Merge "Enable nova server to be run in SSL mode"

2014-06-04 08:52:41 +00:00
parent 4b4de89d09 31048d2de9
commit ca16cbf55c
2 changed files with 112 additions and 0 deletions
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -175,6 +175,27 @@
 #   (optional) Syslog facility to receive log lines.
 #   Defaults to 'LOG_USER'
 #
+# [*use_ssl*]
+#   (optional) Enable SSL on the API server
+#   Defaults to false, not set
+#
+# [*enabled_ssl_apis*]
+#   (optional) List of APIs to SSL enable
+#   Defaults to []
+#   Possible values : 'ec2', 'osapi_compute', 'metadata'
+#
+# [*cert_file*]
+#   (optinal) Certificate file to use when starting API server securely
+#   Defaults to false, not set
+#
+# [*key_file*]
+#   (optional) Private key file to use when starting API server securely
+#   Defaults to false, not set
+#
+# [*ca_file*]
+#   (optional) CA certificate file to use to verify connecting clients
+#   Defaults to false, not set_
+#
 # [*nova_user_id*]
 #   (optional) Create the nova user with the specified gid.
 #   Changing to a new uid after specifying a different uid previously,
@@ -271,6 +292,11 @@ class nova(
  $periodic_interval        = '60',
  $report_interval          = '10',
  $rootwrap_config          = '/etc/nova/rootwrap.conf',
+  $use_ssl                  = false,
+  $enabled_ssl_apis         = ['ec2', 'metadata', 'osapi_compute'],
+  $ca_file                  = false,
+  $cert_file                = false,
+  $key_file                 = false,
  $nova_user_id             = undef,
  $nova_group_id            = undef,
  $nova_public_key          = undef,
@@ -299,6 +325,20 @@ class nova(
    warning('The nova_cluster_id parameter is deprecated and has no effect.')
  }

+  validate_array($enabled_ssl_apis)
+  if empty($enabled_ssl_apis) and $use_ssl {
+      warning('enabled_ssl_apis is empty but use_ssl is set to true')
+  }
+
+  if $use_ssl {
+    if !$cert_file {
+      fail('The cert_file parameter is required when use_ssl is set to true')
+    }
+    if !$key_file {
+      fail('The key_file parameter is required when use_ssl is set to true')
+    }
+  }
+
  if $rabbit_use_ssl {
    if !$kombu_ssl_ca_certs {
      fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
@@ -548,6 +588,31 @@ class nova(
    }
  }

+  # SSL Options
+  if $use_ssl {
+    nova_config {
+      'DEFAULT/enabled_ssl_apis' : value => $enabled_ssl_apis;
+      'DEFAULT/ssl_cert_file' :    value => $cert_file;
+      'DEFAULT/ssl_key_file' :     value => $key_file;
+    }
+    if $ca_file {
+      nova_config { 'DEFAULT/ssl_ca_file' :
+        value => $ca_file,
+      }
+    } else {
+      nova_config { 'DEFAULT/ssl_ca_file' :
+        ensure => absent,
+      }
+    }
+  } else {
+    nova_config {
+      'DEFAULT/enabled_ssl_apis' : ensure => absent;
+      'DEFAULT/ssl_cert_file' :    ensure => absent;
+      'DEFAULT/ssl_key_file' :     ensure => absent;
+      'DEFAULT/ssl_ca_file' :      ensure => absent;
+    }
+  }
+
  if $logdir {
    warning('The logdir parameter is deprecated, use log_dir instead.')
    $log_dir_real = $logdir
--- a/spec/classes/nova_init_spec.rb
+++ b/spec/classes/nova_init_spec.rb
@@ -536,6 +536,53 @@ describe 'nova' do
      end
    end

+    context 'with SSL socket options set' do
+      let :params do
+        {
+          :use_ssl          => true,
+          :enabled_ssl_apis => ['ec2'],
+          :cert_file        => '/path/to/cert',
+          :ca_file          => '/path/to/ca',
+          :key_file         => '/path/to/key',
+        }
+      end
+
+      it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_value(['ec2']) }
+      it { should contain_nova_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') }
+      it { should contain_nova_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
+      it { should contain_nova_config('DEFAULT/ssl_key_file').with_value('/path/to/key') }
+    end
+
+    context 'with SSL socket options set with wrong parameters' do
+      let :params do
+        {
+          :use_ssl          => true,
+          :enabled_ssl_apis => ['ec2'],
+          :ca_file          => '/path/to/ca',
+          :key_file         => '/path/to/key',
+        }
+      end
+
+      it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
+    end
+
+    context 'with SSL socket options set to false' do
+      let :params do
+        {
+          :use_ssl          => false,
+          :enabled_ssl_apis => [],
+          :cert_file        => false,
+          :ca_file          => false,
+          :key_file         => false,
+        }
+      end
+
+      it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_ensure('absent') }
+      it { should contain_nova_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
+      it { should contain_nova_config('DEFAULT/ssl_cert_file').with_ensure('absent') }
+      it { should contain_nova_config('DEFAULT/ssl_key_file').with_ensure('absent') }
+    end
+
  end

  context 'on Debian platforms' do