openstack/puppet-nova
Code Issues Proposed changes

Merge "Enable nova server to be run in SSL mode"

Browse Source
This commit is contained in:
Jenkins
2014-06-04 08:52:41 +00:00
committed by Gerrit Code Review
parent 4b4de89d09 31048d2de9
commit ca16cbf55c
2 changed files with 112 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

65
manifests/init.pp
View File

@@ -175,6 +175,27 @@
# (optional) Syslog facility to receive log lines. # (optional) Syslog facility to receive log lines.
# Defaults to 'LOG_USER' # Defaults to 'LOG_USER'
# #
# [*use_ssl*]
# (optional) Enable SSL on the API server
# Defaults to false, not set
#
# [*enabled_ssl_apis*]
# (optional) List of APIs to SSL enable
# Defaults to []
# Possible values : 'ec2', 'osapi_compute', 'metadata'
#
# [*cert_file*]
# (optinal) Certificate file to use when starting API server securely
# Defaults to false, not set
#
# [*key_file*]
# (optional) Private key file to use when starting API server securely
# Defaults to false, not set
#
# [*ca_file*]
# (optional) CA certificate file to use to verify connecting clients
# Defaults to false, not set_
#
# [*nova_user_id*] # [*nova_user_id*]
# (optional) Create the nova user with the specified gid. # (optional) Create the nova user with the specified gid.
# Changing to a new uid after specifying a different uid previously, # Changing to a new uid after specifying a different uid previously,
@@ -271,6 +292,11 @@ class nova(
$periodic_interval = '60', $periodic_interval = '60',
$report_interval = '10', $report_interval = '10',
$rootwrap_config = '/etc/nova/rootwrap.conf', $rootwrap_config = '/etc/nova/rootwrap.conf',
$use_ssl = false,
$enabled_ssl_apis = ['ec2', 'metadata', 'osapi_compute'],
$ca_file = false,
$cert_file = false,
$key_file = false,
$nova_user_id = undef, $nova_user_id = undef,
$nova_group_id = undef, $nova_group_id = undef,
$nova_public_key = undef, $nova_public_key = undef,
@@ -299,6 +325,20 @@ class nova(
warning('The nova_cluster_id parameter is deprecated and has no effect.') warning('The nova_cluster_id parameter is deprecated and has no effect.')
} }
validate_array($enabled_ssl_apis)
if empty($enabled_ssl_apis) and $use_ssl {
warning('enabled_ssl_apis is empty but use_ssl is set to true')
}
if $use_ssl {
if !$cert_file {
fail('The cert_file parameter is required when use_ssl is set to true')
}
if !$key_file {
fail('The key_file parameter is required when use_ssl is set to true')
}
}
if $rabbit_use_ssl { if $rabbit_use_ssl {
if !$kombu_ssl_ca_certs { if !$kombu_ssl_ca_certs {
fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true') fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
@@ -548,6 +588,31 @@ class nova(
} }
} }
# SSL Options
if $use_ssl {
nova_config {
'DEFAULT/enabled_ssl_apis' : value => $enabled_ssl_apis;
'DEFAULT/ssl_cert_file' : value => $cert_file;
'DEFAULT/ssl_key_file' : value => $key_file;
}
if $ca_file {
nova_config { 'DEFAULT/ssl_ca_file' :
value => $ca_file,
}
} else {
nova_config { 'DEFAULT/ssl_ca_file' :
ensure => absent,
}
}
} else {
nova_config {
'DEFAULT/enabled_ssl_apis' : ensure => absent;
'DEFAULT/ssl_cert_file' : ensure => absent;
'DEFAULT/ssl_key_file' : ensure => absent;
'DEFAULT/ssl_ca_file' : ensure => absent;
}
}
if $logdir { if $logdir {
warning('The logdir parameter is deprecated, use log_dir instead.') warning('The logdir parameter is deprecated, use log_dir instead.')
$log_dir_real = $logdir $log_dir_real = $logdir

47
spec/classes/nova_init_spec.rb
View File

@@ -536,6 +536,53 @@ describe 'nova' do
end end
end end
context 'with SSL socket options set' do
let :params do
{
:use_ssl => true,
:enabled_ssl_apis => ['ec2'],
:cert_file => '/path/to/cert',
:ca_file => '/path/to/ca',
:key_file => '/path/to/key',
}
end
it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_value(['ec2']) }
it { should contain_nova_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') }
it { should contain_nova_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
it { should contain_nova_config('DEFAULT/ssl_key_file').with_value('/path/to/key') }
end
context 'with SSL socket options set with wrong parameters' do
let :params do
{
:use_ssl => true,
:enabled_ssl_apis => ['ec2'],
:ca_file => '/path/to/ca',
:key_file => '/path/to/key',
}
end
it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
end
context 'with SSL socket options set to false' do
let :params do
{
:use_ssl => false,
:enabled_ssl_apis => [],
:cert_file => false,
:ca_file => false,
:key_file => false,
}
end
it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_ensure('absent') }
it { should contain_nova_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
it { should contain_nova_config('DEFAULT/ssl_cert_file').with_ensure('absent') }
it { should contain_nova_config('DEFAULT/ssl_key_file').with_ensure('absent') }
end
end end
context 'on Debian platforms' do context 'on Debian platforms' do