[wip] novncproxy tls

controllers/novanovncproxy_controller.go

@@ -348,11 +348,14 @@ func (r *NovaNoVNCProxyReconciler) generateConfigs(
 		"cell_db_address":        instance.Spec.CellDatabaseHostname,
 		"cell_db_port":           3306,
 		"transport_url":          string(secret.Data[TransportURLSelector]),
-		"openstack_cacert":       "",          // fixme
 		"openstack_region_name":  "regionOne", // fixme
 		"default_project_domain": "Default",   // fixme
 		"default_user_domain":    "Default",   // fixme
 	}
+	if instance.Spec.TLS.GenericService.Enabled() {
+		templateParameters["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", novncproxy.ServiceName)
+		templateParameters["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", novncproxy.ServiceName)
+	}
 	extraData := map[string]string{}
 	if instance.Spec.CustomServiceConfig != "" {
 		extraData["02-nova-override.conf"] = instance.Spec.CustomServiceConfig

pkg/novametadata/deployment.go

@@ -125,7 +125,6 @@ func StatefulSet(
 	}
 
 	if instance.Spec.TLS.GenericService.Enabled() {
-
 		svc, err := instance.Spec.TLS.GenericService.ToService()
 		if err != nil {
 			return nil, err

pkg/novncproxy/deployment.go

@@ -153,6 +153,11 @@ func StatefulSet(
 				Spec: corev1.PodSpec{
 					ServiceAccountName: instance.Spec.ServiceAccount,
 					Volumes:            volumes,
+					SecurityContext: &corev1.PodSecurityContext{
+						// since we run as NovaUserID, e.g. certs need to be
+						// readable by the user, instead of root
+						FSGroup: ptr.To(nova.NovaUserID),
+					},
 					Containers: []corev1.Container{
 						{
 							Name: instance.Name + "-novncproxy",

templates/nova.conf

@@ -42,6 +42,14 @@ metadata_workers=1
 enabled_apis=metadata
 {{end}}
 
+{{if eq .service_name "nova-novncproxy"}}
+{{ if (index . "SSLCertificateFile") }}
+ssl_only=true
+cert={{.SSLCertificateFile}}
+key={{.SSLCertificateKeyFile}}
+{{end}}
+{{end}}
+
 [oslo_concurrency]
 lock_path = /var/lib/nova/tmp
 
@@ -211,7 +219,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 # This is part of hardening related to CVE-2023-2088
 # https://docs.openstack.org/nova/latest/configuration/config.html#keystone_authtoken.service_token_roles_required
@@ -226,7 +233,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 valid_interfaces = internal
 
@@ -238,7 +244,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 valid_interfaces = internal
 {{if (index . "debug") }}debug=true{{end}}
@@ -251,7 +256,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 valid_interfaces = internal
 {{if eq .service_name "nova-metadata"}}
@@ -267,7 +271,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 catalog_info = volumev3:cinderv3:internalURL
 
@@ -279,7 +282,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 barbican_endpoint_type = internal
 
@@ -292,7 +294,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 
 {{ if (index . "compute_driver") }}
 {{if eq .compute_driver "ironic.IronicDriver"}}