Revert "Revert "SSL support for haproxy -> novnc proxy connection""
We now have the change merged into master:
https://review.openstack.org/#/c/589434/
With tls-everywhere enabled, the connection from haproxy to the nova novnc
proxy was not encrypted. Now we request a certificate and configure haproxy
and the novnc proxy so that this remaining leg of a VNC connection is
encrypted as well.
This reverts commit c6fa26d152.
Change-Id: I88c129aff9cd009d9d841780274a68ea397a2012
This commit is contained in:
parent
c6fa26d152
commit
9e838d1558
|
@ -139,10 +139,17 @@ outputs:
|
|||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
- source: "/var/lib/kolla/config_files/src-tls/*"
|
||||
dest: "/"
|
||||
merge: true
|
||||
preserve_properties: true
|
||||
optional: true
|
||||
permissions:
|
||||
- path: /var/log/nova
|
||||
owner: nova:nova
|
||||
recurse: true
|
||||
- path: /etc/pki/tls/private/novnc_proxy.key
|
||||
owner: root:nova
|
||||
docker_config:
|
||||
step_4:
|
||||
nova_vnc_proxy:
|
||||
|
@ -173,6 +180,8 @@ outputs:
|
|||
- get_param: LibvirtVncCACert
|
||||
- /etc/pki/libvirt-vnc/client-cert.pem:/etc/pki/libvirt-vnc/client-cert.pem:ro
|
||||
- /etc/pki/libvirt-vnc/client-key.pem:/etc/pki/libvirt-vnc/client-key.pem:ro
|
||||
- /etc/pki/tls/certs/novnc_proxy.crt:/var/lib/kolla/config_files/src-tls/etc/pki/tls/certs/novnc_proxy.crt:ro
|
||||
- /etc/pki/tls/private/novnc_proxy.key:/var/lib/kolla/config_files/src-tls/etc/pki/tls/private/novnc_proxy.key:ro
|
||||
- null
|
||||
environment:
|
||||
- KOLLA_CONFIG_STRATEGY=COPY_ALWAYS
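Review bot: The new permissions entry for `/etc/pki/tls/private/novnc_proxy.key` sets `owner: root:nova` but no mode, so whether the private key ends up group-readable only or world-readable inside the container depends on the mode certmonger wrote on the host, which the copy keeps because of `preserve_properties: true`. Add `perm: '0640'` directly under `owner: root:nova` so the key is never world-readable regardless of the host file. As far as I can tell the bind mount is read-only and the file is copied to `/` on every start (COPY_ALWAYS), so the chown/chmod applies to the copy, not the host file — worth confirming. The enclosing `config_settings`/`docker_config` mappings start and end outside this hunk.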
|
||||
|
|
|
@ -135,6 +135,9 @@ outputs:
|
|||
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
|
||||
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
|
||||
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
|
||||
nova::ssl_only: true
|
||||
nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
|
||||
nova::key: /etc/pki/tls/private/novnc_proxy.key
|
||||
generate_service_certificates: true
|
||||
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
|
||||
if:
|
||||
|
@ -162,6 +165,19 @@ outputs:
|
|||
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
novnc_proxy_certificates_specs:
|
||||
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
|
||||
service_key: '/etc/pki/tls/private/novnc_proxy.key'
|
||||
hostname:
|
||||
str_replace:
|
||||
template: "%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
principal:
|
||||
str_replace:
|
||||
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
|
||||
params:
|
||||
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
- {}
|
||||
service_config_settings:
|
||||
fluentd:
|
||||
|
@ -182,4 +198,7 @@ outputs:
|
|||
- service: libvirt-vnc
|
||||
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
||||
type: node
|
||||
- service: novnc-proxy
|
||||
network: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
||||
type: node
|
||||
- null
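Review bot: `nova::ssl_only: true` makes the proxy refuse plaintext websocket connections, but nothing in this file makes haproxy verify the proxy's certificate against the CA; that side lives in the puppet-tripleo change referenced in the commit message and should be checked, otherwise the haproxy to novncproxy leg is encrypted but not authenticated. If I read puppet-nova right, `ssl_only`, `cert` and `key` are `[DEFAULT]` options in nova.conf and therefore also apply to any other console proxy sharing that nova.conf on the node; a comment above `nova::ssl_only: true` such as `# [DEFAULT] ssl_only/cert/key: shared by every console proxy using this nova.conf` would make that visible to the next maintainer. The certificate hostname and principal are both derived from NovaApiNetwork, matching the `novnc-proxy` metadata entry below, which looks right. The enclosing `config_settings` mapping continues outside this hunk.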
|
||||
|
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
When tls-everywhere is configured we have TLS connection from
|
||||
client -> haproxy and novncproxy -> vnc server (instance), but the
|
||||
connection from haproxy to the nova novnc proxy was not encrypted. Now
|
||||
we request a certificate and configue haproxy and the novnc proxy to
|
||||
encrypt this remaining part in a vnc connection to be encrypted as well.
|