SSL support for haproxy -> novnc proxy connection

With tls-everywhere enabled the connection from haproxy to the nova novnc proxy was not encrypted. Now we request a certificate and configue haproxy and the novnc proxy to encrypt this remaining part in a vnc connection to be encrypted as well. Change-Id: I4667706633205c240f2efb51663e6efbce5e344e Related-bug: #1785700 Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
2018-08-07 10:14:04 +02:00 · 2018-08-07 10:14:04 +02:00 · 1587c21d7f
commit 1587c21d7f
parent d656c6f3c2
4 changed files with 123 additions and 0 deletions
--- a/manifests/certmonger/novnc_proxy.pp
+++ b/manifests/certmonger/novnc_proxy.pp
@ -0,0 +1,91 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::novnc_proxy
+#
+# Request a certificate for MongoDB and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*service_pem*]
+#   The file in PEM format that the HAProxy service will use as a certificate.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl restart ${service name}"
+#   Defaults to undef.
+#
+# [*principal*]
+#   (Optional) The service principal that is set for the service in kerberos.
+#   Defaults to undef
+#
+# [*notify_service*]
+#   (Optional) Service to reload when certificate is created/renewed
+#   Defaults to $::nova::params::libvirt_service_name
+#
+class tripleo::certmonger::novnc_proxy (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca = hiera('certmonger_ca', 'local'),
+  $notify_service   = undef,
+  $postsave_cmd  = undef,
+  $principal     = undef,
+) {
+  include ::certmonger
+  include ::nova::params
+
+  $notify_service_real = pick($notify_service, $::nova::params::vncproxy_service_name)
+
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::nova::params::vncproxy_service_name}")
+
+  certmonger_certificate { 'novnc-proxy' :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd_real,
+    ca           => $certmonger_ca,
+    wait         => true,
+    tag          => 'novnc-proxy',
+    require      => Class['::certmonger'],
+  }
+
+  file { $service_certificate :
+    require => Certmonger_certificate['novnc-proxy'],
+    mode    => '0644'
+  }
+  file { $service_key :
+    require => Certmonger_certificate['novnc-proxy'],
+    mode    => '0640'
+  }
+
+  File[$service_certificate] ~> Service<| title == $notify_service_real |>
+  File[$service_key] ~> Service<| title == $notify_service_real |>
+}
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@ -1086,6 +1086,14 @@ class tripleo::haproxy (
  }

  if $nova_novncproxy {
+    if $enable_internal_tls {
+      # we need to make sure we use ssl for checks.
+      $haproxy_member_options_real   = delete($haproxy_member_options, 'check')
+      $novncproxy_ssl_member_options = ['check-ssl']
+    } else {
+      $haproxy_member_options_real   = $haproxy_member_options
+      $novncproxy_ssl_member_options = []
+    }
    ::tripleo::haproxy::endpoint { 'nova_novncproxy':
      public_virtual_ip => $public_virtual_ip,
      internal_ip       => $nova_api_vip,
@ -1099,6 +1107,7 @@ class tripleo::haproxy (
      }),
      public_ssl_port   => $ports[nova_novnc_ssl_port],
      service_network   => $nova_novncproxy_network,
+      member_options    => union($haproxy_member_options_real, $internal_tls_member_options, $novncproxy_ssl_member_options),
    }
  }

--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@ -117,6 +117,16 @@
 #   it will create.
 #   Defaults to hiera('tripleo::profile::base::neutron::certificate_specs', {}).
 #
+# [*novnc_proxy_certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('novnc_proxy_certificates_specs',{})
+#
+# [*novnc_proxy_postsave_cmd*]
+#   (Optional) If set, it overrides the default way to restart novnc proxy when the
+#   certificate is renewed.
+#   Defaults to undef
+#
 class tripleo::profile::base::certmonger_user (
  $certmonger_ca              = hiera('certmonger_ca', 'local'),
  $apache_certificates_specs  = hiera('apache_certificates_specs', {}),
@ -135,6 +145,8 @@ class tripleo::profile::base::certmonger_user (
  $odl_certificate_specs      = hiera('tripleo::profile::base::neutron::opendaylight::certificate_specs', {}),
  $ovs_certificate_specs      = hiera('tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs', {}),
  $neutron_certificate_specs  = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
+  $novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
+  $novnc_proxy_postsave_cmd   = undef,
 ) {
  include ::certmonger

@ -206,4 +218,8 @@ class tripleo::profile::base::certmonger_user (
  unless empty($neutron_certificate_specs) {
    ensure_resource('class', 'tripleo::certmonger::neutron', $neutron_certificate_specs)
  }
+  unless empty($novnc_proxy_certificates_specs) {
+    ensure_resource('class', 'tripleo::certmonger::novnc_proxy', $novnc_proxy_certificates_specs,
+                      {'postsave_cmd' => $novnc_proxy_postsave_cmd})
+  }
 }
--- a/releasenotes/notes/nova_novnc_proxy_ssl_support-507a776063403a8e.yaml
+++ b/releasenotes/notes/nova_novnc_proxy_ssl_support-507a776063403a8e.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    with tls-everywhere enabled the connection from haproxy to the nova novnc
+    proxy was not encrypted. Now we request a certificate and configue haproxy
+    and the novnc proxy to encrypt this remaining part in a vnc connection to
+    be encrypted as well.