Support for VNC display in vino

- Added enableVNC in vino crd
- Updated flavor-template yaml with changes for enableVNC
  attribute.
- Added server side TLS certificate support  for secure
  communication using initContainer to generate the same.
- Added password authentication ( password to be set
  in qemu.conf)

Depends-On: Iaffcb1497fbf0f8ce24a25b38564854b9ad61083
Relates-To: #8
Closes: #8
Change-Id: Iaf351db5e5d0a6b8852e14e11d7cbddf3f368d73

config/crd/bases/airship.airshipit.org_vinoes.yaml

@@ -183,6 +183,10 @@ spec:
                             type: string
                         type: object
                       type: array
+                    enableVNC:
+                      description: EnableVNC create VNC for graphical interaction
+                        with the VM that will be created.
+                      type: boolean
                     libvirtTemplate:
                       description: NamespacedName to be used to spawn VMs
                       properties:

config/manager/create_tls_cert.sh

@@ -0,0 +1,70 @@
+#!/bin/bash
+set -xe
+set -o pipefail
+
+echo "Target directory location = $1"
+# check if certificates are already present
+# TBD should validity of existing certs be checked.
+if  [ -f $1/ca-cert.pem ] && [ -f $1/server-cert.pem ] && [ -f $1/server-key.pem ]
+then
+       echo "ca-cert.pem, server-cert.pem and server-key.pem already present"
+       exit 0
+else
+# create a temp dir
+TMP=$(mktemp -d)
+cd ${TMP}
+# create ca certificate
+echo ' cn = airshipit.org
+  ca
+  cert_signing_key' > ca-template.info
+
+(umask 277 && certtool --generate-privkey > ca-key.pem)
+
+certtool --generate-self-signed \
+	 --template ca-template.info \
+	 --load-privkey ca-key.pem \
+	 --outfile ca-cert.pem
+
+rm ca-template.info
+
+echo ' organization = airshipit.org
+ cn = server
+  tls_www_server
+   encryption_key
+    signing_key' > server-template.info
+
+(umask 277 && certtool --generate-privkey > server-key.pem)
+
+# create server certificate
+certtool --generate-certificate \
+         --template server-template.info \
+         --load-privkey server-key.pem \
+         --load-ca-certificate ca-cert.pem \
+         --load-ca-privkey ca-key.pem \
+         --outfile server-cert.pem
+
+rm server-template.info
+
+# copy the required certs in the target location
+echo "Copy the required certs to target location : $1"
+cp *.pem $1
+
+#echo ' country = Country
+# state = State
+# locality = City
+# organization = Name of your organization
+# cn = Client Host Name
+# tls_www_client
+# encryption_key
+# signing_key' > client-template.info
+
+#(umask 277 && certtool --generate-privkey > client-key.pem)
+
+#certtool --generate-certificate
+#          --template client-template.info
+#	  --load-privkey client-key.pem
+# 	  --load-ca-certificate ca-cert.pem
+#	  --load-ca-privkey ca_key.pem
+#	  --outfile client-cert.pem
+fi
+exit 0

config/manager/daemonset-template.yaml

@@ -15,6 +15,18 @@ spec:
       hostNetwork: true
       hostPID: true
       hostIPC: true
+      initContainers:
+        - name: create-libvirt-vnc-certs
+          image: quay.io/airshipit/gnu-tls:latest-minideb
+          imagePullPolicy: IfNotPresent
+          command: ["/usr/local/bin/create_tls_cert.sh"]
+          args: [ "/etc/pki/libvirt-vnc"]
+          volumeMounts:
+            - name: etc-pki-libvirt-vnc
+              mountPath: "/etc/pki/libvirt-vnc"
+            - name: usr-local-bin
+              mountPath: "/usr/local/bin"
+
       containers:
         - name: libvirt
           command:
@@ -51,6 +63,11 @@ spec:
               mountPath: /etc/libvirt/storage
             - name: var-lib-vino
               mountPath: /var/lib/vino
+            - name: etc-libvirt
+              mountPath: /etc/libvirt
+            - name: etc-pki-libvirt-vnc
+              mountPath: /etc/pki/libvirt-vnc
+
         - name: sushy
           image: quay.io/metal3-io/sushy-tools
           imagePullPolicy: IfNotPresent
@@ -208,3 +225,14 @@ spec:
           hostPath:
             path: /var/lib/vino
             type: DirectoryOrCreate
+        - name: etc-libvirt
+          configMap:
+            name: vino-libvirt-qemu-conf
+            defaultMode: 0555
+        - name: etc-pki-libvirt-vnc
+          hostPath:
+            path: /etc/pki/libvirt-vnc
+        - name: usr-local-bin
+          configMap:
+            name: vino-create-libvirt-vnc-cert
+            defaultMode: 0777

