8d163a21f5
With tls-everywhere enabled the connection from haproxy to the nova novnc proxy was not encrypted. Now we request a certificate and configue haproxy and the novnc proxy to encrypt this remaining part in a vnc connection to be encrypted as well. Change-Id: Ia0c8c452f0121298bef58409bd0bdbe4caa54e42 Closes-Bug: #1785700 Depends-On: Ice51fe175bdc1cb14fa49cf53d1f38e9728bbb60 Depends-On: I4667706633205c240f2efb51663e6efbce5e344e
210 lines
7.9 KiB
YAML
210 lines
7.9 KiB
YAML
heat_template_version: rocky
|
|
|
|
description: >
|
|
OpenStack Nova Vncproxy service configured with Puppet
|
|
|
|
parameters:
|
|
ServiceData:
|
|
default: {}
|
|
description: Dictionary packing service data
|
|
type: json
|
|
ServiceNetMap:
|
|
default: {}
|
|
description: Mapping of service_name -> network name. Typically set
|
|
via parameter_defaults in the resource registry. This
|
|
mapping overrides those in ServiceNetMapDefaults.
|
|
type: json
|
|
DefaultPasswords:
|
|
default: {}
|
|
type: json
|
|
RoleName:
|
|
default: ''
|
|
description: Role name on which the service is applied
|
|
type: string
|
|
RoleParameters:
|
|
default: {}
|
|
description: Parameters specific to the role
|
|
type: json
|
|
EndpointMap:
|
|
default: {}
|
|
description: Mapping of service endpoint -> protocol. Typically set
|
|
via parameter_defaults in the resource registry.
|
|
type: json
|
|
StackUpdateType:
|
|
type: string
|
|
description: >
|
|
Type of update, to differentiate between UPGRADE and UPDATE cases
|
|
when StackAction is UPDATE (both are the same stack action).
|
|
constraints:
|
|
- allowed_values: ['', 'UPGRADE', 'FASTFORWARDUPGRADE']
|
|
default: ''
|
|
MonitoringSubscriptionNovaVNCProxy:
|
|
default: 'overcloud-nova-vncproxy'
|
|
type: string
|
|
NovaVncproxyLoggingSource:
|
|
type: json
|
|
default:
|
|
tag: openstack.nova.vncproxy
|
|
path: /var/log/nova/nova-vncproxy.log
|
|
EnableInternalTLS:
|
|
type: boolean
|
|
default: false
|
|
UseTLSTransportForVnc:
|
|
type: boolean
|
|
default: true
|
|
description: If set to true and if EnableInternalTLS is enabled, it will
|
|
enable TLS transaport for libvirt VNC and configure the
|
|
relevant keys for libvirt.
|
|
InternalTLSVncCAFile:
|
|
default: '/etc/pki/CA/certs/vnc.crt'
|
|
type: string
|
|
description: Specifies the CA cert to use for VNC TLS.
|
|
LibvirtVncCACert:
|
|
type: string
|
|
default: ''
|
|
description: This specifies the CA certificate to use for VNC TLS.
|
|
This file will be symlinked to the default CA path,
|
|
which is /etc/pki/libvirt-vnc/ca-cert.pem.
|
|
This parameter should be used if the default (which comes from
|
|
the InternalTLSVncCAFile parameter) is not desired. The current
|
|
default reflects TripleO's default CA, which is FreeIPA.
|
|
It will only be used if internal TLS is enabled.
|
|
|
|
conditions:
|
|
|
|
use_tls_for_vnc:
|
|
and:
|
|
- equals:
|
|
- {get_param: EnableInternalTLS}
|
|
- true
|
|
- equals:
|
|
- {get_param: UseTLSTransportForVnc}
|
|
- true
|
|
|
|
libvirt_vnc_specific_ca_unset:
|
|
equals:
|
|
- {get_param: LibvirtVncCACert}
|
|
- ''
|
|
|
|
allow_noauth:
|
|
# Allow noauth VNC connections during P->Q upgrade. Remove in Rocky.
|
|
equals: [{get_param: StackUpdateType}, 'UPGRADE']
|
|
|
|
|
|
resources:
|
|
NovaBase:
|
|
type: ./nova-base.yaml
|
|
properties:
|
|
ServiceData: {get_param: ServiceData}
|
|
ServiceNetMap: {get_param: ServiceNetMap}
|
|
DefaultPasswords: {get_param: DefaultPasswords}
|
|
EndpointMap: {get_param: EndpointMap}
|
|
RoleName: {get_param: RoleName}
|
|
RoleParameters: {get_param: RoleParameters}
|
|
|
|
outputs:
|
|
role_data:
|
|
description: Role data for the Nova Vncproxy service.
