Add support for [console] allowed_origins

Change-Id: I08e3a74ba6fa1c976f824e69fd4a7efee1fd460c Signed-off-by: Takashi Kajinami <kajinamit@oss.nttdata.com>
2025-11-06 23:35:42 +09:00
parent a2b048e9d4
commit bc46894a4b
3 changed files with 21 additions and 3 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -236,6 +236,11 @@
 #   (optional) SSL key file (if separate from cert).
 #   Defaults to $facts['os_service_default']
 #
+# [*console_allowed_origins*]
+#   (optional) List of allowed origins to the console websockey proxy to allow
+#   connections from other origin hostnames.
+#   Defaults to $facts['os_service_default']
+#
 # [*console_ssl_ciphers*]
 #   (optional) OpenSSL cipher preference string that specifies what ciphers to
 #   allow for TLS connections from clients.  See the man page for the OpenSSL
@@ -396,6 +401,7 @@ class nova (
  $source_is_ipv6                          = $facts['os_service_default'],
  $cert                                    = $facts['os_service_default'],
  $key                                     = $facts['os_service_default'],
+  $console_allowed_origins                 = $facts['os_service_default'],
  $console_ssl_ciphers                     = $facts['os_service_default'],
  $console_ssl_minimum_version             = $facts['os_service_default'],
  $notification_transport_url              = $facts['os_service_default'],
@@ -494,6 +500,7 @@ class nova (
    'DEFAULT/source_is_ipv6':                value => $source_is_ipv6;
    'DEFAULT/cert':                          value => $cert;
    'DEFAULT/key':                           value => $key;
+    'console/allowed_origins':               value => join(any2array($console_allowed_origins), ',');
    'console/ssl_ciphers':                   value => join(any2array($console_ssl_ciphers), ':');
    'console/ssl_minimum_version':           value => $console_ssl_minimum_version;
    'DEFAULT/my_ip':                         value => $my_ip;
--- a/releasenotes/notes/console_allowed_origins-440032ce51e96ab1.yaml
+++ b/releasenotes/notes/console_allowed_origins-440032ce51e96ab1.yaml
@@ -0,0 +1,4 @@
+---
+features:
+  - |
+    The new ``nova::console_allowed_origins`` parameter has been added.
--- a/spec/classes/nova_init_spec.rb
+++ b/spec/classes/nova_init_spec.rb
@@ -90,6 +90,7 @@ describe 'nova' do
        is_expected.to contain_nova_config('DEFAULT/source_is_ipv6').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_nova_config('DEFAULT/cert').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_nova_config('DEFAULT/key').with_value('<SERVICE DEFAULT>')
+        is_expected.to contain_nova_config('console/allowed_origins').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_nova_config('console/ssl_ciphers').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_nova_config('console/ssl_minimum_version').with_value('<SERVICE DEFAULT>')
        is_expected.to contain_nova_config('DEFAULT/dhcp_domain').with_value('<SERVICE DEFAULT>')
@@ -154,6 +155,7 @@ describe 'nova' do
          :source_is_ipv6                     => false,
          :cert                               => '/etc/ssl/private/snakeoil.pem',
          :key                                => '/etc/ssl/certs/snakeoil.pem',
+          :console_allowed_origins            => 'http://example.com',
          :console_ssl_ciphers                => 'kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES',
          :console_ssl_minimum_version        => 'tlsv1_2',
          :dhcp_domain                        => 'foo',
@@ -246,6 +248,7 @@ describe 'nova' do
        is_expected.to contain_nova_config('DEFAULT/source_is_ipv6').with_value(false)
        is_expected.to contain_nova_config('DEFAULT/cert').with_value('/etc/ssl/private/snakeoil.pem')
        is_expected.to contain_nova_config('DEFAULT/key').with_value('/etc/ssl/certs/snakeoil.pem')
+        is_expected.to contain_nova_config('console/allowed_origins').with_value('http://example.com')
        is_expected.to contain_nova_config('console/ssl_ciphers').with_value('kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES')
        is_expected.to contain_nova_config('console/ssl_minimum_version').with_value('tlsv1_2')
        is_expected.to contain_nova_config('DEFAULT/dhcp_domain').with_value('foo')
@@ -340,13 +343,17 @@ describe 'nova' do
      it { is_expected.to contain_nova_config('DEFAULT/initial_disk_allocation_ratio').with_value(3.0) }
    end

-    context 'with array used for console_ssl_ciphers' do
+    context 'with array used for console parameters' do
      let :params do
        {
-          :console_ssl_ciphers => ['kEECDH+aECDSA+AES', 'kEECDH+AES+aRSA', 'kEDH+aRSA+AES']
+          :console_allowed_origins => ['http://192.0.2.1', 'http://192.0.2.2'],
+          :console_ssl_ciphers     => ['kEECDH+aECDSA+AES', 'kEECDH+AES+aRSA', 'kEDH+aRSA+AES']
        }
      end
-      it {is_expected.to contain_nova_config('console/ssl_ciphers').with_value('kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES') }
+      it {
+        is_expected.to contain_nova_config('console/allowed_origins').with_value('http://192.0.2.1,http://192.0.2.2')
+        is_expected.to contain_nova_config('console/ssl_ciphers').with_value('kEECDH+aECDSA+AES:kEECDH+AES+aRSA:kEDH+aRSA+AES')
+      }
    end
  end