Bug 2071584 - [RFE] Reload libvirt certificates on refresh
Summary: [RFE] Reload libvirt certificates on refresh
Keywords:
Status: NEW
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates
Version: 17.1 (Wallaby)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Grzegorz Grasza
QA Contact: Arik Chernetsky
URL:
Whiteboard:
Depends On: 2058441
Blocks:
 
Reported: 2022-04-04 09:40 UTC by Grzegorz Grasza
Modified: 2022-04-04 14:53 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:




Links: Red Hat Issue Tracker OSP-14485 (last updated 2022-04-04 09:46:53 UTC)

Description Grzegorz Grasza 2022-04-04 09:40:30 UTC
As stated in bugzilla 2058441, post_save commands are currently not provided for libvirt. It should now be possible to reload certificates on the renewal process.

libvirtd daemons' certs (i.e. libvirtd or virtproxyd) can be reloaded on the fly using 'virt-admin server-update-tls'.


QEMU VM certs, **for VNC only**, can be reloaded on the fly from QEMU using 'display-reload', but this is not yet mapped into libvirt APIs, so it can't be used in a supported manner.

Controller: 

~~~
Request ID 'libvirt-vnc-client-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt-vnc/client-key.pem'
	certificate: type=FILE,location='/etc/pki/libvirt-vnc/client-cert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=controller-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:12:39 UTC
	dns: controller-0.internalapi.redhat.local
	principal name: libvirt-vnc/controller-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
~~~

Compute: 

~~~
Request ID 'libvirt-client-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt/private/clientkey.pem'
	certificate: type=FILE,location='/etc/pki/libvirt/clientcert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:11:28 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: libvirt/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
Request ID 'libvirt-server-cert':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/libvirt/private/serverkey.pem'
	certificate: type=FILE,location='/etc/pki/libvirt/servercert.pem'
	CA: IPA
	issuer: CN=Certificate Authority,O=REDHAT.LOCAL
	subject: CN=compute-0.internalapi.redhat.local,O=REDHAT.LOCAL
	expires: 2024-02-25 03:11:30 UTC
	dns: compute-0.internalapi.redhat.local
	principal name: libvirt/compute-0.internalapi.redhat.local
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: systemctl reload libvirtd
	track: yes
	auto-renew: yes
~~~

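As an added example (not from this report or from openstack-tripleo-heat-templates), a small Python audit that parses `getcert list` output and reports, per libvirt tracking request, whether its post-save command is the `virt-admin server-update-tls` call described above, a bare `systemctl reload`, or a QEMU VNC cert with no libvirt-exposed reload path. The sample entries are constructed from the output shown in the report.

```python
"""Audit certmonger tracking entries for libvirt certificates."""
import re

# Constructed sample in the layout of `getcert list` (trimmed from the report).
SAMPLE = """\
Request ID 'libvirt-vnc-client-cert':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/etc/pki/libvirt-vnc/client-cert.pem'
\tpost-save command: systemctl reload libvirtd
Request ID 'libvirt-client-cert':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/etc/pki/libvirt/clientcert.pem'
\tpost-save command: systemctl reload libvirtd
Request ID 'libvirt-server-cert':
\tstatus: MONITORING
\tcertificate: type=FILE,location='/etc/pki/libvirt/servercert.pem'
\tpost-save command: virt-admin server-update-tls libvirtd
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` text output."""
    entries, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = entries.setdefault(m.group("id"), {})
            continue
        if current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries


def audit_libvirt_reloads(entries):
    """Classify each libvirt request by what its post-save command achieves."""
    findings = {}
    for rid, fields in entries.items():
        if not rid.startswith("libvirt"):
            continue
        cmd = fields.get("post-save command", "")
        if "server-update-tls" in cmd:
            findings[rid] = "ok: daemon notified to reload its TLS context"
        elif rid.startswith("libvirt-vnc"):
            # QEMU VNC certs: no libvirt-exposed reload path yet (per the report)
            findings[rid] = "no supported in-place reload for QEMU VNC certs"
        else:
            findings[rid] = f"weak: '{cmd}' is not a virt-admin server-update-tls call"
    return findings
```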