Add support for libvirt VNC TLS
Configures the certs/key for nova-novnc vencrypt when TLS is enabled on the internal network. A dedicated IPA sub-CA can be used to restrict access; by default, however, the main IPA CA is used. Depends-On: Ic73bcbdbecc1bc05f43acdd5480370f37ead3fb8 Change-Id: I67ffd847dc2d1949833a9d7039ad51e4364e02da
This commit is contained in:
parent
c96b58c028
commit
37a339d2b0
|
@ -46,8 +46,7 @@ parameters:
|
||||||
default: true
|
default: true
|
||||||
description: If set to true and if EnableInternalTLS is enabled, it will
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
||||||
set the libvirt URI's transport to tls and configure the
|
set the libvirt URI's transport to tls and configure the
|
||||||
relevant keys for libvirt. NOTE. this is currently being
|
relevant keys for libvirt.
|
||||||
ignored and TLS for libvirtd is always disabled for now.
|
|
||||||
DockerNovaMigrationSshdPort:
|
DockerNovaMigrationSshdPort:
|
||||||
default: 2022
|
default: 2022
|
||||||
description: Port that dockerized nova migration target sshd service
|
description: Port that dockerized nova migration target sshd service
|
||||||
|
@ -80,6 +79,44 @@ parameters:
|
||||||
description: >
|
description: >
|
||||||
The Ceph cluster name must be at least 1 character and contain only
|
The Ceph cluster name must be at least 1 character and contain only
|
||||||
letters and numbers.
|
letters and numbers.
|
||||||
|
UseTLSTransportForVnc:
|
||||||
|
type: boolean
|
||||||
|
default: true
|
||||||
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
||||||
|
enable TLS transaport for libvirt VNC and configure the
|
||||||
|
relevant keys for libvirt.
|
||||||
|
InternalTLSCAFile:
|
||||||
|
default: '/etc/ipa/ca.crt'
|
||||||
|
type: string
|
||||||
|
description: Specifies the default CA cert to use if TLS is used for
|
||||||
|
services in the internal network.
|
||||||
|
InternalTLSVncCAFile:
|
||||||
|
default: '/etc/ipa/vnc.crt'
|
||||||
|
type: string
|
||||||
|
description: Specifies the CA cert to use for VNC TLS.
|
||||||
|
LibvirtCACert:
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
description: This specifies the CA certificate to use for TLS in libvirt.
|
||||||
|
This file will be symlinked to the default CA path in libvirt,
|
||||||
|
which is /etc/pki/CA/cacert.pem. Note that due to limitations
|
||||||
|
GNU TLS, which is the TLS backend for libvirt, the file must
|
||||||
|
be less than 65K (so we can't use the system's CA bundle).
|
||||||
|
This parameter should be used if the default (which comes from
|
||||||
|
the InternalTLSCAFile parameter) is not desired. The current
|
||||||
|
default reflects TripleO's default CA, which is FreeIPA.
|
||||||
|
It will only be used if internal TLS is enabled.
|
||||||
|
LibvirtVncCACert:
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
description: This specifies the CA certificate to use for VNC TLS.
|
||||||
|
This file will be symlinked to the default CA path,
|
||||||
|
which is /etc/pki/libvirt-vnc/ca-cert.pem.
|
||||||
|
This parameter should be used if the default (which comes from
|
||||||
|
the InternalTLSVncCAFile parameter) is not desired. The current
|
||||||
|
default reflects TripleO's default CA, which is FreeIPA.
|
||||||
|
It will only be used if internal TLS is enabled.
|
||||||
|
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
|
||||||
|
@ -92,6 +129,11 @@ conditions:
|
||||||
- {get_param: UseTLSTransportForLiveMigration}
|
- {get_param: UseTLSTransportForLiveMigration}
|
||||||
- true
|
- true
|
||||||
|
|
||||||
|
libvirt_specific_ca_unset:
|
||||||
|
equals:
|
||||||
|
- {get_param: LibvirtCACert}
|
||||||
|
- ''
|
||||||
|
|
||||||
need_libvirt_secret:
|
need_libvirt_secret:
|
||||||
or:
|
or:
|
||||||
- equals:
|
- equals:
|
||||||
|
@ -101,6 +143,21 @@ conditions:
|
||||||
- {get_param: CinderEnableRbdBackend}
|
- {get_param: CinderEnableRbdBackend}
|
||||||
- true
|
- true
|
||||||
|
|
||||||
|
use_tls_for_vnc:
|
||||||
|
and:
|
||||||
|
- equals:
|
||||||
|
- {get_param: EnableInternalTLS}
|
||||||
|
- true
|
||||||
|
- equals:
|
||||||
|
- {get_param: UseTLSTransportForVnc}
|
||||||
|
- true
|
||||||
|
|
||||||
|
libvirt_vnc_specific_ca_unset:
|
||||||
|
equals:
|
||||||
|
- {get_param: LibvirtVncCACert}
|
||||||
|
- ''
|
||||||
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
ContainersCommon:
|
ContainersCommon:
|
||||||
|
@ -152,6 +209,8 @@ outputs:
|
||||||
- /usr/sbin/libvirtd --listen
|
- /usr/sbin/libvirtd --listen
|
||||||
- /usr/sbin/libvirtd
|
- /usr/sbin/libvirtd
|
||||||
config_files:
|
config_files:
|
||||||
|
list_concat:
|
||||||
|
-
|
||||||
- source: "/var/lib/kolla/config_files/src/*"
|
- source: "/var/lib/kolla/config_files/src/*"
|
||||||
dest: "/"
|
dest: "/"
|
||||||
merge: true
|
merge: true
|
||||||
|
@ -160,7 +219,17 @@ outputs:
|
||||||
dest: "/etc/ceph/"
|
dest: "/etc/ceph/"
|
||||||
merge: true
|
merge: true
|
||||||
preserve_properties: true
|
preserve_properties: true
|
||||||
|
- if:
|
||||||
|
- use_tls_for_vnc
|
||||||
|
-
|
||||||
|
- source: /var/lib/kolla/config_files/src-libvirt-vnc-pki/server-*.pem
|
||||||
|
dest: /etc/pki/libvirt-vnc/
|
||||||
|
merge: true
|
||||||
|
preserve_properties: true
|
||||||
|
- null
|
||||||
permissions:
|
permissions:
|
||||||
|
list_concat:
|
||||||
|
-
|
||||||
- path:
|
- path:
|
||||||
str_replace:
|
str_replace:
|
||||||
template: /etc/ceph/CLUSTER.client.USER.keyring
|
template: /etc/ceph/CLUSTER.client.USER.keyring
|
||||||
|
@ -169,6 +238,13 @@ outputs:
|
||||||
USER: {get_param: CephClientUserName}
|
USER: {get_param: CephClientUserName}
|
||||||
owner: nova:nova
|
owner: nova:nova
|
||||||
perm: '0600'
|
perm: '0600'
|
||||||
|
- if:
|
||||||
|
- use_tls_for_vnc
|
||||||
|
-
|
||||||
|
- path: /etc/pki/libvirt-vnc/server-key.pem
|
||||||
|
owner: root:qemu
|
||||||
|
perm: '0640'
|
||||||
|
- null
|
||||||
/var/lib/kolla/config_files/nova_virtlogd.json:
|
/var/lib/kolla/config_files/nova_virtlogd.json:
|
||||||
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
|
command: /usr/sbin/virtlogd --config /etc/libvirt/virtlogd.conf
|
||||||
config_files:
|
config_files:
|
||||||
|
@ -232,12 +308,33 @@ outputs:
|
||||||
if:
|
if:
|
||||||
- use_tls_for_live_migration
|
- use_tls_for_live_migration
|
||||||
-
|
-
|
||||||
- /etc/ipa/ca.crt:/etc/pki/CA/cacert.pem:ro
|
- str_replace:
|
||||||
|
template: "CACERT:/etc/pki/CA/cacert.pem:ro"
|
||||||
|
params:
|
||||||
|
CACERT:
|
||||||
|
if:
|
||||||
|
- libvirt_specific_ca_unset
|
||||||
|
- get_param: InternalTLSCAFile
|
||||||
|
- get_param: LibvirtCACert
|
||||||
- /etc/pki/libvirt/servercert.pem:/etc/pki/libvirt/servercert.pem:ro
|
- /etc/pki/libvirt/servercert.pem:/etc/pki/libvirt/servercert.pem:ro
|
||||||
- /etc/pki/libvirt/private/serverkey.pem:/etc/pki/libvirt/private/serverkey.pem:ro
|
- /etc/pki/libvirt/private/serverkey.pem:/etc/pki/libvirt/private/serverkey.pem:ro
|
||||||
- /etc/pki/libvirt/clientcert.pem:/etc/pki/libvirt/clientcert.pem:ro
|
- /etc/pki/libvirt/clientcert.pem:/etc/pki/libvirt/clientcert.pem:ro
|
||||||
- /etc/pki/libvirt/private/clientkey.pem:/etc/pki/libvirt/private/clientkey.pem:ro
|
- /etc/pki/libvirt/private/clientkey.pem:/etc/pki/libvirt/private/clientkey.pem:ro
|
||||||
- null
|
- null
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- use_tls_for_vnc
|
||||||
|
-
|
||||||
|
- str_replace:
|
||||||
|
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
||||||
|
params:
|
||||||
|
CACERT:
|
||||||
|
if:
|
||||||
|
- libvirt_vnc_specific_ca_unset
|
||||||
|
- get_param: InternalTLSVncCAFile
|
||||||
|
- get_param: LibvirtVncCACert
|
||||||
|
- /etc/pki/libvirt-vnc:/var/lib/kolla/config_files/src-libvirt-vnc-pki:ro
|
||||||
|
- null
|
||||||
environment:
|
environment:
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
step_4:
|
step_4:
|
||||||
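Review bot: `InternalTLSVncCAFile` defaults to `'/etc/ipa/vnc.crt'` (L119) and is what ends up bind-mounted as `/etc/pki/libvirt-vnc/ca-cert.pem` whenever `LibvirtVncCACert` is left empty (L651-L675), but nothing in this change shows which component writes `/etc/ipa/vnc.crt`, while the commit message says the main IPA CA — whose cert the existing `InternalTLSCAFile` default locates at `/etc/ipa/ca.crt` — is used by default. If that file is absent on a default deployment the bind mount would presumably fail or produce an empty directory and VNC TLS would have no trust anchor, so the parameter description should state which component is expected to provide the file and what an operator must set when `CertmongerVncCA` is changed. Separately, the `UseTLSTransportForVnc` description at L87 misspells "transport" as `transaport`; the same text recurs in the docker nova-vnc-proxy, puppet nova-libvirt and puppet nova-vncproxy sections. The `parameters` and `outputs` mappings these hunks extend begin outside the hunks.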
|
|
|
@ -40,6 +40,46 @@ parameters:
|
||||||
default: false
|
default: false
|
||||||
description: Remove package if the service is being disabled during upgrade
|
description: Remove package if the service is being disabled during upgrade
|
||||||
type: boolean
|
type: boolean
|
||||||
|
EnableInternalTLS:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
UseTLSTransportForVnc:
|
||||||
|
type: boolean
|
||||||
|
default: true
|
||||||
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
||||||
|
enable TLS transaport for libvirt VNC and configure the
|
||||||
|
relevant keys for libvirt.
|
||||||
|
InternalTLSVncCAFile:
|
||||||
|
default: '/etc/ipa/vnc.crt'
|
||||||
|
type: string
|
||||||
|
description: Specifies the CA cert to use for VNC TLS.
|
||||||
|
LibvirtVncCACert:
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
description: This specifies the CA certificate to use for VNC TLS.
|
||||||
|
This file will be symlinked to the default CA path,
|
||||||
|
which is /etc/pki/libvirt-vnc/ca-cert.pem.
|
||||||
|
This parameter should be used if the default (which comes from
|
||||||
|
the InternalTLSVncCAFile parameter) is not desired. The current
|
||||||
|
default reflects TripleO's default CA, which is FreeIPA.
|
||||||
|
It will only be used if internal TLS is enabled.
|
||||||
|
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
use_tls_for_vnc:
|
||||||
|
and:
|
||||||
|
- equals:
|
||||||
|
- {get_param: EnableInternalTLS}
|
||||||
|
- true
|
||||||
|
- equals:
|
||||||
|
- {get_param: UseTLSTransportForVnc}
|
||||||
|
- true
|
||||||
|
|
||||||
|
libvirt_vnc_specific_ca_unset:
|
||||||
|
equals:
|
||||||
|
- {get_param: LibvirtVncCACert}
|
||||||
|
- ''
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
|
@ -119,8 +159,25 @@ outputs:
|
||||||
-
|
-
|
||||||
- /var/lib/kolla/config_files/nova_vnc_proxy.json:/var/lib/kolla/config_files/config.json:ro
|
- /var/lib/kolla/config_files/nova_vnc_proxy.json:/var/lib/kolla/config_files/config.json:ro
|
||||||
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
|
- /var/lib/config-data/puppet-generated/nova/:/var/lib/kolla/config_files/src:ro
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- use_tls_for_vnc
|
||||||
|
-
|
||||||
|
- str_replace:
|
||||||
|
template: "CACERT:/etc/pki/libvirt-vnc/ca-cert.pem:ro"
|
||||||
|
params:
|
||||||
|
CACERT:
|
||||||
|
if:
|
||||||
|
- libvirt_vnc_specific_ca_unset
|
||||||
|
- get_param: InternalTLSVncCAFile
|
||||||
|
- get_param: LibvirtVncCACert
|
||||||
|
- /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
|
||||||
|
- /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
|
||||||
|
- null
|
||||||
environment:
|
environment:
|
||||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
|
||||||
|
metadata_settings:
|
||||||
|
get_attr: [NovaVncProxyPuppetBase, role_data, metadata_settings]
|
||||||
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
|
host_prep_tasks: {get_attr: [NovaLogging, host_prep_tasks]}
|
||||||
upgrade_tasks:
|
upgrade_tasks:
|
||||||
- name: Check if nova vncproxy is deployed
|
- name: Check if nova vncproxy is deployed
|
||||||
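Review bot: `/etc/pki/libvirt-vnc/client-key.pem` is bind-mounted into the nova_vnc_proxy container (L961) without any accompanying `permissions` entry, whereas the nova_libvirt section explicitly restricts `server-key.pem` to `owner: root:qemu`, `perm: '0640'` (L523-L531). Whether the nova user inside the container can read the client key, and whether the key is readable by more on the host than it needs to be, therefore depends on what certmonger writes, which is not visible here. A matching entry such as `- path: /etc/pki/libvirt-vnc/client-key.pem`, `owner: root:nova`, `perm: '0640'` in the nova_vnc_proxy.json `permissions` list would pin that down; that list, if it exists, and the container's `config_files` block lie outside this hunk.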
|
|
|
@ -58,12 +58,6 @@ parameters:
|
||||||
constraints:
|
constraints:
|
||||||
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
|
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
|
||||||
default: ''
|
default: ''
|
||||||
# NOTE(jaosorior): This is being set as IPA as it's the first
|
|
||||||
# CA we'll actually be testing out. But we can change this if
|
|
||||||
# people request it.
|
|
||||||
CertmongerCA:
|
|
||||||
type: string
|
|
||||||
default: 'IPA'
|
|
||||||
EnableInternalTLS:
|
EnableInternalTLS:
|
||||||
type: boolean
|
type: boolean
|
||||||
default: false
|
default: false
|
||||||
|
@ -75,7 +69,6 @@ parameters:
|
||||||
type: string
|
type: string
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
|
|
||||||
allNodesConfigImpl:
|
allNodesConfigImpl:
|
||||||
|
@ -213,8 +206,6 @@ resources:
|
||||||
cloud_name_{{network.name_lower}}: {get_param: cloud_name_{{network.name_lower}}}
|
cloud_name_{{network.name_lower}}: {get_param: cloud_name_{{network.name_lower}}}
|
||||||
{%- endfor %}
|
{%- endfor %}
|
||||||
cloud_name_ctlplane: {get_param: cloud_name_ctlplane}
|
cloud_name_ctlplane: {get_param: cloud_name_ctlplane}
|
||||||
# TLS parameters
|
|
||||||
certmonger_ca: {get_param: CertmongerCA}
|
|
||||||
enable_internal_tls: {get_param: EnableInternalTLS}
|
enable_internal_tls: {get_param: EnableInternalTLS}
|
||||||
|
|
||||||
outputs:
|
outputs:
|
||||||
|
|
|
@ -37,6 +37,17 @@ parameters:
|
||||||
default: 'http://ipa-ca/ipa/crl/MasterCRL.bin'
|
default: 'http://ipa-ca/ipa/crl/MasterCRL.bin'
|
||||||
description: URI where to get the CRL to be configured in the nodes.
|
description: URI where to get the CRL to be configured in the nodes.
|
||||||
type: string
|
type: string
|
||||||
|
# NOTE(jaosorior): This is being set as IPA as it's the first
|
||||||
|
# CA we'll actually be testing out. But we can change this if
|
||||||
|
# people request it.
|
||||||
|
CertmongerCA:
|
||||||
|
type: string
|
||||||
|
default: 'IPA'
|
||||||
|
# TODO: default to a dedicated CA once the ipa sub-CA setup has been
|
||||||
|
# automated and upgrades are addressed
|
||||||
|
CertmongerVncCA:
|
||||||
|
type: string
|
||||||
|
default: 'IPA'
|
||||||
|
|
||||||
conditions:
|
conditions:
|
||||||
|
|
||||||
|
@ -48,10 +59,11 @@ outputs:
|
||||||
value:
|
value:
|
||||||
service_name: certmonger_user
|
service_name: certmonger_user
|
||||||
config_settings:
|
config_settings:
|
||||||
tripleo::certmonger::ca::crl::crl_source:
|
|
||||||
if:
|
if:
|
||||||
- internal_tls_enabled
|
- internal_tls_enabled
|
||||||
- {get_param: DefaultCRLURL}
|
- tripleo::certmonger::ca::crl::crl_source: {get_param: DefaultCRLURL}
|
||||||
- null
|
certmonger_ca: {get_param: CertmongerCA}
|
||||||
|
certmonger_ca_vnc: {get_param: CertmongerVncCA}
|
||||||
|
- {}
|
||||||
step_config: |
|
step_config: |
|
||||||
include ::tripleo::profile::base::certmonger_user
|
include ::tripleo::profile::base::certmonger_user
|
||||||
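Review bot: Neither the moved `CertmongerCA` (L1168) nor the new `CertmongerVncCA` (L1188) has a `description:`, yet the latter is the knob the commit message describes as restricting access: as far as this change shows, with `vnc_tls_verify` enabled in the puppet nova-libvirt section the VNC server accepts any client certificate that chains to the configured CA, so the default `'IPA'` trusts every certificate the main IPA CA has issued while a dedicated sub-CA narrows that to certificates it issued itself. Suggest `description: Certmonger CA used to issue the libvirt VNC server and client certificates. With the default 'IPA' (the main CA) any certificate issued by that CA is accepted by the VNC server; point this at a dedicated sub-CA to restrict access.` Also, `certmonger_ca` used to be exported unconditionally from all-nodes-config but is now only set under `internal_tls_enabled` (L1250); if anything consumes that hiera key with internal TLS disabled, confirm the puppet-side default is acceptable.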
|
|
|
@ -75,13 +75,22 @@ parameters:
|
||||||
default: true
|
default: true
|
||||||
description: If set to true and if EnableInternalTLS is enabled, it will
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
||||||
set the libvirt URI's transport to tls and configure the
|
set the libvirt URI's transport to tls and configure the
|
||||||
relevant keys for libvirt. NOTE. this is currently being
|
relevant keys for libvirt.
|
||||||
ignored and TLS for libvirtd is always disabled for now.
|
UseTLSTransportForVnc:
|
||||||
|
type: boolean
|
||||||
|
default: true
|
||||||
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
||||||
|
enable TLS transaport for libvirt VNC and configure the
|
||||||
|
relevant keys for libvirt.
|
||||||
InternalTLSCAFile:
|
InternalTLSCAFile:
|
||||||
default: '/etc/ipa/ca.crt'
|
default: '/etc/ipa/ca.crt'
|
||||||
type: string
|
type: string
|
||||||
description: Specifies the default CA cert to use if TLS is used for
|
description: Specifies the default CA cert to use if TLS is used for
|
||||||
services in the internal network.
|
services in the internal network.
|
||||||
|
InternalTLSVncCAFile:
|
||||||
|
default: '/etc/ipa/vnc.crt'
|
||||||
|
type: string
|
||||||
|
description: Specifies the CA cert to use for VNC TLS.
|
||||||
LibvirtCACert:
|
LibvirtCACert:
|
||||||
type: string
|
type: string
|
||||||
default: ''
|
default: ''
|
||||||
|
@ -94,6 +103,16 @@ parameters:
|
||||||
the InternalTLSCAFile parameter) is not desired. The current
|
the InternalTLSCAFile parameter) is not desired. The current
|
||||||
default reflects TripleO's default CA, which is FreeIPA.
|
default reflects TripleO's default CA, which is FreeIPA.
|
||||||
It will only be used if internal TLS is enabled.
|
It will only be used if internal TLS is enabled.
|
||||||
|
LibvirtVncCACert:
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
description: This specifies the CA certificate to use for VNC TLS.
|
||||||
|
This file will be symlinked to the default CA path,
|
||||||
|
which is /etc/pki/libvirt-vnc/ca-cert.pem.
|
||||||
|
This parameter should be used if the default (which comes from
|
||||||
|
the InternalTLSVncCAFile parameter) is not desired. The current
|
||||||
|
default reflects TripleO's default CA, which is FreeIPA.
|
||||||
|
It will only be used if internal TLS is enabled.
|
||||||
MigrationSshKey:
|
MigrationSshKey:
|
||||||
type: json
|
type: json
|
||||||
description: >
|
description: >
|
||||||
|
@ -128,6 +147,21 @@ conditions:
|
||||||
- {get_param: LibvirtCACert}
|
- {get_param: LibvirtCACert}
|
||||||
- ''
|
- ''
|
||||||
|
|
||||||
|
use_tls_for_vnc:
|
||||||
|
and:
|
||||||
|
- equals:
|
||||||
|
- {get_param: EnableInternalTLS}
|
||||||
|
- true
|
||||||
|
- equals:
|
||||||
|
- {get_param: UseTLSTransportForVnc}
|
||||||
|
- true
|
||||||
|
|
||||||
|
libvirt_vnc_specific_ca_unset:
|
||||||
|
equals:
|
||||||
|
- {get_param: LibvirtVncCACert}
|
||||||
|
- ''
|
||||||
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
NovaBase:
|
NovaBase:
|
||||||
type: ./nova-base.yaml
|
type: ./nova-base.yaml
|
||||||
|
@ -234,13 +268,54 @@ outputs:
|
||||||
params:
|
params:
|
||||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
- {}
|
- {}
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- use_tls_for_vnc
|
||||||
|
-
|
||||||
|
nova::compute::libvirt::qemu::vnc_tls: true
|
||||||
|
nova::compute::libvirt::qemu::vnc_tls_verify: true
|
||||||
|
generate_service_certificates: true
|
||||||
|
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
|
||||||
|
if:
|
||||||
|
- libvirt_vnc_specific_ca_unset
|
||||||
|
- get_param: InternalTLSVncCAFile
|
||||||
|
- get_param: LibvirtVncCACert
|
||||||
|
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
|
||||||
|
libvirt_vnc_certificates_specs:
|
||||||
|
libvirt-vnc-server-cert:
|
||||||
|
cacertfile:
|
||||||
|
if:
|
||||||
|
- libvirt_vnc_specific_ca_unset
|
||||||
|
- get_param: InternalTLSVncCAFile
|
||||||
|
- null
|
||||||
|
service_certificate: '/etc/pki/libvirt-vnc/server-cert.pem'
|
||||||
|
service_key: '/etc/pki/libvirt-vnc/server-key.pem'
|
||||||
|
hostname:
|
||||||
|
str_replace:
|
||||||
|
template: "%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
principal:
|
||||||
|
str_replace:
|
||||||
|
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
- {}
|
||||||
step_config: |
|
step_config: |
|
||||||
include tripleo::profile::base::nova::libvirt
|
include tripleo::profile::base::nova::libvirt
|
||||||
metadata_settings:
|
metadata_settings:
|
||||||
if:
|
list_concat:
|
||||||
|
- if:
|
||||||
- use_tls_for_live_migration
|
- use_tls_for_live_migration
|
||||||
-
|
-
|
||||||
- service: libvirt
|
- service: libvirt
|
||||||
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
type: node
|
type: node
|
||||||
- null
|
- null
|
||||||
|
- if:
|
||||||
|
- use_tls_for_vnc
|
||||||
|
-
|
||||||
|
- service: libvirt-vnc
|
||||||
|
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
type: node
|
||||||
|
- null
|
||||||
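Review bot: The `UseTLSTransportForVnc` description (L1311-L1319) only says it enables TLS transport (misspelt `transaport`) and configures keys, but the hunk also sets `nova::compute::libvirt::qemu::vnc_tls_verify: true` (L1581), i.e. it makes the libvirt VNC server verify the client certificate, which is the part an operator turning the flag off or choosing a CA needs to know about. Suggest `description: If set to true and if EnableInternalTLS is enabled, it will enable TLS transport for libvirt VNC, require client certificate verification (vnc_tls_verify) and configure the relevant keys for libvirt.`; the same description text is duplicated in the docker nova-libvirt, docker nova-vnc-proxy and puppet nova-vncproxy sections. Also, `cacertfile` in `libvirt_vnc_certificates_specs` becomes `null` whenever `LibvirtVncCACert` is set (L1621-L1637) while `origin_ca_pem` switches to that file; if the asymmetry is deliberate, a one-line comment explaining why certmonger does not need the operator-supplied CA there would help. The `config_settings` list these entries extend begins outside the hunk.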
|
|
|
@ -30,6 +30,14 @@ parameters:
|
||||||
description: Mapping of service endpoint -> protocol. Typically set
|
description: Mapping of service endpoint -> protocol. Typically set
|
||||||
via parameter_defaults in the resource registry.
|
via parameter_defaults in the resource registry.
|
||||||
type: json
|
type: json
|
||||||
|
StackUpdateType:
|
||||||
|
type: string
|
||||||
|
description: >
|
||||||
|
Type of update, to differentiate between UPGRADE and UPDATE cases
|
||||||
|
when StackAction is UPDATE (both are the same stack action).
|
||||||
|
constraints:
|
||||||
|
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
|
||||||
|
default: ''
|
||||||
MonitoringSubscriptionNovaVNCProxy:
|
MonitoringSubscriptionNovaVNCProxy:
|
||||||
default: 'overcloud-nova-vncproxy'
|
default: 'overcloud-nova-vncproxy'
|
||||||
type: string
|
type: string
|
||||||
|
@ -38,6 +46,50 @@ parameters:
|
||||||
default:
|
default:
|
||||||
tag: openstack.nova.vncproxy
|
tag: openstack.nova.vncproxy
|
||||||
path: /var/log/nova/nova-vncproxy.log
|
path: /var/log/nova/nova-vncproxy.log
|
||||||
|
EnableInternalTLS:
|
||||||
|
type: boolean
|
||||||
|
default: false
|
||||||
|
UseTLSTransportForVnc:
|
||||||
|
type: boolean
|
||||||
|
default: true
|
||||||
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
||||||
|
enable TLS transaport for libvirt VNC and configure the
|
||||||
|
relevant keys for libvirt.
|
||||||
|
InternalTLSVncCAFile:
|
||||||
|
default: '/etc/ipa/vnc.crt'
|
||||||
|
type: string
|
||||||
|
description: Specifies the CA cert to use for VNC TLS.
|
||||||
|
LibvirtVncCACert:
|
||||||
|
type: string
|
||||||
|
default: ''
|
||||||
|
description: This specifies the CA certificate to use for VNC TLS.
|
||||||
|
This file will be symlinked to the default CA path,
|
||||||
|
which is /etc/pki/libvirt-vnc/ca-cert.pem.
|
||||||
|
This parameter should be used if the default (which comes from
|
||||||
|
the InternalTLSVncCAFile parameter) is not desired. The current
|
||||||
|
default reflects TripleO's default CA, which is FreeIPA.
|
||||||
|
It will only be used if internal TLS is enabled.
|
||||||
|
|
||||||
|
conditions:
|
||||||
|
|
||||||
|
use_tls_for_vnc:
|
||||||
|
and:
|
||||||
|
- equals:
|
||||||
|
- {get_param: EnableInternalTLS}
|
||||||
|
- true
|
||||||
|
- equals:
|
||||||
|
- {get_param: UseTLSTransportForVnc}
|
||||||
|
- true
|
||||||
|
|
||||||
|
libvirt_vnc_specific_ca_unset:
|
||||||
|
equals:
|
||||||
|
- {get_param: LibvirtVncCACert}
|
||||||
|
- ''
|
||||||
|
|
||||||
|
allow_noauth:
|
||||||
|
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
|
||||||
|
equals: [{get_param: StackUpdateType}, 'UPGRADE']
|
||||||
|
|
||||||
|
|
||||||
resources:
|
resources:
|
||||||
NovaBase:
|
NovaBase:
|
||||||
|
@ -74,6 +126,43 @@ outputs:
|
||||||
dport:
|
dport:
|
||||||
- 6080
|
- 6080
|
||||||
- 13080
|
- 13080
|
||||||
|
-
|
||||||
|
if:
|
||||||
|
- use_tls_for_vnc
|
||||||
|
-
|
||||||
|
nova::vncproxy::allow_vencrypt: true
|
||||||
|
nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]}
|
||||||
|
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
|
||||||
|
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
|
||||||
|
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
|
||||||
|
generate_service_certificates: true
|
||||||
|
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
|
||||||
|
if:
|
||||||
|
- libvirt_vnc_specific_ca_unset
|
||||||
|
- get_param: InternalTLSVncCAFile
|
||||||
|
- get_param: LibvirtVncCACert
|
||||||
|
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
|
||||||
|
libvirt_vnc_certificates_specs:
|
||||||
|
libvirt-vnc-client-cert:
|
||||||
|
cacertfile:
|
||||||
|
if:
|
||||||
|
- libvirt_vnc_specific_ca_unset
|
||||||
|
- get_param: InternalTLSVncCAFile
|
||||||
|
- null
|
||||||
|
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
|
||||||
|
service_key: '/etc/pki/libvirt-vnc/client-key.pem'
|
||||||
|
notify_service: '%{::nova::params::vncproxy_service_name}'
|
||||||
|
hostname:
|
||||||
|
str_replace:
|
||||||
|
template: "%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
principal:
|
||||||
|
str_replace:
|
||||||
|
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||||
|
params:
|
||||||
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
- {}
|
||||||
service_config_settings:
|
service_config_settings:
|
||||||
fluentd:
|
fluentd:
|
||||||
tripleo_fluentd_groups_nova_vnc_proxy:
|
tripleo_fluentd_groups_nova_vnc_proxy:
|
||||||
|
@ -86,3 +175,11 @@ outputs:
|
||||||
- name: Stop nova_vnc_proxy service
|
- name: Stop nova_vnc_proxy service
|
||||||
when: step|int == 1
|
when: step|int == 1
|
||||||
service: name=openstack-nova-consoleauth state=stopped
|
service: name=openstack-nova-consoleauth state=stopped
|
||||||
|
metadata_settings:
|
||||||
|
if:
|
||||||
|
- use_tls_for_vnc
|
||||||
|
-
|
||||||
|
- service: libvirt-vnc
|
||||||
|
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||||
|
type: node
|
||||||
|
- null
|
||||||
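Review bot: The `allow_noauth` condition (L2026) matches only `'UPGRADE'`, while `StackUpdateType` also admits `'FASTFORWARDUPGRADE'` (L1820); during a fast-forward upgrade `nova::vncproxy::allow_noauth` is therefore false, so if computes are not yet reconfigured for vencrypt at that point their console connections would presumably be refused. Since this flag is what keeps the proxy accepting unencrypted compute-side connections, the comment at L2022 should say whether that exclusion is intended and make clear the grace only lasts while StackUpdateType is 'UPGRADE', e.g. `# Allow noauth VNC connections during P->Q upgrade, while computes may still lack vencrypt. <state whether FFU is covered>. Remove in Rocky.` The `nova::vncproxy::vencrypt_key` at L2089 is the same client key the docker nova-vnc-proxy section mounts without a permissions entry; the ownership/mode the proxy needs is not visible in this change. The `config_settings` list and the `outputs` mapping these hunks extend begin outside the hunks.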
|
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
If TLS on the internal network is enabled, the nova-novnc to libvirt vnc
|
||||||
|
transport defaults to using TLS. This can be changed by setting the
|
||||||
|
``UseTLSTransportForVnc`` parameter, which is ``true`` by default.
|
||||||
|
A dedicated IPA sub-CA can be specified by the ``LibvirtVncCACert``
|
||||||
|
parameter. By default the main IPA CA will be used.
|