48a8c09ecdc2a941900b6ec0 [log] [tgz]
author: Vasyl Saienko <vsaienko@mirantis.com> Tue Oct 02 20:21:17 2018 +0300
committer: Vasyl Saienko <vsaienko@mirantis.com> Tue Oct 02 20:21:19 2018 +0300
tree: 55edc9ed5e278fabfbc0ac1e8e02dcada87ab48f
parent: 6410f8188964eedbeae29ed2c6a904043eabad30 [diff] [blame]
diff --git a/nova/compute/libvirt/ssl/init.yml b/nova/compute/libvirt/ssl/init.yml
index 87742e0..d9be1a5 100644
--- a/nova/compute/libvirt/ssl/init.yml
+++ b/nova/compute/libvirt/ssl/init.yml

@@ -1,6 +1,11 @@
 classes:
 - system.salt.minion.cert.libvirtd
 parameters:
+  _param:
+    nova_compute_libvirt_allowed_dn_list:
+      all:
+        enabled: true
+        value: '*CN=cmp*.${_param:cluster_domain}*'
   nova:
     compute:
       libvirt:
@@ -10,6 +15,7 @@
           key_file: ${_param:libvirtd_server_ssl_key_file}
           cert_file: ${_param:libvirtd_server_ssl_cert_file}
           ca_file: ${_param:libvirtd_ssl_ca_file}
+          allowed_dn_list: ${_param:nova_compute_libvirt_allowed_dn_list}
           client:
             key_file: ${_param:libvirtd_client_ssl_key_file}
             cert_file: ${_param:libvirtd_client_ssl_cert_file}
commit	f89a75a042fc56dc48a8c09ecdc2a941900b6ec0	[log] [tgz]
author	Vasyl Saienko <vsaienko@mirantis.com>	Tue Oct 02 20:21:17 2018 +0300
committer	Vasyl Saienko <vsaienko@mirantis.com>	Tue Oct 02 20:21:19 2018 +0300
tree	55edc9ed5e278fabfbc0ac1e8e02dcada87ab48f
parent	6410f8188964eedbeae29ed2c6a904043eabad30 [diff] [blame]