Added libvirt_vnc server and novnc-proxy client certificate templates
cluster:config
- system.salt.minion.ca.qemu-vnc_ca
cluster:compute
- system.nova.compute.libvirt.ssl.vnc
cluster:control
- system.nova.control.novncproxy
haproxy:
proxy:
listen:
nova_novnc:
type: None
cluster:proxy
nginx:
server:
site:
nginx_proxy_novnc:
proxy:
protocol: https
Related-Prod: PROD-19979
Change-Id: I60ec258cd048100a73d99b92ef87be771dc393b0
diff --git a/salt/minion/ca/qemu-vnc_ca.yml b/salt/minion/ca/qemu-vnc_ca.yml
new file mode 100644
index 0000000..53778f1
--- /dev/null
+++ b/salt/minion/ca/qemu-vnc_ca.yml
@@ -0,0 +1,30 @@
+parameters:
+ _param:
+ qemu_vnc_ca_common_name: QEMU VNC CA
+ qemu_vnc_ca_country: cz
+ qemu_vnc_ca_locality: Prague
+ qemu_vnc_ca_organization: Mirantis
+ qemu_vnc_ca_days_valid_authority: 3650
+ qemu_vnc_ca_days_valid_certificate: 365
+ salt:
+ minion:
+ ca:
+ qemu_vnc_ca:
+ # We recommend using a dedicated certificate authority solely for the VNC service.
+ # This authority may be a child of the master certificate authority used for the OpenStack deployment.
+ # This is because libvirt does not currently have a mechanism to restrict what certificates can be presented by the proxy server.
+ # https://docs.openstack.org/nova/queens/admin/remote-console-access.html
+ common_name: ${_param:qemu_vnc_ca_common_name}
+ country: ${_param:qemu_vnc_ca_country}
+ locality: ${_param:qemu_vnc_ca_locality}
+ organization: ${_param:qemu_vnc_ca_organization}
+ signing_policy:
+ cert_server:
+ type: v3_edge_cert_server
+ minions: 'cmp*'
+ cert_client:
+ type: v3_edge_cert_client
+ minions: 'ctl*'
+ days_valid:
+ authority: ${_param:qemu_vnc_ca_days_valid_authority}
+ certificate: ${_param:qemu_vnc_ca_days_valid_certificate}
diff --git a/salt/minion/cert/libvirtd/vnc_server.yml b/salt/minion/cert/libvirtd/vnc_server.yml
new file mode 100644
index 0000000..c49852e
--- /dev/null
+++ b/salt/minion/cert/libvirtd/vnc_server.yml
@@ -0,0 +1,27 @@
+parameters:
+ _param:
+ qemu_vnc_server_ssl_key_file: /etc/pki/libvirt-vnc/server-key.pem
+ qemu_vnc_server_ssl_cert_file: /etc/pki/libvirt-vnc/server-cert.pem
+ qemu_vnc_ssl_ca_file: /etc/pki/libvirt-vnc/ca-cert.pem
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ qemu_vnc_ca_authority: qemu_vnc_ca
+ salt:
+ minion:
+ cert:
+ qemu_vnc_server:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:qemu_vnc_ca_authority}
+ common_name: ${linux:system:name}.${_param:cluster_domain}
+ signing_policy: cert_server
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:qemu_vnc_server_ssl_key_file}
+ cert_file: ${_param:qemu_vnc_server_ssl_cert_file}
+ ca_file: ${_param:qemu_vnc_ssl_ca_file}
+ user: libvirt-qemu
+ group: libvirt-qemu
+ mode: 640
diff --git a/salt/minion/cert/vnc/init.yml b/salt/minion/cert/vnc/init.yml
new file mode 100644
index 0000000..6f7f6ee
--- /dev/null
+++ b/salt/minion/cert/vnc/init.yml
@@ -0,0 +1,4 @@
+parameters:
+ _param:
+ salt_minion_ca_host: cfg01.${_param:cluster_domain}
+ qemu_vnc_ca_authority: qemu_vnc_ca
diff --git a/salt/minion/cert/vnc/novncproxy_client.yml b/salt/minion/cert/vnc/novncproxy_client.yml
new file mode 100644
index 0000000..7f695eb
--- /dev/null
+++ b/salt/minion/cert/vnc/novncproxy_client.yml
@@ -0,0 +1,29 @@
+classes:
+- system.salt.minion.cert.vnc
+parameters:
+ _param:
+ novncproxy_client_ssl_key_file: /etc/pki/nova-novncproxy/client-key.pem
+ novncproxy_client_ssl_cert_file: /etc/pki/nova-novncproxy/client-cert.pem
+ novncproxy_ssl_ca_file: /etc/pki/nova-novncproxy/ca-cert.pem
+ nova_websocketproxy_ssl_all_file: /var/lib/nova/self.pem
+ salt:
+ minion:
+ cert:
+ libvirt_novnc_client:
+ host: ${_param:salt_minion_ca_host}
+ authority: ${_param:qemu_vnc_ca_authority}
+ common_name: ${linux:system:name}.${_param:cluster_domain}
+ signing_policy: cert_client
+ alternative_names: >
+ IP:${_param:cluster_local_address},
+ DNS:${_param:cluster_local_address},
+ DNS:${linux:system:name},
+ DNS:${linux:network:fqdn}
+ key_usage: "digitalSignature,nonRepudiation,keyEncipherment"
+ key_file: ${_param:novncproxy_client_ssl_key_file}
+ cert_file: ${_param:novncproxy_client_ssl_cert_file}
+ ca_file: ${_param:novncproxy_ssl_ca_file}
+ all_file: ${_param:nova_websocketproxy_ssl_all_file}
+ user: nova
+ group: nova
+ mode: 640