|
|
value:
|
|
service_name: nova_vnc_proxy
|
|
monitoring_subscription: {get_param: MonitoringSubscriptionNovaVNCProxy}
|
|
config_settings:
|
|
map_merge:
|
|
- get_attr: [NovaBase, role_data, config_settings]
|
|
- nova::vncproxy::enabled: true
|
|
nova::vncproxy::common::vncproxy_protocol: {get_param: [EndpointMap, NovaVNCProxyPublic, protocol]}
|
|
nova::vncproxy::common::vncproxy_host: {get_param: [EndpointMap, NovaVNCProxyPublic, host_nobrackets]}
|
|
nova::vncproxy::common::vncproxy_port: {get_param: [EndpointMap, NovaVNCProxyPublic, port]}
|
|
# NOTE: bind IP is found in hiera replacing the network name with the local node IP
|
|
# for the given network; replacement examples (eg. for internal_api):
|
|
# internal_api -> IP
|
|
# internal_api_uri -> [IP]
|
|
# internal_api_subnet - > IP/CIDR
|
|
nova::vncproxy::host:
|
|
str_replace:
|
|
template:
|
|
"%{hiera('$NETWORK')}"
|
|
params:
|
|
$NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
tripleo.nova_vnc_proxy.firewall_rules:
|
|
'137 nova_vnc_proxy':
|
|
dport:
|
|
- 6080
|
|
- 13080
|
|
-
|
|
if:
|
|
- use_tls_for_vnc
|
|
-
|
|
nova::vncproxy::allow_vencrypt: true
|
|
nova::vncproxy::allow_noauth: {if: [allow_noauth, true, false]}
|
|
nova::vncproxy::vencrypt_key: /etc/pki/libvirt-vnc/client-key.pem
|
|
nova::vncproxy::vencrypt_cert: /etc/pki/libvirt-vnc/client-cert.pem
|
|
nova::vncproxy::vencrypt_ca: /etc/pki/libvirt-vnc/ca-cert.pem
|
|
nova::ssl_only: true
|
|
nova::cert: /etc/pki/tls/certs/novnc_proxy.crt
|
|
nova::key: /etc/pki/tls/private/novnc_proxy.key
|
|
generate_service_certificates: true
|
|
tripleo::certmonger::ca::libvirt_vnc::origin_ca_pem:
|
|
if:
|
|
- libvirt_vnc_specific_ca_unset
|
|
- get_param: InternalTLSVncCAFile
|
|
- get_param: LibvirtVncCACert
|
|
tripleo::certmonger::libvirt_vnc_dirs::certificate_dir: '/etc/pki/libvirt-vnc'
|
|
libvirt_vnc_certificates_specs:
|
|
libvirt-vnc-client-cert:
|
|
cacertfile:
|
|
if:
|
|
- libvirt_vnc_specific_ca_unset
|
|
- get_param: InternalTLSVncCAFile
|
|
- null
|
|
service_certificate: '/etc/pki/libvirt-vnc/client-cert.pem'
|
|
service_key: '/etc/pki/libvirt-vnc/client-key.pem'
|
|
notify_service: '%{::nova::params::vncproxy_service_name}'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "libvirt-vnc/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
novnc_proxy_certificates_specs:
|
|
service_certificate: '/etc/pki/tls/certs/novnc_proxy.crt'
|
|
service_key: '/etc/pki/tls/private/novnc_proxy.key'
|
|
hostname:
|
|
str_replace:
|
|
template: "%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
principal:
|
|
str_replace:
|
|
template: "novnc-proxy/%{hiera('fqdn_NETWORK')}"
|
|
params:
|
|
NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
- {}
|
|
service_config_settings:
|
|
fluentd:
|
|
tripleo_fluentd_groups_nova_vnc_proxy:
|
|
- nova
|
|
tripleo_fluentd_sources_nova_vnc_proxy:
|
|
- {get_param: NovaVncproxyLoggingSource}
|
|
step_config: |
|
|
include tripleo::profile::base::nova::vncproxy
|
|
upgrade_tasks:
|
|
- name: Stop nova_vnc_proxy service
|
|
when: step|int == 1
|
|
service: name=openstack-nova-consoleauth state=stopped
|
|
metadata_settings:
|
|
if:
|
|
- use_tls_for_vnc
|
|
-
|
|
- service: libvirt-vnc
|
|
network: {get_param: [ServiceNetMap, NovaLibvirtNetwork]}
|
|
type: node
|
|
- service: novnc-proxy
|
|
network: {get_param: [ServiceNetMap, NovaApiNetwork]}
|
|
type: node
|
|
- null
|