SSL support for haproxy -> novnc proxy connection

With tls-everywhere enabled the connection from haproxy to the nova novnc
proxy was not encrypted. Now we request a certificate and configue haproxy
and the novnc proxy to encrypt this remaining part in a vnc connection to
be encrypted as well.

Change-Id: Ia0c8c452f0121298bef58409bd0bdbe4caa54e42
Closes-Bug: #1785700
Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60
Depends-On: I4667706633205c240f2efb51663e6efbce5e344e

docker/services/nova-vnc-proxy.yaml

@@ -151,10 +151,17 @@ outputs:
               dest: "/"
               merge: true
               preserve_properties: true
+            - source: "/var/lib/kolla/config_files/src-tls/*"
+              dest: "/"
+              merge: true
+              preserve_properties: true
+              optional: true
           permissions:
             - path: /var/log/nova
               owner: nova:nova
               recurse: true
+            - path: /etc/pki/tls/private/novnc_proxy.key
+              owner: root:nova
       docker_config:
         step_4:
           nova_vnc_proxy:
@@ -185,6 +192,8 @@ outputs:
                                 - get_param: LibvirtVncCACert
                       - /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
                       - /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
+                      - /etc/pki/tls/certs/novnc_proxy.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/novnc_proxy.crt:ro
+                      - /etc/pki/tls/private/novnc_proxy.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/novnc_proxy.key:ro
                     - null
             environment:
               - KOLLA_CONFIG_STRATEGY=COPY_ALWAYS

puppet/services/nova-vnc-proxy.yaml

@@ -140,6 +140,9 @@ outputs:
                 nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
                 nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
                 nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
+                nova::ssl_only: true
+                nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
+                nova::key: /etc/pki/tls/private/novnc_proxy.key
                 generate_service_certificates: true
                 tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
                   if:
@@ -167,6 +170,19 @@ outputs:
                         template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
                         params:
                           NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
+                novnc_proxy_certificates_specs:
+                  service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
+                  service_key: '/etc/pki/tls/private/novnc_proxy.key'
+                  hostname:
+                    str_replace:
+                      template: "%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
+                  principal:
+                    str_replace:
+                      template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
+                      params:
+                        NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
               - {}
       service_config_settings:
         fluentd:
@@ -187,4 +203,7 @@ outputs:
             - service: libvirt-vnc
               network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
               type: node
+            - service: novnc-proxy
+              network: {get_param: [ServiceNetMap, NovaApiNetwork]}
+              type: node
           - null

releasenotes/notes/nova_novnc_proxy_ssl_support-edc7bc13d0cd6d2b.yaml

@@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    When tls-everywhere is configured we have TLS connection from 
+    client -> haproxy and novncproxy -> vnc server (instance), but the 
+    connection from haproxy to the nova novnc proxy was not encrypted. Now 
+    we request a certificate and configue haproxy  and the novnc proxy to
+    encrypt this remaining part in a vnc connection to be encrypted as well.