Gitiles
Code Review Sign In
gerrit.mcp.mirantis.com / salt-models / reclass-system / ab68fe5af787e55661137cf9a693f8ff56de533f^! / . / salt / minion / ca / qemu-vnc_ca.yml
commitab68fe5af787e55661137cf9a693f8ff56de533f[log] [tgz]
authorOleksandr Shyshko <oshyshko@mirantis.com>Fri Jun 15 18:30:14 2018 +0300
committeroshyshko <oshyshko@mirantis.com>Tue Jul 10 15:03:09 2018 +0000
treecb54f6df4245b3f6fab8dd620e92261a05bd12a6
parent764cb41f3efe77706169359a8fe2cb8065bee987 [diff] [blame]
Added libvirt_vnc server and novnc-proxy client certificate templates

cluster:config
- system.salt.minion.ca.qemu-vnc_ca
cluster:compute
- system.nova.compute.libvirt.ssl.vnc
cluster:control
- system.nova.control.novncproxy
  haproxy:
    proxy:
      listen:
        nova_novnc:
          type: None          
cluster:proxy
   nginx:
    server:
      site:
        nginx_proxy_novnc:
          proxy:
            protocol: https

Related-Prod: PROD-19979

Change-Id: I60ec258cd048100a73d99b92ef87be771dc393b0

diff --git a/salt/minion/ca/qemu-vnc_ca.yml b/salt/minion/ca/qemu-vnc_ca.yml
new file mode 100644
index 0000000..53778f1
--- /dev/null
+++ b/salt/minion/ca/qemu-vnc_ca.yml

@@ -0,0 +1,30 @@
+parameters:
+  _param:
+    qemu_vnc_ca_common_name: QEMU VNC CA
+    qemu_vnc_ca_country: cz
+    qemu_vnc_ca_locality: Prague
+    qemu_vnc_ca_organization: Mirantis
+    qemu_vnc_ca_days_valid_authority: 3650
+    qemu_vnc_ca_days_valid_certificate: 365
+  salt:
+    minion:
+      ca:
+        qemu_vnc_ca:
+          # We recommend using a dedicated certificate authority solely for the VNC service.
+          # This authority may be a child of the master certificate authority used for the OpenStack deployment.
+          # This is because libvirt does not currently have a mechanism to restrict what certificates can be presented by the proxy server.
+          # https://docs.openstack.org/nova/queens/admin/remote-console-access.html
+          common_name: ${_param:qemu_vnc_ca_common_name}
+          country: ${_param:qemu_vnc_ca_country}
+          locality: ${_param:qemu_vnc_ca_locality}
+          organization: ${_param:qemu_vnc_ca_organization}
+          signing_policy:
+            cert_server:
+              type: v3_edge_cert_server
+              minions: 'cmp*'
+            cert_client:
+              type: v3_edge_cert_client
+              minions: 'ctl*'
+          days_valid:
+            authority: ${_param:qemu_vnc_ca_days_valid_authority}
+            certificate: ${_param:qemu_vnc_ca_days_valid_certificate}