Merge "Add ssl deployment to novnc console type"

2016-02-05 00:05:42 +00:00 · 2016-02-05 00:05:42 +00:00 · ad233ca9e9
commit ad233ca9e9
parent 23dd237aa9 9a0529c03e
4 changed files with 57 additions and 0 deletions
--- a/playbooks/roles/os_nova/defaults/main.yml
+++ b/playbooks/roles/os_nova/defaults/main.yml
@ -156,6 +156,11 @@ nova_console_keymap: en-us
 # Set the console type. Presently the only options are ["spice", "novnc"].
 nova_console_type: spice

+# Nova console ssl info, presently only used by novnc console type
+nova_console_ssl_dir: "/etc/nova/ssl"
+nova_console_ssl_cert: "{{ nova_console_ssl_dir }}/nova-console.pem"
+nova_console_ssl_key: "{{ nova_console_ssl_dir }}/nova-console.key"
+
 ## Nova global config
 nova_cpu_mode: host-model
 nova_linuxnet_interface_driver: nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver
--- a/playbooks/roles/os_nova/tasks/nova_console_novnc_install.yml
+++ b/playbooks/roles/os_nova/tasks/nova_console_novnc_install.yml
@ -88,3 +88,9 @@
  tags:
    - nova-install
    - nova-novnc-pip-packages
+
+- include: nova_console_novnc_ssl.yml
+  when: nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined
+  tags:
+    - nova-novnc
+    - nova-novnc-ssl
--- a/playbooks/roles/os_nova/tasks/nova_console_novnc_ssl.yml
+++ b/playbooks/roles/os_nova/tasks/nova_console_novnc_ssl.yml
@ -0,0 +1,39 @@
+---
+# Copyright 2016, Logan Vig <logan2211@gmail.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure ssl cert directory exists
+  file:
+    path: "{{ nova_console_ssl_dir }}"
+    state: directory
+    owner: "nova"
+    group: "nova"
+    mode: "0755"
+
+- name: Prepare combined nova-console SSL and CA certs
+  local_action: command cat {{ nova_console_user_ssl_cert }} {{ nova_console_user_ssl_ca_cert is defined | ternary(nova_console_user_ssl_ca_cert,'') }}
+  register: nova_console_user_ssl_combined
+
+- name: Drop user provided ssl cert and key
+  copy:
+    src: "{{ item.src | default(omit) }}"
+    content: "{{ item.content | default(omit) }}"
+    dest: "{{ item.dest }}"
+    owner: "nova"
+    group: "nova"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { content: "{{ nova_console_user_ssl_combined.stdout ~ '\n' }}", dest: "{{ nova_console_ssl_cert }}", mode: "0644" }
+    - { src: "{{ nova_console_user_ssl_key }}", dest: "{{ nova_console_ssl_key }}", mode: "0640" }
+  notify: Restart nova services
--- a/playbooks/roles/os_nova/templates/nova.conf.j2
+++ b/playbooks/roles/os_nova/templates/nova.conf.j2
@ -59,6 +59,13 @@ allow_resize_to_same_host = True
 image_cache_manager_interval = {{ nova_image_cache_manager_interval }}
 resume_guests_state_on_host_boot = {{ nova_resume_guests_state_on_host_boot }}

+{% if nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined and inventory_hostname in groups['nova_console'] %}
+# Console SSL keys
+ssl_only = true
+cert = {{ nova_console_ssl_cert }}
+key = {{ nova_console_ssl_key }}
+{% endif %}
+
 # Api's
 enabled_apis = {{ nova_enabled_apis }}
 osapi_compute_workers = {{ nova_osapi_compute_workers | default(api_threads) }}