Add VNC SSL options

The options ssl_only, cert, and key in the DEFAULT
section in nova.conf is mainly (and only?) used to
configure SSL and certificates for VNC.

However since they are in the DEFAULT section and are
generic for Nova my opinion is that they should be
in nova::init.

For information about these options see [1] and [2].
They are not deprecated so should be no issues adding
them in.

[1] https://docs.openstack.org/nova/queens/admin/remote-console-access.html
[2] https://github.com/openstack/nova/blob/master/nova/conf/novnc.py

Change-Id: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60

manifests/init.pp

@@ -261,7 +261,7 @@
 #
 # [*ca_file*]
 #   (optional) CA certificate file to use to verify connecting clients
-#   Defaults to false, not set_
+#   Defaults to false, not set
 #
 # [*nova_public_key*]
 #   (optional) Install public key in .ssh/authorized_keys for the 'nova' user.
@@ -275,6 +275,18 @@
 #   'key-data' }, where 'key-type' is one of (ssh-rsa, ssh-dsa, ssh-ecdsa) and
 #   'key-data' is the contents of the private key file.
 #
+# [*ssl_only*]
+#   (optional) Disallow non-encrypted connections.
+#   Defaults to false
+#
+# [*cert*]
+#   (optional) Path to SSL certificate file.
+#   Defaults to $::os_service_default
+#
+# [*key*]
+#   (optional) SSL key file (if separate from cert).
+#   Defaults to $::os_service_default
+#
 # [*notification_transport_url*]
 #   (optional) A URL representing the messaging driver to use for notifications
 #   and its full configuration. Transport URLs take the form:
@@ -492,6 +504,9 @@ class nova(
   $key_file                               = false,
   $nova_public_key                        = undef,
   $nova_private_key                       = undef,
+  $ssl_only                               = false,
+  $cert                                   = $::os_service_default,
+  $key                                    = $::os_service_default,
   $notification_transport_url             = $::os_service_default,
   $notification_driver                    = $::os_service_default,
   $notification_topics                    = $::os_service_default,
@@ -639,6 +654,9 @@ but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa.")
   }
 
   nova_config {
+    'DEFAULT/ssl_only':              value => $ssl_only;
+    'DEFAULT/cert':                  value => $cert;
+    'DEFAULT/key':                   value => $key;
     'DEFAULT/my_ip':                 value => $my_ip;
     'api/auth_strategy':             value => $auth_strategy;
     'DEFAULT/image_service':         value => $image_service;

releasenotes/notes/add-nova-vnc-ssl-params-691909b8a2f2e18e.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Added parameters nova::ssl_only, nova::cert, nova::key to manage
+    SSL options for VNC.

spec/classes/nova_init_spec.rb

@@ -62,6 +62,9 @@ describe 'nova' do
         is_expected.to contain_nova_config('DEFAULT/cpu_allocation_ratio').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('DEFAULT/ram_allocation_ratio').with_value('<SERVICE DEFAULT>')
         is_expected.to contain_nova_config('DEFAULT/disk_allocation_ratio').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(false)
+        is_expected.to contain_nova_config('DEFAULT/cert').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('DEFAULT/key').with_value('<SERVICE DEFAULT>')
       end
 
       it 'configures block_device_allocate params' do
@@ -107,6 +110,9 @@ describe 'nova' do
           :block_device_allocate_retries           => '60',
           :block_device_allocate_retries_interval  => '3',
           :my_ip                                   => '192.0.2.1',
+          :ssl_only                                => true,
+          :cert                                    => '/etc/ssl/private/snakeoil.pem',
+          :key                                     => '/etc/ssl/certs/snakeoil.pem',
         }
       end
 
@@ -172,6 +178,9 @@ describe 'nova' do
         is_expected.to contain_nova_config('DEFAULT/report_interval').with_value('60')
         is_expected.to contain_nova_config('os_vif_linux_bridge/use_ipv6').with_value('true')
         is_expected.to contain_nova_config('cinder/os_region_name').with_value('MyRegion')
+        is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(true)
+        is_expected.to contain_nova_config('DEFAULT/cert').with_value('/etc/ssl/private/snakeoil.pem')
+        is_expected.to contain_nova_config('DEFAULT/key').with_value('/etc/ssl/certs/snakeoil.pem')
       end
 
       context 'with multiple notification_driver' do