Allow enabling vencrypt for VNC

This patchset allows enabling vencrypt for VNC, based on a
downstream patchset. [1]

Primary differences:
- uses HTK to render the cert instead of its own template
- leaves the creation of a separate (sub)issuer for vencrypt as
  outside the scope of this (and the libvirt) chart.

1. https://github.com/vexxhost/atmosphere/pull/483

Co-Authored-By: Oleksandr Kozachenko okozachenko1203@gmail.com

Change-Id: If377faebc4c65f37b08a3c8aab2fed844a07c26f
Mosher, Jaymes (jm616v) 2023-07-10 23:13:35 -06:00
parent 818b067071
commit bee2353cae
6 changed files with 35 additions and 1 deletions


@ -14,7 +14,7 @@ apiVersion: v1
appVersion: v1.0.0
description: OpenStack-Helm Nova
name: nova
version: 0.3.18
version: 0.3.19
home: https://docs.openstack.org/nova/latest/
icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
sources:


@ -17,6 +17,9 @@ limitations under the License.
{{- if .Values.manifests.deployment_novncproxy }}
{{ dict "envAll" . "service" "compute_novnc_proxy" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
{{ dict "envAll" . "service" "compute_novnc_vencrypt" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
{{- if .Values.manifests.deployment_placement }}
{{ dict "envAll" . "service" "placement" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
{{- end }}
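Review bot: The new vencrypt Certificate is gated only on `contains "vencrypt" .Values.conf.nova.vnc.auth_schemes`, whereas the sibling novncproxy Certificate two lines above is gated on `.Values.manifests.deployment_novncproxy`; with the proxy deployment switched off but `vencrypt` still listed, a `compute_novnc_vencrypt` Certificate would still be rendered for a service that does not exist. Suggest `{{- if and .Values.manifests.deployment_novncproxy (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}`. The trailing `-}}` on that `if` line also differs from the plain `}}` used by the surrounding guards and trims the newline before the `{{ dict ... }}` include, which may glue the rendered manifest onto the preceding output; aligning it with the neighbours keeps the trimming uniform across the file.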


@ -188,6 +188,18 @@ limitations under the License.
{{- end -}}
{{- end -}}
{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
{{- if empty .Values.conf.nova.vnc.vencrypt_client_key }}
{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_key" "/etc/pki/nova-novncproxy/tls.key" -}}
{{- end }}
{{- if empty .Values.conf.nova.vnc.vencrypt_client_cert }}
{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_cert" "/etc/pki/nova-novncproxy/tls.crt" -}}
{{- end }}
{{- if empty .Values.conf.nova.vnc.vencrypt_ca_certs }}
{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_ca_certs" "/etc/pki/nova-novncproxy/ca.crt" -}}
{{- end }}
{{- end }}
{{- if eq .Values.console.console_kind "spice"}}
{{- $_ := "false" | set .Values.conf.nova.vnc "enabled" -}}
{{- $_ := "true" | set .Values.conf.nova.spice "enabled" -}}
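Review bot: The three defaults set here hard-code `/etc/pki/nova-novncproxy/...`, the same literal that the novncproxy deployment template passes as the `tls_volume_mount` path for the vencrypt secret; nothing ties the two together, so an operator who changes one side gets a proxy that points at files that are not mounted, with no render-time error. Either derive both from a single value (for example a `conf.nova.vnc.vencrypt_cert_dir` that the mount and these defaults share), or at minimum add `{{- /* These defaults must match the mount path of the vencrypt TLS secret in the novncproxy deployment */ -}}` above the `vencrypt` block so the coupling is visible. The block also checks `.Values.conf.nova.vnc` but writes through `$envAll.Values.conf.nova.vnc`; using one spelling for both avoids a reader having to confirm they are the same object. The enclosing template continues outside this hunk.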


@ -28,6 +28,8 @@ tcpSocket:
{{- $mounts_nova_novncproxy := .Values.pod.mounts.nova_novncproxy.nova_novncproxy }}
{{- $mounts_nova_novncproxy_init := .Values.pod.mounts.nova_novncproxy.init_novncproxy }}
{{- $vencrypt_enabled := (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}
{{- $serviceAccountName := "nova-novncproxy" }}
{{ tuple $envAll "novncproxy" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
---
@ -144,6 +146,7 @@ spec:
mountPath: /tmp/pod-shared
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal "path" "/etc/mysql/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal "path" "/etc/nova/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal "path" "/etc/pki/nova-novncproxy" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal "path" "/etc/rabbitmq/certs" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
{{ if $mounts_nova_novncproxy.volumeMounts }}{{ toYaml $mounts_nova_novncproxy.volumeMounts | indent 12 }}{{ end }}
volumes:
@ -163,6 +166,7 @@ spec:
emptyDir: {}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $vencrypt_enabled "name" .Values.secrets.tls.compute_novnc_proxy.vencrypt.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{ if $mounts_nova_novncproxy.volumes }}{{ toYaml $mounts_nova_novncproxy.volumes | indent 8 }}{{ end }}
{{- end }}
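Review bot: The vencrypt volume and mount (the two `dict "enabled" $vencrypt_enabled ...` lines) are enabled from the auth scheme alone, while every neighbouring TLS mount is enabled from `.Values.manifests.certificates`; if certificates are disabled but `vencrypt` is listed, the pod still references Secret `nova-novncproxy-vencrypt`, and this page shows nothing else in the chart that would create it, so the pod would presumably stay in ContainerCreating until it is supplied out of band. If supplying the Secret externally is the intended path (the description says the sub-issuer is out of scope), document that at `secrets.tls.compute_novnc_proxy.vencrypt.internal` in values; otherwise gate with `{{- $vencrypt_enabled := and .Values.manifests.certificates (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}`.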


@ -1369,6 +1369,7 @@ conf:
instance_usage_audit_period: hour
resume_guests_state_on_host_boot: True
vnc:
auth_schemes: none
novncproxy_host: 0.0.0.0
server_listen: 0.0.0.0
# This would be set by each compute nodes's ip
@ -1556,6 +1557,8 @@ secrets:
novncproxy:
public: nova-novncproxy-tls-public
internal: nova-novncproxy-tls-proxy
vencrypt:
internal: nova-novncproxy-vencrypt
compute_metadata:
metadata:
public: metadata-tls-public
@ -1840,6 +1843,17 @@ endpoints:
novnc_proxy:
default: 6080
public: 80
# This endpoint is only to allow configuring the cert used specifically for
# vencrypt. Specifically, the same CA/issuer needs to be used to sign both
# this cert, and the libvirt/qemu certs.
compute_novnc_vencrypt:
hosts:
default: nova-novncproxy
host_fqdn_override:
default:
commonName: nova-novncproxy
usages:
- client auth
compute_spice_proxy:
name: nova
hosts:
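Review bot: `auth_schemes: none` is added without a comment, yet the chart now branches on `contains "vencrypt"` of this string in three templates, and the value also decides whether the proxy may still negotiate an unencrypted scheme with the compute host. Suggest a comment above it such as `# Auth schemes the proxy may negotiate with compute hosts, as nova's [vnc]auth_schemes list (comma-separated); list the strongest first, e.g. "vencrypt,none". Including "vencrypt" makes the chart render the vencrypt cert and mount it into the proxy.` — nova's option documentation says the first matching scheme wins, so order is security-relevant. The new `vencrypt.internal` secret name and the `compute_novnc_vencrypt` endpoint would likewise benefit from a one-line note saying the Secret must be signed by the same CA as the libvirt/qemu certs, which the endpoint comment already hints at.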


@ -87,4 +87,5 @@ nova:
- 0.3.16 Use service tokens
- 0.3.17 Set targeted dependency of nova-compute with ovn networking backend
- 0.3.18 Fix nova ssh keys permission
- 0.3.19 Add support for enabling vencrypt
...