Implement SSL for spice consoles

Bug #1424797 reported by Bjoern
This bug affects 1 person
Affects            Status   Importance  Assigned to  Milestone
OpenStack-Ansible  Invalid  Wishlist    Unassigned
Juno               Invalid  Wishlist    Unassigned
Kilo               Invalid  Wishlist    Unassigned
Trunk              Invalid  Wishlist    Unassigned

Bug Description

Analogous to keystone, please run the spice html proxy behind the apache and support SSL

Tags: in-kilo
Revision history for this message
Bjoern (bjoern-t) wrote :

Implementing this bug will also fix the iframe security violation we currently see in modern browsers due to mixed HTTP content in an HTTPS site

Revision history for this message
Andy McCrae (andrew-mccrae) wrote :

Is this not solved by offloading on the LB? The option for the spice console to be "https" is there, but it won't set up any certs.

Revision history for this message
Jesse Pretorius (jesse-pretorius) wrote :

Switching importance to wishlist as this is a new feature request.

Revision history for this message
Jesse Pretorius (jesse-pretorius) wrote :

Removing the milestone set until someone picks this up.

Revision history for this message
Jean-Philippe Evrard (jean-philippe-evrard) wrote :

You can have your loadbalancer/reverse_proxy do SSL termination, then you forward content using traditional tcp to your consoles. This should be fine if you consider your cloud management network as secure.

However, you'll have an issue with novnc "Protocol mismatch". Your clients will see an https page, but the nova_console receives ws:// traffic (insecure form).

This could be easily fixed by editing your spice console in /usr/share/spice-html5/spice_auto.html:
                // scheme is declared earlier in spice_auto.html; shown here so the snippet is self-contained
                var scheme = "ws://";
                var default_port = window.location.port;
                if (window.location.protocol == 'http:') {
                    if (!default_port) { default_port = 80; }
                }
                else if (window.location.protocol == 'https:') {
                    if (!default_port) { default_port = 443; }
                    // match the page's protocol: an HTTPS page must open a wss:// socket
                    scheme = "wss://";
                }
The protocol mismatch error will disappear. It's better than nothing.
Keep in mind that it's not a fully secure end-to-end solution, but it prevents session snooping.
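The scheme/port selection described in the comment above, written as an added standalone example (not code from the bug thread or from spice-html5): it builds the console proxy WebSocket URL from the page's own location, and adds a check that flags the mixed-content case the thread describes (a ws:// socket opened from an HTTPS page). The `location` argument is a plain object with the same fields as `window.location`, so it runs outside a browser; the path value is an assumed placeholder.

```javascript
// Added example, not part of the original bug thread or the spice-html5 project.
// Derive the WebSocket URL for the console proxy from the page's own location so
// that a page served over HTTPS never opens an insecure ws:// socket (the
// "Protocol mismatch" / mixed-content error discussed above).
// `location` is a plain object with protocol, hostname and port fields, like
// window.location, so the function can be exercised without a browser.
function consoleSocketUrl(location, path) {
  var scheme;
  var port = location.port;
  if (location.protocol === 'https:') {
    scheme = 'wss://';
    if (!port) { port = 443; }
  } else if (location.protocol === 'http:') {
    scheme = 'ws://';
    if (!port) { port = 80; }
  } else {
    throw new Error('unsupported page protocol: ' + location.protocol);
  }
  return scheme + location.hostname + ':' + port + path;
}

// Check for the failure mode in the thread: a hardcoded 'ws://' (as in the
// packaged spice_auto.html before 0.1.6) loaded from an HTTPS page is mixed
// content and browsers block it. Returns true only when the socket URL is at
// least as secure as the page that opens it.
function isSchemeConsistent(pageProtocol, socketUrl) {
  if (pageProtocol === 'https:') {
    return socketUrl.indexOf('wss://') === 0;
  }
  return socketUrl.indexOf('ws://') === 0 || socketUrl.indexOf('wss://') === 0;
}

// Constructed sample locations (placeholder hostnames, not real deployments).
var samplePage = { protocol: 'https:', hostname: 'console.example.test', port: '' };
var sampleUrl = consoleSocketUrl(samplePage, '/websockify');
console.log(sampleUrl, isSchemeConsistent(samplePage.protocol, sampleUrl));
```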

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/226462
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=a944d049fb14380e81692c19267c2eec443c386a
Submitter: Jenkins
Branch: master

commit a944d049fb14380e81692c19267c2eec443c386a
Author: Jimmy McCrory <email address hidden>
Date: Tue Sep 22 10:46:48 2015 -0700

    Install spice-html5 from source

    'ws://' is currently hardcoded within the spice_auto.html file included
    in the packaged release of spice-html5, raising a security error when
    accessing consoles over HTTPS.

    Remove the existing apt package and install spice-html5 from source
    instead since this issue has been corrected as of spice-html5-0.1.6.

    Change-Id: Ie308a477143037963f903f2ac21b2b1f0328fcb3
    Partial-Bug: #1424797

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/232697
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=391bdaad804cb5ebacc30c48a830c8828e7025db
Submitter: Jenkins
Branch: kilo

commit 391bdaad804cb5ebacc30c48a830c8828e7025db
Author: Jimmy McCrory <email address hidden>
Date: Tue Sep 22 10:46:48 2015 -0700

    Install spice-html5 from source

    'ws://' is currently hardcoded within the spice_auto.html file included
    in the packaged release of spice-html5, raising a security error when
    accessing consoles over HTTPS.

    Remove the existing apt package and install spice-html5 from source
    instead since this issue has been corrected as of spice-html5-0.1.6.

    Change-Id: Ie308a477143037963f903f2ac21b2b1f0328fcb3
    Partial-Bug: #1424797
    (cherry picked from commit a944d049fb14380e81692c19267c2eec443c386a)

tags: added: in-kilo
Revision history for this message
Major Hayden (rackerhacker) wrote :

This is already in liberty/mitaka.
