Add parameters for console proxy SSL/TLS settings

This adds new console_ssl_ciphers and console_ssl_minimum_version
parameters for configuring the allowed TLS ciphers and minimum protocol
version to enforce for incoming client connections to the console proxy
services (VNC, SPICE, etc).

Depends-On: I23ac1cc79482d0fabb359486a4b934463854cae5
Change-Id: I3a1262f70f6a801db276701a39ebb01f40025192
Related-Bug: 1842149
Nathan Kinder 2019-09-05 20:01:12 -07:00 committed by Takashi Kajinami
parent 75504111d5
commit 533a8b8b26
3 changed files with 30 additions and 0 deletions


@ -285,6 +285,19 @@
# (optional) SSL key file (if separate from cert).
# Defaults to $::os_service_default
#
# [*console_ssl_ciphers*]
# (optional) OpenSSL cipher preference string that specifies what ciphers to
# allow for TLS connections from clients. See the man page for the OpenSSL
# 'ciphers' command for details of the cipher preference string format and
# allowed values.
# Defaults to $::os_service_default
#
# [*console_ssl_minimum_version*]
# (optional) Minimum allowed SSL/TLS protocol version. Valid values are
# 'default', 'tlsv1_1', 'tlsv1_2', and 'tlsv1_3'. A value of 'default' will
# use the underlying system OpenSSL defaults.
# Defaults to $::os_service_default
#
# [*notification_transport_url*]
# (optional) A URL representing the messaging driver to use for notifications
# and its full configuration. Transport URLs take the form:
@ -490,6 +503,8 @@ class nova(
$ssl_only = false,
$cert = $::os_service_default,
$key = $::os_service_default,
$console_ssl_ciphers = $::os_service_default,
$console_ssl_minimum_version = $::os_service_default,
$notification_transport_url = $::os_service_default,
$notification_driver = $::os_service_default,
$notification_topics = $::os_service_default,
@ -638,6 +653,8 @@ but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa.")
'DEFAULT/ssl_only': value => $ssl_only;
'DEFAULT/cert': value => $cert;
'DEFAULT/key': value => $key;
'console/ssl_ciphers': value => $console_ssl_ciphers;
'console/ssl_minimum_version': value => $console_ssl_minimum_version;
'DEFAULT/my_ip': value => $my_ip;
'api/auth_strategy': value => $auth_strategy;
'DEFAULT/host': value => $host;
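Review bot: `$console_ssl_minimum_version` is written straight to `console/ssl_minimum_version` (third hunk) without any check, although the new header comment restricts it to 'default', 'tlsv1_1', 'tlsv1_2' and 'tlsv1_3', so a misspelt value is only noticed when nova rejects its configuration at service start. The manifest already fails early on a bad key type (the "should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa" message visible above the third hunk), and the same pattern fits here, e.g. `if !is_service_default($console_ssl_minimum_version) and !($console_ssl_minimum_version in ['default', 'tlsv1_1', 'tlsv1_2', 'tlsv1_3']) { fail("console_ssl_minimum_version must be one of: default, tlsv1_1, tlsv1_2, tlsv1_3") }` placed next to the existing validation. The `class nova(` parameter list and the body holding the nova_config resources both start and end outside these hunks. It would also help operators if the `[*console_ssl_minimum_version*]` comment said plainly that 'default' imposes no floor of its own but defers to the system OpenSSL policy, so a deployment that needs an explicit minimum should set one of the tlsv1_* values.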


@ -0,0 +1,7 @@
---
features:
- |
Added parameters nova::console_ssl_ciphers and
nova::console_ssl_minimum_version to manage the allowed TLS ciphers and
minimum protocol version to enforce for incoming client connections to the
console proxy services (VNC, SPICE, etc).


@ -62,6 +62,8 @@ describe 'nova' do
is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(false)
is_expected.to contain_nova_config('DEFAULT/cert').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('DEFAULT/key').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('console/ssl_ciphers').with_value('<SERVICE DEFAULT>')
is_expected.to contain_nova_config('console/ssl_minimum_version').with_value('<SERVICE DEFAULT>')
end
it 'configures block_device_allocate params' do
@ -110,6 +112,8 @@ describe 'nova' do
:ssl_only => true,
:cert => '/etc/ssl/private/snakeoil.pem',
:key => '/etc/ssl/certs/snakeoil.pem',
:console_ssl_ciphers => 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES',
:console_ssl_minimum_version => 'tlsv1_2',
}
end
@ -177,6 +181,8 @@ describe 'nova' do
is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(true)
is_expected.to contain_nova_config('DEFAULT/cert').with_value('/etc/ssl/private/snakeoil.pem')
is_expected.to contain_nova_config('DEFAULT/key').with_value('/etc/ssl/certs/snakeoil.pem')
is_expected.to contain_nova_config('console/ssl_ciphers').with_value('kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES')
is_expected.to contain_nova_config('console/ssl_minimum_version').with_value('tlsv1_2')
end
context 'with multiple notification_driver' do