Allow different key/cert for the admin apache vhost
The admin endpoint might be served on a different IP and servername, so it may need a different set of keys/certs. This commit adds that ability while keeping backwards compatibility: if no admin key/cert is given, the admin vhost uses the same pair as the public endpoint. Change-Id: I8725bb39f6473e4837cbd0c553295c2340f20913
parent
afe07b4155
commit
353c396520
|
@ -57,6 +57,14 @@
|
|||
# (optional) Path to SSL key
|
||||
# Default to apache::vhost 'ssl_*' defaults.
|
||||
#
|
||||
# [*ssl_cert_admin*]
|
||||
# (optional) Path to SSL certificate for the admin endpoint.
|
||||
# Default to apache::vhost 'ssl_*' defaults.
|
||||
#
|
||||
# [*ssl_key_admin*]
|
||||
# (optional) Path to SSL key for the admin endpoint.
|
||||
# Default to apache::vhost 'ssl_*' defaults.
|
||||
#
|
||||
# [*ssl_chain*]
|
||||
# (optional) SSL chain
|
||||
# Default to apache::vhost 'ssl_*' defaults.
|
||||
|
@ -168,6 +176,8 @@ class keystone::wsgi::apache (
|
|||
$workers = 1,
|
||||
$ssl_cert = undef,
|
||||
$ssl_key = undef,
|
||||
$ssl_cert_admin = undef,
|
||||
$ssl_key_admin = undef,
|
||||
$ssl_chain = undef,
|
||||
$ssl_ca = undef,
|
||||
$ssl_crl_path = undef,
|
||||
|
@ -198,6 +208,14 @@ class keystone::wsgi::apache (
|
|||
# mod_ssl package is placing a ssl.conf file after the confd_dir is purged
|
||||
# on Puppet 4.
|
||||
Class['::apache::mod::ssl'] -> File[$::apache::confd_dir]
|
||||
# Attempt to use the admin cert/key, else default to the public one.
|
||||
# Since it's possible that no cert/key were given, we allow this to be
|
||||
# empty with pick_default
|
||||
$ssl_cert_admin_real = pick_default($ssl_cert_admin, $ssl_cert)
|
||||
$ssl_key_admin_real = pick_default($ssl_key_admin, $ssl_key)
|
||||
} else {
|
||||
$ssl_cert_admin_real = undef
|
||||
$ssl_key_admin_real = undef
|
||||
}
|
||||
|
||||
# The httpd package is untagged, but needs to have ordering enforced,
|
||||
|
@ -347,8 +365,8 @@ class keystone::wsgi::apache (
|
|||
docroot_group => 'keystone',
|
||||
priority => $priority,
|
||||
ssl => $ssl,
|
||||
ssl_cert => $ssl_cert,
|
||||
ssl_key => $ssl_key,
|
||||
ssl_cert => $ssl_cert_admin_real,
|
||||
ssl_key => $ssl_key_admin_real,
|
||||
ssl_chain => $ssl_chain,
|
||||
ssl_ca => $ssl_ca,
|
||||
ssl_crl_path => $ssl_crl_path,
|
||||
|
|
|
@ -0,0 +1,5 @@
|
|||
---
|
||||
features:
|
||||
- It is now possible to set a specific certificate and key files for the
|
||||
admin endpoint when it's deployed over apache. It used to be the case that
|
||||
the public and admin endpoints had to match.
|
|
@ -296,6 +296,42 @@ describe 'keystone::wsgi::apache' do
|
|||
)}
|
||||
end
|
||||
|
||||
describe 'when setting ssl cert and key' do
|
||||
let :params do
|
||||
{
|
||||
:ssl_cert => 'some cert',
|
||||
:ssl_key => 'some key',
|
||||
}
|
||||
end
|
||||
it { is_expected.to contain_apache__vhost('keystone_wsgi_main').with(
|
||||
'ssl_cert' => 'some cert',
|
||||
'ssl_key' => 'some key',
|
||||
)}
|
||||
it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').with(
|
||||
'ssl_cert' => 'some cert',
|
||||
'ssl_key' => 'some key',
|
||||
)}
|
||||
end
|
||||
|
||||
describe 'when setting different ssl cert and key for admin' do
|
||||
let :params do
|
||||
{
|
||||
:ssl_cert => 'some cert',
|
||||
:ssl_key => 'some key',
|
||||
:ssl_cert_admin => 'some cert admin',
|
||||
:ssl_key_admin => 'some key admin',
|
||||
}
|
||||
end
|
||||
it { is_expected.to contain_apache__vhost('keystone_wsgi_main').with(
|
||||
'ssl_cert' => 'some cert',
|
||||
'ssl_key' => 'some key',
|
||||
)}
|
||||
it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').with(
|
||||
'ssl_cert' => 'some cert admin',
|
||||
'ssl_key' => 'some key admin',
|
||||
)}
|
||||
end
|
||||
|
||||
describe 'when overriding parameters using wsgi chunked request' do
|
||||
let :params do
|
||||
{
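Review bot: The new examples only cover the case where both admin values are given and TLS is presumably enabled by default; nothing pins the branch where the manifest sets `$ssl_cert_admin_real`/`$ssl_key_admin_real` to undef, which appears to be the `ssl => false` path, so a later change to that branch would go unnoticed. Adding an example that passes `:ssl => false` together with the admin pair and asserts the admin vhost carries neither parameter would close that gap. The enclosing `describe 'keystone::wsgi::apache'` block starts outside the hunk.
```ruby
# … unchanged: 'when setting different ssl cert and key for admin' examples …
describe 'when ssl is disabled but admin cert and key are given' do
  let :params do
    {
      :ssl            => false,
      :ssl_cert_admin => 'some cert admin',
      :ssl_key_admin  => 'some key admin',
    }
  end
  it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').without(
    ['ssl_cert', 'ssl_key']
  )}
end
```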
|
||||
|
|