config/manager/flavor-templates.yaml

@@ -87,8 +87,8 @@ flavorTemplates:
             <target type='serial'/>
           </console>
 
-          {% if domain.enable_vnc | default(false) %}
-          <graphics type='vnc' autoport='yes' listen='0.0.0.0'>
+          {% if domain.enableVNC | default(false) %}
+          <graphics type='vnc' autoport='yes' passwd='{{ domain.vncPassword }}' listen='0.0.0.0'>
             <listen type='address' address='0.0.0.0'/>
           </graphics>
           {% endif %}
@@ -206,7 +206,7 @@ flavorTemplates:
             <target type='serial'/>
           </console>
 
-          {% if domain.enable_vnc | default(false) %}
+          {% if domain.enableVNC | default(false) %}
           <graphics type='vnc' autoport='yes' listen='0.0.0.0'>
             <listen type='address' address='0.0.0.0'/>
           </graphics>

config/manager/kustomization.yaml

@@ -26,4 +26,14 @@ configMapGenerator:
   options:
     disableNameSuffixHash: true
   files:
-    - storage-templates.yaml
+    - storage-templates.yaml
+- name: libvirt-qemu-conf
+  options:
+    disableNameSuffixHash: true
+  files:
+    - qemu.conf
+- name: create-libvirt-vnc-cert
+  options:
+    disableNameSuffixHash: true
+  files:
+    - create_tls_cert.sh

config/manager/qemu.conf

@@ -0,0 +1,6 @@
+stdio_handler = "file"
+user = "root"
+group = "root"
+security_driver = "none"
+vnc_tls = 1
+#vnc_tls_x509_verify = 1

config/samples/vino_cr.yaml

@@ -38,6 +38,7 @@ spec:
           type: network
           network: management
           mtu: 1500
+      enableVNC: true
   bmcCredentials:
     username: admin
     password: passw0rd

config/samples/vino_cr_4_workers_1_cp.yaml

@@ -42,6 +42,7 @@ spec:
           type: network
           network: management
           mtu: 1500
+      enableVNC: true
     - name: worker
       count: 4
       bmhLabels:

pkg/api/v1/vino_builder.go

@@ -40,6 +40,8 @@ type BuilderDomain struct {
 	Name           string `json:"name,omitempty"`
 	Role           string `json:"role,omitempty"`
 	BootMACAddress string `json:"bootMACAddress,omitempty"`
+	EnableVNC      bool   `json:"enableVNC,omitempty"`
+	VNCPassword    string `json:"vncPassword,omitempty"`
 
 	Interfaces []BuilderNetworkInterface `json:"interfaces,omitempty"`
 }

pkg/api/v1/vino_types.go

@@ -145,6 +145,8 @@ type NodeSet struct {
 	RootDeviceName string `json:"rootDeviceName,omitempty"`
 	// BootInterfaceName interface name to use to boot virtual machines
 	BootInterfaceName string `json:"bootInterfaceName,omitempty"`
+	// EnableVNC create VNC for graphical interaction with the VM that will be created.
+	EnableVNC bool `json:"enableVNC,omitempty"`
 }
 
 // NamespacedName to be used to spawn VMs

pkg/managers/bmh.go

@@ -208,6 +208,8 @@ func (r *BMHManager) setBMHs(ctx context.Context, pod corev1.Pod) error {
 			}
 			domainValues.Name = roleSuffix
 			domainValues.Role = node.Name
+			domainValues.EnableVNC = node.EnableVNC
+			domainValues.VNCPassword = r.ViNO.Spec.BMCCredentials.Password
 
 			// Append a specific domain to the list
 			domains = append(domains, domainValues.BuilderDomain)