Allow different key/cert for the admin apache vhost
The admin endpoint might be served with a different IP and servername, so it might need a different set of keys/certs. This commit gives it the ability to do so while keeping backwards compatibility: if no admin key/cert is given, the admin vhost uses the pair that the public endpoint uses. Change-Id: I8725bb39f6473e4837cbd0c553295c2340f20913
@@ -57,6 +57,14 @@
|
|||||||
# (optional) Path to SSL key
|
# (optional) Path to SSL key
|
||||||
# Default to apache::vhost 'ssl_*' defaults.
|
# Default to apache::vhost 'ssl_*' defaults.
|
||||||
#
|
#
|
||||||
|
# [*ssl_cert_admin*]
|
||||||
|
# (optional) Path to SSL certificate for the admin endpoint.
|
||||||
|
# Default to apache::vhost 'ssl_*' defaults.
|
||||||
|
#
|
||||||
|
# [*ssl_key_admin*]
|
||||||
|
# (optional) Path to SSL key for the admin endpoint.
|
||||||
|
# Default to apache::vhost 'ssl_*' defaults.
|
||||||
|
#
|
||||||
# [*ssl_chain*]
|
# [*ssl_chain*]
|
||||||
# (optional) SSL chain
|
# (optional) SSL chain
|
||||||
# Default to apache::vhost 'ssl_*' defaults.
|
# Default to apache::vhost 'ssl_*' defaults.
|
||||||
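Review bot: The new doc comments for ssl_cert_admin and ssl_key_admin say they "Default to apache::vhost 'ssl_*' defaults", but the manifest falls back to ssl_cert and ssl_key when they are unset, as the commit message itself describes, so the comments document the wrong default. They should read `# Defaults to the value of ssl_cert.` and `# Defaults to the value of ssl_key.`, with one sentence noting that the apache::vhost defaults only apply when those public parameters are also unset. That way an operator reading the parameter list knows which value actually governs the admin vhost.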
@@ -168,6 +176,8 @@ class keystone::wsgi::apache (
|
|||||||
$workers = 1,
|
$workers = 1,
|
||||||
$ssl_cert = undef,
|
$ssl_cert = undef,
|
||||||
$ssl_key = undef,
|
$ssl_key = undef,
|
||||||
|
$ssl_cert_admin = undef,
|
||||||
|
$ssl_key_admin = undef,
|
||||||
$ssl_chain = undef,
|
$ssl_chain = undef,
|
||||||
$ssl_ca = undef,
|
$ssl_ca = undef,
|
||||||
$ssl_crl_path = undef,
|
$ssl_crl_path = undef,
|
||||||
@@ -198,6 +208,14 @@ class keystone::wsgi::apache (
|
|||||||
# mod_ssl package is placing a ssl.conf file after the confd_dir is purged
|
# mod_ssl package is placing a ssl.conf file after the confd_dir is purged
|
||||||
# on Puppet 4.
|
# on Puppet 4.
|
||||||
Class['::apache::mod::ssl'] -> File[$::apache::confd_dir]
|
Class['::apache::mod::ssl'] -> File[$::apache::confd_dir]
|
||||||
|
# Attempt to use the admin cert/key, else default to the public one.
|
||||||
|
# Since it's possible that no cert/key were given, we allow this to be
|
||||||
|
# empty with pick_default
|
||||||
|
$ssl_cert_admin_real = pick_default($ssl_cert_admin, $ssl_cert)
|
||||||
|
$ssl_key_admin_real = pick_default($ssl_key_admin, $ssl_key)
|
||||||
|
} else {
|
||||||
|
$ssl_cert_admin_real = undef
|
||||||
|
$ssl_key_admin_real = undef
|
||||||
}
|
}
|
||||||
|
|
||||||
# The httpd package is untagged, but needs to have ordering enforced,
|
# The httpd package is untagged, but needs to have ordering enforced,
|
||||||
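Review bot: The fallback on the two pick_default lines is applied per parameter rather than per pair, so setting only ssl_cert_admin (or only ssl_key_admin) gives the admin vhost the admin certificate with the public key, or the reverse; Apache will not start a vhost whose key does not match its certificate, and the mismatch only surfaces at service start rather than at catalog compile time. A guard before the fallback catches it early: `if ($ssl_cert_admin and !$ssl_key_admin) or ($ssl_key_admin and !$ssl_cert_admin) { fail('ssl_cert_admin and ssl_key_admin must be set together') }`. The enclosing conditional whose `} else {` branch appears in the hunk begins outside it, presumably the $ssl check, so the guard belongs inside that same branch.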
@@ -347,8 +365,8 @@ class keystone::wsgi::apache (
|
|||||||
docroot_group => 'keystone',
|
docroot_group => 'keystone',
|
||||||
priority => $priority,
|
priority => $priority,
|
||||||
ssl => $ssl,
|
ssl => $ssl,
|
||||||
ssl_cert => $ssl_cert,
|
ssl_cert => $ssl_cert_admin_real,
|
||||||
ssl_key => $ssl_key,
|
ssl_key => $ssl_key_admin_real,
|
||||||
ssl_chain => $ssl_chain,
|
ssl_chain => $ssl_chain,
|
||||||
ssl_ca => $ssl_ca,
|
ssl_ca => $ssl_ca,
|
||||||
ssl_crl_path => $ssl_crl_path,
|
ssl_crl_path => $ssl_crl_path,
|
||||||
|
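Review bot: Only ssl_cert and ssl_key are switched to the admin variants here; ssl_chain, ssl_ca and ssl_crl_path on the following lines still receive the public endpoint's values for the admin vhost. If the admin certificate is issued by a different CA than the public one, the admin vhost would present the public intermediate chain, so clients would see an incomplete chain, and the public CA and CRL would be used for any client-certificate verification on the admin vhost. If different issuers are meant to be supported, the same `_admin` parameter plus pick_default fallback should cover ssl_chain, ssl_ca and ssl_crl_path; otherwise the parameter docs should state that the admin certificate must share the public certificate's chain and CA.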
@@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- It is now possible to set a specific certificate and key files for the
|
||||||
|
admin endpoint when it's deployed over apache. It used to be the case that
|
||||||
|
the public and admin endpoints had to match.
|
@@ -296,6 +296,42 @@ describe 'keystone::wsgi::apache' do
|
|||||||
)}
|
)}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe 'when setting ssl cert and key' do
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:ssl_cert => 'some cert',
|
||||||
|
:ssl_key => 'some key',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
it { is_expected.to contain_apache__vhost('keystone_wsgi_main').with(
|
||||||
|
'ssl_cert' => 'some cert',
|
||||||
|
'ssl_key' => 'some key',
|
||||||
|
)}
|
||||||
|
it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').with(
|
||||||
|
'ssl_cert' => 'some cert',
|
||||||
|
'ssl_key' => 'some key',
|
||||||
|
)}
|
||||||
|
end
|
||||||
|
|
||||||
|
describe 'when setting different ssl cert and key for admin' do
|
||||||
|
let :params do
|
||||||
|
{
|
||||||
|
:ssl_cert => 'some cert',
|
||||||
|
:ssl_key => 'some key',
|
||||||
|
:ssl_cert_admin => 'some cert admin',
|
||||||
|
:ssl_key_admin => 'some key admin',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
it { is_expected.to contain_apache__vhost('keystone_wsgi_main').with(
|
||||||
|
'ssl_cert' => 'some cert',
|
||||||
|
'ssl_key' => 'some key',
|
||||||
|
)}
|
||||||
|
it { is_expected.to contain_apache__vhost('keystone_wsgi_admin').with(
|
||||||
|
'ssl_cert' => 'some cert admin',
|
||||||
|
'ssl_key' => 'some key admin',
|
||||||
|
)}
|
||||||
|
end
|
||||||
|
|
||||||
describe 'when overriding parameters using wsgi chunked request' do
|
describe 'when overriding parameters using wsgi chunked request' do
|
||||||
let :params do
|
let :params do
|
||||||
{
|
{
|
||||||
|
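Review bot: The two new examples cover the cases where neither or both admin values are set, but not the partial case where only ssl_cert_admin or only ssl_key_admin is given, which is exactly where the per-parameter pick_default fallback in the manifest produces a mixed cert/key pair on keystone_wsgi_admin. A third example setting only `:ssl_cert_admin => 'some cert admin'` and asserting what keystone_wsgi_admin receives (or that the catalog fails to compile) would pin that behaviour whichever way the manifest ends up handling it. The enclosing describe block begins outside the hunk.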