Use sensible defaults for novnc TLS minimum versions and ciphers

We recently introduced a change that allowed operators to pass novnc TLS
cipher parameters to puppet-nova:

  https://review.opendev.org/#/c/723920/10

Unfortunately, the default values for NovaVNCProxySSLCiphers and
NovaVNCProxySSLMinimumVersion conflict with puppet-nova and cause TLS-e
deployments to fail with the following error during the overcloud
deployment:

  /var/log/containers/nova/nova-novncproxy.log:2020-08-03 04:45:41.120 8
  ERROR nova oslo_config.cfg.ConfigFileValueError: Value for option
  ssl_minimum_version from LocationInfo(location=<Locations.user: (4,
  True)>, detail='/etc/nova/nova.conf') is not valid: Valid values are
  [default, tlsv1_1, tlsv1_2, tlsv1_3], but found ''

This is because the values don't match what puppet-nova is expecting and
it causes the containers to fail.

This commit attempts to add some reasonable defaults in THT that align
more closely with the puppet-nova defaults. It also only sets the
ciphers if they're set by the end user.

Change-Id: I2663bc9154846cc4642c3a030be0c57df4f25e1b
Lance Bragstad 2020-08-03 11:45:18 -05:00
parent 9154b0920c
commit e1d2ece785


@ -73,12 +73,12 @@ parameters:
preference string format and allowed values.
NovaVNCProxySSLMinimumVersion:
type: string
default: ''
default: 'default'
description: Minimum allowed SSL/TLS protocol version. Valid values are
'default', 'tlsv1_1', 'tlsv1_2', and 'tlsv1_3'. A value of
'default' will use the underlying system OpenSSL defaults.
constraints:
- allowed_values: ['', 'default', 'tlsv1_1', 'tlsv1_2', 'tlsv1_3']
- allowed_values: ['default', 'tlsv1_1', 'tlsv1_2', 'tlsv1_3']
StackUpdateType:
type: string
description: >
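Review bot: Dropping '' from the allowed_values constraint on NovaVNCProxySSLMinimumVersion turns a value that used to be accepted (and then rejected later by oslo.config, per the log in the commit message) into a stack validation failure; that is the right place to fail, but any existing environment file that sets the parameter to '' explicitly will now break at validation, so this deserves a release note. One further point on the new default: the description says 'default' defers to the underlying system OpenSSL defaults, so the TLS floor is whatever the host's OpenSSL policy allows; operators who need a guaranteed minimum should set 'tlsv1_2' or 'tlsv1_3' explicitly rather than rely on 'default'.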
@ -105,6 +105,11 @@ conditions:
- {get_param: LibvirtVncCACert}
- ''
proxy_ssl_ciphers_unset:
equals:
- {get_param: NovaVNCProxySSLCiphers}
- ''
allow_noauth:
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
equals: [{get_param: StackUpdateType}, 'UPGRADE']
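Review bot: The new proxy_ssl_ciphers_unset condition compares NovaVNCProxySSLCiphers against the exact empty string, so a whitespace-only value would not count as unset and would be handed to puppet-nova verbatim; that matches the existing libvirt CA condition just above it, so it is consistent, but it is worth stating in the parameter description that only an empty value means "use the puppet-nova default". No matching condition is added for NovaVNCProxySSLMinimumVersion, which is fine only because the first hunk changes its default to 'default' and the constraint now rejects ''; if the constraint is ever relaxed again, this hunk would need a sibling condition.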
@ -171,7 +176,11 @@ outputs:
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
nova::ssl_only: true
nova::console_ssl_ciphers: {get_param: NovaVNCProxySSLCiphers}
nova::console_ssl_ciphers:
if:
- proxy_ssl_ciphers_unset
- null
- get_param: NovaVNCProxySSLCiphers
nova::console_ssl_minimum_version: {get_param: NovaVNCProxySSLMinimumVersion}
nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
nova::key: /etc/pki/tls/private/novnc_proxy.key
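Review bot: The if/proxy_ssl_ciphers_unset/null construct is meant to leave nova::console_ssl_ciphers unset so puppet-nova applies its own default, but please confirm in a TLS-e deployment that null here results in the key being dropped from the generated hieradata rather than written as an empty value, since an empty ssl_ciphers would reproduce the same class of failure the commit message describes for ssl_minimum_version. nova::console_ssl_minimum_version is still passed straight through with get_param, which is safe with the new 'default' default and the tightened constraint, but a one-line comment noting that dependency on the parameter definition would help the next person who touches either hunk.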