Bug 2071584

Summary: [RFE] Reload libvirt certificates on refresh
Product: Red Hat OpenStack
Reporter: Grzegorz Grasza <ggrasza>
Component: openstack-tripleo-heat-templates
Assignee: Grzegorz Grasza <ggrasza>
Status: NEW
QA Contact: Arik Chernetsky <achernet>
Severity: unspecified
Priority: unspecified
Version: 17.1 (Wallaby)
CC: apevec, lhh, mburns, sbaker
Target Milestone: ---
Target Release: ---
Keywords: FutureFeature
Hardware: Unspecified
OS: Unspecified
Fixed In Version:
Doc Type: If docs needed, set a value
Type: Bug
Bug Depends On: 2058441
Bug Blocks:

Description Grzegorz Grasza 2022-04-04 09:40:30 UTC
As stated in Bugzilla 2058441, post_save commands are currently not provided for libvirt. It should now be possible to reload certificates during the renewal process.

libvirt daemon certs (i.e. libvirtd or virtproxyd) can be reloaded on the fly using 'virt-admin server-update-tls'.

QEMU VM certs, **for VNC only**, can be reloaded on the fly from QEMU using 'display-reload', but this is not yet mapped into libvirt APIs, so it can't be used in a supported manner.

Controller: 

~~~
Request ID 'libvirt-vnc-client-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/client-key.pem'
	certificate: type=FILE,location='/etc/pki/libvirt-vnc/client-cert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:39 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: libvirt-vnc/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
~~~

Compute:

~~~
Request ID 'libvirt-client-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt/private/clientkey.pem'
	certificate: type=FILE,location='/etc/pki/libvirt/clientcert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:11:28 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: libvirt/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
Request ID 'libvirt-server-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt/private/serverkey.pem'
	certificate: type=FILE,location='/etc/pki/libvirt/servercert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:11:30 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: libvirt/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
~~~
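Below is an added example of what a libvirt-aware certmonger post-save hook could look like; it is not code from this bug, from certmonger or from tripleo-heat-templates. It dispatches on the certmonger request IDs shown in the getcert output above: the daemon's own server cert is reloaded in place with `virt-admin server-update-tls`, the libvirt client cert gets no action, and the VNC certs get only a warning and a distinct exit status, because QEMU's display-reload is not exposed through libvirt. The script path /usr/local/bin/libvirt-cert-reload, the LIBVIRT_ADMIN_URI and DRY_RUN variables, the exit codes, and the statement that the libvirt client cert is read per outgoing connection are my assumptions, not facts taken from the bug report.

```sh
#!/bin/sh
# libvirt-cert-reload: certmonger post-save hook (added example, not from
# the bug report, certmonger or tripleo-heat-templates).
#
# Usage:  libvirt-cert-reload <certmonger-request-id>
#
# Assumptions (mine, not from the page):
#  - LIBVIRT_ADMIN_URI names the admin socket of the daemon that serves TLS;
#    virtproxyd:///system for modular daemons, libvirtd:///system for a
#    monolithic libvirtd.
#  - DRY_RUN=1 prints the command instead of executing it (used for testing).
#  - Exit codes: 0 = new material in use, 2 = unknown request, 3 = renewed
#    but a guest restart/migration is still required.
set -eu

: "${LIBVIRT_ADMIN_URI:=virtproxyd:///system}"
: "${DRY_RUN:=0}"

# run_or_print CMD...: execute CMD, or echo it when DRY_RUN=1.
run_or_print() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# reload_for_cert REQUEST_ID: pick the right post-renewal action for the
# certmonger request that was just saved.
reload_for_cert() {
    req_id=$1
    # Server name for virt-admin is the daemon name, e.g. "virtproxyd"
    # from "virtproxyd:///system" (assumption: URI scheme == server name).
    srv=${LIBVIRT_ADMIN_URI%%:*}
    case $req_id in
        libvirt-server-cert)
            # Daemon-side TLS: libvirt re-reads servercert/serverkey/cacert
            # without dropping existing connections or restarting.
            run_or_print virt-admin -c "$LIBVIRT_ADMIN_URI" server-update-tls "$srv"
            ;;
        libvirt-client-cert)
            # Assumption: the client cert is loaded when an outgoing
            # connection (e.g. migration) is opened, so nothing caches it.
            printf 'client cert renewed; used on the next outgoing connection\n'
            ;;
        libvirt-vnc-*)
            # QEMU loads its VNC TLS creds itself. QEMU has display-reload,
            # but libvirt does not expose it, so running guests keep the old
            # cert until they are restarted or live-migrated.
            printf 'WARNING: %s renewed; running guests keep the old VNC cert until restarted or migrated\n' "$req_id" >&2
            return 3
            ;;
        *)
            printf 'unknown certmonger request id: %s\n' "$req_id" >&2
            return 2
            ;;
    esac
}

# Run the dispatcher only when invoked with an argument (certmonger does).
if [ $# -gt 0 ]; then
    reload_for_cert "$1"
fi
```

To wire it in, replace the `systemctl reload libvirtd` post-save command on a tracked request, e.g. `getcert resubmit -i libvirt-server-cert -C '/usr/local/bin/libvirt-cert-reload libvirt-server-cert'` (resubmit triggers an immediate re-enrollment, which also exercises the hook); on a host running monolithic libvirtd, export `LIBVIRT_ADMIN_URI=libvirtd:///system` in the hook's environment. The non-zero exit for the VNC requests is deliberate: it surfaces in certmonger's log that the renewal completed but the guests are still presenting the old certificate.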