api: allow ssl communications with registry

Add missing options to allow Glance API to connect to Glance Registry
when SSL is enabled on both services.
Also switch the SSL options to os_service_default so that the manifests no
longer need the redundant conditionals around them.

Change-Id: Ia40228fc165ef8ce1213fed7f5eec4de1c12c013
Emilien Macchi 2016-03-09 13:20:25 -05:00
parent bf7765f66d
commit 7bf43b2b13
2 changed files with 96 additions and 88 deletions


@ -175,15 +175,30 @@
# #
# [*cert_file*] # [*cert_file*]
# (optinal) Certificate file to use when starting API server securely # (optinal) Certificate file to use when starting API server securely
# Defaults to false, not set # Defaults to $::os_service_default
# #
# [*key_file*] # [*key_file*]
# (optional) Private key file to use when starting API server securely # (optional) Private key file to use when starting API server securely
# Defaults to false, not set # Defaults to $::os_service_default
# #
# [*ca_file*] # [*ca_file*]
# (optional) CA certificate file to use to verify connecting clients # (optional) CA certificate file to use to verify connecting clients
# Defaults to false, not set # Defaults to $::os_service_default
#
# [*registry_client_cert_file*]
# (optinal) The path to the cert file to use in SSL connections to the
# registry server.
# Defaults to $::os_service_default
#
# [*registry_client_key_file*]
# (optinal) The path to the private key file to use in SSL connections to the
# registry server.
# Defaults to $::os_service_default
#
# [*registry_client_ca_file*]
# (optinal) The path to the CA certificate file to use in SSL connections to the
# registry server.
# Defaults to $::os_service_default
# #
# [*stores*] # [*stores*]
# (optional) List of which store classes and store class locations are # (optional) List of which store classes and store class locations are
@ -254,60 +269,63 @@
# #
class glance::api( class glance::api(
$keystone_password, $keystone_password,
$package_ensure = 'present', $package_ensure = 'present',
$verbose = undef, $verbose = undef,
$debug = undef, $debug = undef,
$bind_host = '0.0.0.0', $bind_host = '0.0.0.0',
$bind_port = '9292', $bind_port = '9292',
$backlog = '4096', $backlog = '4096',
$workers = $::processorcount, $workers = $::processorcount,
$log_file = undef, $log_file = undef,
$log_dir = undef, $log_dir = undef,
$registry_host = '0.0.0.0', $registry_host = '0.0.0.0',
$registry_port = '9191', $registry_port = '9191',
$registry_client_protocol = 'http', $registry_client_protocol = 'http',
$scrub_time = $::os_service_default, $scrub_time = $::os_service_default,
$delayed_delete = $::os_service_default, $delayed_delete = $::os_service_default,
$auth_type = 'keystone', $auth_type = 'keystone',
$auth_region = $::os_service_default, $auth_region = $::os_service_default,
$auth_uri = 'http://127.0.0.1:5000/', $auth_uri = 'http://127.0.0.1:5000/',
$identity_uri = 'http://127.0.0.1:35357/', $identity_uri = 'http://127.0.0.1:35357/',
$memcached_servers = $::os_service_default, $memcached_servers = $::os_service_default,
$pipeline = 'keystone', $pipeline = 'keystone',
$keystone_tenant = 'services', $keystone_tenant = 'services',
$keystone_user = 'glance', $keystone_user = 'glance',
$manage_service = true, $manage_service = true,
$enabled = true, $enabled = true,
$use_syslog = undef, $use_syslog = undef,
$use_stderr = undef, $use_stderr = undef,
$log_facility = undef, $log_facility = undef,
$show_image_direct_url = false, $show_image_direct_url = false,
$show_multiple_locations = $::os_service_default, $show_multiple_locations = $::os_service_default,
$location_strategy = $::os_service_default, $location_strategy = $::os_service_default,
$purge_config = false, $purge_config = false,
$cert_file = false, $cert_file = $::os_service_default,
$key_file = false, $key_file = $::os_service_default,
$ca_file = false, $ca_file = $::os_service_default,
$stores = false, $registry_client_cert_file = $::os_service_default,
$default_store = undef, $registry_client_key_file = $::os_service_default,
$multi_store = false, $registry_client_ca_file = $::os_service_default,
$database_connection = undef, $stores = false,
$database_idle_timeout = undef, $default_store = undef,
$database_min_pool_size = undef, $multi_store = false,
$database_max_pool_size = undef, $database_connection = undef,
$database_max_retries = undef, $database_idle_timeout = undef,
$database_retry_interval = undef, $database_min_pool_size = undef,
$database_max_overflow = undef, $database_max_pool_size = undef,
$image_cache_max_size = $::os_service_default, $database_max_retries = undef,
$image_cache_stall_time = $::os_service_default, $database_retry_interval = undef,
$image_cache_dir = '/var/lib/glance/image-cache', $database_max_overflow = undef,
$os_region_name = 'RegionOne', $image_cache_max_size = $::os_service_default,
$signing_dir = $::os_service_default, $image_cache_stall_time = $::os_service_default,
$token_cache_time = $::os_service_default, $image_cache_dir = '/var/lib/glance/image-cache',
$validate = false, $os_region_name = 'RegionOne',
$validation_options = {}, $signing_dir = $::os_service_default,
$token_cache_time = $::os_service_default,
$validate = false,
$validation_options = {},
# DEPRECATED PARAMETERS # DEPRECATED PARAMETERS
$known_stores = false, $known_stores = false,
) inherits glance { ) inherits glance {
include ::glance::policy include ::glance::policy
@ -452,32 +470,13 @@ class glance::api(
} }
# SSL Options # SSL Options
if $cert_file { glance_api_config {
glance_api_config { 'DEFAULT/cert_file': value => $cert_file;
'DEFAULT/cert_file' : value => $cert_file; 'DEFAULT/key_file' : value => $key_file;
} 'DEFAULT/ca_file' : value => $ca_file;
} else { 'DEFAULT/registry_client_ca_file': value => $registry_client_ca_file;
glance_api_config { 'DEFAULT/registry_client_cert_file': value => $registry_client_cert_file;
'DEFAULT/cert_file': ensure => absent; 'DEFAULT/registry_client_key_file': value => $registry_client_key_file;
}
}
if $key_file {
glance_api_config {
'DEFAULT/key_file' : value => $key_file;
}
} else {
glance_api_config {
'DEFAULT/key_file': ensure => absent;
}
}
if $ca_file {
glance_api_config {
'DEFAULT/ca_file' : value => $ca_file;
}
} else {
glance_api_config {
'DEFAULT/ca_file': ensure => absent;
}
} }
if $manage_service { if $manage_service {
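Review bot: Callers that still pass `false` for `cert_file`, `key_file` or `ca_file` (the previous default) no longer get `ensure => absent`; the rewritten SSL Options block hands the value straight to `glance_api_config`, so a literal false would presumably end up in glance-api.conf as the file path. Consider normalising it before the resource, e.g. `$cert_file_real = $cert_file ? { false => $::os_service_default, default => $cert_file }` (and the same for the other two), or call out the behaviour change in a release note. The documentation for the new `registry_client_*_file` parameters should also say that they are only expected to take effect when `registry_client_protocol` is `https`, since that parameter still defaults to `'http'` in this class; the three new entries also repeat the `(optinal)` typo. The class body continues outside the hunks shown.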


@ -146,9 +146,12 @@ describe 'glance::api' do
end end
it 'is_expected.to have no ssl options' do it 'is_expected.to have no ssl options' do
is_expected.to contain_glance_api_config('DEFAULT/ca_file').with_ensure('absent') is_expected.to contain_glance_api_config('DEFAULT/ca_file').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_api_config('DEFAULT/cert_file').with_ensure('absent') is_expected.to contain_glance_api_config('DEFAULT/cert_file').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_api_config('DEFAULT/key_file').with_ensure('absent') is_expected.to contain_glance_api_config('DEFAULT/key_file').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_api_config('DEFAULT/registry_client_ca_file').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_api_config('DEFAULT/registry_client_cert_file').with_value('<SERVICE DEFAULT>')
is_expected.to contain_glance_api_config('DEFAULT/registry_client_key_file').with_value('<SERVICE DEFAULT>')
end end
it 'is_expected.to configure itself for keystone if that is the auth_type' do it 'is_expected.to configure itself for keystone if that is the auth_type' do
@ -233,9 +236,12 @@ describe 'glance::api' do
describe 'with ssl options' do describe 'with ssl options' do
let :params do let :params do
default_params.merge({ default_params.merge({
:ca_file => '/tmp/ca_file', :ca_file => '/tmp/ca_file',
:cert_file => '/tmp/cert_file', :cert_file => '/tmp/cert_file',
:key_file => '/tmp/key_file' :key_file => '/tmp/key_file',
:registry_client_ca_file => '/tmp/registry_ca_file',
:registry_client_key_file => '/tmp/registry_key_file',
:registry_client_cert_file => '/tmp/registry_cert_file',
}) })
end end
@ -243,6 +249,9 @@ describe 'glance::api' do
it { is_expected.to contain_glance_api_config('DEFAULT/ca_file').with_value('/tmp/ca_file') } it { is_expected.to contain_glance_api_config('DEFAULT/ca_file').with_value('/tmp/ca_file') }
it { is_expected.to contain_glance_api_config('DEFAULT/cert_file').with_value('/tmp/cert_file') } it { is_expected.to contain_glance_api_config('DEFAULT/cert_file').with_value('/tmp/cert_file') }
it { is_expected.to contain_glance_api_config('DEFAULT/key_file').with_value('/tmp/key_file') } it { is_expected.to contain_glance_api_config('DEFAULT/key_file').with_value('/tmp/key_file') }
it { is_expected.to contain_glance_api_config('DEFAULT/registry_client_ca_file').with_value('/tmp/registry_ca_file') }
it { is_expected.to contain_glance_api_config('DEFAULT/registry_client_key_file').with_value('/tmp/registry_key_file') }
it { is_expected.to contain_glance_api_config('DEFAULT/registry_client_cert_file').with_value('/tmp/registry_cert_file') }
end end
end end
describe 'with stores by default' do describe 'with stores by default' do
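Review bot: The 'with ssl options' context sets the three `registry_client_*_file` params but leaves `registry_client_protocol` at its default, so the spec does not pin the SSL-to-registry scenario the commit message describes. Unless that is already covered elsewhere in this spec, consider adding `:registry_client_protocol => 'https',` to the merged params, with a matching expectation if the manifest writes that option (not visible here). The example title `'is_expected.to have no ssl options'` now asserts `<SERVICE DEFAULT>` values rather than absence, so a title such as `'leaves ssl options at the service default'` would describe it more accurately.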