Update notes on how to enable TLS for VNC

Add warning to security docs about enabling TLS for VNC on existing deployments, as this can prevent console access to existing virtual machines. Change-Id: Ib9e6a9fc4de2e3013e19f7eb252aacd5ae70d4d4
2021-12-22 12:10:54 +00:00 · 2021-12-22 12:10:54 +00:00 · 15bd4920ed
commit 15bd4920ed
parent d13b50fd8a
1 changed files with 8 additions and 2 deletions
--- a/doc/source/user/security/ssl-certificates.rst
+++ b/doc/source/user/security/ssl-certificates.rst
@ -347,8 +347,14 @@ detail.

 .. _OpenStack Nova Docs for remote console access: https://docs.openstack.org/nova/latest/admin/remote-console-access.html#vnc-proxy-security

-In OpenStack-Ansible TLS to haproxy is configured in haproxy, TLS to noVNC is
-not currently enabled and TLS to Compute nodes is enabled by default.
+In OpenStack-Ansible TLS to haproxy is configured in haproxy, TLS from
+haproxy to noVNC is not currently enabled and TLS from nVNC to Compute nodes
+is enabled by default.
+
+Changes will not apply to any existing running guests on the compute node,
+so this configuration should be done before launching any instances. For
+existing deployments it is recommended that you migrate instances off the
+compute node before enabling.

 To help with the transition from unencrypted VNC to VeNCrypt,
 initially noVNC proxy auth scheme allows for both encrypted and