diff --git a/defaults/main.yml b/defaults/main.yml
index c5cf68a5..efcf32d3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -156,6 +156,11 @@ nova_console_keymap: en-us
 # Set the console type. Presently the only options are ["spice", "novnc"].
 nova_console_type: spice
 
+# Nova console ssl info, presently only used by novnc console type
+nova_console_ssl_dir: "/etc/nova/ssl"
+nova_console_ssl_cert: "{{ nova_console_ssl_dir }}/nova-console.pem"
+nova_console_ssl_key: "{{ nova_console_ssl_dir }}/nova-console.key"
+
 ## Nova global config
 nova_cpu_mode: host-model
 nova_linuxnet_interface_driver: nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver
diff --git a/tasks/nova_console_novnc_install.yml b/tasks/nova_console_novnc_install.yml
index ae569ad9..8ef6819c 100644
--- a/tasks/nova_console_novnc_install.yml
+++ b/tasks/nova_console_novnc_install.yml
@@ -88,3 +88,9 @@
 tags:
 - nova-install
 - nova-novnc-pip-packages
+
+- include: nova_console_novnc_ssl.yml
+ when: nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined
+ tags:
+ - nova-novnc
+ - nova-novnc-ssl
diff --git a/tasks/nova_console_novnc_ssl.yml b/tasks/nova_console_novnc_ssl.yml
new file mode 100644
index 00000000..003fcaaa
--- /dev/null
+++ b/tasks/nova_console_novnc_ssl.yml
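Review bot: The variables that actually switch this feature on — `nova_console_user_ssl_cert`, `nova_console_user_ssl_key` and the optional `nova_console_user_ssl_ca_cert` — are not declared or described anywhere in the defaults/main.yml hunk, so a deployer reading the role's defaults cannot discover them, and nothing states that the paths are read on the deployment host (which is what the `local_action` and `copy: src:` in the new task file imply). A commented-out entry for each beside the new `nova_console_ssl_*` keys would document the contract, e.g. `# nova_console_user_ssl_cert: /path/on/deploy/host/console.pem` and `# nova_console_user_ssl_key: /path/on/deploy/host/console.key` (example placeholders), with a note that the CA chain is appended to the dropped certificate when the CA variable is set. It is also worth saying in that comment that defining both variables is what enables `ssl_only` in nova.conf, since that is the observable effect.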
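Review bot: The new include in tasks/nova_console_novnc_install.yml is tagged `nova-novnc` and `nova-novnc-ssl` but not `nova-install`, whereas the preceding task visible in the hunk carries `nova-install`; a run limited to `--tags nova-install` would therefore install novnc without dropping the certificate and key, while the template block in nova.conf.j2 still enables `ssl_only` whenever the user variables are defined. Adding `- nova-install` to the include's tag list keeps the install path self-consistent. The enclosing task list starts before the hunk, so the tagging convention of the other tasks in the file could not be checked here.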
@@ -0,0 +1,39 @@
+---
+# Copyright 2016, Logan Vig
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure ssl cert directory exists
+ file:
+ path: "{{ nova_console_ssl_dir }}"
+ state: directory
+ owner: "nova"
+ group: "nova"
+ mode: "0755"
+
+- name: Prepare combined nova-console SSL and CA certs
+ local_action: command cat {{ nova_console_user_ssl_cert }} {{ nova_console_user_ssl_ca_cert is defined | ternary(nova_console_user_ssl_ca_cert,'') }}
+ register: nova_console_user_ssl_combined
+
+- name: Drop user provided ssl cert and key
+ copy:
+ src: "{{ item.src | default(omit) }}"
+ content: "{{ item.content | default(omit) }}"
+ dest: "{{ item.dest }}"
+ owner: "nova"
+ group: "nova"
+ mode: "{{ item.mode }}"
+ with_items:
+ - { content: "{{ nova_console_user_ssl_combined.stdout ~ '\n' }}", dest: "{{ nova_console_ssl_cert }}", mode: "0644" }
+ - { src: "{{ nova_console_user_ssl_key }}", dest: "{{ nova_console_ssl_key }}", mode: "0640" }
+ notify: Restart nova services
diff --git a/templates/nova.conf.j2 b/templates/nova.conf.j2
index 8449ee30..2c558667 100644
--- a/templates/nova.conf.j2
+++ b/templates/nova.conf.j2
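Review bot: The "Prepare combined nova-console SSL and CA certs" task builds a `command cat` line from unquoted template expansions, so a certificate path containing whitespace on the deployment host is split into several arguments, and when `nova_console_user_ssl_ca_cert` is unset the `ternary(…, '')` form still hands `cat` an empty trailing argument; the task also spawns a controller-side process only to capture output that `stdout` then strips, which is why the `~ '\n'` glue is needed in the `with_items` entry. Reading the files with the `file` lookup removes the extra task, the `register`, and the argument-splitting concern: replace the first `with_items` entry with `- { content: "{{ lookup('file', nova_console_user_ssl_cert) ~ '\n' ~ ((lookup('file', nova_console_user_ssl_ca_cert) ~ '\n') if nova_console_user_ssl_ca_cert is defined else '') }}", dest: "{{ nova_console_ssl_cert }}", mode: "0644" }` and drop the `local_action` task. The Jinja conditional expression is evaluated lazily, so the CA lookup only runs when that variable is defined. Separately, a one-line comment above the copy task noting that the certificate item is written as `0644` because it is public material while the key item stays `0640` would make the differing modes intentional rather than accidental to the next reader.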
@@ -59,6 +59,13 @@ allow_resize_to_same_host = True
 image_cache_manager_interval = {{ nova_image_cache_manager_interval }}
 resume_guests_state_on_host_boot = {{ nova_resume_guests_state_on_host_boot }}
 
+{% if nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined and inventory_hostname in groups['nova_console'] %}
+# Console SSL keys
+ssl_only = true
+cert = {{ nova_console_ssl_cert }}
+key = {{ nova_console_ssl_key }}
+{% endif %}
+
 # Api's
 enabled_apis = {{ nova_enabled_apis }}
 osapi_compute_workers = {{ nova_osapi_compute_workers | default(api_threads) }}
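Review bot: The `{% if %}` guard around `ssl_only = true` checks the user cert/key variables and `nova_console` group membership but not `nova_console_type`, whereas the files it points `cert` and `key` at are only dropped by tasks/nova_console_novnc_ssl.yml, which this change includes from the novnc install task file; if the spice path never reaches that include (not visible here), a spice deployment that also defines the user variables ends up with `ssl_only` set and `cert`/`key` referencing files that were never written. Extending the condition keeps the template in step with the defaults comment that the SSL settings are only used by novnc: `{% if nova_console_type == 'novnc' and nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined and inventory_hostname in groups['nova_console'] %}`. Note also that `groups['nova_console']` raises an undefined-variable error when an inventory has no such group; `groups.get('nova_console', [])` would render cleanly in that case if the role is expected to tolerate it. A short template comment stating that `cert` must contain the server certificate followed by its CA chain (which is how the task file assembles it) would help anyone supplying the files by hand.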