From 37430d6d4f80edc6685eb9f3029abef9d63d209c Mon Sep 17 00:00:00 2001 From: "Manoj Alva(ma257n)" Date: Thu, 20 May 2021 13:54:47 +0000 Subject: [PATCH] Support for VNC display in vino - Added enableVNC in vino crd - Updated flavor-template yaml with changes for enableVNC attribute. - Added server side TLS certificate support for secure communication using initContainer to generate the same. - Added password authentication ( password to be set in qemu.conf) Depends-On: Iaffcb1497fbf0f8ce24a25b38564854b9ad61083 Relates-To: #8 Closes: #8 Change-Id: Iaf351db5e5d0a6b8852e14e11d7cbddf3f368d73 --- .../bases/airship.airshipit.org_vinoes.yaml | 4 ++ config/manager/create_tls_cert.sh | 70 +++++++++++++++++++ config/manager/daemonset-template.yaml | 28 ++++++++ config/manager/flavor-templates.yaml | 6 +- config/manager/kustomization.yaml | 12 +++- config/manager/qemu.conf | 6 ++ config/samples/vino_cr.yaml | 1 + config/samples/vino_cr_4_workers_1_cp.yaml | 1 + pkg/api/v1/vino_builder.go | 2 + pkg/api/v1/vino_types.go | 2 + pkg/managers/bmh.go | 2 + 11 files changed, 130 insertions(+), 4 deletions(-) create mode 100755 config/manager/create_tls_cert.sh create mode 100644 config/manager/qemu.conf diff --git a/config/crd/bases/airship.airshipit.org_vinoes.yaml b/config/crd/bases/airship.airshipit.org_vinoes.yaml index d0d5d23..d59b06d 100644 --- a/config/crd/bases/airship.airshipit.org_vinoes.yaml +++ b/config/crd/bases/airship.airshipit.org_vinoes.yaml @@ -183,6 +183,10 @@ spec: type: string type: object type: array + enableVNC: + description: EnableVNC create VNC for graphical interaction + with the VM that will be created. + type: boolean libvirtTemplate: description: NamespacedName to be used to spawn VMs properties: diff --git a/config/manager/create_tls_cert.sh b/config/manager/create_tls_cert.sh new file mode 100755 index 0000000..a7d90d6 --- /dev/null +++ b/config/manager/create_tls_cert.sh 
@@ -0,0 +1,70 @@ +#!/bin/bash +set -xe +set -o pipefail + +echo "Target directory location = $1" +# check if certificates are already present +# TBD should validity of existing certs be checked. +if [ -f $1/ca-cert.pem ] && [ -f $1/server-cert.pem ] && [ -f $1/server-key.pem ] +then + echo "ca-cert.pem, server-cert.pem and server-key.pem already present" + exit 0 +else +# create a temp dir +TMP=$(mktemp -d) +cd ${TMP} +# create ca certificate +echo ' cn = airshipit.org + ca + cert_signing_key' > ca-template.info + +(umask 277 && certtool --generate-privkey > ca-key.pem) + +certtool --generate-self-signed \ + --template ca-template.info \ + --load-privkey ca-key.pem \ + --outfile ca-cert.pem + +rm ca-template.info + +echo ' organization = airshipit.org + cn = server + tls_www_server + encryption_key + signing_key' > server-template.info + +(umask 277 && certtool --generate-privkey > server-key.pem) + +# create server certificate +certtool --generate-certificate \ + --template server-template.info \ + --load-privkey server-key.pem \ + --load-ca-certificate ca-cert.pem \ + --load-ca-privkey ca-key.pem \ + --outfile server-cert.pem + +rm server-template.info + +# copy the required certs in the target location +echo "Copy the required certs to target location : $1" +cp *.pem $1 + +#echo ' country = Country +# state = State +# locality = City +# organization = Name of your organization +# cn = Client Host Name +# tls_www_client +# encryption_key +# signing_key' > client-template.info + +#(umask 277 && certtool --generate-privkey > client-key.pem) + +#certtool --generate-certificate +# --template client-template.info +# --load-privkey client-key.pem +# --load-ca-certificate ca-cert.pem +# --load-ca-privkey ca_key.pem +# --outfile client-cert.pem +fi +exit 0 diff --git a/config/manager/daemonset-template.yaml b/config/manager/daemonset-template.yaml index 86432db..0e584c8 100644 --- a/config/manager/daemonset-template.yaml +++ b/config/manager/daemonset-template.yaml 
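Review bot: `cp *.pem $1` near the end of the script also copies ca-key.pem, so the CA signing key lands in the target directory next to server-key.pem on every host although nothing at runtime needs it; copy only the three files the early check looks for, `cp ca-cert.pem server-cert.pem server-key.pem "$1"`. The mktemp directory holding both private keys is never removed, so add `trap 'rm -rf "${TMP}"' EXIT` right after `TMP=$(mktemp -d)`. Quoting `$1` in the `-f` tests and in the `cp` also keeps the script from word-splitting a target path. The "TBD" about validity of existing certs is worth turning into an expiry check (e.g. via `certtool --certificate-info`) before the early `exit 0`, otherwise an expired server-cert.pem is reused indefinitely.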
@@ -15,6 +15,18 @@ spec: hostNetwork: true hostPID: true hostIPC: true + initContainers: + - name: create-libvirt-vnc-certs + image: quay.io/airshipit/gnu-tls:latest-minideb + imagePullPolicy: IfNotPresent + command: ["/usr/local/bin/create_tls_cert.sh"] + args: [ "/etc/pki/libvirt-vnc"] + volumeMounts: + - name: etc-pki-libvirt-vnc + mountPath: "/etc/pki/libvirt-vnc" + - name: usr-local-bin + mountPath: "/usr/local/bin" + containers: - name: libvirt command: @@ -51,6 +63,11 @@ spec: mountPath: /etc/libvirt/storage - name: var-lib-vino mountPath: /var/lib/vino + - name: etc-libvirt + mountPath: /etc/libvirt + - name: etc-pki-libvirt-vnc + mountPath: /etc/pki/libvirt-vnc + - name: sushy image: quay.io/metal3-io/sushy-tools imagePullPolicy: IfNotPresent @@ -208,3 +225,14 @@ spec: hostPath: path: /var/lib/vino type: DirectoryOrCreate + - name: etc-libvirt + configMap: + name: vino-libvirt-qemu-conf + defaultMode: 0555 + - name: etc-pki-libvirt-vnc + hostPath: + path: /etc/pki/libvirt-vnc + - name: usr-local-bin + configMap: + name: vino-create-libvirt-vnc-cert + defaultMode: 0777 diff --git a/config/manager/flavor-templates.yaml b/config/manager/flavor-templates.yaml index aa12dec..7644e0f 100644 --- a/config/manager/flavor-templates.yaml +++ b/config/manager/flavor-templates.yaml @@ -87,8 +87,8 @@ flavorTemplates: - {% if domain.enable_vnc | default(false) %} - + {% if domain.enableVNC | default(false) %} + {% endif %} @@ -206,7 +206,7 @@ flavorTemplates: - {% if domain.enable_vnc | default(false) %} + {% if domain.enableVNC | default(false) %} diff --git a/config/manager/kustomization.yaml b/config/manager/kustomization.yaml index f7a7b31..a39972d 100644 --- a/config/manager/kustomization.yaml +++ b/config/manager/kustomization.yaml 
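Review bot: Mounting the `etc-libvirt` configMap at `/etc/libvirt` (second hunk) replaces that whole directory inside the libvirt container with the single qemu.conf from the configMap, so any other files the image ships there (libvirtd.conf, for instance) are presumably hidden; mounting just the one file with `mountPath: /etc/libvirt/qemu.conf` and `subPath: qemu.conf` avoids that. In the third hunk `defaultMode: 0777` on the `usr-local-bin` configMap sets write and world bits on a volume Kubernetes mounts read-only; `0555`, as already used for `etc-libvirt`, is enough for the init container to execute the script. The `etc-pki-libvirt-vnc` hostPath has no `type:` while the neighbouring `/var/lib/vino` entry uses `type: DirectoryOrCreate`; adding the same makes directory creation explicit rather than relying on kubelet behaviour, and since this hostPath will hold the server private key a short comment saying so would help whoever audits host mounts later.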
@@ -26,4 +26,14 @@ configMapGenerator: options: disableNameSuffixHash: true files: - - storage-templates.yaml \ No newline at end of file + - storage-templates.yaml +- name: libvirt-qemu-conf + options: + disableNameSuffixHash: true + files: + - qemu.conf +- name: create-libvirt-vnc-cert + options: + disableNameSuffixHash: true + files: + - create_tls_cert.sh diff --git a/config/manager/qemu.conf b/config/manager/qemu.conf new file mode 100644 index 0000000..90c3443 --- /dev/null +++ b/config/manager/qemu.conf @@ -0,0 +1,6 @@ +stdio_handler = "file" +user = "root" +group = "root" +security_driver = "none" +vnc_tls = 1 +#vnc_tls_x509_verify = 1 diff --git a/config/samples/vino_cr.yaml b/config/samples/vino_cr.yaml index dfb0b4c..7079976 100644 --- a/config/samples/vino_cr.yaml +++ b/config/samples/vino_cr.yaml @@ -38,6 +38,7 @@ spec: type: network network: management mtu: 1500 + enableVNC: true bmcCredentials: username: admin password: passw0rd diff --git a/config/samples/vino_cr_4_workers_1_cp.yaml b/config/samples/vino_cr_4_workers_1_cp.yaml index 19b5b26..7d72c29 100644 --- a/config/samples/vino_cr_4_workers_1_cp.yaml +++ b/config/samples/vino_cr_4_workers_1_cp.yaml @@ -42,6 +42,7 @@ spec: type: network network: management mtu: 1500 + enableVNC: true - name: worker count: 4 bmhLabels: diff --git a/pkg/api/v1/vino_builder.go b/pkg/api/v1/vino_builder.go index 7c95b45..2aff3e9 100644 --- a/pkg/api/v1/vino_builder.go +++ b/pkg/api/v1/vino_builder.go @@ -40,6 +40,8 @@ type BuilderDomain struct { Name string `json:"name,omitempty"` Role string `json:"role,omitempty"` BootMACAddress string `json:"bootMACAddress,omitempty"` + EnableVNC bool `json:"enableVNC,omitempty"` + VNCPassword string `json:"vncPassword,omitempty"` Interfaces []BuilderNetworkInterface `json:"interfaces,omitempty"` } diff --git a/pkg/api/v1/vino_types.go b/pkg/api/v1/vino_types.go index 1f59075..28c1943 100644 --- a/pkg/api/v1/vino_types.go +++ b/pkg/api/v1/vino_types.go 
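Review bot: `vnc_tls_x509_verify = 1` is left commented out in the new qemu.conf, so `vnc_tls = 1` only encrypts the transport and never checks a client certificate; combined with `user = "root"` and `security_driver = "none"`, guests run as root without sVirt confinement, so presumably the VNC password alone gates access to a root-owned process. If client certificates are not provisioned yet (the cert script keeps that part commented out), say so next to the disabled line, e.g. `# vnc_tls_x509_verify disabled until client certs are distributed; server-side TLS only`. The commit message says the password is set in qemu.conf, but no `vnc_password` key appears here and the patch instead fills VNCPassword from the Go side, so either the description or this file should be aligned. A one-line reason for `security_driver = "none"` would also help the next reader, since it is a deliberate weakening of the default.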
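Review bot: `VNCPassword` is a secret held in a plain field with a `json:"vncPassword,omitempty"` tag, so it is emitted wherever `BuilderDomain` is marshalled or rendered (the domain templates, any debug dump of the domain values), and the bmh.go hunk later in this patch fills it from `r.ViNO.Spec.BMCCredentials.Password`, which reuses the BMC credential as the VNC credential. Both new fields also lack the doc comments the sibling NodeSet field has; suggested: `// EnableVNC adds a VNC display to the generated domain.` and `// VNCPassword is the VNC password rendered into the domain template; sensitive, must not be logged.` Consider sourcing it from a dedicated secret rather than the BMC password, and note that QEMU's VNC password authentication historically honours only the first eight characters, so a longer BMC password may be silently truncated — worth confirming against the libvirt/QEMU version in the image.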
@@ -145,6 +145,8 @@ type NodeSet struct { RootDeviceName string `json:"rootDeviceName,omitempty"` // BootInterfaceName interface name to use to boot virtual machines BootInterfaceName string `json:"bootInterfaceName,omitempty"` + // EnableVNC create VNC for graphical interaction with the VM that will be created. + EnableVNC bool `json:"enableVNC,omitempty"` } // NamespacedName to be used to spawn VMs diff --git a/pkg/managers/bmh.go b/pkg/managers/bmh.go index ca26f62..6c4d75b 100644 --- a/pkg/managers/bmh.go +++ b/pkg/managers/bmh.go @@ -208,6 +208,8 @@ func (r *BMHManager) setBMHs(ctx context.Context, pod corev1.Pod) error { } domainValues.Name = roleSuffix domainValues.Role = node.Name + domainValues.EnableVNC = node.EnableVNC + domainValues.VNCPassword = r.ViNO.Spec.BMCCredentials.Password // Append a specific domain to the list domains = append(domains, domainValues.BuilderDomain)
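Review bot: The doc comment on the new `EnableVNC` field reads awkwardly and is the text that becomes the generated CRD description (see the vinoes.yaml hunk); `// EnableVNC enables a VNC display for graphical interaction with the VMs created from this NodeSet.` reads better and should be regenerated into the CRD. It could also mention that the display's password is currently taken from BMCCredentials (as bmh.go in this patch does), since nothing else on the CR hints at that.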