Merge "Add ability to use global logging.conf"
diff --git a/README.rst b/README.rst
index 4229b90..4b5f63e 100644
--- a/README.rst
+++ b/README.rst
@@ -951,6 +951,7 @@
Enable transport + authentication for VNC over TLS
---------------------
+# Only for Queens. Communication between noVNC proxy service and QEMU
By default communication between nova-novncproxy and qemu service is unsecure.
@@ -962,31 +963,62 @@
controller:
novncproxy:
+ # This section responsible for communication between noVNC proxy and client machine
tls:
enabled: True
+ # This section responsible for communication between nova-novncproxy and qemu service
+ vencrypt:
+ tls:
+ enabled: True
You able to set custom certificates in pillar:
- nova:
- compute:
- qemu:
- vnc:
- tls:
- cacert (certificate content)
- cert (certificate content)
- key (certificate content)
+nova:
+ compute:
+ qemu:
+ vnc:
+ tls:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+
+nova:
+ controller:
+ novncproxy:
+ tls:
+ server:
+ cert (certificate content)
+ key (certificate content)
+ vencrypt:
+ tls:
+ cacert (certificate content)
+ cert (certificate content)
+ key (certificate content)
+
+
+You can read more about it here:
+ https://docs.openstack.org/nova/queens/admin/remote-console-access.html
+
+Enable communication between noVNC proxy and client machine over TLS
+---------------------
+
+By default communication between noVNC proxy and client machine is unsecure.
+
+ controller:
+ novncproxy:
+ tls:
+ enabled: True
nova:
controller:
novncproxy:
tls:
- cacert (certificate content)
- cert (certificate content)
- key (certificate content)
- allfile (certificate content)
+ server:
+ cert (certificate content)
+ key (certificate content)
You can read more about it here:
- https://docs.openstack.org/nova/queens/admin/remote-console-access.html
+ https://docs.openstack.org/mitaka/config-reference/dashboard/configure.html
Documentation and Bugs
======================
diff --git a/nova/controller.sls b/nova/controller.sls
index 45b5ac0..2ea0510 100644
--- a/nova/controller.sls
+++ b/nova/controller.sls
@@ -64,18 +64,19 @@
- user: user_nova
{%- endif %}
-{%- if controller.novncproxy.tls.get('enabled', False) %}
+# Only for Queens. Communication between noVNC proxy service and QEMU
+{%- if controller.version not in ['mitaka', 'newton', 'ocata', 'pike'] %}
+{%- if controller.novncproxy.vencrypt.tls.get('enabled', False) %}
-{%- set ca_file=controller.novncproxy.tls.get('ca_file') %}
-{%- set key_file=controller.novncproxy.tls.get('key_file') %}
-{%- set cert_file=controller.novncproxy.tls.get('cert_file') %}
-{%- set all_file=controller.novncproxy.tls.get('all_file') %}
+{%- set ca_file=controller.novncproxy.vencrypt.tls.get('ca_file') %}
+{%- set key_file=controller.novncproxy.vencrypt.tls.get('key_file') %}
+{%- set cert_file=controller.novncproxy.vencrypt.tls.get('cert_file') %}
-novncproxy_ca_nova_compute:
-{%- if controller.novncproxy.tls.cacert is defined %}
+novncproxy_vencrypt_ca:
+{%- if controller.novncproxy.vencrypt.tls.cacert is defined %}
file.managed:
- name: {{ ca_file }}
- - contents_pillar: nova:controller:novncproxy:tls:cacert
+ - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cacert
- mode: 444
- makedirs: true
- watch_in:
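Review bot: The version gate added at the `{%- if controller.version not in [...] %}` line makes `vencrypt.tls.enabled: True` a silent no-op on Pike and earlier — the operator believes the proxy-to-QEMU leg is encrypted, but no state is rendered and nothing fails. A render-time error or at least a documenting comment would make the misconfiguration visible, e.g. `# vencrypt is skipped entirely on releases before Queens; setting vencrypt.tls.enabled there has no effect`. The two nested `if` blocks opened here are closed outside this hunk.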
@@ -85,11 +86,11 @@
- name: {{ ca_file }}
{%- endif %}
-novncproxy_public_cert:
-{%- if controller.novncproxy.tls.cert is defined %}
+novncproxy_vencrypt_public_cert:
+{%- if controller.novncproxy.vencrypt.tls.cert is defined %}
file.managed:
- name: {{ cert_file }}
- - contents_pillar: nova:controller:novncproxy:tls:cert
+ - contents_pillar: nova:controller:novncproxy:vencrypt:tls:cert
- mode: 440
- makedirs: true
{%- else %}
@@ -97,30 +98,49 @@
- name: {{ cert_file }}
{%- endif %}
-novncproxy_private_key:
-{%- if controller.novncproxy.tls.key is defined %}
+novncproxy_vencrypt_private_key:
+{%- if controller.novncproxy.vencrypt.tls.key is defined %}
file.managed:
- name: {{ key_file }}
- - contents_pillar: nova:controller:novncproxy:tls:key
+ - contents_pillar: nova:controller:novncproxy:vencrypt:tls:key
- mode: 400
- makedirs: true
{%- else %}
file.exists:
- name: {{ key_file }}
{%- endif %}
+{%- endif %}
+{%- endif %}
-novncproxy_all_file:
-{%- if controller.novncproxy.tls.allfile is defined %}
+{%- if controller.novncproxy.tls.get('enabled', False) %}
+{%- set key_file=controller.novncproxy.tls.server.get('key_file') %}
+{%- set cert_file=controller.novncproxy.tls.server.get('cert_file') %}
+
+novncproxy_server_public_cert:
+{%- if controller.novncproxy.tls.server.cert is defined %}
file.managed:
- - name: {{ all_file }}
- - contents_pillar: nova:controller:novncproxy:tls:allfile
+ - name: {{ cert_file }}
+ - contents_pillar: nova:controller:novncproxy:tls:server:cert
- mode: 440
- makedirs: true
+ - watch_in:
+ - service: nova_controller_services
+{%- else %}
+ file.exists:
+ - name: {{ cert_file }}
+{%- endif %}
+
+novncproxy_server_private_key:
+{%- if controller.novncproxy.tls.server.key is defined %}
+ file.managed:
+ - name: {{ key_file }}
+ - contents_pillar: nova:controller:novncproxy:tls:server:key
+ - mode: 400
+ - makedirs: true
{%- else %}
file.exists:
- - name: {{ all_file }}
+ - name: {{ key_file }}
{%- endif %}
-
{%- endif %}
{%- if controller.get('networking', 'default') == "contrail" and controller.version == "juno" %}
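Review bot: `novncproxy_server_private_key` has no `watch_in`, while `novncproxy_server_public_cert` just above it does, so a pillar change that rotates only the key leaves the running proxy serving the old key until something else restarts it; add `- watch_in:` / `- service: nova_controller_services` to the key state as well. The removed `novncproxy_all_file` state also means an upgraded node keeps the previously managed `all_file` (which held the key material) on disk unmanaged; a `file.absent` for the old path, or a README upgrade note, would cover that. The key is written with `mode: 400` and no explicit `user`, so it is presumably root-owned — confirm the service user can read it. The enclosing `{%- if controller.novncproxy.tls.get('enabled', False) %}` block starts inside this hunk and ends at the `{%- endif %}` before the contrail check.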
diff --git a/nova/files/pike/nova-controller.conf.Debian b/nova/files/pike/nova-controller.conf.Debian
index 2d5ed67..682b675 100644
--- a/nova/files/pike/nova-controller.conf.Debian
+++ b/nova/files/pike/nova-controller.conf.Debian
@@ -2525,6 +2525,11 @@
# Disallow non-encrypted connections. (boolean value)
#ssl_only=false
+{%- if controller.novncproxy.tls.get('enabled', False) %}
+ssl_only=True
+cert={{controller.novncproxy.tls.server.cert_file|yaml_squote}}
+key={{controller.novncproxy.tls.server.key_file|yaml_squote}}
+{%- endif %}
# Set to True if source host is addressed with IPv6. (boolean value)
#source_is_ipv6=false
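Review bot: The new `ssl_only=True` block hardens only the browser-to-noVNC-proxy websocket; on Pike the proxy-to-QEMU vencrypt section is never rendered (controller.sls gates it to releases after Pike), so an operator enabling `tls` here still has the second hop in clear. A template comment above the `{%- if` would prevent that misreading, e.g. `# Covers only the client <-> noVNC proxy leg; proxy <-> QEMU (vencrypt) TLS is not available on Pike`. The identical block in nova/files/queens/nova-controller.conf.Debian (first hunk) would take the same comment, minus the Pike caveat.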
diff --git a/nova/files/queens/nova-controller.conf.Debian b/nova/files/queens/nova-controller.conf.Debian
index c5610c1..de3178f 100644
--- a/nova/files/queens/nova-controller.conf.Debian
+++ b/nova/files/queens/nova-controller.conf.Debian
@@ -3028,6 +3028,11 @@
# Disallow non-encrypted connections. (boolean value)
#ssl_only = false
+{%- if controller.novncproxy.tls.get('enabled', False) %}
+ssl_only=True
+cert={{controller.novncproxy.tls.server.cert_file|yaml_squote}}
+key={{controller.novncproxy.tls.server.key_file|yaml_squote}}
+{%- endif %}
# Set to True if source host is addressed with IPv6. (boolean value)
#source_is_ipv6 = false
@@ -9848,11 +9853,11 @@
{%- else %}
vncserver_listen={{ controller.bind.get('novncproxy_address', '0.0.0.0') }}
{%- endif %}
-{%- if controller.novncproxy.tls.get('enabled', False) %}
+{%- if controller.novncproxy.vencrypt.tls.get('enabled', False) %}
auth_schemes=vencrypt
-vencrypt_client_key={{controller.novncproxy.tls.key_file|yaml_squote}}
-vencrypt_client_cert={{controller.novncproxy.tls.cert_file|yaml_squote}}
-vencrypt_ca_certs={{controller.novncproxy.tls.ca_file|yaml_squote}}
+vencrypt_client_key={{controller.novncproxy.vencrypt.tls.key_file|yaml_squote}}
+vencrypt_client_cert={{controller.novncproxy.vencrypt.tls.cert_file|yaml_squote}}
+vencrypt_ca_certs={{controller.novncproxy.vencrypt.tls.ca_file|yaml_squote}}
{%- endif %}
#
diff --git a/nova/map.jinja b/nova/map.jinja
index 7894ae7..bc7c9d1 100644
--- a/nova/map.jinja
+++ b/nova/map.jinja
@@ -53,9 +53,18 @@
'novncproxy': {
'tls': {
'enabled': false,
- 'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
- 'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
- 'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+ 'server': {
+ 'key_file': '/etc/pki/nova-novncproxy/server-key.pem',
+ 'cert_file': '/etc/pki/nova-novncproxy/server-cert.pem',
+ }
+ },
+ 'vencrypt': {
+ 'tls': {
+ 'enabled': false,
+ 'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
+ 'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
+ 'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+ }
}
},
},
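Review bot: The closing braces of the new `'server'` and inner vencrypt `'tls'` dicts are written as `}` without a trailing comma, while every other last entry in these mappings (`'cert_file': '...pem',`) keeps one; for consistency and cleaner future diffs write `},` on both. The same applies to the second map.jinja hunk below, which mirrors this block.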
@@ -80,9 +89,18 @@
'novncproxy': {
'tls': {
'enabled': false,
- 'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
- 'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
- 'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+ 'server': {
+ 'key_file': '/etc/pki/nova-novncproxy/server-key.pem',
+ 'cert_file': '/etc/pki/nova-novncproxy/server-cert.pem',
+ }
+ },
+ 'vencrypt': {
+ 'tls': {
+ 'enabled': false,
+ 'key_file': '/etc/pki/nova-novncproxy/client-key.pem',
+ 'cert_file': '/etc/pki/nova-novncproxy/client-cert.pem',
+ 'ca_file': '/etc/pki/nova-novncproxy/ca-cert.pem',
+ }
}
},
},