Add support for libvirt VNC TLS with option of a dedicated CA

Configures ca/certs/key for nova-novnc vencrypt.

A dedicated IPA sub-CA can optionally be used to restrict access.
A custom certmonger helper is used to support this as certmonger currently
has limited support for IPA sub-CAs.

Depends-On: I24a9841ba04c95df27599b4d7ac2da8416e751e5
Change-Id: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8

files/cm_ipa_subca_wrapper.py

@@ -0,0 +1,75 @@
+#!/usr/bin/python
+from __future__ import print_function
+try:
+    import ConfigParser as configparser
+except ImportError:
+    import configparser
+import os
+import sys
+import subprocess
+
+CM_SUBMIT_STATUS_ISSUED = 0
+CM_SUBMIT_STATUS_UNCONFIGURED = 4
+
+def main():
+    if len(sys.argv) < 3:
+        return CM_SUBMIT_STATUS_UNCONFIGURED
+    sub_ca = sys.argv[1]
+    wrapped_command = sys.argv[2:]
+
+    operation = os.environ.get('CERTMONGER_OPERATION')
+    os.environ['CERTMONGER_CA_NICKNAME'] = 'IPA'
+
+    if operation == 'FETCH-ROOTS' and sub_ca.lower() != 'ipa':
+        config = configparser.ConfigParser()
+        try:
+            with open('/etc/ipa/default.conf') as fp:
+                config.readfp(fp)
+        except:
+            return CM_SUBMIT_STATUS_UNCONFIGURED
+        host = config.get('global', 'host')
+        realm = config.get('global', 'realm')
+        if host is None or realm is None:
+            return CM_SUBMIT_STATUS_UNCONFIGURED
+        principal = 'host/{}@{}'.format(host, realm)
+        os.environ['KRB5CCNAME'] = '/tmp/krb5cc_cm_ipa_subca_wrapper'
+        try:
+            subprocess.check_call([
+                '/usr/bin/kinit', '-k', principal
+            ])
+        except:
+            return CM_SUBMIT_STATUS_UNCONFIGURED
+
+        try:
+            data = subprocess.check_output([
+                '/usr/bin/ipa', 'ca-show', sub_ca
+            ])
+        except:
+            return CM_SUBMIT_STATUS_ISSUED
+
+        config = {}
+        for line in data.split('\n'):
+            line = line.strip()
+            try:
+                key, value = line.split(': ')
+            except:
+                continue
+            config[key] = value
+
+        if config.get('Name').lower() != sub_ca.lower():
+            return CM_SUBMIT_STATUS_ISSUED
+
+        print(realm, sub_ca, 'CA')
+        print('-----BEGIN CERTIFICATE-----')
+        certificate = config['Certificate']
+        for i in range((len(certificate)/64) + 1):
+            print(certificate[i*64:(i+1)*64])
+        print('-----END CERTIFICATE-----')
+        sys.stdout.flush()
+    else:
+        os.environ['CERTMONGER_CA_ISSUER'] = sub_ca
+
+    os.execl(wrapped_command[0], *wrapped_command)
+
+if __name__ == '__main__':
+    main()

manifests/certmonger/ca/libvirt_vnc.pp

@@ -0,0 +1,65 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::ca::libvirt_vnc
+#
+# Sets the necessary file that will be used libvirt vnc servers and
+# clients.
+#
+# === Parameters:
+#
+# [*origin_ca_pem*]
+#  (Optional) Path to the CA certificate that libvirt vnc will use. This is not
+#  assumed automatically or uses the system CA bundle as is the case of other
+#  services because a limitation with the file sizes in GNU TLS, which libvirt
+#  uses as a TLS backend.
+#  Defaults to undef
+#
+# [*certmonger_ca*]
+#   (Optional) The CA name that certmonger will use to generate VNC certificates.
+#   If this is not local or IPA then is assumed to be an IPA sub-CA and will be
+#   added to the certmonger CA list.
+#   Defaults to hiera('certmonger_ca_vnc', 'local').
+#
+class tripleo::certmonger::ca::libvirt_vnc(
+  $origin_ca_pem = undef,
+  $certmonger_ca = hiera('certmonger_ca_vnc', 'local'),
+){
+  if $origin_ca_pem {
+    $ensure_file = 'link'
+  } else {
+    $ensure_file = 'absent'
+  }
+  file { '/etc/pki/libvirt-vnc/ca-cert.pem':
+    ensure => $ensure_file,
+    mode   => '0644',
+    target => $origin_ca_pem,
+  }
+
+  if ! ($certmonger_ca in [ 'local', 'IPA', 'ipa' ]) {
+    $wrapper_path = '/usr/libexec/certmonger/cm_ipa_subca_wrapper'
+    $ipa_helper_path = '/usr/libexec/certmonger/ipa-submit'
+    file { $wrapper_path:
+      source => 'puppet:///modules/tripleo/cm_ipa_subca_wrapper.py',
+      mode   => '0755',
+      notify => Service['certmonger']
+    }
+    -> exec { "Add ${certmonger_ca} IPA subCA to certmonger":
+      command => "getcert add-ca -c ${certmonger_ca} -e '${wrapper_path} ${certmonger_ca} ${ipa_helper_path}'",
+      path    => ['/usr/bin', '/bin'],
+      unless  => "getcert list-cas -c ${certmonger_ca} | grep '${wrapper_path} ${certmonger_ca}'",
+      notify  => Service['certmonger']
+    }
+  }
+}

