From 9c6b39b93af2f3fa4c321cfd827f38a2de325389 Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Wed, 4 Jul 2018 14:28:29 +0200
Subject: [PATCH] Add VNC SSL options

The options ssl_only, cert, and key in the DEFAULT section in nova.conf is mainly (and only?) used to configure SSL and certificates for VNC. However since they are in the DEFAULT section and are generic for Nova my opinion is that they should be in nova::init. For information about these options see [1] and [2]. They are not deprecated so should be no issues adding them in.

[1] https://docs.openstack.org/nova/queens/admin/remote-console-access.html
[2] https://github.com/openstack/nova/blob/master/nova/conf/novnc.py

Change-Id: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
---
 manifests/init.pp | 20 ++++++++++++++++++-
 ...-nova-vnc-ssl-params-691909b8a2f2e18e.yaml | 5 +++++
 spec/classes/nova_init_spec.rb | 9 +++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/add-nova-vnc-ssl-params-691909b8a2f2e18e.yaml

diff --git a/manifests/init.pp b/manifests/init.pp
index a8d45ac03..3aa2e1111 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -261,7 +261,7 @@
 #
 # [*ca_file*]
 # (optional) CA certificate file to use to verify connecting clients
-# Defaults to false, not set_
+# Defaults to false, not set
 #
 # [*nova_public_key*]
 # (optional) Install public key in .ssh/authorized_keys for the 'nova' user.
@@ -275,6 +275,18 @@
 # 'key-data' }, where 'key-type' is one of (ssh-rsa, ssh-dsa, ssh-ecdsa) and
 # 'key-data' is the contents of the private key file.
 #
+# [*ssl_only*]
+# (optional) Disallow non-encrypted connections.
+# Defaults to false
+#
+# [*cert*]
+# (optional) Path to SSL certificate file.
+# Defaults to $::os_service_default
+#
+# [*key*]
+# (optional) SSL key file (if separate from cert).
+# Defaults to $::os_service_default
+#
 # [*notification_transport_url*]
 # (optional) A URL representing the messaging driver to use for notifications
 # and its full configuration. Transport URLs take the form:
@@ -492,6 +504,9 @@ class nova(
 $key_file = false,
 $nova_public_key = undef,
 $nova_private_key = undef,
+ $ssl_only = false,
+ $cert = $::os_service_default,
+ $key = $::os_service_default,
 $notification_transport_url = $::os_service_default,
 $notification_driver = $::os_service_default,
 $notification_topics = $::os_service_default,
@@ -639,6 +654,9 @@ but should be one of: ssh-rsa, ssh-dsa, ssh-ecdsa.")
 }
 nova_config {
+ 'DEFAULT/ssl_only': value => $ssl_only;
+ 'DEFAULT/cert': value => $cert;
+ 'DEFAULT/key': value => $key;
 'DEFAULT/my_ip': value => $my_ip;
 'api/auth_strategy': value => $auth_strategy;
 'DEFAULT/image_service': value => $image_service;
diff --git a/releasenotes/notes/add-nova-vnc-ssl-params-691909b8a2f2e18e.yaml b/releasenotes/notes/add-nova-vnc-ssl-params-691909b8a2f2e18e.yaml
new file mode 100644
index 000000000..4a7916601
--- /dev/null
+++ b/releasenotes/notes/add-nova-vnc-ssl-params-691909b8a2f2e18e.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ Added parameters nova::ssl_only, nova::cert, nova::key to manage
+ SSL options for VNC.
diff --git a/spec/classes/nova_init_spec.rb b/spec/classes/nova_init_spec.rb
index a79433d22..95f5460f4 100644
--- a/spec/classes/nova_init_spec.rb
+++ b/spec/classes/nova_init_spec.rb
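Review bot: The new `[*cert*]` and `[*key*]` doc entries say nothing about which service consumes them, while the class already has `ca_file` and `key_file` parameters (the third hunk places the new `$key` directly under `$key_file`), so `key` versus `key_file` is easy to confuse when reading the parameter list. The commit message says these three options configure TLS for the VNC console proxy; that belongs in the docs, e.g. `#   (optional) Path to the SSL certificate file used by the VNC console proxy (DEFAULT/cert in nova.conf).` with matching wording for `key` and `ssl_only`. On `[*ssl_only*]` it is also worth stating that the flag only refuses plaintext and does not by itself enable TLS, so it is meant to be combined with `cert`/`key`.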
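Review bot: `'DEFAULT/ssl_only': value => $ssl_only` is written with nothing tying it to `cert`/`key`, so a deployer who sets `ssl_only => true` but leaves `cert` at `$::os_service_default` gets a proxy that refuses plaintext while this manifest has configured no certificate, and the mistake only surfaces when nova-novncproxy is started rather than at catalog compile time. A guard placed before this `nova_config` block, in the same `if`/`fail` style as the key-type check visible just above the hunk, catches it early: `if $ssl_only and is_service_default($cert) { fail('nova::cert must be set when nova::ssl_only is true') }` (is_service_default presumably comes from the same openstacklib dependency that provides `$::os_service_default`). `$ssl_only` also takes any value without validation; if the class validates its other boolean parameters, apply the same check here. The `nova_config` block continues past the end of the hunk.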
@@ -62,6 +62,9 @@ describe 'nova' do
 is_expected.to contain_nova_config('DEFAULT/cpu_allocation_ratio').with_value('')
 is_expected.to contain_nova_config('DEFAULT/ram_allocation_ratio').with_value('')
 is_expected.to contain_nova_config('DEFAULT/disk_allocation_ratio').with_value('')
+ is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(false)
+ is_expected.to contain_nova_config('DEFAULT/cert').with_value('')
+ is_expected.to contain_nova_config('DEFAULT/key').with_value('')
 end
 it 'configures block_device_allocate params' do
@@ -107,6 +110,9 @@ describe 'nova' do
 :block_device_allocate_retries => '60',
 :block_device_allocate_retries_interval => '3',
 :my_ip => '192.0.2.1',
+ :ssl_only => true,
+ :cert => '/etc/ssl/private/snakeoil.pem',
+ :key => '/etc/ssl/certs/snakeoil.pem',
 }
 end
@@ -172,6 +178,9 @@ describe 'nova' do
 is_expected.to contain_nova_config('DEFAULT/report_interval').with_value('60')
 is_expected.to contain_nova_config('os_vif_linux_bridge/use_ipv6').with_value('true')
 is_expected.to contain_nova_config('cinder/os_region_name').with_value('MyRegion')
+ is_expected.to contain_nova_config('DEFAULT/ssl_only').with_value(true)
+ is_expected.to contain_nova_config('DEFAULT/cert').with_value('/etc/ssl/private/snakeoil.pem')
+ is_expected.to contain_nova_config('DEFAULT/key').with_value('/etc/ssl/certs/snakeoil.pem')
 end
 context 'with multiple notification_driver' do
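Review bot: The fixture values in the second hunk read as swapped: `:cert` points under `/etc/ssl/private/` and `:key` under `/etc/ssl/certs/`, the reverse of the usual layout, which makes a reader stop to check whether the manifest wires the two parameters the wrong way round. Using `:cert => '/etc/ssl/certs/snakeoil.pem'` and `:key => '/etc/ssl/private/snakeoil.key'`, with the same two strings in the `with_value(...)` assertions of the third hunk, keeps the test self-explanatory; they are only fixtures, so nothing else changes. The first hunk's `with_value(false)` for the default is fine and matches the `$ssl_only = false` parameter default.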