Enable secure TUNNELLED mode for NFS

This is the follow up patch for change
Ie4fe217bd119b638f42c682d21572547f02f17b2 which allows
configuring NFS backend for Nova.

To provide enhanced security improvement for migration, this
change enables TUNNELLED mode for migration, in case of
NFS shared storage.

Change-Id: Id0cfc945814e6aa5a5c85643514cf206f42e50f4
Implements: bp tripleo-nova-nfs

puppet/services/nova-compute.yaml

@@ -145,6 +145,11 @@ parameters:
     description: Max number of consecutive build failures before the nova-compute will disable itself.
     type: string
 
+conditions:
+  enable_live_migration_tunnelled:
+    or:
+      - equals: [{get_param: NovaNfsEnabled}, true]
+      - equals: [{get_param: NovaEnableRbdBackend}, true]
 
 resources:
   NovaBase:
@@ -228,7 +233,11 @@ outputs:
             # In future versions of QEMU (2.6, mostly), danpb's native
             # encryption work will obsolete the need to use TUNNELLED transport
             # mode.
-            nova::migration::live_migration_tunnelled: {get_param: NovaEnableRbdBackend}
+            nova::migration::live_migration_tunnelled:
+              if:
+              - enable_live_migration_tunnelled
+              - true
+              - false
             nova::compute::neutron::libvirt_vif_driver: {get_param: NovaComputeLibvirtVifDriver}
             # NOTE: bind IP is found in hiera replacing the network name with the
             # local node IP for the given network; replacement examples