From b9cf4bf7e56aea4669dc9b92e52ed4e0c694a32a Mon Sep 17 00:00:00 2001
From: Gael Chamoulaud
Date: Tue, 30 Sep 2014 15:33:08 +0200
Subject: [PATCH] Set up NOVNC with https when using SSL on HORIZON

Change-Id: I98d053f2d1558f39fe116a7f90bc6f1b6a4f93f4
Fixes: rhbz#1115896
Signed-off-by: Gael Chamoulaud
---
 .../packstack/templates/ssl/generate_ssl_certs.sh.erb | 7 +++++++
 packstack/puppet/templates/horizon.pp | 7 +++++++
 packstack/puppet/templates/nova_vncproxy.pp | 10 ++++++++++
 3 files changed, 24 insertions(+)

diff --git a/packstack/puppet/modules/packstack/templates/ssl/generate_ssl_certs.sh.erb b/packstack/puppet/modules/packstack/templates/ssl/generate_ssl_certs.sh.erb
index c4d4ca0a8..ff0656fdb 100755
--- a/packstack/puppet/modules/packstack/templates/ssl/generate_ssl_certs.sh.erb
+++ b/packstack/puppet/modules/packstack/templates/ssl/generate_ssl_certs.sh.erb
@@ -51,3 +51,10 @@ cp /etc/pki/CA/cacert.pem $SSLCHAIN
 openssl genrsa 2048 > $SSLKEY 2> /dev/null
 answers $FQDN | openssl req -new -nodes -key $SSLKEY -out ${SSLCERT}.req
 yes | openssl ca -in ${SSLCERT}.req -out ${SSLCERT}
+
+# gen key and self signed cert for novnc
+SSL_NOVA_NOVNC_CERT=/etc/nova/nova.crt
+SSL_NOVA_NOVNC_KEY=/etc/nova/nova.key
+answers $FQDN | openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout $SSL_NOVA_NOVNC_KEY -out $SSL_NOVA_NOVNC_CERT
+chown root.nova $SSL_NOVA_NOVNC_CERT $SSL_NOVA_NOVNC_KEY
+chmod 440 $SSL_NOVA_NOVNC_CERT $SSL_NOVA_NOVNC_KEY
diff --git a/packstack/puppet/templates/horizon.pp b/packstack/puppet/templates/horizon.pp
index 4998785fc..867874fcd 100644
--- a/packstack/puppet/templates/horizon.pp
+++ b/packstack/puppet/templates/horizon.pp
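Review bot: The new noVNC certificate is self-signed (`openssl req ... -x509`), while the certificate produced three lines above is issued by the local CA through `openssl ca` and that CA is exported as $SSLCHAIN, so a browser that has imported the CA to trust Horizon will still reject the noVNC endpoint. Issuing it through the same CA keeps a single trust anchor: `answers $FQDN | openssl req -new -nodes -newkey rsa:2048 -keyout $SSL_NOVA_NOVNC_KEY -out ${SSL_NOVA_NOVNC_CERT}.req` followed by `yes | openssl ca -in ${SSL_NOVA_NOVNC_CERT}.req -out $SSL_NOVA_NOVNC_CERT`. The private key is written before the `chmod 440`, so if the script runs under a permissive umask it is briefly readable by other local users; a `umask 077` ahead of the openssl call closes that window. `chown root.nova` uses the legacy dot separator, `root:nova` is the portable spelling. Whether the exit status of these openssl invocations is checked anywhere is not visible in the hunk.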
@@ -41,6 +41,13 @@ if %(CONFIG_HORIZON_SSL)s {
 require => File['/etc/pki/tls/certs/ps_generate_ssl_certs.ssh'],
 notify => Service['httpd'],
 before => Class['horizon'],
+ } ->
+ exec { 'nova-novncproxy-restart':
+ # ps_generate_ssl_certs.ssh is generating ssl certs for nova-novncproxy
+ # so openstack-nova-novncproxy should be restarted.
+ path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin'],
+ command => 'systemctl restart openstack-nova-novncproxy.service',
+ logoutput => 'on_failure',
 }

 apache::listen { '443': }
diff --git a/packstack/puppet/templates/nova_vncproxy.pp b/packstack/puppet/templates/nova_vncproxy.pp
index e2333fe10..e598bcf2a 100644
--- a/packstack/puppet/templates/nova_vncproxy.pp
+++ b/packstack/puppet/templates/nova_vncproxy.pp
@@ -1,3 +1,13 @@
+$is_using_ssl_on_horizon = '%(CONFIG_HORIZON_SSL)s'
+
+if $is_using_ssl_on_horizon == 'y' {
+ nova_config {
+ 'DEFAULT/ssl_only': value => 'true';
+ 'DEFAULT/cert': value => '/etc/nova/nova.crt';
+ 'DEFAULT/key': value => '/etc/nova/nova.key';
+ }
+}
+
 class {"nova::vncproxy":
 enabled => true,
 }
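Review bot: The added `exec { 'nova-novncproxy-restart': ... }` carries neither `refreshonly` nor `subscribe`, so it restarts openstack-nova-novncproxy on every Puppet run rather than only when the certificate generation it is chained to actually ran. Chaining with the notification arrow and making the exec refresh-only confines the restart to runs that regenerate certificates: `} ~>` and `refreshonly => true,`. The hard-coded `systemctl restart` also assumes systemd and bypasses Puppet's service model; if the service is managed on the same node by the `nova::vncproxy` class declared in nova_vncproxy.pp, a `subscribe` on that service resource would be the Puppet-native form, though its title is not visible here. The exec this one is chained to, and the enclosing `if %(CONFIG_HORIZON_SSL)s` block, begin outside the hunk.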
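Review bot: The test `$is_using_ssl_on_horizon == 'y'` treats the substituted value as the answer-file string, whereas horizon.pp (see the previous hunk's header) uses the same placeholder as a bare boolean, `if %(CONFIG_HORIZON_SSL)s {`; unless the plugin substitutes different values into the two templates, one of the two conditions can never be true, so confirm what CONFIG_HORIZON_SSL is rendered as and use the same test in both files. The `nova_config` block also has no counterpart for the SSL-off case, so turning SSL off on a deployment that previously had it leaves `ssl_only=true` in nova.conf pointing at certificate files nothing maintains any more; an `else` branch with `ensure => absent` for the three keys keeps the configuration convergent. Nothing here orders these settings after the exec in horizon.pp that creates /etc/nova/nova.crt and /etc/nova/nova.key, so on a first run the proxy may be started with `ssl_only` set before the files exist; whether packstack applies horizon.pp first is not visible in this patch.
```puppet
if $is_using_ssl_on_horizon == 'y' {
  # … unchanged: nova_config ssl_only/cert/key settings …
} else {
  nova_config {
    'DEFAULT/ssl_only': ensure => absent;
    'DEFAULT/cert': ensure => absent;
    'DEFAULT/key': ensure => absent;
  }
}
```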