Browse Source

Add support for libvirt VNC TLS

Configures certs/key for nova-novnc vencrypt when TLS is enabled on the
internal network. A dedicated IPA sub-CA can be used to restrict access,
however by default the main IPA CA is used.

Depends-On: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
Change-Id: I67ffd847dc2d1949833a9d7039ad51e4364e02da
changes/69/536469/10
Oliver Walsh 4 years ago
parent
commit
37a339d2b0
  1. 135
      docker/services/nova-libvirt.yaml
  2. 57
      docker/services/nova-vnc-proxy.yaml
  3. 9
      puppet/all-nodes-config.j2.yaml
  4. 22
      puppet/services/certmonger-user.yaml
  5. 93
      puppet/services/nova-libvirt.yaml
  6. 97
      puppet/services/nova-vnc-proxy.yaml
  7. 8
      releasenotes/notes/vnc_tls-b3707d0134697cc7.yaml

135
docker/services/nova-libvirt.yaml

@ -46,8 +46,7 @@ parameters:
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt. NOTE. this is currently being
ignored and TLS for libvirtd is always disabled for now.
relevant keys for libvirt.
DockerNovaMigrationSshdPort:
default: 2022
description: Port that dockerized nova migration target sshd service
@ -80,6 +79,44 @@ parameters:
description: >
The Ceph cluster name must be at least 1 character and contain only
letters and numbers.
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
InternalTLSVncCAFile:
default: '/etc/ipa/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtCACert:
type: string
default: ''
description: This specifies the CA certificate to use for TLS in libvirt.
This file will be symlinked to the default CA path in libvirt,
which is /etc/pki/CA/cacert.pem. Note that due to limitations
GNU TLS, which is the TLS backend for libvirt, the file must
be less than 65K (so we can't use the system's CA bundle).
This parameter should be used if the default (which comes from
the InternalTLSCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
conditions:
@ -92,6 +129,11 @@ conditions:
- {get_param: UseTLSTransportForLiveMigration}
- true
libvirt_specific_ca_unset:
equals:
- {get_param: LibvirtCACert}
- ''
need_libvirt_secret:
or:
- equals:
@ -101,6 +143,21 @@ conditions:
- {get_param: CinderEnableRbdBackend}
- true
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
resources:
ContainersCommon:
@ -152,23 +209,42 @@ outputs:
- /usr/sbin/libvirtd --listen
- /usr/sbin/libvirtd
config_files:
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-ceph/"
dest: "/etc/ceph/"
merge: true
preserve_properties: true
list_concat:
-
- source: "/var/lib/kolla/config_files/src/*"
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-ceph/"
dest: "/etc/ceph/"
merge: true
preserve_properties: true
- if:
- use_tls_for_vnc
-
- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
dest: /etc/pki/libvirt-vnc/
merge: true
preserve_properties: true
- null
permissions:
- path:
str_replace:
template: /etc/ceph/CLUSTER.client.USER.keyring
params:
CLUSTER: {get_param: CephClusterName}
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
list_concat:
-
- path:
str_replace:
template: /etc/ceph/CLUSTER.client.USER.keyring
params:
CLUSTER: {get_param: CephClusterName}
USER: {get_param: CephClientUserName}
owner: nova:nova
perm: '0600'
- if:
- use_tls_for_vnc
-
- path: /etc/pki/libvirt-vnc/server-key.pem
owner: root:qemu
perm: '0640'
- null
/var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files:
@ -232,12 +308,33 @@ outputs:
if:
- use_tls_for_live_migration
-
- /etc/ipa/ca.crt:/etc/pki/CA/cacert.pem:ro
- str_replace:
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
params:
CACERT:
if:
- libvirt_specific_ca_unset
- get_param: InternalTLSCAFile
- get_param: LibvirtCACert
- /etc/pki/libvirt/servercert.pem:/etc/pki/libvirt/servercert.pem:ro
- /etc/pki/libvirt/private/serverkey.pem:/etc/pki/libvirt/private/serverkey.pem:ro
- /etc/pki/libvirt/clientcert.pem:/etc/pki/libvirt/clientcert.pem:ro
- /etc/pki/libvirt/private/clientkey.pem:/etc/pki/libvirt/private/clientkey.pem:ro
- null
-
if:
- use_tls_for_vnc
-
- str_replace:
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
step_4:

57
docker/services/nova-vnc-proxy.yaml

@ -40,6 +40,46 @@ parameters:
default: false
description: Remove package if the service is being disabled during upgrade
type: boolean
EnableInternalTLS:
type: boolean
default: false
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSVncCAFile:
default: '/etc/ipa/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
conditions:
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
resources:
@ -119,8 +159,25 @@ outputs:
-
- /var/lib/kolla/config_files/nova_vnc_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
-
if:
- use_tls_for_vnc
-
- str_replace:
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
- /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
- /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [NovaVncProxyPuppetBase, role_data, metadata_settings]
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
upgrade_tasks:
- name: Check if nova vncproxy is deployed

