Add parameters for console proxy SSL/TLS settings

This adds new console_ssl_ciphers and console_ssl_minimum_version parameters for configuring the allowed TLS ciphers and minimum protocol version to enforce for incoming client connections to the console proxy services (VNC, SPICE, etc). Depends-On: I23ac1cc79482d0fabb359486a4b934463854cae5 Change-Id: I3a1262f70f6a801db276701a39ebb01f40025192 Related-Bug: 1842149
2019-09-05 20:01:12 -07:00 · 2019-09-05 20:01:12 -07:00 · 533a8b8b26
commit 533a8b8b26
parent 75504111d5
3 changed files with 30 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -285,6 +285,19 @@
 #   (optional) SSL key file (if separate from cert).
 #   Defaults to $::os_service_default
 #
+# [*console_ssl_ciphers*]
+#   (optional) OpenSSL cipher preference string that specifies what ciphers to
+#   allow for TLS connections from clients.  See the man page for the OpenSSL
+#   'ciphers' command for details of the cipher preference string format and
+#   allowed values.
+#   Defaults to $::os_service_default
+#
+# [*console_ssl_minimum_version*]
+#   (optional) Minimum allowed SSL/TLS protocol version.  Valid values are
+#   'default', 'tlsv1_1', 'tlsv1_2', and 'tlsv1_3'.  A value of 'default' will
+#   use the underlying system OpenSSL defaults.
+#   Defaults to $::os_service_default
+#
 # [*notification_transport_url*]
 #   (optional) A URL representing the messaging driver to use for notifications
 #   and its full configuration. Transport URLs take the form:
@ -490,6 +503,8 @@ class nova(
  $ssl_only                               = false,
  $cert                                   = $::os_service_default,
  $key                                    = $::os_service_default,
+  $console_ssl_ciphers                    = $::os_service_default,
+  $console_ssl_minimum_version            = $::os_service_default,
  $notification_transport_url             = $::os_service_default,
  $notification_driver                    = $::os_service_default,
  $notification_topics                    = $::os_service_default,
@ -638,6 +653,8 @@ but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa.")
    'DEFAULT/ssl_only':              value => $ssl_only;
    'DEFAULT/cert':                  value => $cert;
    'DEFAULT/key':                   value => $key;
+    'console/ssl_ciphers':           value => $console_ssl_ciphers;
+    'console/ssl_minimum_version':   value => $console_ssl_minimum_version;
    'DEFAULT/my_ip':                 value => $my_ip;
    'api/auth_strategy':             value => $auth_strategy;
    'DEFAULT/host':                  value => $host;
--- a/releasenotes/notes/add-console-ssl-cipher-protocol-params-2ad72898a85dbe17.yaml
+++ b/releasenotes/notes/add-console-ssl-cipher-protocol-params-2ad72898a85dbe17.yaml
@ -0,0 +1,7 @@
+---
+features:
+  - |
+    Added parameters nova::console_ssl_ciphers and
+    nova::console_ssl_minimum_version to manage the allowed TLS ciphers and
+    minimum protocol version to enforce for incoming client connections to the
+    console proxy services (VNC, SPICE, etc).
--- a/spec/classes/nova_init_spec.rb
+++ b/spec/classes/nova_init_spec.rb
@ -62,6 +62,8 @@ describe 'nova' do
        is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(false)
        is_expected.to contain_nova_config('DEFAULT/cert').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_nova_config('DEFAULT/key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('console/ssl_ciphers').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('console/ssl_minimum_version').with_value('<SERVICE DEFAULT>')
      end

      it 'configures block_device_allocate params' do
@ -110,6 +112,8 @@ describe 'nova' do
          :ssl_only                                => true,
          :cert                                    => '/etc/ssl/private/snakeoil.pem',
          :key                                     => '/etc/ssl/certs/snakeoil.pem',
+          :console_ssl_ciphers                     => 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES',
+          :console_ssl_minimum_version             => 'tlsv1_2',
        }
      end

@ -177,6 +181,8 @@ describe 'nova' do
        is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(true)
        is_expected.to contain_nova_config('DEFAULT/cert').with_value('/etc/ssl/private/snakeoil.pem')
        is_expected.to contain_nova_config('DEFAULT/key').with_value('/etc/ssl/certs/snakeoil.pem')
+        is_expected.to contain_nova_config('console/ssl_ciphers').with_value('kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES')
+        is_expected.to contain_nova_config('console/ssl_minimum_version').with_value('tlsv1_2')
      end

      context 'with multiple notification_driver' do