Move SSL parameters to api.pp

Most of the other services configure their SSL options in the api.pp.
So for consistency, they were moved here too. The old SSL parameters
have been kept for backwards compatibility, so they should still
work.

This also configures TLS in the correct group, as Cinder uses
sslutils from oslo_service. So with the previous configuration,
puppet-cinder didn't actually enable TLS.

Change-Id: I4d35016cb1ecda7e4dc133de7c58e0f239ff8517
Juan Antonio Osorio Robles
2016-06-16 10:33:29 +03:00
parent 3694309557
commit 1e312dc8d8
5 changed files with 97 additions and 89 deletions


@@ -155,6 +155,22 @@
# middleware should parse the proxy headers or not.(boolean value) # middleware should parse the proxy headers or not.(boolean value)
# Defaults to $::os_service_default # Defaults to $::os_service_default
# #
# [*use_ssl*]
# (optional) Enable SSL on the API server
# Defaults to false
#
# [*cert_file*]
# (optional) Certificate file to use when starting API server securely
# Defaults to $::os_service_default
#
# [*key_file*]
# (optional) Private key file to use when starting API server securely
# Defaults to $::os_service_default
#
# [*ca_file*]
# (optional) CA certificate file to use to verify connecting clients
# Defaults to $::os_service_default
#
class cinder::api ( class cinder::api (
$keystone_password, $keystone_password,
$keystone_enabled = true, $keystone_enabled = true,
@@ -187,6 +203,10 @@ class cinder::api (
$osapi_max_limit = $::os_service_default, $osapi_max_limit = $::os_service_default,
$service_name = $::cinder::params::api_service, $service_name = $::cinder::params::api_service,
$enable_proxy_headers_parsing = $::os_service_default, $enable_proxy_headers_parsing = $::os_service_default,
$use_ssl = false,
$cert_file = $::os_service_default,
$key_file = $::os_service_default,
$ca_file = $::os_service_default,
# DEPRECATED PARAMETERS # DEPRECATED PARAMETERS
$validation_options = {}, $validation_options = {},
) inherits cinder::params { ) inherits cinder::params {
@@ -197,6 +217,21 @@ class cinder::api (
validate_bool($manage_service) validate_bool($manage_service)
validate_bool($enabled) validate_bool($enabled)
# Keep backwards compatibility with SSL values being set in init.pp
$use_ssl_real = pick($::cinder::use_ssl, $use_ssl)
$cert_file_real = pick($::cinder::cert_file, $cert_file)
$key_file_real = pick($::cinder::key_file, $key_file)
$ca_file_real = pick($::cinder::ca_file, $ca_file)
if $use_ssl_real {
if is_service_default($cert_file_real) {
fail('The cert_file parameter is required when use_ssl is set to true')
}
if is_service_default($key_file_real) {
fail('The key_file parameter is required when use_ssl is set to true')
}
}
Cinder_config<||> ~> Service[$service_name] Cinder_config<||> ~> Service[$service_name]
Cinder_api_paste_ini<||> ~> Service[$service_name] Cinder_api_paste_ini<||> ~> Service[$service_name]
Class['cinder::policy'] ~> Service[$service_name] Class['cinder::policy'] ~> Service[$service_name]
@@ -304,6 +339,15 @@ class cinder::api (
} }
} }
# SSL Options
if $use_ssl_real {
cinder_config {
'ssl/cert_file' : value => $cert_file_real;
'ssl/key_file' : value => $key_file_real;
'ssl/ca_file' : value => $ca_file_real;
}
}
if (!is_service_default($ratelimits)) { if (!is_service_default($ratelimits)) {
cinder_api_paste_ini { cinder_api_paste_ini {
'filter:ratelimit/paste.filter_factory': value => $ratelimits_factory; 'filter:ratelimit/paste.filter_factory': value => $ratelimits_factory;
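Review bot: The new `if $use_ssl_real` block at the end of the section only writes the `ssl/*` keys and has no `else` branch, so the `ensure => absent` cleanup that the removed init.pp code performed for the disabled case is lost; a deployment that flips use_ssl back to false keeps its old `ssl/cert_file` and `ssl/key_file` entries in cinder.conf. Since the commit message points out that Cinder uses oslo_service's sslutils, which as far as I recall treats a configured cert_file or key_file as the signal to serve TLS, stale keys would mean the API keeps serving with the old key material instead of the plaintext the operator asked for. Mirroring the removed else branch for the new group, as below, keeps the manifest authoritative in both directions. Separately, `pick($::cinder::use_ssl, $use_ssl)` in the earlier hunk lets a deprecated `use_ssl => false` set on the cinder class silently override `use_ssl => true` on cinder::api; that may be the intended precedence but deserves a comment saying so. The cinder::api class starts and ends outside these hunks.
```puppet
  # SSL Options
  if $use_ssl_real {
    # … unchanged: ssl/cert_file, ssl/key_file, ssl/ca_file values …
  } else {
    cinder_config {
      'ssl/cert_file' : ensure => absent;
      'ssl/key_file' : ensure => absent;
      'ssl/ca_file' : ensure => absent;
    }
  }
```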


@@ -229,22 +229,6 @@
# any directory. # any directory.
# Defaults to '/var/log/cinder'. # Defaults to '/var/log/cinder'.
# #
# [*use_ssl*]
# (optional) Enable SSL on the API server
# Defaults to false, not set
#
# [*cert_file*]
# (optinal) Certificate file to use when starting API server securely
# Defaults to false, not set
#
# [*key_file*]
# (optional) Private key file to use when starting API server securely
# Defaults to false, not set
#
# [*ca_file*]
# (optional) CA certificate file to use to verify connecting clients
# Defaults to $::os_service_default
#
# [*storage_availability_zone*] # [*storage_availability_zone*]
# (optional) Availability zone of the node. # (optional) Availability zone of the node.
# Defaults to 'nova' # Defaults to 'nova'
@@ -299,6 +283,25 @@
# (Optional) DEPRECATED. Whether to enable the v2 API (true/false). # (Optional) DEPRECATED. Whether to enable the v2 API (true/false).
# Defaults to undef. # Defaults to undef.
# #
# [*use_ssl*]
# (optional) DEPRECATED. Enable SSL on the API server
# Defaults to undef
#
# [*cert_file*]
# (optional) DEPRECATED. Certificate file to use when starting API server
# securely
# Defaults to undef
#
# [*key_file*]
# (optional) DEPRECATED. Private key file to use when starting API server
# securely
# Defaults to undef
#
# [*ca_file*]
# (optional) DEPRECATED. CA certificate file to use to verify connecting
# clients
# Defaults to undef
#
class cinder ( class cinder (
$database_connection = undef, $database_connection = undef,
$database_idle_timeout = undef, $database_idle_timeout = undef,
@@ -346,10 +349,6 @@ class cinder (
$amqp_username = $::os_service_default, $amqp_username = $::os_service_default,
$amqp_password = $::os_service_default, $amqp_password = $::os_service_default,
$package_ensure = 'present', $package_ensure = 'present',
$use_ssl = false,
$ca_file = $::os_service_default,
$cert_file = false,
$key_file = false,
$api_paste_config = '/etc/cinder/api-paste.ini', $api_paste_config = '/etc/cinder/api-paste.ini',
$use_syslog = undef, $use_syslog = undef,
$use_stderr = undef, $use_stderr = undef,
@@ -367,20 +366,15 @@ class cinder (
$verbose = undef, $verbose = undef,
$enable_v1_api = undef, $enable_v1_api = undef,
$enable_v2_api = undef, $enable_v2_api = undef,
$use_ssl = undef,
$ca_file = undef,
$cert_file = undef,
$key_file = undef,
) inherits cinder::params { ) inherits cinder::params {
include ::cinder::db include ::cinder::db
include ::cinder::logging include ::cinder::logging
if $use_ssl {
if !$cert_file {
fail('The cert_file parameter is required when use_ssl is set to true')
}
if !$key_file {
fail('The key_file parameter is required when use_ssl is set to true')
}
}
if $verbose { if $verbose {
warning('verbose is deprecated, has no effect and will be removed after Newton cycle.') warning('verbose is deprecated, has no effect and will be removed after Newton cycle.')
} }
@@ -477,21 +471,6 @@ class cinder (
'DEFAULT/host': value => $host; 'DEFAULT/host': value => $host;
} }
# SSL Options
if $use_ssl {
cinder_config {
'DEFAULT/ssl_cert_file' : value => $cert_file;
'DEFAULT/ssl_key_file' : value => $key_file;
'DEFAULT/ssl_ca_file' : value => $ca_file;
}
} else {
cinder_config {
'DEFAULT/ssl_cert_file' : ensure => absent;
'DEFAULT/ssl_key_file' : ensure => absent;
'DEFAULT/ssl_ca_file' : ensure => absent;
}
}
# V3 APIs # V3 APIs
cinder_config { cinder_config {
'DEFAULT/enable_v3_api': value => $enable_v3_api; 'DEFAULT/enable_v3_api': value => $enable_v3_api;
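Review bot: The deprecated `use_ssl`, `ca_file`, `cert_file` and `key_file` parameters moved into the DEPRECATED section of `class cinder` are accepted silently; unlike `$verbose`, which emits a `warning()` a few lines below, nothing tells an operator that these values are now forwarded to cinder::api and will be removed. Next to the verbose check I would add `if $use_ssl or $cert_file or $key_file or $ca_file { warning('The SSL parameters of the cinder class are deprecated, set them on cinder::api instead.') }`. The deleted `ensure => absent` block for `DEFAULT/ssl_*` also means upgraded deployments keep those old keys in cinder.conf; they are presumably ignored now that the `ssl` group is used, but a one-time `ensure => absent` on the three `DEFAULT/ssl_*` keys would leave no ambiguity about which settings are live. The cinder class continues outside these hunks.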


@@ -0,0 +1,3 @@
---
deprecations:
- The SSL-related options were removed from init.pp and added to api.pp


@@ -335,6 +335,33 @@ describe 'cinder::api' do
it_raises 'a Puppet::Error', /Invalid service_name/ it_raises 'a Puppet::Error', /Invalid service_name/
end end
describe 'with SSL socket options set' do
let :params do
req_params.merge!({
:use_ssl => true,
:cert_file => '/path/to/cert',
:ca_file => '/path/to/ca',
:key_file => '/path/to/key',
})
end
it { is_expected.to contain_cinder_config('ssl/ca_file').with_value('/path/to/ca') }
it { is_expected.to contain_cinder_config('ssl/cert_file').with_value('/path/to/cert') }
it { is_expected.to contain_cinder_config('ssl/key_file').with_value('/path/to/key') }
end
describe 'with SSL socket options set wrongly configured' do
let :params do
req_params.merge!({
:use_ssl => true,
:ca_file => '/path/to/ca',
:key_file => '/path/to/key',
})
end
it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
end
end end
on_supported_os({ on_supported_os({
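Review bot: The new examples only exercise the direct `cinder::api` parameters; the backwards-compatibility path the commit message promises — SSL values set on the `cinder` class being picked up through `pick($::cinder::use_ssl, ...)` — has no test, and neither does the `use_ssl => false` case that the deleted init spec covered with `with_ensure('absent')`. I would add a describe block whose pre_condition declares the cinder class with `use_ssl`, `cert_file` and `key_file` set and asserts the same three `ssl/*` values, plus a `use_ssl => false` example asserting what the api class does with the `ssl/*` keys. A negative example for a missing key_file, mirroring the existing cert_file one, would complete the validation coverage. The surrounding describe block begins outside the hunk.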


@@ -254,51 +254,6 @@ describe 'cinder' do
it { is_expected.to_not contain_class('mysql::bindings::python') } it { is_expected.to_not contain_class('mysql::bindings::python') }
end end
describe 'with SSL socket options set' do
let :params do
{
:use_ssl => true,
:cert_file => '/path/to/cert',
:ca_file => '/path/to/ca',
:key_file => '/path/to/key',
:rabbit_password => 'guest',
}
end
it { is_expected.to contain_cinder_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') }
it { is_expected.to contain_cinder_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
it { is_expected.to contain_cinder_config('DEFAULT/ssl_key_file').with_value('/path/to/key') }
end
describe 'with SSL socket options set to false' do
let :params do
{
:use_ssl => false,
:cert_file => false,
:ca_file => false,
:key_file => false,
:rabbit_password => 'guest',
}
end
it { is_expected.to contain_cinder_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
it { is_expected.to contain_cinder_config('DEFAULT/ssl_cert_file').with_ensure('absent') }
it { is_expected.to contain_cinder_config('DEFAULT/ssl_key_file').with_ensure('absent') }
end
describe 'with SSL socket options set wrongly configured' do
let :params do
{
:use_ssl => true,
:ca_file => '/path/to/ca',
:key_file => '/path/to/key',
:rabbit_password => 'guest',
}
end
it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
end
describe 'with APIs set for Mitaka (proposed)' do describe 'with APIs set for Mitaka (proposed)' do
let :params do let :params do
{ {