Merge "nova: add support for TLS between novnc proxy & compute nodes"
This commit is contained in:
Zuul
Gerrit Code Review
commit
9f71c4ad4e
22
lib/nova
22
lib/nova
|
|
@ -82,6 +82,10 @@ if is_service_enabled tls-proxy; then
|
|||
NOVA_SERVICE_PROTOCOL="https"
|
||||
fi
|
||||
|
||||
# Whether to use TLS for comms between the VNC/SPICE/serial proxy
|
||||
# services and the compute node
|
||||
NOVA_CONSOLE_PROXY_COMPUTE_TLS=${NOVA_CONSOLE_PROXY_COMPUTE_TLS:-False}
|
||||
|
||||
# Public facing bits
|
||||
NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST}
|
||||
NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774}
|
||||
|
|
@ -197,6 +201,13 @@ function is_n-cell_enabled {
|
|||
return 1
|
||||
}
|
||||
|
||||
# is_nova_console_proxy_compute_tls_enabled() - Test if the Nova Console Proxy
|
||||
# service has TLS enabled
|
||||
function is_nova_console_proxy_compute_tls_enabled {
|
||||
[[ ${NOVA_CONSOLE_PROXY_COMPUTE_TLS} = "True" ]] && return 0
|
||||
return 1
|
||||
}
|
||||
|
||||
# Helper to clean iptables rules
|
||||
function clean_iptables {
|
||||
# Delete rules
|
||||
|
|
@ -524,6 +535,17 @@ function create_nova_conf {
|
|||
iniset $NOVA_CONF vnc server_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS"
|
||||
iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
|
||||
iniset $NOVA_CONF vnc xvpvncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"
|
||||
|
||||
if is_nova_console_proxy_compute_tls_enabled ; then
|
||||
iniset $NOVA_CONF vnc auth_schemes "vencrypt"
|
||||
iniset $NOVA_CONF vnc vencrypt_client_key "/etc/pki/nova-novnc/client-key.pem"
|
||||
iniset $NOVA_CONF vnc vencrypt_client_cert "/etc/pki/nova-novnc/client-cert.pem"
|
||||
iniset $NOVA_CONF vnc vencrypt_ca_certs "/etc/pki/nova-novnc/ca-cert.pem"
|
||||
|
||||
sudo mkdir -p /etc/pki/nova-novnc
|
||||
deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem
|
||||
deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem
|
||||
fi
|
||||
else
|
||||
iniset $NOVA_CONF vnc enabled false
|
||||
fi
|
||||
|
|
|
|||
|
|
@ -149,6 +149,18 @@ EOF
|
|||
fi
|
||||
fi
|
||||
|
||||
if is_nova_console_proxy_compute_tls_enabled ; then
|
||||
if is_service_enabled n-novnc ; then
|
||||
echo "vnc_tls = 1" | sudo tee -a $QEMU_CONF
|
||||
echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF
|
||||
|
||||
sudo mkdir -p /etc/pki/libvirt-vnc
|
||||
sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc
|
||||
deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem
|
||||
deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem
|
||||
fi
|
||||
fi
|
||||
|
||||
# Service needs to be started on redhat/fedora -- do a restart for
|
||||
# sanity after fiddling the config.
|
||||
restart_service $LIBVIRT_DAEMON
|
||||
|
|
|
|||
18
lib/tls
18
lib/tls
|
|
@ -340,6 +340,24 @@ function make_root_CA {
|
|||
fi
|
||||
}
|
||||
|
||||
# Deploy the service cert & key to a service specific
|
||||
# location
|
||||
function deploy_int_cert {
|
||||
local cert_target_file=$1
|
||||
local key_target_file=$2
|
||||
|
||||
sudo cp "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt" "$cert_target_file"
|
||||
sudo cp "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key" "$key_target_file"
|
||||
}
|
||||
|
||||
# Deploy the intermediate CA cert bundle file to a service
|
||||
# specific location
|
||||
function deploy_int_CA {
|
||||
local ca_target_file=$1
|
||||
|
||||
sudo cp "$INT_CA_DIR/ca-chain.pem" "$ca_target_file"
|
||||
}
|
||||
|
||||
# If a non-system python-requests is installed then it will use the
|
||||
# built-in CA certificate store rather than the distro-specific
|
||||
# CA certificate store. Detect this and symlink to the correct
|
||||
|
|
|
|||
Loading…
Reference in New Issue