From 8d163a21f5c932631736c7e87c168cacdf93ce01 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Tue, 7 Aug 2018 13:34:02 +0200
Subject: [PATCH] SSL support for haproxy -> novnc proxy connection

With tls-everywhere enabled the connection from haproxy to the nova novnc proxy was not encrypted. Now we request a certificate and configue haproxy and the novnc proxy to encrypt this remaining part in a vnc connection to be encrypted as well.

Change-Id: Ia0c8c452f0121298bef58409bd0bdbe4caa54e42
Closes-Bug: #1785700
Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
Depends-On: I4667706633205c240f2efb51663e6efbce5e344e
---
 docker/services/nova-vnc-proxy.yaml | 9 +++++++++
 puppet/services/nova-vnc-proxy.yaml | 19 +++++++++++++++++++
 ...nc_proxy_ssl_support-edc7bc13d0cd6d2b.yaml | 8 ++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 releasenotes/notes/nova_novnc_proxy_ssl_support-edc7bc13d0cd6d2b.yaml

diff --git a/docker/services/nova-vnc-proxy.yaml b/docker/services/nova-vnc-proxy.yaml
index ef72abcfac..4e1b5437bc 100644
--- a/docker/services/nova-vnc-proxy.yaml
+++ b/docker/services/nova-vnc-proxy.yaml
@@ -151,10 +151,17 @@ outputs:
               dest: "/"
               merge: true
               preserve_properties: true
+            - source: "/var/lib/kolla/config_files/src-tls/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
+              optional: true
           permissions:
             - path: /var/log/nova
               owner: nova:nova
               recurse: true
+            - path: /etc/pki/tls/private/novnc_proxy.key
+              owner: root:nova
       docker_config:
         step_4:
           nova_vnc_proxy:
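Review bot: The new `permissions` entry for `/etc/pki/tls/private/novnc_proxy.key` fixes the owner to `root:nova` but sets no `perm`, so the copied key keeps whatever mode the host file carries (the source is copied with `preserve_properties: true` from the `src-tls` staging path that the second hunk of this file bind-mounts read-only). If the host mode is 0600 the nova user cannot read its own key and the proxy cannot start TLS; if it is wider than 0640 the key is world-readable inside the container. Pinning it explicitly, `perm: "0640"` under the new `owner: root:nova` line, makes the requirement independent of what the certmonger post-save hook (in a Depends-On change not visible here) happens to set. The enclosing `kolla_config` mapping starts outside the hunk.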
@@ -185,6 +192,8 @@ outputs:
                     - get_param: LibvirtVncCACert
                     - /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
                     - /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
+                    - /etc/pki/tls/certs/novnc_proxy.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/novnc_proxy.crt:ro
+                    - /etc/pki/tls/private/novnc_proxy.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/novnc_proxy.key:ro
                   - null
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml
index c93a375714..aaca43ea07 100644
--- a/puppet/services/nova-vnc-proxy.yaml
+++ b/puppet/services/nova-vnc-proxy.yaml
@@ -140,6 +140,9 @@ outputs:
             nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
             nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
             nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
+            nova::ssl_only: true
+            nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
+            nova::key: /etc/pki/tls/private/novnc_proxy.key
             generate_service_certificates: true
             tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
               if:
@@ -167,6 +170,19 @@ outputs:
                   template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
                   params:
                     NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+            novnc_proxy_certificates_specs:
+              service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
+              service_key: '/etc/pki/tls/private/novnc_proxy.key'
+              hostname:
+                str_replace:
+                  template: "%{hiera('fqdn_NETWORK')}"
+                  params:
+                    NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
+              principal:
+                str_replace:
+                  template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
+                  params:
+                    NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
           - {}
       service_config_settings:
         fluentd:
@@ -187,4 +203,7 @@ outputs:
             - service: libvirt-vnc
               network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
               type: node
+            - service: novnc-proxy
+              network: {get_param: [ServiceNetMap, NovaApiNetwork]}
+              type: node
           - null
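Review bot: `nova::ssl_only: true` in the `@@ -140` hunk makes the novnc proxy refuse any plaintext client, so it is only safe once haproxy talks TLS to this backend, and nothing in the hunk records that coupling; a one-line comment above it, `# ssl_only: refuse non-TLS clients; haproxy must use a TLS backend against the cert from novnc_proxy_certificates_specs`, would tell the next reader why the setting is here. The `nova::cert`/`nova::key` paths are repeated in the certificate spec added at `@@ -167` and in the container bind mounts of docker/services/nova-vnc-proxy.yaml, so the comment should also say they must stay in sync, since a mismatch would only surface as a TLS start-up failure. The `if: use_tls_for_vnc` block that presumably encloses these settings starts outside the hunk, so I could not confirm they are applied only with TLS enabled.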
diff --git a/releasenotes/notes/nova_novnc_proxy_ssl_support-edc7bc13d0cd6d2b.yaml b/releasenotes/notes/nova_novnc_proxy_ssl_support-edc7bc13d0cd6d2b.yaml
new file mode 100644
index 0000000000..ccd38be383
--- /dev/null
+++ b/releasenotes/notes/nova_novnc_proxy_ssl_support-edc7bc13d0cd6d2b.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    When tls-everywhere is configured we have TLS connection from
+    client -> haproxy and novncproxy -> vnc server (instance), but the
+    connection from haproxy to the nova novnc proxy was not encrypted. Now
+    we request a certificate and configue haproxy and the novnc proxy to
+    encrypt this remaining part in a vnc connection to be encrypted as well.