From 1587c21d7fd48444a9398c08f22df4c1ae188c31 Mon Sep 17 00:00:00 2001
From: Martin Schuppert
Date: Tue, 7 Aug 2018 10:14:04 +0200
Subject: [PATCH] SSL support for haproxy -> novnc proxy connection

With tls-everywhere enabled the connection from haproxy to the nova novnc proxy was not encrypted. Now we request a certificate and configue haproxy and the novnc proxy to encrypt this remaining part in a vnc connection to be encrypted as well.

Change-Id: I4667706633205c240f2efb51663e6efbce5e344e
Related-bug: #1785700
Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
---
 manifests/certmonger/novnc_proxy.pp | 91 +++++++++++++++++++
 manifests/haproxy.pp | 9 ++
 manifests/profile/base/certmonger_user.pp | 16 ++++
 ...nc_proxy_ssl_support-507a776063403a8e.yaml | 7 ++
 4 files changed, 123 insertions(+)
 create mode 100644 manifests/certmonger/novnc_proxy.pp
 create mode 100644 releasenotes/notes/nova_novnc_proxy_ssl_support-507a776063403a8e.yaml

diff --git a/manifests/certmonger/novnc_proxy.pp b/manifests/certmonger/novnc_proxy.pp
new file mode 100644
index 000000000..b7d6e979b
--- /dev/null
+++ b/manifests/certmonger/novnc_proxy.pp
@@ -0,0 +1,91 @@
+# Copyright 2018 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::novnc_proxy
+#
+# Request a certificate for MongoDB and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+# The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+# The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+# The path to the key that will be used for TLS in this service.
+#
+# [*service_pem*]
+# The file in PEM format that the HAProxy service will use as a certificate.
+#
+# [*certmonger_ca*]
+# (Optional) The CA that certmonger will use to generate the certificates.
+# Defaults to hiera('certmonger_ca', 'local').
+#
+# [*postsave_cmd*]
+# (Optional) Specifies the command to execute after requesting a certificate.
+# If nothing is given, it will default to: "systemctl restart ${service name}"
+# Defaults to undef.
+#
+# [*principal*]
+# (Optional) The service principal that is set for the service in kerberos.
+# Defaults to undef
+#
+# [*notify_service*]
+# (Optional) Service to reload when certificate is created/renewed
+# Defaults to $::nova::params::libvirt_service_name
+#
+class tripleo::certmonger::novnc_proxy (
+ $hostname,
+ $service_certificate,
+ $service_key,
+ $certmonger_ca = hiera('certmonger_ca', 'local'),
+ $notify_service = undef,
+ $postsave_cmd = undef,
+ $principal = undef,
+) {
+ include ::certmonger
+ include ::nova::params
+
+ $notify_service_real = pick($notify_service, $::nova::params::vncproxy_service_name)
+
+ $postsave_cmd_real = pick($postsave_cmd, "systemctl restart ${::nova::params::vncproxy_service_name}")
+
+ certmonger_certificate { 'novnc-proxy' :
+ ensure => 'present',
+ certfile => $service_certificate,
+ keyfile => $service_key,
+ hostname => $hostname,
+ dnsname => $hostname,
+ principal => $principal,
+ postsave_cmd => $postsave_cmd_real,
+ ca => $certmonger_ca,
+ wait => true,
+ tag => 'novnc-proxy',
+ require => Class['::certmonger'],
+ }
+
+ file { $service_certificate :
+ require => Certmonger_certificate['novnc-proxy'],
+ mode => '0644'
+ }
+ file { $service_key :
+ require => Certmonger_certificate['novnc-proxy'],
+ mode => '0640'
+ }
+
+ File[$service_certificate] ~> Service<| title == $notify_service_real |>
+ File[$service_key] ~> Service<| title == $notify_service_real |>
+}
diff --git a/manifests/haproxy.pp b/manifests/haproxy.pp
index 118814dcb..a372660f3 100644
--- a/manifests/haproxy.pp
+++ b/manifests/haproxy.pp
@@ -1086,6 +1086,14 @@ class tripleo::haproxy (
 }
 if $nova_novncproxy {
+ if $enable_internal_tls {
+ # we need to make sure we use ssl for checks.
+ $haproxy_member_options_real = delete($haproxy_member_options, 'check')
+ $novncproxy_ssl_member_options = ['check-ssl']
+ } else {
+ $haproxy_member_options_real = $haproxy_member_options
+ $novncproxy_ssl_member_options = []
+ }
 ::tripleo::haproxy::endpoint { 'nova_novncproxy':
 public_virtual_ip => $public_virtual_ip,
 internal_ip => $nova_api_vip,
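Review bot: The class header in the new manifests/certmonger/novnc_proxy.pp does not describe the class it sits on: `+# Request a certificate for MongoDB and do the necessary setup.` should read `# Request a certificate for the nova novnc proxy and do the necessary setup.`, the `[*service_pem*]` entry documents a parameter the class does not declare and should go, and `[*notify_service*]` says `Defaults to $::nova::params::libvirt_service_name` while the body picks `$::nova::params::vncproxy_service_name`. Separately, `$postsave_cmd_real` builds its default from `$::nova::params::vncproxy_service_name` rather than `$notify_service_real`, so an overridden `notify_service` is reloaded through the File relationships but the certmonger post-save hook still restarts the default unit; `pick($postsave_cmd, "systemctl restart ${notify_service_real}")` keeps the two in step. Finally, `file { $service_key : ... mode => '0640' }` sets no `owner`/`group`, so whether the vncproxy service account can read the private key depends on ownership established outside this class — worth confirming, since a root-only key makes the proxy fail to start and invites loosening the mode as a workaround.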
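Review bot: Removing `check` from `$haproxy_member_options_real` while adding only `check-ssl` may leave the novnc backend members with no health check at all: as far as I know HAProxy's `check-ssl` only decides that checks run over TLS, it does not enable them the way `check` does, so the TLS branch would trade an unencrypted check for none. If `$internal_tls_member_options` (consumed together with these variables in the `@@ -1099` hunk, not visible here) already contains `ssl`, HAProxy runs checks over TLS on its own and the `delete(...)` can simply be dropped; otherwise keep `check` and append `check-ssl`, i.e. `$haproxy_member_options_real = $haproxy_member_options` in both branches and `$novncproxy_ssl_member_options = ['check-ssl']` only under TLS. The comment `# we need to make sure we use ssl for checks.` would then describe what the code does; please verify against the HAProxy version shipped. The enclosing `if $nova_novncproxy` block continues past the end of the hunk.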
@@ -1099,6 +1107,7 @@ class tripleo::haproxy (
 }),
 public_ssl_port => $ports[nova_novnc_ssl_port],
 service_network => $nova_novncproxy_network,
+ member_options => union($haproxy_member_options_real, $internal_tls_member_options, $novncproxy_ssl_member_options),
 }
 }
diff --git a/manifests/profile/base/certmonger_user.pp b/manifests/profile/base/certmonger_user.pp
index 18938ff2b..f325bf83c 100644
--- a/manifests/profile/base/certmonger_user.pp
+++ b/manifests/profile/base/certmonger_user.pp
@@ -117,6 +117,16 @@
 # it will create.
 # Defaults to hiera('tripleo::profile::base::neutron::certificate_specs', {}).
 #
+# [*novnc_proxy_certificates_specs*]
+# (Optional) The specifications to give to certmonger for the certificate(s)
+# it will create.
+# Defaults to hiera('novnc_proxy_certificates_specs',{})
+#
+# [*novnc_proxy_postsave_cmd*]
+# (Optional) If set, it overrides the default way to restart novnc proxy when the
+# certificate is renewed.
+# Defaults to undef
+#
 class tripleo::profile::base::certmonger_user (
 $certmonger_ca = hiera('certmonger_ca', 'local'),
 $apache_certificates_specs = hiera('apache_certificates_specs', {}),
@@ -135,6 +145,8 @@ class tripleo::profile::base::certmonger_user (
 $odl_certificate_specs = hiera('tripleo::profile::base::neutron::opendaylight::certificate_specs', {}),
 $ovs_certificate_specs = hiera('tripleo::profile::base::neutron::plugins::ovs::opendaylight::certificate_specs', {}),
 $neutron_certificate_specs = hiera('tripleo::profile::base::neutron::certificate_specs', {}),
+ $novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{}),
+ $novnc_proxy_postsave_cmd = undef,
 ) {
 include ::certmonger
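Review bot: The new hiera key in `$novnc_proxy_certificates_specs = hiera('novnc_proxy_certificates_specs',{})` uses the flat, un-namespaced form while the three neighbouring parameters in this hunk read `tripleo::profile::base::...::certificate_specs`; only `apache_certificates_specs` in the class shares the flat spelling, so this is a style choice rather than a defect, but whichever form is kept should be mirrored in the `@@ -117` doc hunk. The call also drops the space the surrounding declarations use before the default: `hiera('novnc_proxy_certificates_specs', {})`.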
@@ -206,4 +218,8 @@ class tripleo::profile::base::certmonger_user (
 unless empty($neutron_certificate_specs) {
 ensure_resource('class', 'tripleo::certmonger::neutron', $neutron_certificate_specs)
 }
+ unless empty($novnc_proxy_certificates_specs) {
+ ensure_resource('class', 'tripleo::certmonger::novnc_proxy', $novnc_proxy_certificates_specs,
+ {'postsave_cmd' => $novnc_proxy_postsave_cmd})
+ }
 }
diff --git a/releasenotes/notes/nova_novnc_proxy_ssl_support-507a776063403a8e.yaml b/releasenotes/notes/nova_novnc_proxy_ssl_support-507a776063403a8e.yaml
new file mode 100644
index 000000000..b35b43cf8
--- /dev/null
+++ b/releasenotes/notes/nova_novnc_proxy_ssl_support-507a776063403a8e.yaml
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ with tls-everywhere enabled the connection from haproxy to the nova novnc
+ proxy was not encrypted. Now we request a certificate and configue haproxy
+ and the novnc proxy to encrypt this remaining part in a vnc connection to
+ be encrypted as well.
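Review bot: The new call passes four arguments to `ensure_resource`, whereas the adjacent `ensure_resource('class', 'tripleo::certmonger::neutron', $neutron_certificate_specs)` and the function's documented form take three (type, title, params); as far as I recall stdlib's implementation destructures only the first three, so `{'postsave_cmd' => $novnc_proxy_postsave_cmd}` would be silently ignored and the `novnc_proxy_postsave_cmd` parameter this change adds would never reach the class. Folding it into the parameter hash removes the doubt: `ensure_resource('class', 'tripleo::certmonger::novnc_proxy', merge({'postsave_cmd' => $novnc_proxy_postsave_cmd}, $novnc_proxy_certificates_specs))`. If a title-keyed hash plus defaults was intended, `ensure_resources` (plural) is the variant that accepts a defaults argument. Please confirm against the stdlib version the project pins.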