9
puppet/all-nodes-config.j2.yaml

@ -58,12 +58,6 @@ parameters:
constraints:
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
default: ''
# NOTE(jaosorior): This is being set as IPA as it's the first
# CA we'll actually be testing out. But we can change this if
# people request it.
CertmongerCA:
type: string
default: 'IPA'
EnableInternalTLS:
type: boolean
default: false
@ -75,7 +69,6 @@ parameters:
type: string
{%- endfor %}
resources:
allNodesConfigImpl:
@ -213,8 +206,6 @@ resources:
cloud_name_{{network.name_lower}}: {get_param: cloud_name_{{network.name_lower}}}
{%- endfor %}
cloud_name_ctlplane: {get_param: cloud_name_ctlplane}
# TLS parameters
certmonger_ca: {get_param: CertmongerCA}
enable_internal_tls: {get_param: EnableInternalTLS}
outputs:

22
puppet/services/certmonger-user.yaml

@ -37,6 +37,17 @@ parameters:
default: 'http://ipa-ca/ipa/crl/MasterCRL.bin'
description: URI where to get the CRL to be configured in the nodes.
type: string
# NOTE(jaosorior): This is being set as IPA as it's the first
# CA we'll actually be testing out. But we can change this if
# people request it.
CertmongerCA:
type: string
default: 'IPA'
# TODO: default to a dedicated CA once the ipa sub-CA setup has been
# automated and upgrades are addressed
CertmongerVncCA:
type: string
default: 'IPA'
conditions:
@ -48,10 +59,11 @@ outputs:
value:
service_name: certmonger_user
config_settings:
tripleo::certmonger::ca::crl::crl_source:
if:
- internal_tls_enabled
- {get_param: DefaultCRLURL}
- null
if:
- internal_tls_enabled
- tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
certmonger_ca: {get_param: CertmongerCA}
certmonger_ca_vnc: {get_param: CertmongerVncCA}
- {}
step_config: |
include ::tripleo::profile::base::certmonger_user

93
puppet/services/nova-libvirt.yaml

@ -75,13 +75,22 @@ parameters:
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the
relevant keys for libvirt. NOTE. this is currently being
ignored and TLS for libvirtd is always disabled for now.
relevant keys for libvirt.
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
InternalTLSVncCAFile:
default: '/etc/ipa/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtCACert:
type: string
default: ''
@ -94,6 +103,16 @@ parameters:
the InternalTLSCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
MigrationSshKey:
type: json
description: >
@ -128,6 +147,21 @@ conditions:
- {get_param: LibvirtCACert}
- ''
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
resources:
NovaBase:
type: ./nova-base.yaml
@ -234,13 +268,54 @@ outputs:
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {}
-
if:
- use_tls_for_vnc
-
nova::compute::libvirt::qemu::vnc_tls: true
nova::compute::libvirt::qemu::vnc_tls_verify: true
generate_service_certificates: true
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
libvirt_vnc_certificates_specs:
libvirt-vnc-server-cert:
cacertfile:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- null
service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
service_key: '/etc/pki/libvirt-vnc/server-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {}
step_config: |
include tripleo::profile::base::nova::libvirt
metadata_settings:
if:
- use_tls_for_live_migration
-
- service: libvirt
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null
list_concat:
- if:
- use_tls_for_live_migration
-
- service: libvirt
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null
- if:
- use_tls_for_vnc
-
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null

97
puppet/services/nova-vnc-proxy.yaml

@ -30,6 +30,14 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry.
type: json
StackUpdateType:
type: string
description: >
Type of update, to differentiate between UPGRADE and UPDATE cases
when StackAction is UPDATE (both are the same stack action).
constraints:
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
default: ''
MonitoringSubscriptionNovaVNCProxy:
default: 'overcloud-nova-vncproxy'
type: string
@ -38,6 +46,50 @@ parameters:
default:
tag: openstack.nova.vncproxy
path: /var/log/nova/nova-vncproxy.log
EnableInternalTLS:
type: boolean
default: false
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSVncCAFile:
default: '/etc/ipa/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
conditions:
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
allow_noauth:
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
equals: [{get_param: StackUpdateType}, 'UPGRADE']
resources:
NovaBase:
@ -74,6 +126,43 @@ outputs:
dport:
- 6080
- 13080
-
if:
- use_tls_for_vnc
-
nova::vncproxy::allow_vencrypt: true
nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]}
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
generate_service_certificates: true
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
libvirt_vnc_certificates_specs:
libvirt-vnc-client-cert:
cacertfile:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- null
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
service_key: '/etc/pki/libvirt-vnc/client-key.pem'
notify_service: '%{::nova::params::vncproxy_service_name}'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {}
service_config_settings:
fluentd:
tripleo_fluentd_groups_nova_vnc_proxy:
@ -86,3 +175,11 @@ outputs:
- name: Stop nova_vnc_proxy service
when: step|int == 1
service: name=openstack-nova-consoleauth state=stopped
metadata_settings:
if:
- use_tls_for_vnc
-
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null

8
releasenotes/notes/vnc_tls-b3707d0134697cc7.yaml

@ -0,0 +1,8 @@
---
features:
- |
If TLS on the internal network is enabled, the nova-novnc to libvirt vnc
transport defaults to using TLS. This can be changed by setting the
``UseTLSTransportForVnc`` parameter, which is ``true`` by default.
A dedicated IPA sub-CA can be specified by the ``LibvirtVncCACert``
parameter. By default the main IPA CA will be used.
Loading…
Cancel
Save