From 44a32b37dbb72b7a3b36f9d2c426838c407919ab Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Wed, 27 Apr 2022 14:59:39 +0900
Subject: [PATCH] Support more [certificats] parameters

Change-Id: Iabcc22e9fae5b510086370b53c3baa39b589712e
---
 manifests/certificates.pp | 12 ++++++++++++
 .../more-certificates-opts-b88e8a352b4851e5.yaml | 8 ++++++++
 spec/classes/octavia_certificates_spec.rb | 6 ++++++
 3 files changed, 26 insertions(+)
 create mode 100644 releasenotes/notes/more-certificates-opts-b88e8a352b4851e5.yaml

diff --git a/manifests/certificates.pp b/manifests/certificates.pp
index 7af450f3..6abe038a 100644
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@@ -49,6 +49,14 @@
 # (Optional) CA password used to sign certificates
 # Defaults to $::os_service_default
 #
+# [*signing_digest*]
+# (Optional) Certificate signing digest.
+# Defaults to $::os_service_default
+#
+# [*cert_validity_time*]
+# (Optional) The validity time for the Amphora Certificates (in seconds).
+# Defaults to $::os_service_default
+#
 # [*client_ca*]
 # (Optional) Path to the client CA certificate.
 # This option is not needed unless you want to separate the
@@ -97,6 +105,8 @@ class octavia::certificates (
 $ca_private_key = $::os_service_default,
 $server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
 $ca_private_key_passphrase = $::os_service_default,
+ $signing_digest = $::os_service_default,
+ $cert_validity_time = $::os_service_default,
 $client_ca = undef,
 $client_cert = $::os_service_default,
 $ca_certificate_data = undef,
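Review bot: The `[*signing_digest*]` description in the first hunk gives no hint of which values are acceptable, and the `$signing_digest` parameter added in the `class octavia::certificates (` hunk is untyped and, in the later hunk, written straight to `certificates/signing_digest`, so as far as this manifest is concerned a weak digest such as md5 or sha1 is accepted silently. I would make the doc line `#   (Optional) Certificate signing digest, e.g. sha256. Avoid md5 and sha1.` and add a sentence to `[*cert_validity_time*]` noting that a shorter validity limits how long a leaked Amphora certificate stays usable. The parameter list and the class body both continue outside these hunks.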
@@ -123,6 +133,8 @@ class octavia::certificates (
 'certificates/ca_private_key' : value => $ca_private_key;
 'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase;
 'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
+ 'certificates/signing_digest' : value => $signing_digest;
+ 'certificates/cert_validity_time' : value => $cert_validity_time;
 'controller_worker/client_ca' : value => $client_ca_real;
 'haproxy_amphora/client_cert' : value => $client_cert;
 'haproxy_amphora/server_ca' : value => $ca_certificate;
diff --git a/releasenotes/notes/more-certificates-opts-b88e8a352b4851e5.yaml b/releasenotes/notes/more-certificates-opts-b88e8a352b4851e5.yaml
new file mode 100644
index 00000000..19c81b72
--- /dev/null
+++ b/releasenotes/notes/more-certificates-opts-b88e8a352b4851e5.yaml
@@ -0,0 +1,8 @@
+---
+features:
+ - |
+ The ``octavia::certificates`` class now supports the following two new
+ parameters.
+
+ - ``signing_digest``
+ - ``cert_validity_time``
diff --git a/spec/classes/octavia_certificates_spec.rb b/spec/classes/octavia_certificates_spec.rb
index 917dbd07..5035c63d 100644
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@@ -15,6 +15,8 @@ describe 'octavia::certificates' do
 is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('')
 is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('')
 is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('')
+ is_expected.to contain_octavia_config('certificates/signing_digest').with_value('')
+ is_expected.to contain_octavia_config('certificates/cert_validity_time').with_value('')
 end
 it 'configures octavia authentication credentials' do
@@ -37,6 +39,8 @@ describe 'octavia::certificates' do
 :ca_private_key => '/etc/octavia/key.pem',
 :server_certs_key_passphrase => 'insecure-key-do-not-use-this-key',
 :ca_private_key_passphrase => 'secure123',
+ :signing_digest => 'sha256',
+ :cert_validity_time => 2592000,
 :client_cert => '/etc/octavia/client.pem'
 }
 end
@@ -53,6 +57,8 @@ describe 'octavia::certificates' do
 is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
 is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key')
 is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
+ is_expected.to contain_octavia_config('certificates/signing_digest').with_value('sha256')
+ is_expected.to contain_octavia_config('certificates/cert_validity_time').with_value(2592000)
 end
 it 'configures octavia authentication credentials' do
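Review bot: The literal `2592000` added to the params hash is hard to read as a certificate lifetime; `:cert_validity_time => 2_592_000, # 30 days in seconds` would make the intended validity obvious to the next reader. The same value is repeated in the `with_value(2592000)` expectation in the following hunk and could use the same digit grouping. Both the params block and the `it` block start outside these hunks.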