manifests/certmonger/libvirt_vnc.pp

@@ -0,0 +1,103 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Resource: tripleo::certmonger::libvirt_vnc
+#
+# Request a certificate for libvirt-vnc and do the necessary setup.
+#
+# === Parameters
+#
+# [*hostname*]
+#   The hostname of the node. this will be set in the CN of the certificate.
+#
+# [*service_certificate*]
+#   The path to the certificate that will be used for TLS in this service.
+#
+# [*service_key*]
+#   The path to the key that will be used for TLS in this service.
+#
+# [*certmonger_ca*]
+#   (Optional) The CA that certmonger will use to generate the certificates.
+#   Defaults to hiera('certmonger_ca_vnc', 'local').
+#
+# [*postsave_cmd*]
+#   (Optional) Specifies the command to execute after requesting a certificate.
+#   If nothing is given, it will default to: "systemctl reload ${service name}"
+#   Defaults to undef.
+#
+# [*principal*]
+#   (Optional) The service principal that is set for the service in kerberos.
+#   Defaults to undef
+#
+# [*cacertfile*]
+#   (Optional) Specifies that path to write the CA cerftificate to.
+#   Defaults to undef
+#
+# [*notify_service*]
+#   (Optional) Service to reload when certificate is created/renewed
+#   Defaults to $::nova::params::libvirt_service_name
+#
+define tripleo::certmonger::libvirt_vnc (
+  $hostname,
+  $service_certificate,
+  $service_key,
+  $certmonger_ca    = hiera('certmonger_ca_vnc', 'local'),
+  $postsave_cmd     = undef,
+  $principal        = undef,
+  $cacertfile       = undef,
+  $notify_service   = undef,
+) {
+  include ::certmonger
+  include ::nova::params
+
+  $notify_service_real = pick($notify_service, $::nova::params::libvirt_service_name)
+
+  $postsave_cmd_real = pick($postsave_cmd, "systemctl reload ${notify_service_real}")
+
+  certmonger_certificate { $name :
+    ensure       => 'present',
+    certfile     => $service_certificate,
+    keyfile      => $service_key,
+    hostname     => $hostname,
+    dnsname      => $hostname,
+    principal    => $principal,
+    postsave_cmd => $postsave_cmd_real,
+    ca           => $certmonger_ca,
+    cacertfile   => $cacertfile,
+    wait         => true,
+    tag          => 'libvirt-cert',
+    require      => Class['::certmonger'],
+  }
+
+  if $cacertfile {
+    file { $cacertfile :
+      require => Certmonger_certificate[$name],
+      mode    => '0644'
+    }
+    ~> Service<| title == $notify_service_real |>
+  }
+
+  file { $service_certificate :
+    require => Certmonger_certificate[$name],
+    mode    => '0644'
+  }
+  file { $service_key :
+    require => Certmonger_certificate[$name],
+    group   => 'qemu',
+    mode    => '0640'
+  }
+
+  File[$service_certificate] ~> Service<| title == $notify_service_real |>
+  File[$service_key] ~> Service<| title == $notify_service_real |>
+}

