certificates: Require valid absolute path for key/cert path
... to avoid weird failures from file resources. Change-Id: I77c4542bbc2f1fdf18758985f195b215ddd14369
This commit is contained in:
parent
3bcc79f125
commit
7b76c58e5b
|
@ -34,11 +34,11 @@
|
|||
#
|
||||
# [*ca_certificate*]
|
||||
# (Optional) Path to the CA certificate for Octavia
|
||||
# Defaults to $facts['os_service_default']
|
||||
# Defaults to '/etc/ssl/certs/ssl-cert-snakeoil.pem'
|
||||
#
|
||||
# [*ca_private_key*]
|
||||
# (Optional) Path for private key used to sign certificates
|
||||
# Defaults to $facts['os_service_default']
|
||||
# Defaults to '/etc/ssl/private/ssl-cert-snakeoil.key'
|
||||
#
|
||||
# [*server_certs_key_passphrase*]
|
||||
# (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
|
||||
|
@ -94,27 +94,27 @@
|
|||
# Defaults to 'octavia'
|
||||
#
|
||||
class octavia::certificates (
|
||||
$cert_generator = $facts['os_service_default'],
|
||||
$cert_manager = $facts['os_service_default'],
|
||||
$barbican_auth = $facts['os_service_default'],
|
||||
$service_name = $facts['os_service_default'],
|
||||
$endpoint = $facts['os_service_default'],
|
||||
$region_name = $facts['os_service_default'],
|
||||
$endpoint_type = $facts['os_service_default'],
|
||||
$ca_certificate = $facts['os_service_default'],
|
||||
$ca_private_key = $facts['os_service_default'],
|
||||
$server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
|
||||
$ca_private_key_passphrase = $facts['os_service_default'],
|
||||
$signing_digest = $facts['os_service_default'],
|
||||
$cert_validity_time = $facts['os_service_default'],
|
||||
$client_ca = undef,
|
||||
$client_cert = $facts['os_service_default'],
|
||||
$ca_certificate_data = undef,
|
||||
$ca_private_key_data = undef,
|
||||
$client_ca_data = undef,
|
||||
$client_cert_data = undef,
|
||||
$file_permission_owner = $::octavia::params::user,
|
||||
$file_permission_group = $::octavia::params::group,
|
||||
$cert_generator = $facts['os_service_default'],
|
||||
$cert_manager = $facts['os_service_default'],
|
||||
$barbican_auth = $facts['os_service_default'],
|
||||
$service_name = $facts['os_service_default'],
|
||||
$endpoint = $facts['os_service_default'],
|
||||
$region_name = $facts['os_service_default'],
|
||||
$endpoint_type = $facts['os_service_default'],
|
||||
Stdlib::Absolutepath $ca_certificate = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
|
||||
Stdlib::Absolutepath $ca_private_key = '/etc/ssl/certs/ssl-cert-snakeoil.key',
|
||||
String[32, 32] $server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
|
||||
$ca_private_key_passphrase = $facts['os_service_default'],
|
||||
$signing_digest = $facts['os_service_default'],
|
||||
$cert_validity_time = $facts['os_service_default'],
|
||||
Optional[Stdlib::Absolutepath] $client_ca = undef,
|
||||
$client_cert = $facts['os_service_default'],
|
||||
$ca_certificate_data = undef,
|
||||
$ca_private_key_data = undef,
|
||||
$client_ca_data = undef,
|
||||
$client_cert_data = undef,
|
||||
$file_permission_owner = $::octavia::params::user,
|
||||
$file_permission_group = $::octavia::params::group,
|
||||
) inherits octavia::params {
|
||||
|
||||
include octavia::deps
|
||||
|
@ -140,14 +140,6 @@ class octavia::certificates (
|
|||
'haproxy_amphora/server_ca' : value => $ca_certificate;
|
||||
}
|
||||
|
||||
if !$server_certs_key_passphrase {
|
||||
fail('server_certs_key_passphrase is required for Octavia. Please provide a 32 characters passphrase.')
|
||||
}
|
||||
|
||||
if length($server_certs_key_passphrase)!=32 {
|
||||
fail('server_certs_key_passphrase must be 32 characters long.')
|
||||
}
|
||||
|
||||
# The file creation will create the parent directory for each file if necessary, but
|
||||
# only to one level.
|
||||
if $ca_certificate_data {
|
||||
|
@ -173,9 +165,6 @@ class octavia::certificates (
|
|||
}
|
||||
}
|
||||
if $ca_private_key_data {
|
||||
if is_service_default($ca_private_key) {
|
||||
fail('You must provide a path for storing the CA private key')
|
||||
}
|
||||
ensure_resource('file', dirname($ca_private_key), {
|
||||
ensure => directory,
|
||||
owner => $file_permission_owner,
|
||||
|
@ -214,9 +203,6 @@ class octavia::certificates (
|
|||
}
|
||||
}
|
||||
if $client_cert_data {
|
||||
if is_service_default($client_cert) {
|
||||
fail('You must provide a path for storing the client certificate')
|
||||
}
|
||||
ensure_resource('file', dirname($client_cert), {
|
||||
ensure => directory,
|
||||
owner => $file_permission_owner,
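Review bot: The `is_service_default($client_cert)` guard in the last hunk (just below `if $client_cert_data {`) appears to be among the three lines this commit removes, yet `$client_cert` keeps its `$facts['os_service_default']` default in the parameter list and, unlike `$ca_certificate`, `$ca_private_key` and `$client_ca`, receives no `Stdlib::Absolutepath` type; if the removal is as the hunk counts suggest, `dirname($client_cert)` then runs on the service-default placeholder whenever only `client_cert_data` is set, and the error surfaces from the file resource rather than from a clear `fail()`. Either keep that guard or constrain the parameter the same way the others are constrained in this commit. Separately, the documentation in the first hunk says `$ca_private_key` defaults to `/etc/ssl/private/ssl-cert-snakeoil.key` while the parameter list and the spec use `/etc/ssl/certs/ssl-cert-snakeoil.key`; since /etc/ssl/private is the conventional home of that key and /etc/ssl/certs is normally world-readable, the comment and the default should agree, presumably on the /etc/ssl/private path. The class body continues outside these hunks.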
|
||||
|
|
|
@ -12,8 +12,8 @@ describe 'octavia::certificates' do
|
|||
is_expected.to contain_octavia_config('certificates/endpoint').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('certificates/region_name').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/ssl/certs/ssl-cert-snakeoil.pem')
|
||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/ssl/certs/ssl-cert-snakeoil.key')
|
||||
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key').with_secret(true)
|
||||
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>').with_secret(true)
|
||||
is_expected.to contain_octavia_config('certificates/signing_digest').with_value('<SERVICE DEFAULT>')
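Review bot: The updated examples only pin the new default values; nothing in this hunk exercises the validation the commit moves into parameter types, so a regression in the `Stdlib::Absolutepath` or `String[32, 32]` constraints would pass unnoticed. A context with `let(:params) { { :ca_private_key => 'relative/ssl-cert-snakeoil.key' } }` asserting `is_expected.to raise_error(Puppet::Error, /Stdlib::Absolutepath/)`, and a second one with a passphrase of the wrong length asserting `/String\[32, 32\]/`, would replace the coverage the removed `fail()` checks implied. The expected `/etc/ssl/certs/ssl-cert-snakeoil.key` value here also disagrees with the `/etc/ssl/private/...` default stated in the manifest's documentation, so whichever path is settled on needs to be reflected in this expectation. The `describe` block continues outside the hunk.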
|
||||
|
|