From 9a0529c03e9db8038756989214ae5578885fdf0c Mon Sep 17 00:00:00 2001
From: Logan V
Date: Thu, 14 Jan 2016 20:14:48 -0600
Subject: [PATCH] Add ssl deployment to novnc console type

Deploy user SSL keys for novnc console containers so users viewing the console in Horizon will be able to access the console over https.

Example configuration:
nova_console_type: novnc
nova_novncproxy_proto: https
nova_console_user_ssl_cert: ~/certs/horizon.pem
nova_console_user_ssl_key: ~/certs/horizon.key
nova_console_user_ssl_ca_cert: "{{ ssl_ca_cert }}"

Change-Id: Icb66631ac0b00afe12519fd742e3198e828a10cc
---
 playbooks/roles/os_nova/defaults/main.yml | 5 +++
 .../tasks/nova_console_novnc_install.yml | 6 +++
 .../os_nova/tasks/nova_console_novnc_ssl.yml | 39 +++++++++++++++++++
 .../roles/os_nova/templates/nova.conf.j2 | 7 ++++
 4 files changed, 57 insertions(+)
 create mode 100644 playbooks/roles/os_nova/tasks/nova_console_novnc_ssl.yml

diff --git a/playbooks/roles/os_nova/defaults/main.yml b/playbooks/roles/os_nova/defaults/main.yml
index c5cf68a5aa..efcf32d3dc 100644
--- a/playbooks/roles/os_nova/defaults/main.yml
+++ b/playbooks/roles/os_nova/defaults/main.yml
@@ -156,6 +156,11 @@ nova_console_keymap: en-us
 # Set the console type. Presently the only options are ["spice", "novnc"].
 nova_console_type: spice
 
+# Nova console ssl info, presently only used by novnc console type
+nova_console_ssl_dir: "/etc/nova/ssl"
+nova_console_ssl_cert: "{{ nova_console_ssl_dir }}/nova-console.pem"
+nova_console_ssl_key: "{{ nova_console_ssl_dir }}/nova-console.key"
+
 ## Nova global config
 nova_cpu_mode: host-model
 nova_linuxnet_interface_driver: nova.network.linux_net.NeutronLinuxBridgeInterfaceDriver
diff --git a/playbooks/roles/os_nova/tasks/nova_console_novnc_install.yml b/playbooks/roles/os_nova/tasks/nova_console_novnc_install.yml
index ae569ad910..8ef6819c0f 100644
--- a/playbooks/roles/os_nova/tasks/nova_console_novnc_install.yml
+++ b/playbooks/roles/os_nova/tasks/nova_console_novnc_install.yml
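Review bot: The variables an operator must set to enable this feature (`nova_console_user_ssl_cert`, `nova_console_user_ssl_key`, `nova_console_user_ssl_ca_cert`) are mentioned only in the commit message; defaults/main.yml, which is the role's documented interface, introduces just the target paths on the console host. Add commented placeholders under the new comment so the interface is discoverable without reading the tasks, e.g. `# nova_console_user_ssl_cert: /path/on/deploy/host/console.pem`, `# nova_console_user_ssl_key: /path/on/deploy/host/console.key`, `# nova_console_user_ssl_ca_cert: /path/on/deploy/host/ca.pem`, plus a line stating that all three are read on the deployment host and that defining the cert and key switches the novnc proxy to ssl_only.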
@@ -88,3 +88,9 @@
   tags:
     - nova-install
     - nova-novnc-pip-packages
+
+- include: nova_console_novnc_ssl.yml
+  when: nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined
+  tags:
+    - nova-novnc
+    - nova-novnc-ssl
diff --git a/playbooks/roles/os_nova/tasks/nova_console_novnc_ssl.yml b/playbooks/roles/os_nova/tasks/nova_console_novnc_ssl.yml
new file mode 100644
index 0000000000..003fcaaa23
--- /dev/null
+++ b/playbooks/roles/os_nova/tasks/nova_console_novnc_ssl.yml
@@ -0,0 +1,39 @@
+---
+# Copyright 2016, Logan Vig
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Ensure ssl cert directory exists
+  file:
+    path: "{{ nova_console_ssl_dir }}"
+    state: directory
+    owner: "nova"
+    group: "nova"
+    mode: "0755"
+
+- name: Prepare combined nova-console SSL and CA certs
+  local_action: command cat {{ nova_console_user_ssl_cert }} {{ nova_console_user_ssl_ca_cert is defined | ternary(nova_console_user_ssl_ca_cert,'') }}
+  register: nova_console_user_ssl_combined
+
+- name: Drop user provided ssl cert and key
+  copy:
+    src: "{{ item.src | default(omit) }}"
+    content: "{{ item.content | default(omit) }}"
+    dest: "{{ item.dest }}"
+    owner: "nova"
+    group: "nova"
+    mode: "{{ item.mode }}"
+  with_items:
+    - { content: "{{ nova_console_user_ssl_combined.stdout ~ '\n' }}", dest: "{{ nova_console_ssl_cert }}", mode: "0644" }
+    - { src: "{{ nova_console_user_ssl_key }}", dest: "{{ nova_console_ssl_key }}", mode: "0640" }
+  notify: Restart nova services
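Review bot: In the "Prepare combined nova-console SSL and CA certs" task, `cat` emits the CA file directly after the user cert with no separator, so a cert file that lacks a trailing newline puts `-----END CERTIFICATE-----` and the following `-----BEGIN CERTIFICATE-----` on one line and the chain the proxy loads does not parse; the `~ '\n'` on the content item only repairs the tail of the blob. Reading both files on the deploy host with the file lookup, which strips the trailing newline, and joining them explicitly removes both the local command and the separator problem: `content: "{{ lookup('file', nova_console_user_ssl_cert) ~ '\n' ~ (lookup('file', nova_console_user_ssl_ca_cert) ~ '\n' if nova_console_user_ssl_ca_cert is defined else '') }}"`, after which the "Prepare" task and its registered variable can be dropped. The private key item is written with `mode: "0640"`; since only the `nova` user needs to read it, `"0600"` is the tighter default. A `validate: "openssl x509 -noout -in %s"` on the cert item would catch a broken chain before the handler restarts the proxy, but `validate` is applied to every loop item, so it would have to be supplied per item via `{{ item.validate | default(omit) }}`.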
diff --git a/playbooks/roles/os_nova/templates/nova.conf.j2 b/playbooks/roles/os_nova/templates/nova.conf.j2
index 8449ee3080..2c558667b5 100644
--- a/playbooks/roles/os_nova/templates/nova.conf.j2
+++ b/playbooks/roles/os_nova/templates/nova.conf.j2
@@ -59,6 +59,13 @@ allow_resize_to_same_host = True
 image_cache_manager_interval = {{ nova_image_cache_manager_interval }}
 resume_guests_state_on_host_boot = {{ nova_resume_guests_state_on_host_boot }}
 
+{% if nova_console_user_ssl_cert is defined and nova_console_user_ssl_key is defined and inventory_hostname in groups['nova_console'] %}
+# Console SSL keys
+ssl_only = true
+cert = {{ nova_console_ssl_cert }}
+key = {{ nova_console_ssl_key }}
+{% endif %}
+
 # Api's
 enabled_apis = {{ nova_enabled_apis }}
 osapi_compute_workers = {{ nova_osapi_compute_workers | default(api_threads) }}
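Review bot: `ssl_only = true` is rendered as soon as the cert and key variables are defined, with no link to `nova_novncproxy_proto`, which the commit message lists as a separate setting; a deployment that defines the certs but leaves the proxy URL on http will have Horizon open a plaintext websocket that a proxy with ssl_only set is expected to refuse. Either derive the proto from the same condition or state the coupling in the template comment: `# Console SSL keys; requires nova_novncproxy_proto: https so Horizon's console URL matches ssl_only`. The guard here also differs from the include in nova_console_novnc_install.yml, which has no `inventory_hostname in groups['nova_console']` term; that is harmless if that task file only runs on console hosts, but the two conditions are worth aligning. The config section these options belong to starts above the hunk.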