[wip] novncproxy tls

stuggi · Dec 19, 2023 · 7b5e2ff · 7b5e2ff
1 parent 56abcbd
commit 7b5e2ff
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 8 deletions.
diff --git a/controllers/novanovncproxy_controller.go b/controllers/novanovncproxy_controller.go
@@ -348,11 +348,14 @@ func (r *NovaNoVNCProxyReconciler) generateConfigs(
 		"cell_db_address":        instance.Spec.CellDatabaseHostname,
 		"cell_db_port":           3306,
 		"transport_url":          string(secret.Data[TransportURLSelector]),
-		"openstack_cacert":       "",          // fixme
 		"openstack_region_name":  "regionOne", // fixme
 		"default_project_domain": "Default",   // fixme
 		"default_user_domain":    "Default",   // fixme
 	}
+	if instance.Spec.TLS.GenericService.Enabled() {
+		templateParameters["SSLCertificateFile"] = fmt.Sprintf("/etc/pki/tls/certs/%s.crt", novncproxy.ServiceName)
+		templateParameters["SSLCertificateKeyFile"] = fmt.Sprintf("/etc/pki/tls/private/%s.key", novncproxy.ServiceName)
+	}
 	extraData := map[string]string{}
 	if instance.Spec.CustomServiceConfig != "" {
 		extraData["02-nova-override.conf"] = instance.Spec.CustomServiceConfig

diff --git a/templates/nova.conf b/templates/nova.conf
@@ -42,6 +42,14 @@ metadata_workers=1
 enabled_apis=metadata
 {{end}}
 
+{{if eq .service_name "nova-novncproxy"}}
+{{ if (index . "SSLCertificateFile") }}
+ssl_only=true
+cert={{.SSLCertificateFile}}
+key={{.SSLCertificateKeyFile}}
+{{end}}
+{{end}}
+
 [oslo_concurrency]
 lock_path = /var/lib/nova/tmp
 
@@ -211,7 +219,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 # This is part of hardening related to CVE-2023-2088
 # https://docs.openstack.org/nova/latest/configuration/config.html#keystone_authtoken.service_token_roles_required
@@ -226,7 +233,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 valid_interfaces = internal
 
@@ -238,7 +244,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 valid_interfaces = internal
 {{if (index . "debug") }}debug=true{{end}}
@@ -251,7 +256,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 valid_interfaces = internal
 {{if eq .service_name "nova-metadata"}}
@@ -267,7 +271,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 catalog_info = volumev3:cinderv3:internalURL
 
@@ -279,7 +282,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 region_name = {{ .openstack_region_name }}
 barbican_endpoint_type = internal
 
@@ -292,7 +294,6 @@ user_domain_name = {{ .default_user_domain}}
 project_name = service
 username = {{ .nova_keystone_user }}
 password = {{ .nova_keystone_password }}
-cafile = {{ .openstack_cacert }}
 
 {{ if (index . "compute_driver") }}
 {{if eq .compute_driver "ironic.IronicDriver"}}