openstack
/
tripleo-heat-templates
Code Issues Proposed changes

Revert "Revert "SSL support for haproxy -> novnc proxy connection"" 

We now have the change merged into master:
https://review.openstack.org/#/c/589434/

With tls-everywhere enabled the connection from haproxy to the nova novnc
proxy was not encrypted. Now we request a certificate and configue haproxy
and the novnc proxy to encrypt this remaining part in a vnc connection to
be encrypted as well.

This reverts commit c6fa26d152.

Change-Id: I88c129aff9cd009d9d841780274a68ea397a2012
This commit is contained in:
Martin Schuppert 2018-08-21 12:19:27 +00:00
parent c6fa26d152
commit 9e838d1558
3 changed files with 36 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docker/services/nova-vnc-proxy.yaml
View File

@ -139,10 +139,17 @@ outputs:
dest: "/"
merge: true
preserve_properties: true
- source: "/var/lib/kolla/config_files/src-tls/*"
dest: "/"
merge: true
preserve_properties: true
optional: true
permissions:
- path: /var/log/nova
owner: nova:nova
recurse: true
- path: /etc/pki/tls/private/novnc_proxy.key
owner: root:nova
docker_config:
step_4:
nova_vnc_proxy:
@ -173,6 +180,8 @@ outputs:
- get_param: LibvirtVncCACert
- /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
- /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
- /etc/pki/tls/certs/novnc_proxy.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/novnc_proxy.crt:ro
- /etc/pki/tls/private/novnc_proxy.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/novnc_proxy.key:ro
- null
environment:
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS

19
puppet/services/nova-vnc-proxy.yaml
View File

@ -135,6 +135,9 @@ outputs:
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
nova::ssl_only: true
nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
nova::key: /etc/pki/tls/private/novnc_proxy.key
generate_service_certificates: true
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
if:
@ -162,6 +165,19 @@ outputs:
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
novnc_proxy_certificates_specs:
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
service_key: '/etc/pki/tls/private/novnc_proxy.key'
hostname:
str_replace:
template: "%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
principal:
str_replace:
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
params:
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
- {}
service_config_settings:
fluentd:
@ -182,4 +198,7 @@ outputs:
- service: libvirt-vnc
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
type: node
- service: novnc-proxy
network: {get_param: [ServiceNetMap, NovaApiNetwork]}
type: node
- null

8
releasenotes/notes/nova_novnc_proxy_ssl_support-edc7bc13d0cd6d2b.yaml Normal file
View File

@ -0,0 +1,8 @@
---
fixes:
- |
When tls-everywhere is configured we have TLS connection from
client -> haproxy and novncproxy -> vnc server (instance), but the
connection from haproxy to the nova novnc proxy was not encrypted. Now
we request a certificate and configue haproxy and the novnc proxy to
encrypt this remaining part in a vnc connection to be encrypted as well.