From e1d2ece7858bb03a00ee2412b8044e3ab34d7202 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 3 Aug 2020 11:45:18 -0500
Subject: [PATCH] Use sensible defaults for novnc TLS minimum versions and ciphers
We recently introduced a change that allowed operators to pass novnc TLS cipher parameters to puppet-nova: https://review.opendev.org/#/c/723920/10 Unfortunately, the default values for NovaVNCProxySSLCiphers and NovaVNCProxySSLMinimumVersion conflict with puppet-nova and causes TLS-e deployments to fail with the following error during the overcloud deployment: /var/log/containers/nova/nova-novncproxy.log:2020-08-03 04:45:41.120 8 ERROR nova oslo_config.cfg.ConfigFileValueError: Value for option ssl_minimum_version from LocationInfo(location=, detail='/etc/nova/nova.conf') is not valid: Valid values are [default, tlsv1_1, tlsv1_2, tlsv1_3], but found '' This is because the values don't match what puppet-nova is expecting and it causes the containers to fail. This commit attempts to add some resonable defaults in THT that align more closely with the puppet-nova defaults. It also only sets the ciphers if they're set by the end user.
Change-Id: I2663bc9154846cc4642c3a030be0c57df4f25e1b
---
.../nova/nova-vnc-proxy-container-puppet.yaml | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/deployment/nova/nova-vnc-proxy-container-puppet.yaml b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
index 0f1c587ca0..c8b4479f7a 100644
--- a/deployment/nova/nova-vnc-proxy-container-puppet.yaml
+++ b/deployment/nova/nova-vnc-proxy-container-puppet.yaml
@@ -73,12 +73,12 @@ parameters:
 preference string format and allowed values.
 NovaVNCProxySSLMinimumVersion:
 type: string
- default: ''
+ default: 'default'
 description: Minimum allowed SSL/TLS protocol version. Valid values are
 'default', 'tlsv1_1', 'tlsv1_2', and 'tlsv1_3'. A value of 'default'
 will use the underlying system OpenSSL defaults.
 constraints:
- - allowed_values: ['', 'default', 'tlsv1_1', 'tlsv1_2', 'tlsv1_3']
+ - allowed_values: ['default', 'tlsv1_1', 'tlsv1_2', 'tlsv1_3']
 StackUpdateType:
 type: string
 description: >
@@ -105,6 +105,11 @@ conditions:
 - {get_param: LibvirtVncCACert}
 - ''
 
+ proxy_ssl_ciphers_unset:
+ equals:
+ - {get_param: NovaVNCProxySSLCiphers}
+ - ''
+
 allow_noauth:
 # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
 equals: [{get_param: StackUpdateType}, 'UPGRADE']
@@ -171,7 +176,11 @@ outputs:
 nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
 nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
 nova::ssl_only: true
- nova::console_ssl_ciphers: {get_param: NovaVNCProxySSLCiphers}
+ nova::console_ssl_ciphers:
+ if:
+ - proxy_ssl_ciphers_unset
+ - null
+ - get_param: NovaVNCProxySSLCiphers
 nova::console_ssl_minimum_version: {get_param: NovaVNCProxySSLMinimumVersion}
 nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
 nova::key: /etc/pki/tls/private/novnc_proxy.key
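Review bot: Removing '' from the allowed_values of NovaVNCProxySSLMinimumVersion in the first hunk, while the commit only swaps the default, means any environment file that explicitly set the parameter to '' (the previous default, which operators may have copied verbatim) will now fail parameter validation on the next stack update, and the commit message does not call this out. A sentence in the description, e.g. `description: Minimum allowed SSL/TLS protocol version. The empty string is no longer accepted; use 'default' to defer to the system OpenSSL policy.`, or a short release note would make the break visible. It is also worth stating in the description that 'default' imposes no protocol floor of its own, so an operator who wants TLS 1.2 or later as the minimum has to set 'tlsv1_2' explicitly rather than rely on this default. The parameters block continues outside the hunk on both sides.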
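Review bot: The `if` in the third hunk yields an explicit `null` for nova::console_ssl_ciphers rather than omitting the key, so the hieradata still carries the key whenever NovaVNCProxySSLCiphers is unset; whether puppet-nova then applies its own class default or receives nil as the cipher string depends on how Puppet treats a null data binding, which is not visible here and is worth confirming against the failure the commit message describes, since nil and '' may not behave the same in nova's TLS setup. If the explicit null is intended, a comment above the key such as `# null lets puppet-nova apply its own cipher default instead of passing '' through to nova.conf` would record the reasoning for the next reader. As a smaller style point, the else branch uses block form `- get_param: NovaVNCProxySSLCiphers` while the neighbouring keys use the `{get_param: ...}` flow form; either parses, but one form keeps the map easier to scan. The outputs block continues outside the hunk on both sides.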