Add SSL support for magnum::api

Change-Id: I120a52cfd1e29b1a6899112f1b950cd0eb0d60f0

manifests/api.pp

@@ -33,6 +33,20 @@
 #   (optional) Type of authentication to be used.
 #   Defaults to 'keystone'
 #
+# [*enabled_ssl*]
+#   (Optional) Whether to use ssl or not.
+#   Defaults to 'false'.
+#
+# [*ssl_cert_file*]
+#   (Optional) Location of the SSL certificate file to use for SSL mode.
+#   Required when $enabled_ssl is set to 'true'.
+#   Defaults to $::os_service_default.
+#
+# [*ssl_key_file*]
+#   (Optional) Location of the SSL key file to use for enabling SSL mode.
+#   Required when $enabled_ssl is set to 'true'.
+#   Defaults to $::os_service_default.
+#
 class magnum::api(
   $package_ensure = 'present',
   $enabled        = true,
@@ -41,11 +55,23 @@ class magnum::api(
   $max_limit      = '1000',
   $sync_db        = true,
   $auth_strategy  = 'keystone',
+  $enabled_ssl    = false,
+  $ssl_cert_file  = $::os_service_default,
+  $ssl_key_file   = $::os_service_default,
 ) {
 
   include ::magnum::params
   include ::magnum::policy
 
+  if $enabled_ssl {
+    if is_service_default($ssl_cert_file) {
+      fail('The ssl_cert_file parameter is required when enabled_ssl is true')
+    }
+    if is_service_default($ssl_key_file) {
+      fail('The ssl_key_file parameter is required when enabled_ssl is true')
+    }
+  }
+
   if $sync_db {
     include ::magnum::db::sync
   }
@@ -58,6 +84,9 @@ class magnum::api(
     'api/port' :         value => $port;
     'api/host' :         value => $host;
     'api/max_limit' :    value => $max_limit;
+    'api/enabled_ssl':   value => $enabled_ssl;
+    'api/ssl_cert_file': value => $ssl_cert_file;
+    'api/ssl_key_file':  value => $ssl_key_file;
   }
 
   # Install package
@@ -89,5 +118,4 @@ class magnum::api(
   if $auth_strategy == 'keystone' {
     include ::magnum::keystone::authtoken
   }
-
 }

releasenotes/notes/ssl-api-74d254dc2a0250ce.yaml

@@ -0,0 +1,3 @@
+---
+features:
+  - magnum::api now supports SSL parameters to secure the API endpoint

spec/classes/magnum_api_spec.rb

@@ -16,6 +16,9 @@ describe 'magnum::api' do
       :host              => '127.0.0.1',
       :max_limit         => '1000',
       :sync_db           => 'true',
+      :enabled_ssl       => 'false',
+      :ssl_cert_file     => '<SERVICE DEFAULT>',
+      :ssl_key_file      => '<SERVICE DEFAULT>',
     }
   end
 
@@ -53,6 +56,9 @@ describe 'magnum::api' do
       is_expected.to contain_magnum_config('api/port').with_value(p[:port])
       is_expected.to contain_magnum_config('api/host').with_value(p[:host])
       is_expected.to contain_magnum_config('api/max_limit').with_value(p[:max_limit])
+      is_expected.to contain_magnum_config('api/enabled_ssl').with_value(p[:enabled_ssl])
+      is_expected.to contain_magnum_config('api/ssl_cert_file').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_magnum_config('api/ssl_key_file').with_value('<SERVICE DEFAULT>')
     end
 
     context 'when overriding parameters' do
@@ -71,6 +77,19 @@ describe 'magnum::api' do
       end
     end
 
+    context 'with SSL enabled' do
+      let :params do
+        {
+          :enabled_ssl   => true,
+          :ssl_cert_file => '/path/to/cert',
+          :ssl_key_file  => '/path/to/key'
+        }
+      end
+
+      it { is_expected.to contain_magnum_config('api/enabled_ssl').with_value(p[:enabled_ssl]) }
+      it { is_expected.to contain_magnum_config('api/ssl_cert_file').with_value(p[:ssl_cert_file]) }
+      it { is_expected.to contain_magnum_config('api/ssl_key_file').with_value(p[:ssl_key_file]) }
+    end
   end
 
  on_supported_os({