openstack/tripleo-heat-templates
Code Issues Proposed changes

SSL support for haproxy -> novnc proxy connection

Browse Source 
With tls-everywhere enabled the connection from haproxy to the nova novnc
proxy was not encrypted. Now we request a certificate and configue haproxy
and the novnc proxy to encrypt this remaining part in a vnc connection to
be encrypted as well.

Change-Id: Ia0c8c452f0121298bef58409bd0bdbe4caa54e42
Closes-Bug: #1785700
Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
Depends-On: I4667706633205c240f2efb51663e6efbce5e344e
This commit is contained in:
Martin Schuppert 2018-08-07 13:34:02 +02:00
parent 21dadd4ef3
commit 8d163a21f5
3 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docker/services/nova-vnc-proxy.yaml
View File

@ -151,10 +151,17 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/nova
owner: nova:nova
recurse: true
- path: /etc/pki/tls/private/novnc_proxy.key
owner: root:nova
docker_config:
step_4:
nova_vnc_proxy:
@ -185,6 +192,8 @@ outputs:
- get_param: LibvirtVncCACert
- /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
- /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
- /etc/pki/tls/certs/novnc_proxy.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/novnc_proxy.crt:ro
- /etc/pki/tls/private/novnc_proxy.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/novnc_proxy.key:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS

19
puppet/services/nova-vnc-proxy.yaml
View File

@ -140,6 +140,9 @@ outputs:
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
nova::ssl_only: true
nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
nova::key: /etc/pki/tls/private/novnc_proxy.key
generate_service_certificates: true
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
if:
@ -167,6 +170,19 @@ outputs:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
novnc_proxy_certificates_specs:
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
service_key: '/etc/pki/tls/private/novnc_proxy.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
principal:
str_replace:
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
- {}
service_config_settings:
fluentd:
@ -187,4 +203,7 @@ outputs:
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- service: novnc-proxy
network: {get_param: [ServiceNetMap, NovaApiNetwork]}
type: node
- null

8
releasenotes/notes/nova_novnc_proxy_ssl_support-edc7bc13d0cd6d2b.yaml Normal file
View File

@ -0,0 +1,8 @@
---
fixes:
- |
When tls-everywhere is configured we have TLS connection from
client -> haproxy and novncproxy -> vnc server (instance), but the
connection from haproxy to the nova novnc proxy was not encrypted. Now
we request a certificate and configue haproxy and the novnc proxy to
encrypt this remaining part in a vnc connection to be encrypted as well.