Enable TLS encryption between the OpenStack compute nodes and VNC clients


Virtual Network Computing (VNC) provides remote console or remote desktop access to guest virtual machines through either the OpenStack dashboard or the command-line interface. OpenStack Compute service users reach their instances with a VNC client through the VNC proxy, so the console traffic crosses two hops: from the VNC client to the VNC proxy, and from the VNC proxy to the compute node that runs the instance. MCP enables you to encrypt both hops with TLS.

Note

The procedures included in this section apply to new MCP OpenStack deployments only, unless specified otherwise.

To enable TLS encryption for VNC:

  1. Open your Reclass model Git repository on the cluster level.

  2. Enable the TLS encryption of communications between the OpenStack compute nodes and VNC proxy:

    Note

    TLS encryption between the OpenStack compute nodes and the VNC proxy is supported starting with the OpenStack Pike release.

    1. In openstack/compute/init.yml, enable the TLS encryption on the OpenStack compute nodes by adding the class and pointing the proxy URL at HTTPS:

      classes:
      - system.nova.compute.libvirt.ssl.vnc
      
      parameters:
        _param:
          ...
          nova_vncproxy_url: https://${_param:cluster_public_host}:6080
      
      
    2. In openstack/control.yml, enable the TLS encryption on the VNC proxy by adding the class and the same HTTPS proxy URL:

      classes:
      - system.nova.control.novncproxy.tls
      
      parameters:
        _param:
          ...
          nova_vncproxy_url: https://${_param:cluster_public_host}:6080
      
      
    3. In openstack/proxy.yml, define the HTTPS protocol for the nginx_proxy_novnc site:

      nginx:
        server:
          site:
            nginx_proxy_novnc:
              proxy:
                protocol: https
      
  3. Enable the TLS encryption of communications between VNC proxy and VNC clients in openstack/control.yml:

    Note

    TLS encryption between the VNC proxy and VNC clients is supported starting with the OpenStack Queens release.

    nova:
      controller:
        novncproxy:
          tls:
            enabled: True
    
  4. Available from 2019.2.4. Optional. Specify the TLS version to require and the SSL ciphers to allow on the Nova console proxy server:

    nova:
      controller:
        novncproxy:
          tls:
            enabled: True
            version: <tls_version>
            ciphers: <ciphers>
    
    • The <tls_version> value is one of default, tlsv1_1, tlsv1_2, or tlsv1_3. Depending on your Python version, not all TLS versions may be available, in which case the proxy falls back to the newest version it can offer. Because default and tlsv1_1 still admit TLS 1.1, which is deprecated (RFC 8996), set tlsv1_2 or tlsv1_3 unless a legacy VNC client requires otherwise. The fallback is silent, so confirm the protocol the proxy actually negotiates instead of relying on the configured value.

    • The <ciphers> value is a comma-separated list of allowed SSL ciphers, which depends on your system and OpenSSL version. To obtain the list of available ciphers, run openssl ciphers on an OpenStack controller node. Prefer ECDHE suites with AEAD ciphers (AES-GCM or ChaCha20-Poly1305) so that every console session has forward secrecy.

  5. Apply the changes:

    salt 'cmp*' state.apply nova
    salt 'ctl*' state.apply nova
    salt 'prx*' state.apply nginx
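After the states have been applied, the result worth checking is the rendered nova.conf on the controller nodes, because that is where both hops of the procedure above end up: the Queens-era client-to-proxy TLS as [DEFAULT] ssl_only, cert and key plus an https novncproxy_base_url, the Pike-era proxy-to-compute TLS as [vnc] auth_schemes = vencrypt with vencrypt_ca_certs, and the 2019.2.4 version and cipher settings as the upstream [console] ssl_minimum_version and ssl_ciphers options. The audit script below is an added example, not part of the MCP documentation or the Mirantis Salt formulas. It assumes that the Reclass parameters on this page map onto those upstream nova option names (check /etc/nova/nova.conf on a ctl node if your release differs), and the sample nova.conf embedded in it is constructed, not taken from a deployment. The cipher check goes slightly beyond the page: it feeds the cipher string to the same OpenSSL call the proxy uses and flags TLS 1.2 suites without forward secrecy or AEAD.

```python
"""Audit the VNC TLS options in a rendered nova.conf (added example, not
Mirantis code).  Usage: python audit_vnc_tls.py [/etc/nova/nova.conf];
with no argument it audits the constructed sample below."""
import configparser
import ssl
import sys

# Constructed sample (not from a real deployment): a controller where the
# TLS procedure was applied only partially.  The option names are upstream
# nova's; that the MCP formula writes exactly these keys is an assumption.
SAMPLE_NOVA_CONF = """
[DEFAULT]
ssl_only = false
cert = /etc/nova/ssl/nova/server.crt
key = /etc/nova/ssl/nova/server.key

[vnc]
enabled = true
novncproxy_base_url = http://cloud.example.com:6080/vnc_auto.html
auth_schemes = none

[console]
ssl_minimum_version = tlsv1_1
ssl_ciphers = ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA
"""

# <tls_version> values from the page that do not pin a TLS 1.2 minimum.
WEAK_TLS_VERSIONS = {"default", "tlsv1_1"}
PFS_KEY_EXCHANGES = {"kx-ecdhe", "kx-dhe"}


def classify_suite(suite):
    """Findings for one entry of ssl.SSLContext.get_ciphers().

    TLS 1.3 suites are skipped: they are always ephemeral-key AEAD."""
    if suite["protocol"] == "TLSv1.3":
        return []
    findings = []
    if suite["kea"] not in PFS_KEY_EXCHANGES:
        findings.append("%s: no forward secrecy (%s)" % (suite["name"], suite["kea"]))
    if not suite["aead"]:
        findings.append("%s: non-AEAD cipher" % suite["name"])
    return findings


def check_ciphers(cipher_string):
    """Validate a cipher string the way the proxy does (set_ciphers) and
    classify every TLS 1.2 suite the local OpenSSL expands it to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return ["ssl_ciphers rejected by the local OpenSSL: %s" % exc]
    findings = []
    for suite in ctx.get_ciphers():
        findings.extend(classify_suite(suite))
    return findings


def audit_nova_conf(text):
    """Return a list of findings; an empty list means both hops are on TLS."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    # Hop 2: VNC client <-> nova-novncproxy (Queens and later on this page).
    if not cp.getboolean("DEFAULT", "ssl_only", fallback=False):
        findings.append("ssl_only: off, the proxy still accepts plaintext clients")
    for opt in ("cert", "key"):
        if not cp.get("DEFAULT", opt, fallback=""):
            findings.append("%s: proxy TLS %s not configured" % (opt, opt))
    base_url = cp.get("vnc", "novncproxy_base_url", fallback="")
    if not base_url.startswith("https://"):
        findings.append("novncproxy_base_url: not https, console URLs handed out are plaintext")

    # Hop 1: nova-novncproxy <-> compute node VNC server (Pike and later).
    schemes = {s.strip() for s in cp.get("vnc", "auth_schemes", fallback="none").split(",")}
    if "vencrypt" not in schemes:
        findings.append("auth_schemes: vencrypt missing, proxy-to-compute VNC is plaintext")
    elif "none" in schemes:
        findings.append("auth_schemes: 'none' still listed, a compute without TLS is accepted")
    elif not cp.get("vnc", "vencrypt_ca_certs", fallback=""):
        findings.append("vencrypt_ca_certs: unset, no cluster CA given for compute VNC certificates")

    # 2019.2.4 version/cipher settings; upstream [console] options that
    # older nova releases ignore.
    version = cp.get("console", "ssl_minimum_version", fallback="default")
    if version in WEAK_TLS_VERSIONS:
        findings.append("ssl_minimum_version: %r does not pin TLS 1.2; use tlsv1_2 or tlsv1_3" % version)
    ciphers = cp.get("console", "ssl_ciphers", fallback="")
    if ciphers:
        findings.extend("ssl_ciphers: " + f for f in check_ciphers(ciphers))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NOVA_CONF
    for finding in audit_nova_conf(text):
        print("WARN", finding)
```

Run it on each ctl node after salt 'ctl*' state.apply nova; the constructed sample yields one finding per hop plus the version and the AES128-SHA cipher. The compute-node half of the Pike hop lives in libvirt's /etc/libvirt/qemu.conf (vnc_tls and vnc_tls_x509_verify), which this script does not read.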