diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp
index ec121dc0a..e4ac4141c 100644
--- a/manifests/wsgi/apache.pp
+++ b/manifests/wsgi/apache.pp
@@ -57,6 +57,14 @@
 # (optional) Path to SSL key
 # Default to apache::vhost 'ssl_*' defaults.
 #
+# [*ssl_cert_admin*]
+# (optional) Path to SSL certificate for the admin endpoint.
+# Default to apache::vhost 'ssl_*' defaults.
+#
+# [*ssl_key_admin*]
+# (optional) Path to SSL key for the admin endpoint.
+# Default to apache::vhost 'ssl_*' defaults.
+#
 # [*ssl_chain*]
 # (optional) SSL chain
 # Default to apache::vhost 'ssl_*' defaults.
@@ -168,6 +176,8 @@ class keystone::wsgi::apache (
   $workers = 1,
   $ssl_cert = undef,
   $ssl_key = undef,
+  $ssl_cert_admin = undef,
+  $ssl_key_admin = undef,
   $ssl_chain = undef,
   $ssl_ca = undef,
   $ssl_crl_path = undef,
@@ -198,6 +208,14 @@ class keystone::wsgi::apache (
     # mod_ssl package is placing a ssl.conf file after the confd_dir is purged
     # on Puppet 4.
     Class['::apache::mod::ssl'] -> File[$::apache::confd_dir]
+    # Attempt to use the admin cert/key, else default to the public one.
+    # Since it's possible that no cert/key were given, we allow this to be
+    # empty with pick_default
+    $ssl_cert_admin_real = pick_default($ssl_cert_admin, $ssl_cert)
+    $ssl_key_admin_real = pick_default($ssl_key_admin, $ssl_key)
+  } else {
+    $ssl_cert_admin_real = undef
+    $ssl_key_admin_real = undef
   }
 
   # The httpd package is untagged, but needs to have ordering enforced,
@@ -347,8 +365,8 @@ class keystone::wsgi::apache (
     docroot_group => 'keystone',
     priority => $priority,
     ssl => $ssl,
-    ssl_cert => $ssl_cert,
-    ssl_key => $ssl_key,
+    ssl_cert => $ssl_cert_admin_real,
+    ssl_key => $ssl_key_admin_real,
     ssl_chain => $ssl_chain,
     ssl_ca => $ssl_ca,
     ssl_crl_path => $ssl_crl_path,
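Review bot: The parameter documentation added in the first hunk for `ssl_cert_admin` and `ssl_key_admin` says they "Default to apache::vhost 'ssl_*' defaults", but the third hunk shows the real fallback is the public `$ssl_cert`/`$ssl_key` via `pick_default`, and only when those are also unset does the apache::vhost default apply. An operator reading the header would not learn that the admin endpoint silently reuses the public certificate. Suggest replacing the second doc line of each with `#   Defaults to $ssl_cert (the public endpoint's certificate).` and `#   Defaults to $ssl_key (the public endpoint's key).`, and noting that both are ignored when `$ssl` is false, which the `else` branch in the third hunk establishes.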
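Review bot: The third hunk's `pick_default` lines fall back independently for the certificate and the key, so a caller who sets only `ssl_cert_admin` ends up with the admin certificate paired with the public key (or vice versa); Apache will refuse that mismatched pair at startup rather than at catalog compile time, where the error is cheaper to diagnose. Consider failing early inside the `if` branch before the two assignments, e.g. `if ($ssl_cert_admin == undef) != ($ssl_key_admin == undef) { fail('ssl_cert_admin and ssl_key_admin must be set together') }`. Note also that `pick_default` treats an empty string like undef, so passing `''` for either admin value falls through to the public material rather than disabling it; worth a comment if that is intended. The enclosing `if` block opens outside the hunk, so I am inferring its condition from the `} else {` and the `ssl =>` parameters in the last hunk.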
diff --git a/releasenotes/notes/Add-cert-and-key-files-specifically-for-the-admin-endpoint-815e0109247d6f70.yaml b/releasenotes/notes/Add-cert-and-key-files-specifically-for-the-admin-endpoint-815e0109247d6f70.yaml
new file mode 100644
index 000000000..cdcd82b11
--- /dev/null
+++ b/releasenotes/notes/Add-cert-and-key-files-specifically-for-the-admin-endpoint-815e0109247d6f70.yaml
@@ -0,0 +1,5 @@
+---
+features:
+  - It is now possible to set a specific certificate and key files for the
+    admin endpoint when it's deployed over apache. It used to be the case that
+    the public and admin endpoints had to match.
diff --git a/spec/classes/keystone_wsgi_apache_spec.rb b/spec/classes/keystone_wsgi_apache_spec.rb
index e0c025db2..0ed76e0af 100644
--- a/spec/classes/keystone_wsgi_apache_spec.rb
+++ b/spec/classes/keystone_wsgi_apache_spec.rb
@@ -296,6 +296,42 @@ describe 'keystone::wsgi::apache' do
     )}
   end
 
+  describe 'when setting ssl cert and key' do
+    let :params do
+      {
+        :ssl_cert => 'some cert',
+        :ssl_key => 'some key',
+      }
+    end
+    it { is_expected.to contain_apache__vhost('keystone_wsgi_main').with(
+      'ssl_cert' => 'some cert',
+      'ssl_key' => 'some key',
+    )}
+    it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').with(
+      'ssl_cert' => 'some cert',
+      'ssl_key' => 'some key',
+    )}
+  end
+
+  describe 'when setting different ssl cert and key for admin' do
+    let :params do
+      {
+        :ssl_cert => 'some cert',
+        :ssl_key => 'some key',
+        :ssl_cert_admin => 'some cert admin',
+        :ssl_key_admin => 'some key admin',
+      }
+    end
+    it { is_expected.to contain_apache__vhost('keystone_wsgi_main').with(
+      'ssl_cert' => 'some cert',
+      'ssl_key' => 'some key',
+    )}
+    it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').with(
+      'ssl_cert' => 'some cert admin',
+      'ssl_key' => 'some key admin',
+    )}
+  end
+
   describe 'when overriding parameters using wsgi chunked request' do
     let :params do
       {
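Review bot: The two new `describe` blocks in the spec hunk only exercise the cases where both admin values are unset or both are set, leaving the partial case — `:ssl_cert_admin` given without `:ssl_key_admin` — untested even though the manifest's `pick_default` fallback makes that the surprising path (the admin vhost would receive the admin cert with the public key). Adding a third block with only `:ssl_cert_admin => 'some cert admin'` and asserting what `keystone_wsgi_admin` receives for `'ssl_key'` would pin the intended behaviour, whichever way the manifest settles it. Neither block sets `:ssl`, so whether the `else` branch in the manifest (which discards the admin values when SSL is off) is reached depends on the class default, which is outside this hunk; a case with `:ssl => false` plus admin values, expecting `'ssl_cert' => nil` on the admin vhost, would cover it. The second `describe` repeats the first's `:ssl_cert`/`:ssl_key` pair verbatim; a shared outer `let` with `super().merge(...)` in the inner block would keep the two fixtures from drifting.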