Merge "nova: add support for TLS between novnc proxy & compute nodes"
diff --git a/lib/nova b/lib/nova
index fea2b85..1d2478d 100644
--- a/lib/nova
+++ b/lib/nova
@@ -82,6 +82,10 @@
NOVA_SERVICE_PROTOCOL="https"
fi
+# Whether to use TLS for comms between the VNC/SPICE/serial proxy
+# services and the compute node
+NOVA_CONSOLE_PROXY_COMPUTE_TLS=${NOVA_CONSOLE_PROXY_COMPUTE_TLS:-False}
+
# Public facing bits
NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST}
NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774}
@@ -197,6 +201,13 @@
return 1
}
+# is_nova_console_proxy_compute_tls_enabled() - Test if the Nova Console Proxy
+# service has TLS enabled
+function is_nova_console_proxy_compute_tls_enabled {
+ [[ ${NOVA_CONSOLE_PROXY_COMPUTE_TLS} = "True" ]] && return 0
+ return 1
+}
+
# Helper to clean iptables rules
function clean_iptables {
# Delete rules
@@ -524,6 +535,17 @@
iniset $NOVA_CONF vnc server_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS"
iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
iniset $NOVA_CONF vnc xvpvncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
+
+ if is_nova_console_proxy_compute_tls_enabled ; then
+ iniset $NOVA_CONF vnc auth_schemes "vencrypt"
+ iniset $NOVA_CONF vnc vencrypt_client_key "/etc/pki/nova-novnc/client-key.pem"
+ iniset $NOVA_CONF vnc vencrypt_client_cert "/etc/pki/nova-novnc/client-cert.pem"
+ iniset $NOVA_CONF vnc vencrypt_ca_certs "/etc/pki/nova-novnc/ca-cert.pem"
+
+ sudo mkdir -p /etc/pki/nova-novnc
+ deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
+ deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
+ fi
else
iniset $NOVA_CONF vnc enabled false
fi
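Review bot: The client private key written to /etc/pki/nova-novnc/client-key.pem is placed by `deploy_int_cert`, which is a bare `sudo cp`, so the file is root-owned and its mode depends on the source file and the root umask; nothing in this hunk sets ownership or mode afterwards. The novnc proxy appears to run as the unprivileged stack user in this tree (inferred, not visible here), in which case it either cannot open the key or, if the umask is permissive, the key is readable by every local account. After the two deploy calls I would add `sudo chown -R "$STACK_USER" /etc/pki/nova-novnc` and `sudo chmod 0600 /etc/pki/nova-novnc/client-key.pem`, or have the deploy helper take the owner/mode explicitly. The enclosing function starts and ends outside this hunk.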
diff --git a/lib/nova_plugins/functions-libvirt b/lib/nova_plugins/functions-libvirt
index 147ed8b..fcb4777 100644
--- a/lib/nova_plugins/functions-libvirt
+++ b/lib/nova_plugins/functions-libvirt
@@ -149,6 +149,18 @@
fi
fi
+ if is_nova_console_proxy_compute_tls_enabled ; then
+ if is_service_enabled n-novnc ; then
+ echo "vnc_tls = 1" | sudo tee -a $QEMU_CONF
+ echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
+
+ sudo mkdir -p /etc/pki/libvirt-vnc
+ sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
+ deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
+ deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+ fi
+ fi
+
# Service needs to be started on redhat/fedora -- do a restart for
# sanity after fiddling the config.
restart_service $LIBVIRT_DAEMON
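Review bot: The `chown` here only covers the directory; the files copied into it by `deploy_int_CA`/`deploy_int_cert` afterwards are still root-owned `cp` results, so the QEMU process running as the libvirt user may not be able to read server-key.pem once `vnc_tls = 1` is in effect, while a permissive umask would leave the server key readable to other users. Moving the chown after the deploy calls and making it recursive, plus tightening the key, i.e. `sudo chown -R libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc` and `sudo chmod 0600 /etc/pki/libvirt-vnc/server-key.pem`, addresses both. Two smaller points: the hard-coded `libvirt-qemu` user is the Debian/Ubuntu name, and the comment just below this block mentions redhat/fedora, where the account is named differently, so this should probably be distro-conditional; and `tee -a $QEMU_CONF` appends duplicate `vnc_tls` lines on every re-run and should be quoted as `"$QEMU_CONF"`. The enclosing function starts outside this hunk.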
diff --git a/lib/tls b/lib/tls
index 0bc389b..a72b708 100644
--- a/lib/tls
+++ b/lib/tls
@@ -340,6 +340,24 @@
fi
}
+# Deploy the service cert & key to a service specific
+# location
+function deploy_int_cert {
+ local cert_target_file=$1
+ local key_target_file=$2
+
+ sudo cp "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt" "$cert_target_file"
+ sudo cp "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key" "$key_target_file"
+}
+
+# Deploy the intermediate CA cert bundle file to a service
+# specific location
+function deploy_int_CA {
+ local ca_target_file=$1
+
+ sudo cp "$INT_CA_DIR/ca-chain.pem" "$ca_target_file"
+}
+
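Review bot: `deploy_int_cert` copies a private key with plain `sudo cp`, so the resulting mode is whatever the source and root's umask produce and the owner is root; a helper whose job is to place key material should pin both, e.g. `sudo install -m 0644 -- "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt" "$cert_target_file"` and `sudo install -m 0600 -- "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key" "$key_target_file"`, with the owner either passed as a third argument or left to the caller. Neither function validates its positional arguments; `local cert_target_file=${1:?cert target path required}` (and likewise for `$2` and the CA target) turns a missing argument into an error instead of a copy to an empty name. The header comments should also state the arguments, e.g. `# Arguments: $1 - destination path for the service cert, $2 - destination path for the service private key` and `# Arguments: $1 - destination path for the intermediate CA chain`. Naming is inconsistent between `deploy_int_cert` and `deploy_int_CA`; the file's other helpers appear to be lower-case, so `deploy_int_ca` would fit better.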
# If a non-system python-requests is installed then it will use the
# built-in CA certificate store rather than the distro-specific
# CA certificate store. Detect this and symlink to the correct