chore(libvirt): add nova tls support for vnc
diff --git a/charts/nova/templates/certificate-novnc.yaml b/charts/nova/templates/certificate-novnc.yaml
new file mode 100644
index 0000000..8c5ebb0
--- /dev/null
+++ b/charts/nova/templates/certificate-novnc.yaml
@@ -0,0 +1,31 @@
+{{/*
+Copyright (c) 2023 VEXXHOST, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: nova-novncproxy-vencrypt
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: nova-novncproxy-vencrypt
+ commonName: nova-novncproxy
+ usages:
+ - client auth
+ issuerRef:
+ kind: Issuer
+ name: libvirt-vnc
+{{- end -}}
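Review bot: Setting `usages` explicitly to only `client auth` replaces cert-manager's default usages (`digital signature`, `key encipherment`) rather than adding to them, so the issued client certificate carries no digitalSignature key-usage bit; stricter TLS stacks reject a client certificate that cannot sign the CertificateVerify message, and libvirt's GnuTLS-based VNC server may be one of them, so this should be checked against a real compute host before relying on it. I would list `- digital signature` above `- client auth` under `usages:`. Since this key is what authenticates the proxy to every compute host, consider also adding a `privateKey.rotationPolicy: Always` stanza so renewals do not reuse the same private key, which is cert-manager's default when the field is omitted.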
diff --git a/charts/nova/templates/configmap-etc.yaml b/charts/nova/templates/configmap-etc.yaml
index b7638e5..aec97ef 100644
--- a/charts/nova/templates/configmap-etc.yaml
+++ b/charts/nova/templates/configmap-etc.yaml
@@ -85,6 +85,18 @@
{{- $_ := set $envAll.Values.conf.nova.wsgi "api_paste_config" "/var/lib/openstack/etc/nova/api-paste.ini" -}}
{{- end }}
+{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
+{{- if empty .Values.conf.nova.vnc.vencrypt_client_key }}
+{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_key" "/etc/pki/nova-novncproxy/tls.key" -}}
+{{- end }}
+{{- if empty .Values.conf.nova.vnc.vencrypt_client_cert }}
+{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_client_cert" "/etc/pki/nova-novncproxy/tls.crt" -}}
+{{- end }}
+{{- if empty .Values.conf.nova.vnc.vencrypt_ca_certs }}
+{{- $_ := set $envAll.Values.conf.nova.vnc "vencrypt_ca_certs" "/etc/pki/nova-novncproxy/ca.crt" -}}
+{{- end }}
+{{- end }}
+
{{- if empty .Values.conf.nova.database.connection -}}
{{- $connection := tuple "oslo_db" "internal" "nova" "mysql" . | include "helm-toolkit.endpoints.authenticated_endpoint_uri_lookup" -}}
{{- if .Values.manifests.certificates -}}
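Review bot: The `vencrypt_ca_certs` default at the `set ... "vencrypt_ca_certs"` line points at `ca.crt` inside the `nova-novncproxy-vencrypt` secret, and cert-manager only writes that key when the issuer returns its CA chain (a CA-type Issuer does, an ACME issuer does not), so with a different issuer nova would start with a missing trust bundle and fail to verify any compute host. More importantly, this bundle is what the proxy uses to verify the libvirt VNC server certificate, so it must be the CA that signed the compute-side server certificates; that coincides with the client-cert CA only if the `libvirt-vnc` Issuer signs both, which this hunk cannot show. I would add a comment above the block: `{{/* ca.crt from the vencrypt secret verifies libvirt's VNC server cert; it is only populated when the libvirt-vnc Issuer publishes its CA, which must also sign the compute hosts' server certs */}}`.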
diff --git a/charts/nova/templates/deployment-novncproxy.yaml b/charts/nova/templates/deployment-novncproxy.yaml
index 517005d..12e37ff 100644
--- a/charts/nova/templates/deployment-novncproxy.yaml
+++ b/charts/nova/templates/deployment-novncproxy.yaml
@@ -133,6 +133,11 @@
mountPath: /etc/nova/nova.conf
subPath: nova.conf
readOnly: true
+{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
+ - name: vencrypt-certs
+ mountPath: /etc/pki/nova-novncproxy
+ readOnly: true
+{{- end }}
- name: nova-etc
mountPath: /etc/nova/logging.conf
subPath: logging.conf
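Review bot: The trailing dash in `{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}` trims the newline and indentation that follow it, so when vencrypt is enabled the rendered output becomes `readOnly: true- name: vencrypt-certs`, which is not valid YAML and the deployment will fail to render. The left-side `{{-` is correct (it removes the blank produced by the template line itself), but the right-side trim must go: `{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) }}`. The `{{- end }}` below already has the right shape. The enclosing container spec starts outside this hunk.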
@@ -161,6 +166,12 @@
emptyDir: {}
- name: pod-shared
emptyDir: {}
+{{- if (contains "vencrypt" .Values.conf.nova.vnc.auth_schemes) -}}
+ - name: vencrypt-certs
+ secret:
+ secretName: nova-novncproxy-vencrypt
+ defaultMode: 0444
+{{- end }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.endpoints.oslo_db.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" .Values.manifests.certificates "name" .Values.secrets.tls.compute_novnc_proxy.novncproxy.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
{{- dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.endpoints.oslo_messaging.auth.admin.secret.tls.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
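Review bot: `defaultMode: 0444` makes `tls.key` readable by every uid inside the container, and that key is the proxy's sole credential toward every compute host's VNC server, so any process or exec session in the pod can lift it regardless of which user the proxy runs as. Secret volume files are root-owned unless the pod sets `fsGroup`, so the tightening depends on the pod security context, which is outside this hunk: with an `fsGroup` in place use `defaultMode: 0440`, otherwise at least document why 0444 is accepted. Separately, the `-}}` on the `{{- if (contains "vencrypt" ...) -}}` line trims the newline before `- name: vencrypt-certs`, producing `emptyDir: {}- name: vencrypt-certs` in the rendered manifest when vencrypt is on; drop the trailing dash there as well.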
diff --git a/charts/nova/values.yaml b/charts/nova/values.yaml
index b725160..ec04358 100644
--- a/charts/nova/values.yaml
+++ b/charts/nova/values.yaml
@@ -1312,6 +1312,7 @@
instance_usage_audit_period: hour
resume_guests_state_on_host_boot: True
vnc:
+ auth_schemes: none
novncproxy_host: 0.0.0.0
server_listen: 0.0.0.0
# This would be set by each compute nodes's ip
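Review bot: The new `auth_schemes: none` default has no comment explaining its security semantics, and nova's option help states that when several schemes are listed the first one the compute host also supports is used, so a value like `vencrypt,none` still allows a cleartext fallback to any host that does not offer VeNCrypt. Operators enabling TLS should therefore set `vencrypt` alone, and they also need the `libvirt-vnc` cert-manager Issuer that the chart's Certificate references to exist in the release namespace. I would add above the key: `# RFB auth schemes tried in order against compute hosts; set to "vencrypt" alone to require TLS (needs a cert-manager Issuer named libvirt-vnc). Listing "none" as well permits an unencrypted fallback.`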