Set show_diff to false on certificates

Certificates should be considered secrets
and we should not output the diffs.

Also fixes up the testing to test all the
parameters set on the file resources.

Closes-Bug: 1804884
Change-Id: I0db84f4b9d97bf22d06478ded126a1f209c9b69a
(cherry picked from commit 45ecee290b)
Tobias Urdin 2018-11-23 21:18:38 +01:00
parent ea17af17d9
commit 79e9f63091
3 changed files with 104 additions and 80 deletions


@ -117,13 +117,14 @@ class octavia::certificates (
tag => 'octavia-certificate',
})
file { $ca_certificate:
ensure => file,
content => $ca_certificate_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
tag => 'octavia-certificate',
ensure => file,
content => $ca_certificate_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
show_diff => false,
tag => 'octavia-certificate',
}
}
if $ca_private_key_data {
@ -138,13 +139,14 @@ class octavia::certificates (
tag => 'octavia-certificate',
})
file { $ca_private_key:
ensure => file,
content => $ca_private_key_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
tag => 'octavia-certificate',
ensure => file,
content => $ca_private_key_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
show_diff => false,
tag => 'octavia-certificate',
}
}
if $client_ca and $client_ca_data {
@ -156,13 +158,14 @@ class octavia::certificates (
tag => 'octavia-certificate',
})
file { $client_ca:
ensure => file,
content => $client_ca_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
tag => 'octavia-certificate',
ensure => file,
content => $client_ca_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
show_diff => false,
tag => 'octavia-certificate',
}
}
if $client_cert_data {
@ -177,13 +180,14 @@ class octavia::certificates (
tag => 'octavia-certificate',
})
file { $client_cert:
ensure => file,
content => $client_cert_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
tag => 'octavia-certificate',
ensure => file,
content => $client_cert_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
show_diff => false,
tag => 'octavia-certificate',
}
}
}
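Review bot: The `file { $ca_private_key: }` resource keeps `mode => '0755'`, so the CA private key stays world-readable on disk even though its diff is now hidden from run output; a tighter mode for the key, such as `mode => '0600'` (or `'0640'` if the group needs read access), would match the commit's stated intent of treating this material as secret. All four file resources also read `group => $file_permission_owner` and `owner => $file_permission_group`, which looks swapped and only goes unnoticed while both parameters hold the same value. `show_diff => false` affects the logged diff only and the content is still carried in the compiled catalog, so a short comment such as `# show_diff hides content from logs/reports only; the catalog still holds it` above the attribute would help the next reader. The class body begins outside the hunks shown, so the parameter defaults are not visible here.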


@ -0,0 +1,8 @@
---
security:
- |
Certificate changes no longer shows diffs in output.
fixes:
- |
Fixed a bug where certificate changes would show the diffs.
Certificate are now considered secrets and not displayed.


@ -77,37 +77,34 @@ describe 'octavia::certificates' do
it 'populates certificate files' do
is_expected.to contain_file('/etc/octavia/ca.pem').with({
'ensure' => 'file',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia/ca.pem').with({
'content' => 'on_my_authority_this_is_a_certificate',
'tag' => 'octavia-certificate',
'ensure' => 'file',
'content' => 'on_my_authority_this_is_a_certificate',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'replace' => true,
'show_diff' => false,
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia/key.pem').with({
'ensure' => 'file',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia/key.pem').with({
'content' => 'this_is_my_private_key_woot_woot',
'tag' => 'octavia-certificate',
'ensure' => 'file',
'content' => 'this_is_my_private_key_woot_woot',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'replace' => true,
'show_diff' => false,
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia/client.pem').with({
'ensure' => 'file',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia/client.pem').with({
'content' => 'certainly_for_the_client',
'tag' => 'octavia-certificate',
'ensure' => 'file',
'content' => 'certainly_for_the_client',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'replace' => true,
'show_diff' => false,
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia').with({
'ensure' => 'directory',
@ -145,26 +142,35 @@ describe 'octavia::certificates' do
it 'populates certificate files' do
is_expected.to contain_file('/etc/octavia/ca.pem').with({
'ensure' => 'file',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'ensure' => 'file',
'content' => 'on_my_authority_this_is_a_certificate',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'replace' => true,
'show_diff' => false,
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia/ca.pem').with_content('on_my_authority_this_is_a_certificate')
is_expected.to contain_file('/etc/octavia1/key.pem').with({
'ensure' => 'file',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'ensure' => 'file',
'content' => 'this_is_my_private_key_woot_woot',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'replace' => true,
'show_diff' => false,
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia1/key.pem').with_content('this_is_my_private_key_woot_woot')
is_expected.to contain_file('/etc/octavia2/client.pem').with({
'ensure' => 'file',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'ensure' => 'file',
'content' => 'certainly_for_the_client',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'replace' => true,
'show_diff' => false,
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia2/client.pem').with_content('certainly_for_the_client')
is_expected.to contain_file('/etc/octavia').with({
'ensure' => 'directory',
'owner' => 'octavia',
@ -255,19 +261,25 @@ describe 'octavia::certificates' do
it 'populates certificate files' do
is_expected.to contain_file('/etc/octavia/ca.pem').with({
'ensure' => 'file',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'ensure' => 'file',
'content' => 'my_ca_certificate',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'replace' => true,
'show_diff' => false,
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia/ca.pem').with_content('my_ca_certificate')
is_expected.to contain_file('/etc/octavia/client_ca.pem').with({
'ensure' => 'file',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'ensure' => 'file',
'content' => 'my_client_ca',
'owner' => 'octavia',
'group' => 'octavia',
'mode' => '0755',
'replace' => true,
'show_diff' => false,
'tag' => 'octavia-certificate',
})
is_expected.to contain_file('/etc/octavia/client_ca.pem').with_content('my_client_ca')
is_expected.to contain_file('/etc/octavia').with({
'ensure' => 'directory',
'owner' => 'octavia',