manifests/certmonger/libvirt_vnc_dirs.pp

@@ -0,0 +1,56 @@
+# Copyright 2017 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+#
+# == Class: tripleo::certmonger::libvirt_vnc_dirs
+#
+# Creates the necessary directories for libvirt vnc certificates and keys in the
+# assigned locations if specified. It also assigns the correct SELinux tags.
+#
+# === Parameters:
+#
+# [*certificate_dir*]
+#   (Optional) Directory where libvirt-vnc's certificates will be stored. If left
+#   unspecified, it won't be created.
+#   Defaults to undef
+#
+# [*key_dir*]
+#   (Optional) Directory where libvirt-vnc's keys will be stored.
+#   Defaults to undef
+#
+class tripleo::certmonger::libvirt_vnc_dirs(
+  $certificate_dir = undef,
+  $key_dir         = undef,
+){
+
+  if $certificate_dir {
+    file { $certificate_dir :
+      ensure  => 'directory',
+      selrole => 'object_r',
+      seltype => 'cert_t',
+      seluser => 'system_u',
+    }
+    File[$certificate_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |>
+  }
+
+  if $key_dir {
+    file { $key_dir :
+      ensure  => 'directory',
+      selrole => 'object_r',
+      seltype => 'cert_t',
+      seluser => 'system_u',
+    }
+    File[$key_dir] ~> Certmonger_certificate<| tag == 'libvirt-vnc-cert' |>
+  }
+
+}

manifests/profile/base/certmonger_user.pp

@@ -63,6 +63,16 @@
 #   certificate is renewed.
 #   Defaults to undef
 #
+# [*libvirt_vnc_certificates_specs*]
+#   (Optional) The specifications to give to certmonger for the certificate(s)
+#   it will create.
+#   Defaults to hiera('libvirt_vnc_certificates_specs', {}).
+#
+# [*libvirt_vnc_postsave_cmd*]
+#   (Optional) If set, it overrides the default way to restart services when the
+#   certificate is renewed.
+#   Defaults to undef
+#
 # [*mongodb_certificate_specs*]
 #   (Optional) The specifications to give to certmonger for the certificate(s)
 #   it will create.
@@ -110,6 +120,8 @@ class tripleo::profile::base::certmonger_user (
   $haproxy_postsave_cmd       = undef,
   $libvirt_certificates_specs = hiera('libvirt_certificates_specs', {}),
   $libvirt_postsave_cmd       = undef,
+  $libvirt_vnc_certificates_specs = hiera('libvirt_vnc_certificates_specs', {}),
+  $libvirt_vnc_postsave_cmd       = undef,
   $mongodb_certificate_specs  = hiera('mongodb_certificate_specs',{}),
   $mysql_certificate_specs    = hiera('tripleo::profile::base::database::mysql::certificate_specs', {}),
   $rabbitmq_certificate_specs = hiera('tripleo::profile::base::rabbitmq::certificate_specs', {}),
@@ -133,6 +145,7 @@ class tripleo::profile::base::certmonger_user (
   }
   Certmonger_certificate<||> -> Class['::tripleo::certmonger::ca::crl']
   include ::tripleo::certmonger::ca::libvirt
+  include ::tripleo::certmonger::ca::libvirt_vnc
 
   unless empty($apache_certificates_specs) {
     include ::tripleo::certmonger::apache_dirs
@@ -144,6 +157,11 @@ class tripleo::profile::base::certmonger_user (
     ensure_resources('tripleo::certmonger::libvirt', $libvirt_certificates_specs,
                       {'postsave_cmd' => $libvirt_postsave_cmd})
   }
+  unless empty($libvirt_vnc_certificates_specs) {
+    include ::tripleo::certmonger::libvirt_vnc_dirs
+    ensure_resources('tripleo::certmonger::libvirt_vnc', $libvirt_vnc_certificates_specs,
+                      {'postsave_cmd' => $libvirt_vnc_postsave_cmd})
+  }
   unless empty($haproxy_certificates_specs) {
     include ::tripleo::certmonger::haproxy_dirs
     ensure_resources('tripleo::certmonger::haproxy', $haproxy_certificates_specs,

releasenotes/notes/vnc_tls-7e5f275217117f78.yaml

@@ -0,0 +1,10 @@
+---
+features:
+  - |
+    Add support for libvirt VNC TLS with option of a dedicated CA
+
+    Configures ca/certs/key for nova-novnc vencrypt.
+
+    A dedicated IPA sub-CA can optionally be used to restrict access.
+    A custom certmonger helper is used to support this as certmonger currently
+    has limited support for IPA sub-CAs.