heat_template_version: rocky description: > OpenStack Nova Vncproxy service configured with Puppet parameters: ServiceData: default: {} description: Dictionary packing service data type: json ServiceNetMap: default: {} description: Mapping of service_name -> network name. Typically set via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json DefaultPasswords: default: {} type: json RoleName: default: '' description: Role name on which the service is applied type: string RoleParameters: default: {} description: Parameters specific to the role type: json EndpointMap: default: {} description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json StackUpdateType: type: string description: > Type of update, to differentiate between UPGRADE and UPDATE cases when StackAction is UPDATE (both are the same stack action). constraints: - allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE'] default: '' MonitoringSubscriptionNovaVNCProxy: default: 'overcloud-nova-vncproxy' type: string NovaVncproxyLoggingSource: type: json default: tag: openstack.nova.vncproxy path: /var/log/nova/nova-vncproxy.log EnableInternalTLS: type: boolean default: false UseTLSTransportForVnc: type: boolean default: true description: If set to true and if EnableInternalTLS is enabled, it will enable TLS transaport for libvirt VNC and configure the relevant keys for libvirt. InternalTLSVncCAFile: default: '/etc/pki/CA/certs/vnc.crt' type: string description: Specifies the CA cert to use for VNC TLS. LibvirtVncCACert: type: string default: '' description: This specifies the CA certificate to use for VNC TLS. This file will be symlinked to the default CA path, which is /etc/pki/libvirt-vnc/ca-cert.pem. This parameter should be used if the default (which comes from the InternalTLSVncCAFile parameter) is not desired. The current default reflects TripleO's default CA, which is FreeIPA. It will only be used if internal TLS is enabled. conditions: use_tls_for_vnc: and: - equals: - {get_param: EnableInternalTLS} - true - equals: - {get_param: UseTLSTransportForVnc} - true libvirt_vnc_specific_ca_unset: equals: - {get_param: LibvirtVncCACert} - '' allow_noauth: # Allow noauth VNC connections during P->Q upgrade. Remove in Rocky. equals: [{get_param: StackUpdateType}, 'UPGRADE'] resources: NovaBase: type: ./nova-base.yaml properties: ServiceData: {get_param: ServiceData} ServiceNetMap: {get_param: ServiceNetMap} DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} RoleName: {get_param: RoleName} RoleParameters: {get_param: RoleParameters} outputs: role_data: description: Role data for the Nova Vncproxy service. value: service_name: nova_vnc_proxy monitoring_subscription: {get_param: MonitoringSubscriptionNovaVNCProxy} config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] - nova::vncproxy::enabled: true nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyPublic, protocol]} nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyPublic, host_nobrackets]} nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]} # NOTE: bind IP is found in hiera replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR nova::vncproxy::host: str_replace: template: "%{hiera('$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} tripleo.nova_vnc_proxy.firewall_rules: '137 nova_vnc_proxy': dport: - 6080 - 13080 - if: - use_tls_for_vnc - nova::vncproxy::allow_vencrypt: true nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]} nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem generate_service_certificates: true tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem: if: - libvirt_vnc_specific_ca_unset - get_param: InternalTLSVncCAFile - get_param: LibvirtVncCACert tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc' libvirt_vnc_certificates_specs: libvirt-vnc-client-cert: cacertfile: if: - libvirt_vnc_specific_ca_unset - get_param: InternalTLSVncCAFile - null service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem' service_key: '/etc/pki/libvirt-vnc/client-key.pem' notify_service: '%{::nova::params::vncproxy_service_name}' hostname: str_replace: template: "%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} principal: str_replace: template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} - {} service_config_settings: fluentd: tripleo_fluentd_groups_nova_vnc_proxy: - nova tripleo_fluentd_sources_nova_vnc_proxy: - {get_param: NovaVncproxyLoggingSource} step_config: | include tripleo::profile::base::nova::vncproxy upgrade_tasks: - name: Stop nova_vnc_proxy service when: step|int == 1 service: name=openstack-nova-consoleauth state=stopped metadata_settings: if: - use_tls_for_vnc - - service: libvirt-vnc network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} type: node - null