Merge "nova: add support for TLS between novnc proxy & compute nodes"

Author: Zuul

lib/nova

@@ -82,6 +82,10 @@ if is_service_enabled tls-proxy; then
     NOVA_SERVICE_PROTOCOL="https"
 fi
 
+# Whether to use TLS for comms between the VNC/SPICE/serial proxy
+# services and the compute node
+NOVA_CONSOLE_PROXY_COMPUTE_TLS=${NOVA_CONSOLE_PROXY_COMPUTE_TLS:-False}
+
 # Public facing bits
 NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST}
 NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774}
@@ -197,6 +201,13 @@ function is_n-cell_enabled {
     return 1
 }
 
+# is_nova_console_proxy_compute_tls_enabled() - Test if the Nova Console Proxy
+# service has TLS enabled
+function is_nova_console_proxy_compute_tls_enabled {
+    [[ ${NOVA_CONSOLE_PROXY_COMPUTE_TLS} = "True" ]] && return 0
+    return 1
+}
+
 # Helper to clean iptables rules
 function clean_iptables {
     # Delete rules
@@ -524,6 +535,17 @@ function create_nova_conf {
         iniset $NOVA_CONF vnc server_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS"
         iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
         iniset $NOVA_CONF vnc xvpvncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
+
+        if is_nova_console_proxy_compute_tls_enabled ; then
+            iniset $NOVA_CONF vnc auth_schemes "vencrypt"
+            iniset $NOVA_CONF vnc vencrypt_client_key "/etc/pki/nova-novnc/client-key.pem"
+            iniset $NOVA_CONF vnc vencrypt_client_cert "/etc/pki/nova-novnc/client-cert.pem"
+            iniset $NOVA_CONF vnc vencrypt_ca_certs "/etc/pki/nova-novnc/ca-cert.pem"
+
+            sudo mkdir -p /etc/pki/nova-novnc
+            deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
+            deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
+        fi
     else
         iniset $NOVA_CONF vnc enabled false
     fi

lib/nova_plugins/functions-libvirt

@@ -149,6 +149,18 @@ EOF
         fi
     fi
 
+    if is_nova_console_proxy_compute_tls_enabled ; then
+        if is_service_enabled n-novnc ; then
+            echo "vnc_tls = 1" | sudo tee -a $QEMU_CONF
+            echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
+
+            sudo mkdir -p /etc/pki/libvirt-vnc
+            sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
+            deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
+            deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
+        fi
+    fi
+
     # Service needs to be started on redhat/fedora -- do a restart for
     # sanity after fiddling the config.
     restart_service $LIBVIRT_DAEMON

lib/tls

@@ -340,6 +340,24 @@ function make_root_CA {
     fi
 }
 
+# Deploy the service cert & key to a service specific
+# location
+function deploy_int_cert {
+    local cert_target_file=$1
+    local key_target_file=$2
+
+    sudo cp "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt" "$cert_target_file"
+    sudo cp "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key" "$key_target_file"
+}
+
+# Deploy the intermediate CA cert bundle file to a service
+# specific location
+function deploy_int_CA {
+    local ca_target_file=$1
+
+    sudo cp "$INT_CA_DIR/ca-chain.pem" "$ca_target_file"
+}
+
 # If a non-system python-requests is installed then it will use the
 # built-in CA certificate store rather than the distro-specific
 # CA certificate store. Detect this and symlink to the correct