Add ssl deployment to novnc console type

Deploy user SSL keys for novnc console containers so users viewing
the console in Horizon will be able to access the console over https.

Example configuration:
nova_console_type: novnc
nova_novncproxy_proto: https
nova_console_user_ssl_cert: ~/certs/horizon.pem
nova_console_user_ssl_key: ~/certs/horizon.key
nova_console_user_ssl_ca_cert: "{{ ssl_ca_cert }}"

Change-Id: Icb66631ac0b00afe12519fd742e3198e828a10cc

playbooks/roles/os_nova/defaults/main.yml

@@ -156,6 +156,11 @@ nova_console_keymap: en-us
 # Set the console type. Presently the only options are ["spice", "novnc"].
 nova_console_type: spice
 
+# Nova console ssl info, presently only used by novnc console type
+nova_console_ssl_dir: "/etc/nova/ssl"
+nova_console_ssl_cert: "{{ nova_console_ssl_dir }}/nova-console.pem"
+nova_console_ssl_key: "{{ nova_console_ssl_dir }}/nova-console.key"
+
 ## Nova global config
 nova_cpu_mode: host-model
 nova_linuxnet_interface_driver: nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver

playbooks/roles/os_nova/tasks/nova_console_novnc_install.yml

@@ -88,3 +88,9 @@
   tags:
     - nova-install
     - nova-novnc-pip-packages
+
+- include: nova_console_novnc_ssl.yml
+  when: nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined
+  tags:
+    - nova-novnc
+    - nova-novnc-ssl

playbooks/roles/os_nova/tasks/nova_console_novnc_ssl.yml

@@ -0,0 +1,39 @@
+---
+# Copyright 2016, Logan Vig <logan2211@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure ssl cert directory exists
+  file:
+    path: "{{ nova_console_ssl_dir }}"
+    state: directory
+    owner: "nova"
+    group: "nova"
+    mode: "0755"
+
+- name: Prepare combined nova-console SSL and CA certs
+  local_action: command cat {{ nova_console_user_ssl_cert }} {{ nova_console_user_ssl_ca_cert is defined | ternary(nova_console_user_ssl_ca_cert,'') }}
+  register: nova_console_user_ssl_combined
+
+- name: Drop user provided ssl cert and key
+  copy:
+    src: "{{ item.src | default(omit) }}"
+    content: "{{ item.content | default(omit) }}"
+    dest: "{{ item.dest }}"
+    owner: "nova"
+    group: "nova"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { content: "{{ nova_console_user_ssl_combined.stdout ~ '\n' }}", dest: "{{ nova_console_ssl_cert }}", mode: "0644" }
+    - { src: "{{ nova_console_user_ssl_key }}", dest: "{{ nova_console_ssl_key }}", mode: "0640" }
+  notify: Restart nova services

playbooks/roles/os_nova/templates/nova.conf.j2

@@ -59,6 +59,13 @@ allow_resize_to_same_host = True
 image_cache_manager_interval = {{ nova_image_cache_manager_interval }}
 resume_guests_state_on_host_boot = {{ nova_resume_guests_state_on_host_boot }}
 
+{% if nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined and inventory_hostname in groups['nova_console'] %}
+# Console SSL keys
+ssl_only = true
+cert = {{ nova_console_ssl_cert }}
+key = {{ nova_console_ssl_key }}
+{% endif %}
+
 # Api's
 enabled_apis = {{ nova_enabled_apis }}
 osapi_compute_workers = {{ nova_osapi_compute_workers | default(api_threads) }}