openstack/openstack-helm
Code Issues Proposed changes

Allow enabling vencrypt for VNC

Browse Source 
This patchset allows enabling vencrypt for VNC, based on a
downstream patchset. [1]

Primary differences:
- uses HTK to render the cert instead of its own template
- leaves the creation of a separate (sub)issuer for vencrypt as
  outside the scope of this (and the libvirt) chart.

1. https://github.com/vexxhost/atmosphere/pull/483

Co-Authored-By: Oleksandr Kozachenko okozachenko1203@gmail.com

Change-Id: If377faebc4c65f37b08a3c8aab2fed844a07c26f
This commit is contained in:
Mosher, Jaymes (jm616v) 2023-07-10 23:13:35 -06:00
parent 818b067071
commit bee2353cae
6 changed files with 35 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nova/Chart.yaml
View File

@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0 appVersion: v1.0.0
description: OpenStack-Helm Nova description: OpenStack-Helm Nova
name: nova name: nova
version: 0.3.18 version: 0.3.19
home: https://docs.openstack.org/nova/latest/ home: https://docs.openstack.org/nova/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
sources: sources:

3
nova/templates/certificates.yaml
View File

@ -17,6 +17,9 @@ limitations under the License.
{{- if .Values.manifests.deployment_novncproxy }} {{- if .Values.manifests.deployment_novncproxy }}
{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }} {{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }} {{- end }}
{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
{{ dict "envAll" . "service" "compute_novnc_vencrypt" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{- if .Values.manifests.deployment_placement }} {{- if .Values.manifests.deployment_placement }}
{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }} {{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }} {{- end }}

12
nova/templates/configmap-etc.yaml
View File

@ -188,6 +188,18 @@ limitations under the License.
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}
{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
{{- if empty .Values.conf.nova.vnc.vencrypt_client_key }}
{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_key" "/etc/pki/nova-novncproxy/tls.key" -}}
{{- end }}
{{- if empty .Values.conf.nova.vnc.vencrypt_client_cert }}
{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_cert" "/etc/pki/nova-novncproxy/tls.crt" -}}
{{- end }}
{{- if empty .Values.conf.nova.vnc.vencrypt_ca_certs }}
{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_ca_certs" "/etc/pki/nova-novncproxy/ca.crt" -}}
{{- end }}
{{- end }}
{{- if eq .Values.console.console_kind "spice"}} {{- if eq .Values.console.console_kind "spice"}}
{{- $_ := "false" | set .Values.conf.nova.vnc "enabled" -}} {{- $_ := "false" | set .Values.conf.nova.vnc "enabled" -}}
{{- $_ := "true" | set .Values.conf.nova.spice "enabled" -}} {{- $_ := "true" | set .Values.conf.nova.spice "enabled" -}}

4
nova/templates/deployment-novncproxy.yaml
View File

@ -28,6 +28,8 @@ tcpSocket:
{{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }} {{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }}
{{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }} {{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }}
{{- $vencrypt_enabled := (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}
{{- $serviceAccountName := "nova-novncproxy" }} {{- $serviceAccountName := "nova-novncproxy" }}
{{ tuple $envAll "novncproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }} {{ tuple $envAll "novncproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
--- ---
@ -144,6 +146,7 @@ spec:
mountPath: /tmp/pod-shared mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal "path" "/etc/pki/nova-novncproxy" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }} {{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
volumes: volumes:
@ -163,6 +166,7 @@ spec:
emptyDir: {} emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }} {{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }} {{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
{{- end }} {{- end }}

14
nova/values.yaml
View File

@ -1369,6 +1369,7 @@ conf:
instance_usage_audit_period: hour instance_usage_audit_period: hour
resume_guests_state_on_host_boot: True resume_guests_state_on_host_boot: True
vnc: vnc:
auth_schemes: none
novncproxy_host: 0.0.0.0 novncproxy_host: 0.0.0.0
server_listen: 0.0.0.0 server_listen: 0.0.0.0
# This would be set by each compute nodes's ip # This would be set by each compute nodes's ip
@ -1556,6 +1557,8 @@ secrets:
novncproxy: novncproxy:
public: nova-novncproxy-tls-public public: nova-novncproxy-tls-public
internal: nova-novncproxy-tls-proxy internal: nova-novncproxy-tls-proxy
vencrypt:
internal: nova-novncproxy-vencrypt
compute_metadata: compute_metadata:
metadata: metadata:
public: metadata-tls-public public: metadata-tls-public
@ -1840,6 +1843,17 @@ endpoints:
novnc_proxy: novnc_proxy:
default: 6080 default: 6080
public: 80 public: 80
# This endpoint is only to allow configuring the cert used specifically for
# vencrypt. Specifically, the same CA/issuer needs to be used to sign both
# this cert, and the libvirt/qemu certs.
compute_novnc_vencrypt:
hosts:
default: nova-novncproxy
host_fqdn_override:
default:
commonName: nova-novncproxy
usages:
- client auth
compute_spice_proxy: compute_spice_proxy:
name: nova name: nova
hosts: hosts:

1
releasenotes/notes/nova.yaml
View File

@ -87,4 +87,5 @@ nova:
- 0.3.16 Use service tokens - 0.3.16 Use service tokens
- 0.3.17 Set targeted dependency of nova-compute with ovn networking backend - 0.3.17 Set targeted dependency of nova-compute with ovn networking backend
- 0.3.18 Fix nova ssh keys permission - 0.3.18 Fix nova ssh keys permission
- 0.3.19 Add support for enabling vencrypt
... ...