From 662b9122e5f924e5166edc8a7fff33b8abb6cf7c Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Sun, 3 Apr 2022 02:39:27 +0900
Subject: [PATCH] keystone_auth: Support ssl parameters

This change adds support for SSL parameters of [keystone_auth] section. Note: Management of [keystone_auth] parameters is removed from the authtoken class. However this is effectively same, because Magnum reads [keystone_authtoken] parameters in case [keystone_auth] parameters are not set.

Change-Id: I3acc6a64b7789633ab068d8bbdcb2b9c11f2fb2d
---
 manifests/keystone/authtoken.pp | 6 ----
 manifests/keystone/keystone_auth.pp | 29 +++++++++++++++++++
 ...ystone_auth-ssl-opts-cf0803fbac010e56.yaml | 10 +++++++
 .../classes/magnum_keystone_authtoken_spec.rb | 14 --------
 .../magnum_keystone_keystone_auth_spec.rb | 16 ++++++++++
 5 files changed, 55 insertions(+), 20 deletions(-)
 create mode 100644 releasenotes/notes/keystone_auth-ssl-opts-cf0803fbac010e56.yaml

diff --git a/manifests/keystone/authtoken.pp b/manifests/keystone/authtoken.pp
index c48e20e..8ae9825 100644
--- a/manifests/keystone/authtoken.pp
+++ b/manifests/keystone/authtoken.pp
@@ -275,10 +275,4 @@ class magnum::keystone::authtoken(
 service_type => $service_type,
 interface => $interface,
 }
- magnum_config {
- 'keystone_auth/cafile' : value => $cafile;
- 'keystone_auth/keyfile' : value => $keyfile;
- 'keystone_auth/certfile' : value => $certfile;
- 'keystone_auth/insecure' : value => $insecure;
- }
 }
diff --git a/manifests/keystone/keystone_auth.pp b/manifests/keystone/keystone_auth.pp
index 436375a..c0d464f 100644
--- a/manifests/keystone/keystone_auth.pp
+++ b/manifests/keystone/keystone_auth.pp
@@ -36,6 +36,24 @@
 # (Optional) Authentication type to load
 # Defaults to 'password'
 #
+# [*cafile*]
+# (Optional) A PEM encoded Certificate Authority to use when verifying HTTPs
+# connections.
+# Defaults to $::os_service_default.
+#
+# [*certfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*keyfile*]
+# (Optional) Required if identity server requires client certificate
+# Defaults to $::os_service_default.
+#
+# [*insecure*]
+# (Optional) If true, explicitly allow TLS without checking server cert
+# against any certificate authorities.
+# Defaults to $::os_service_default
+#
 class magnum::keystone::keystone_auth(
 $username = 'magnum',
 $password = $::os_service_default,
@@ -45,6 +63,10 @@ class magnum::keystone::keystone_auth(
 $project_domain_name = 'Default',
 $system_scope = $::os_service_default,
 $auth_type = 'password',
+ $cafile = $::os_service_default,
+ $keyfile = $::os_service_default,
+ $certfile = $::os_service_default,
+ $insecure = $::os_service_default,
 ) {
 
 include magnum::deps
@@ -71,4 +93,11 @@ class magnum::keystone::keystone_auth(
 'keystone_auth/auth_type' : value => $auth_type;
 }
 }
+
+ magnum_config {
+ 'keystone_auth/cafile' : value => $cafile;
+ 'keystone_auth/keyfile' : value => $keyfile;
+ 'keystone_auth/certfile' : value => $certfile;
+ 'keystone_auth/insecure' : value => $insecure;
+ }
 }
diff --git a/releasenotes/notes/keystone_auth-ssl-opts-cf0803fbac010e56.yaml b/releasenotes/notes/keystone_auth-ssl-opts-cf0803fbac010e56.yaml
new file mode 100644
index 0000000..053ddd5
--- /dev/null
+++ b/releasenotes/notes/keystone_auth-ssl-opts-cf0803fbac010e56.yaml
@@ -0,0 +1,10 @@
+---
+features:
+ - |
+ The ``magnum::keystone::keystone_auth`` class now supports the following
+ parameters.
+
+ - ``cafile``
+ - ``certfile``
+ - ``keyfile``
+ - ``insecure``
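Review bot: The cafile entry in the first hunk spells the protocol `HTTPs`, and the insecure entry's `# Defaults to $::os_service_default` line lacks the trailing period that the cafile, certfile and keyfile entries end with; `#   (Optional) A PEM encoded Certificate Authority to use when verifying HTTPS` and `#   Defaults to $::os_service_default.` would make the four new entries read consistently. The documentation lists the parameters as cafile, certfile, keyfile, insecure, while the class signature in the second hunk and the `magnum_config` block in the third declare them as cafile, keyfile, certfile, insecure; Puppet binds class parameters by name so this is cosmetic, but the default-parameters example in spec/classes/magnum_keystone_keystone_auth_spec.rb uses yet another order (certfile, keyfile, cafile, insecure), so settling on one order across the manifest and the spec would help readers cross-check the three places. The class body between the parameter list and the final `magnum_config` block lies outside these hunks.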
diff --git a/spec/classes/magnum_keystone_authtoken_spec.rb b/spec/classes/magnum_keystone_authtoken_spec.rb
index 92c2f51..0360454 100644
--- a/spec/classes/magnum_keystone_authtoken_spec.rb
+++ b/spec/classes/magnum_keystone_authtoken_spec.rb
@@ -52,13 +52,6 @@ describe 'magnum::keystone::authtoken' do
 :service_type => '',
 :interface => '',
 )}
-
- it {
- is_expected.to contain_magnum_config('keystone_auth/insecure').with_value('')
- is_expected.to contain_magnum_config('keystone_auth/cafile').with_value('')
- is_expected.to contain_magnum_config('keystone_auth/certfile').with_value('')
- is_expected.to contain_magnum_config('keystone_auth/keyfile').with_value('')
- }
 end
 
 context 'when overriding parameters' do
@@ -141,13 +134,6 @@ describe 'magnum::keystone::authtoken' do
 :service_token_roles_required => params[:service_token_roles_required],
 :interface => params[:interface],
 )}
-
- it {
- is_expected.to contain_magnum_config('keystone_auth/insecure').with_value(params[:insecure])
- is_expected.to contain_magnum_config('keystone_auth/cafile').with_value(params[:cafile])
- is_expected.to contain_magnum_config('keystone_auth/certfile').with_value(params[:certfile])
- is_expected.to contain_magnum_config('keystone_auth/keyfile').with_value(params[:keyfile])
- }
 end
 end
 
diff --git a/spec/classes/magnum_keystone_keystone_auth_spec.rb b/spec/classes/magnum_keystone_keystone_auth_spec.rb
index 4ad4b30..5fed1bb 100644
--- a/spec/classes/magnum_keystone_keystone_auth_spec.rb
+++ b/spec/classes/magnum_keystone_keystone_auth_spec.rb
@@ -11,6 +11,10 @@ describe 'magnum::keystone::keystone_auth' do
 context 'with default parameters' do
 it 'configure keystone_auth' do
 is_expected.not_to contain_magnum_config('keystone_auth/username')
+ is_expected.to contain_magnum_config('keystone_auth/certfile').with_value('')
+ is_expected.to contain_magnum_config('keystone_auth/keyfile').with_value('')
+ is_expected.to contain_magnum_config('keystone_auth/cafile').with_value('')
+ is_expected.to contain_magnum_config('keystone_auth/insecure').with_value('')
 end
 end
 
@@ -30,6 +34,10 @@ describe 'magnum::keystone::keystone_auth' do
 is_expected.to contain_magnum_config('keystone_auth/project_domain_name').with_value('Default')
 is_expected.to contain_magnum_config('keystone_auth/system_scope').with_value('')
 is_expected.to contain_magnum_config('keystone_auth/auth_type').with_value('password')
+ is_expected.to contain_magnum_config('keystone_auth/cafile').with_value('')
+ is_expected.to contain_magnum_config('keystone_auth/certfile').with_value('')
+ is_expected.to contain_magnum_config('keystone_auth/keyfile').with_value('')
+ is_expected.to contain_magnum_config('keystone_auth/insecure').with_value('')
 end
 end
 
@@ -43,6 +51,10 @@ describe 'magnum::keystone::keystone_auth' do
 :user_domain_name => 'domainX',
 :project_domain_name => 'domainX',
 :auth_type => 'v3password',
+ :cafile => '/path/to/ca.cert',
+ :certfile => '/path/to/certfile',
+ :keyfile => '/path/to/key',
+ :insecure => false,
 })
 end
 
@@ -55,6 +67,10 @@ describe 'magnum::keystone::keystone_auth' do
 is_expected.to contain_magnum_config('keystone_auth/project_domain_name').with_value(params[:project_domain_name])
 is_expected.to contain_magnum_config('keystone_auth/system_scope').with_value('')
 is_expected.to contain_magnum_config('keystone_auth/auth_type').with_value(params[:auth_type])
+ is_expected.to contain_magnum_config('keystone_auth/cafile').with_value('/path/to/ca.cert')
+ is_expected.to contain_magnum_config('keystone_auth/certfile').with_value('/path/to/certfile')
+ is_expected.to contain_magnum_config('keystone_auth/keyfile').with_value('/path/to/key')
+ is_expected.to contain_magnum_config('keystone_auth/insecure').with_value(false)
 end
 end