Add support for libvirt VNC TLS

Configures certs/key for nova-novnc vencrypt when TLS is enabled on the
internal network. A dedicated IPA sub-CA can be used to restrict access,
however by default the main IPA CA is used.

Depends-On: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8
Change-Id: I67ffd847dc2d1949833a9d7039ad51e4364e02da
Oliver Walsh 2018-01-22 17:19:14 +00:00
parent c96b58c028
commit 37a339d2b0
7 changed files with 379 additions and 42 deletions


@ -46,8 +46,7 @@ parameters:
default: true default: true
description: If set to true and if EnableInternalTLS is enabled, it will description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the set the libvirt URI's transport to tls and configure the
relevant keys for libvirt. NOTE. this is currently being relevant keys for libvirt.
ignored and TLS for libvirtd is always disabled for now.
DockerNovaMigrationSshdPort: DockerNovaMigrationSshdPort:
default: 2022 default: 2022
description: Port that dockerized nova migration target sshd service description: Port that dockerized nova migration target sshd service
@ -80,6 +79,44 @@ parameters:
description: > description: >
The Ceph cluster name must be at least 1 character and contain only The Ceph cluster name must be at least 1 character and contain only
letters and numbers. letters and numbers.
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSCAFile:
default: '/etc/ipa/ca.crt'
type: string
description: Specifies the default CA cert to use if TLS is used for
services in the internal network.
InternalTLSVncCAFile:
default: '/etc/ipa/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtCACert:
type: string
default: ''
description: This specifies the CA certificate to use for TLS in libvirt.
This file will be symlinked to the default CA path in libvirt,
which is /etc/pki/CA/cacert.pem. Note that due to limitations
GNU TLS, which is the TLS backend for libvirt, the file must
be less than 65K (so we can't use the system's CA bundle).
This parameter should be used if the default (which comes from
the InternalTLSCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
conditions: conditions:
@ -92,6 +129,11 @@ conditions:
- {get_param: UseTLSTransportForLiveMigration} - {get_param: UseTLSTransportForLiveMigration}
- true - true
libvirt_specific_ca_unset:
equals:
- {get_param: LibvirtCACert}
- ''
need_libvirt_secret: need_libvirt_secret:
or: or:
- equals: - equals:
@ -101,6 +143,21 @@ conditions:
- {get_param: CinderEnableRbdBackend} - {get_param: CinderEnableRbdBackend}
- true - true
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
resources: resources:
ContainersCommon: ContainersCommon:
@ -152,6 +209,8 @@ outputs:
- /usr/sbin/libvirtd --listen - /usr/sbin/libvirtd --listen
- /usr/sbin/libvirtd - /usr/sbin/libvirtd
config_files: config_files:
list_concat:
-
- source: "/var/lib/kolla/config_files/src/*" - source: "/var/lib/kolla/config_files/src/*"
dest: "/" dest: "/"
merge: true merge: true
@ -160,7 +219,17 @@ outputs:
dest: "/etc/ceph/" dest: "/etc/ceph/"
merge: true merge: true
preserve_properties: true preserve_properties: true
- if:
- use_tls_for_vnc
-
- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
dest: /etc/pki/libvirt-vnc/
merge: true
preserve_properties: true
- null
permissions: permissions:
list_concat:
-
- path: - path:
str_replace: str_replace:
template: /etc/ceph/CLUSTER.client.USER.keyring template: /etc/ceph/CLUSTER.client.USER.keyring
@ -169,6 +238,13 @@ outputs:
USER: {get_param: CephClientUserName} USER: {get_param: CephClientUserName}
owner: nova:nova owner: nova:nova
perm: '0600' perm: '0600'
- if:
- use_tls_for_vnc
-
- path: /etc/pki/libvirt-vnc/server-key.pem
owner: root:qemu
perm: '0640'
- null
/var/lib/kolla/config_files/nova_virtlogd.json: /var/lib/kolla/config_files/nova_virtlogd.json:
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
config_files: config_files:
@ -232,12 +308,33 @@ outputs:
if: if:
- use_tls_for_live_migration - use_tls_for_live_migration
- -
- /etc/ipa/ca.crt:/etc/pki/CA/cacert.pem:ro - str_replace:
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
params:
CACERT:
if:
- libvirt_specific_ca_unset
- get_param: InternalTLSCAFile
- get_param: LibvirtCACert
- /etc/pki/libvirt/servercert.pem:/etc/pki/libvirt/servercert.pem:ro - /etc/pki/libvirt/servercert.pem:/etc/pki/libvirt/servercert.pem:ro
- /etc/pki/libvirt/private/serverkey.pem:/etc/pki/libvirt/private/serverkey.pem:ro - /etc/pki/libvirt/private/serverkey.pem:/etc/pki/libvirt/private/serverkey.pem:ro
- /etc/pki/libvirt/clientcert.pem:/etc/pki/libvirt/clientcert.pem:ro - /etc/pki/libvirt/clientcert.pem:/etc/pki/libvirt/clientcert.pem:ro
- /etc/pki/libvirt/private/clientkey.pem:/etc/pki/libvirt/private/clientkey.pem:ro - /etc/pki/libvirt/private/clientkey.pem:/etc/pki/libvirt/private/clientkey.pem:ro
- null - null
-
if:
- use_tls_for_vnc
-
- str_replace:
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
- null
environment: environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
step_4: step_4:
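Review bot: The LibvirtVncCACert description says the chosen CA file "will be symlinked to the default CA path, which is /etc/pki/libvirt-vnc/ca-cert.pem", but in this container the file is bind-mounted read-only at that path by the new `str_replace` volume entry with template `"CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"`; suggest `This file will be mounted read-only at the default CA path, which is /etc/pki/libvirt-vnc/ca-cert.pem.` so the description matches what the template does. The same description text, and the typo `transaport` in the UseTLSTransportForVnc description, are duplicated in the nova-vnc-proxy container template and in both puppet templates further down, so the wording should be fixed in all four places. The description's "current default reflects TripleO's default CA" refers to the InternalTLSVncCAFile fallback rather than to this parameter's empty default; a short clause saying "when left empty, InternalTLSVncCAFile is used" would make that explicit.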


@ -40,6 +40,46 @@ parameters:
default: false default: false
description: Remove package if the service is being disabled during upgrade description: Remove package if the service is being disabled during upgrade
type: boolean type: boolean
EnableInternalTLS:
type: boolean
default: false
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSVncCAFile:
default: '/etc/ipa/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
conditions:
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
resources: resources:
@ -119,8 +159,25 @@ outputs:
- -
- /var/lib/kolla/config_files/nova_vnc_proxy.json:/var/lib/kolla/config_files/config.json:ro - /var/lib/kolla/config_files/nova_vnc_proxy.json:/var/lib/kolla/config_files/config.json:ro
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro - /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
-
if:
- use_tls_for_vnc
-
- str_replace:
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
params:
CACERT:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
- /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
- /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
- null
environment: environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
metadata_settings:
get_attr: [NovaVncProxyPuppetBase, role_data, metadata_settings]
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]} host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
upgrade_tasks: upgrade_tasks:
- name: Check if nova vncproxy is deployed - name: Check if nova vncproxy is deployed
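Review bot: The new `EnableInternalTLS` parameter is declared with only a type and default, while every other parameter added in this hunk carries a description; the same bare declaration is repeated in the puppet nova-vnc-proxy template below. Suggest adding `description: Whether to enable TLS on the internal network. When true together with UseTLSTransportForVnc, the proxy uses vencrypt with the client certificate and key mounted below.` (wording to be aligned with how this parameter is described in the other templates that already declare it). The `use_tls_for_vnc` and `libvirt_vnc_specific_ca_unset` conditions are copied verbatim from nova-libvirt.yaml, which is expected for Heat templates but means the CA selection logic now lives in four files and must be kept in sync.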


@ -58,12 +58,6 @@ parameters:
constraints: constraints:
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE'] - allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
default: '' default: ''
# NOTE(jaosorior): This is being set as IPA as it's the first
# CA we'll actually be testing out. But we can change this if
# people request it.
CertmongerCA:
type: string
default: 'IPA'
EnableInternalTLS: EnableInternalTLS:
type: boolean type: boolean
default: false default: false
@ -75,7 +69,6 @@ parameters:
type: string type: string
{%- endfor %} {%- endfor %}
resources: resources:
allNodesConfigImpl: allNodesConfigImpl:
@ -213,8 +206,6 @@ resources:
cloud_name_{{network.name_lower}}: {get_param: cloud_name_{{network.name_lower}}} cloud_name_{{network.name_lower}}: {get_param: cloud_name_{{network.name_lower}}}
{%- endfor %} {%- endfor %}
cloud_name_ctlplane: {get_param: cloud_name_ctlplane} cloud_name_ctlplane: {get_param: cloud_name_ctlplane}
# TLS parameters
certmonger_ca: {get_param: CertmongerCA}
enable_internal_tls: {get_param: EnableInternalTLS} enable_internal_tls: {get_param: EnableInternalTLS}
outputs: outputs:


@ -37,6 +37,17 @@ parameters:
default: 'http://ipa-ca/ipa/crl/MasterCRL.bin' default: 'http://ipa-ca/ipa/crl/MasterCRL.bin'
description: URI where to get the CRL to be configured in the nodes. description: URI where to get the CRL to be configured in the nodes.
type: string type: string
# NOTE(jaosorior): This is being set as IPA as it's the first
# CA we'll actually be testing out. But we can change this if
# people request it.
CertmongerCA:
type: string
default: 'IPA'
# TODO: default to a dedicated CA once the ipa sub-CA setup has been
# automated and upgrades are addressed
CertmongerVncCA:
type: string
default: 'IPA'
conditions: conditions:
@ -48,10 +59,11 @@ outputs:
value: value:
service_name: certmonger_user service_name: certmonger_user
config_settings: config_settings:
tripleo::certmonger::ca::crl::crl_source:
if: if:
- internal_tls_enabled - internal_tls_enabled
- {get_param: DefaultCRLURL} - tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
- null certmonger_ca: {get_param: CertmongerCA}
certmonger_ca_vnc: {get_param: CertmongerVncCA}
- {}
step_config: | step_config: |
include ::tripleo::profile::base::certmonger_user include ::tripleo::profile::base::certmonger_user
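Review bot: `certmonger_ca` is now only emitted into config_settings when `internal_tls_enabled` is true (the whole mapping is inside the `if`, with `{}` as the else branch), whereas the line removed from the all-nodes config above set `certmonger_ca: {get_param: CertmongerCA}` unconditionally; if any puppet profile reads `certmonger_ca` for certificates unrelated to internal TLS, this is a behaviour change on deployments with EnableInternalTLS false — confirm no such consumer exists. The new `CertmongerVncCA` parameter, like `CertmongerCA`, has no description, and the TODO above it does not say what value an operator is expected to supply when a dedicated sub-CA is in use; suggest `description: Name of the certmonger CA used to issue the libvirt VNC certificates; set to a dedicated IPA sub-CA to restrict which certificates can authenticate to the VNC servers.` The `conditions:` block this hunk references starts outside the hunk.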


@ -75,13 +75,22 @@ parameters:
default: true default: true
description: If set to true and if EnableInternalTLS is enabled, it will description: If set to true and if EnableInternalTLS is enabled, it will
set the libvirt URI's transport to tls and configure the set the libvirt URI's transport to tls and configure the
relevant keys for libvirt. NOTE. this is currently being relevant keys for libvirt.
ignored and TLS for libvirtd is always disabled for now. UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSCAFile: InternalTLSCAFile:
default: '/etc/ipa/ca.crt' default: '/etc/ipa/ca.crt'
type: string type: string
description: Specifies the default CA cert to use if TLS is used for description: Specifies the default CA cert to use if TLS is used for
services in the internal network. services in the internal network.
InternalTLSVncCAFile:
default: '/etc/ipa/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtCACert: LibvirtCACert:
type: string type: string
default: '' default: ''
@ -94,6 +103,16 @@ parameters:
the InternalTLSCAFile parameter) is not desired. The current the InternalTLSCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA. default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled. It will only be used if internal TLS is enabled.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
MigrationSshKey: MigrationSshKey:
type: json type: json
description: > description: >
@ -128,6 +147,21 @@ conditions:
- {get_param: LibvirtCACert} - {get_param: LibvirtCACert}
- '' - ''
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
resources: resources:
NovaBase: NovaBase:
type: ./nova-base.yaml type: ./nova-base.yaml
@ -234,13 +268,54 @@ outputs:
params: params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {} - {}
-
if:
- use_tls_for_vnc
-
nova::compute::libvirt::qemu::vnc_tls: true
nova::compute::libvirt::qemu::vnc_tls_verify: true
generate_service_certificates: true
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
libvirt_vnc_certificates_specs:
libvirt-vnc-server-cert:
cacertfile:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- null
service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
service_key: '/etc/pki/libvirt-vnc/server-key.pem'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {}
step_config: | step_config: |
include tripleo::profile::base::nova::libvirt include tripleo::profile::base::nova::libvirt
metadata_settings: metadata_settings:
if: list_concat:
- if:
- use_tls_for_live_migration - use_tls_for_live_migration
- -
- service: libvirt - service: libvirt
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node type: node
- null - null
- if:
- use_tls_for_vnc
-
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null
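Review bot: `nova::compute::libvirt::qemu::vnc_tls_verify: true` makes qemu require a client certificate, but it trusts any certificate chaining to `/etc/pki/libvirt-vnc/ca-cert.pem`, which by default (libvirt_vnc_specific_ca_unset) is InternalTLSVncCAFile — the CA every other internal-TLS service certificate is issued from; with the default CA, any internal-TLS host certificate in the deployment is an acceptable VNC client, and only the dedicated sub-CA the commit message mentions narrows that. Since the TODO in certmonger-user.yaml defers the sub-CA default, the UseTLSTransportForVnc or LibvirtVncCACert description should state this, e.g. `Any certificate issued by the configured VNC CA is accepted as a VNC client; use a dedicated sub-CA to restrict access.` The `cacertfile` for the server cert spec is set only when no specific CA is given and is `null` otherwise, so when LibvirtVncCACert is set, certmonger is not asked to write a CA file and the operator-supplied file is relied on via origin_ca_pem; that dependency is worth a comment next to `cacertfile`. The `config_settings` mapping this hunk extends starts outside the hunk.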


@ -30,6 +30,14 @@ parameters:
description: Mapping of service endpoint -> protocol. Typically set description: Mapping of service endpoint -> protocol. Typically set
via parameter_defaults in the resource registry. via parameter_defaults in the resource registry.
type: json type: json
StackUpdateType:
type: string
description: >
Type of update, to differentiate between UPGRADE and UPDATE cases
when StackAction is UPDATE (both are the same stack action).
constraints:
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
default: ''
MonitoringSubscriptionNovaVNCProxy: MonitoringSubscriptionNovaVNCProxy:
default: 'overcloud-nova-vncproxy' default: 'overcloud-nova-vncproxy'
type: string type: string
@ -38,6 +46,50 @@ parameters:
default: default:
tag: openstack.nova.vncproxy tag: openstack.nova.vncproxy
path: /var/log/nova/nova-vncproxy.log path: /var/log/nova/nova-vncproxy.log
EnableInternalTLS:
type: boolean
default: false
UseTLSTransportForVnc:
type: boolean
default: true
description: If set to true and if EnableInternalTLS is enabled, it will
enable TLS transaport for libvirt VNC and configure the
relevant keys for libvirt.
InternalTLSVncCAFile:
default: '/etc/ipa/vnc.crt'
type: string
description: Specifies the CA cert to use for VNC TLS.
LibvirtVncCACert:
type: string
default: ''
description: This specifies the CA certificate to use for VNC TLS.
This file will be symlinked to the default CA path,
which is /etc/pki/libvirt-vnc/ca-cert.pem.
This parameter should be used if the default (which comes from
the InternalTLSVncCAFile parameter) is not desired. The current
default reflects TripleO's default CA, which is FreeIPA.
It will only be used if internal TLS is enabled.
conditions:
use_tls_for_vnc:
and:
- equals:
- {get_param: EnableInternalTLS}
- true
- equals:
- {get_param: UseTLSTransportForVnc}
- true
libvirt_vnc_specific_ca_unset:
equals:
- {get_param: LibvirtVncCACert}
- ''
allow_noauth:
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
equals: [{get_param: StackUpdateType}, 'UPGRADE']
resources: resources:
NovaBase: NovaBase:
@ -74,6 +126,43 @@ outputs:
dport: dport:
- 6080 - 6080
- 13080 - 13080
-
if:
- use_tls_for_vnc
-
nova::vncproxy::allow_vencrypt: true
nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]}
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
generate_service_certificates: true
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- get_param: LibvirtVncCACert
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
libvirt_vnc_certificates_specs:
libvirt-vnc-client-cert:
cacertfile:
if:
- libvirt_vnc_specific_ca_unset
- get_param: InternalTLSVncCAFile
- null
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
service_key: '/etc/pki/libvirt-vnc/client-key.pem'
notify_service: '%{::nova::params::vncproxy_service_name}'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
principal:
str_replace:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
- {}
service_config_settings: service_config_settings:
fluentd: fluentd:
tripleo_fluentd_groups_nova_vnc_proxy: tripleo_fluentd_groups_nova_vnc_proxy:
@ -86,3 +175,11 @@ outputs:
- name: Stop nova_vnc_proxy service - name: Stop nova_vnc_proxy service
when: step|int == 1 when: step|int == 1
service: name=openstack-nova-consoleauth state=stopped service: name=openstack-nova-consoleauth state=stopped
metadata_settings:
if:
- use_tls_for_vnc
-
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- null
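Review bot: `nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem` is read by the nova-novncproxy process, but unlike the server key in nova-libvirt.yaml (which gets an explicit `owner: root:qemu` / `perm: '0640'` entry) nothing in this hunk sets the ownership or mode of the client key, so whether the nova user can read it — and whether other local users cannot — depends on what certmonger and the libvirt_vnc_dirs profile from the Depends-On change do; a comment on `service_key` stating which component is responsible for the key's permissions, or an explicit permissions entry, would make this checkable. `allow_noauth` matches only `'UPGRADE'` while StackUpdateType's allowed values also include `'FASTFORWARDUPGRADE'`; if the no-auth fallback is needed for mixed-version computes during any upgrade path, the condition should cover both, otherwise the comment should say why FFU is excluded. The `config_settings` list this hunk appends to starts outside the hunk.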


@ -0,0 +1,8 @@
---
features:
- |
If TLS on the internal network is enabled, the nova-novnc to libvirt vnc
transport defaults to using TLS. This can be changed by setting the
``UseTLSTransportForVnc`` parameter, which is ``true`` by default.
A dedicated IPA sub-CA can be specified by the ``LibvirtVncCACert``
parameter. By default the main IPA CA will be used.