From f853b323fa90c8f25e29f65bb329571041b58523 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 10 Feb 2022 17:22:42 +0000 Subject: [PATCH] docs: add information about development libvirt TLS certs Adds docs for I1bde9fa018f66037aec82dc74c61ad1f477a7c12. Change-Id: I88a07bb3bfeb0c98bea9dbe8674033208ec3fb9f --- doc/source/reference/compute/libvirt-guide.rst | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/doc/source/reference/compute/libvirt-guide.rst b/doc/source/reference/compute/libvirt-guide.rst index 3aae36690b..c3baaec3f8 100644 --- a/doc/source/reference/compute/libvirt-guide.rst +++ b/doc/source/reference/compute/libvirt-guide.rst @@ -44,10 +44,11 @@ Libvirt TLS can be enabled in Kolla Ansible by setting the following option in libvirt_tls: "yes" -Creation of the TLS certificates is currently out-of-scope for Kolla Ansible. -You will need to either use an existing Internal CA or you will need to -generate your own offline CA. For the TLS communication to work correctly you -will have to supply Kolla Ansible the following pieces of information: +Creation of production-ready TLS certificates is currently out-of-scope for +Kolla Ansible. You will need to either use an existing Internal CA or you will +need to generate your own offline CA. For the TLS communication to work +correctly you will have to supply Kolla Ansible the following pieces of +information: * cacert.pem 
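Review bot: the reworded paragraph now scopes the "out-of-scope" statement to production-ready certificates, but it still tells the reader only to bring an internal or offline CA and never points at the "Generating certificates for test and development" section this same patch adds at the end of the file, so a reader stopping here does not learn that ``kolla-ansible certificates`` covers the non-production case. Suggest closing the paragraph with a sentence such as "For test and development environments, see the section on generating certificates below." While touching these lines, "supply Kolla Ansible the following pieces of information" reads better as "supply Kolla Ansible with the following pieces of information".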
@@ -116,3 +117,11 @@ copied into the nova-compute and nova-libvirt containers. With this option disabled you will also be responsible for restarting the nova-compute and nova-libvirt containers when the certs are updated, as kolla-ansible will not be able to tell when the files have changed. + +Generating certificates for test and development +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Since the Yoga release, the ``kolla-ansible certificates`` command generates +certificates for libvirt TLS. A single key and certificate is used for all +hosts, with a Subject Alternative Name (SAN) entry for each compute host +hostname.
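Review bot: the new section says that a single key and certificate is shared by every compute host but never states the consequence, which is exactly what a reader choosing between this and a real CA needs: with one private key present on every compute host, compromise of any one host yields the key that authenticates every libvirt daemon, and rotating or revoking it means reissuing for the whole fleet. Suggest adding, after the SAN sentence, something like "These certificates are not suitable for production use: the private key is shared by all compute hosts, so the compromise of any one host compromises libvirt TLS for all of them." The section also does not say where the generated files are written or whether they map onto the ``cacert.pem`` and related files listed earlier in this guide, so the reader cannot tell whether any further configuration is needed after running the command; one sentence on that would close the loop. Minor grammar: "A single key and certificate is used for all hosts" should be "are used".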