@@ -82,6 +82,10 @@ if is_service_enabled tls-proxy; then

     NOVA_SERVICE_PROTOCOL="https"

 fi

+# Whether to use TLS for comms between the VNC/SPICE/serial proxy

+# services and the compute node

+NOVA_CONSOLE_PROXY_COMPUTE_TLS=${NOVA_CONSOLE_PROXY_COMPUTE_TLS:-False}

+

 # Public facing bits

 NOVA_SERVICE_HOST=${NOVA_SERVICE_HOST:-$SERVICE_HOST}

 NOVA_SERVICE_PORT=${NOVA_SERVICE_PORT:-8774}

@@ -197,6 +201,13 @@ function is_n-cell_enabled {

     return 1

 }

+# is_nova_console_proxy_compute_tls_enabled() - Test if the Nova Console Proxy

+# service has TLS enabled

+function is_nova_console_proxy_compute_tls_enabled {

+    [[ ${NOVA_CONSOLE_PROXY_COMPUTE_TLS} = "True" ]] && return 0

+    return 1

+}

+

 # Helper to clean iptables rules

 function clean_iptables {

     # Delete rules

@@ -524,6 +535,17 @@ function create_nova_conf {

         iniset $NOVA_CONF vnc server_proxyclient_address "$VNCSERVER_PROXYCLIENT_ADDRESS"

         iniset $NOVA_CONF vnc novncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"

         iniset $NOVA_CONF vnc xvpvncproxy_host "$NOVA_SERVICE_LISTEN_ADDRESS"

+

+        if is_nova_console_proxy_compute_tls_enabled ; then

+            iniset $NOVA_CONF vnc auth_schemes "vencrypt"

+            iniset $NOVA_CONF vnc vencrypt_client_key "/etc/pki/nova-novnc/client-key.pem"

+            iniset $NOVA_CONF vnc vencrypt_client_cert "/etc/pki/nova-novnc/client-cert.pem"

+            iniset $NOVA_CONF vnc vencrypt_ca_certs "/etc/pki/nova-novnc/ca-cert.pem"

+

+            sudo mkdir -p /etc/pki/nova-novnc

+            deploy_int_CA /etc/pki/nova-novnc/ca-cert.pem

+            deploy_int_cert /etc/pki/nova-novnc/client-cert.pem /etc/pki/nova-novnc/client-key.pem

+        fi

     else

         iniset $NOVA_CONF vnc enabled false

     fi

@@ -149,6 +149,18 @@ EOF

         fi

     fi

+    if is_nova_console_proxy_compute_tls_enabled ; then

+        if is_service_enabled n-novnc ; then

+            echo "vnc_tls = 1" | sudo tee -a $QEMU_CONF

+            echo "vnc_tls_x509_verify = 1" | sudo tee -a $QEMU_CONF

+

+            sudo mkdir -p /etc/pki/libvirt-vnc

+            sudo chown libvirt-qemu:libvirt-qemu /etc/pki/libvirt-vnc

+            deploy_int_CA /etc/pki/libvirt-vnc/ca-cert.pem

+            deploy_int_cert /etc/pki/libvirt-vnc/server-cert.pem /etc/pki/libvirt-vnc/server-key.pem

+        fi

+    fi

+

     # Service needs to be started on redhat/fedora -- do a restart for

     # sanity after fiddling the config.

     restart_service $LIBVIRT_DAEMON

@@ -340,6 +340,24 @@ function make_root_CA {

     fi

 }

+# Deploy the service cert & key to a service specific

+# location

+function deploy_int_cert {

+    local cert_target_file=$1

+    local key_target_file=$2

+

+    sudo cp "$INT_CA_DIR/$DEVSTACK_CERT_NAME.crt" "$cert_target_file"

+    sudo cp "$INT_CA_DIR/private/$DEVSTACK_CERT_NAME.key" "$key_target_file"

+}

+

+# Deploy the intermediate CA cert bundle file to a service

+# specific location

+function deploy_int_CA {

+    local ca_target_file=$1

+

+    sudo cp "$INT_CA_DIR/ca-chain.pem" "$ca_target_file"

+}

+

 # If a non-system python-requests is installed then it will use the

 # built-in CA certificate store rather than the distro-specific

 # CA certificate store. Detect this and symlink to the correct