Add certificate configuration for PKI

Octavia uses PKI in order to securely communicate over REST between the control plane and the amphorae. However, there is no option to currently configure these options at the moment. This patch adds a class which helps configure these options to be able to successfully communicate with PKI. It is important that the SSL certificates must still be generated by the user. Change-Id: Ifbf5cd5118e6d02c514589ecbce9d49096faf242
2017-07-27 15:07:53 -04:00 · 2017-07-27 15:07:53 -04:00 · 8b4707a1f5
commit 8b4707a1f5
parent 9e378dc179
3 changed files with 97 additions and 0 deletions
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@ -0,0 +1,40 @@
+# == Class: octavia::certificates
+#
+#  Configure the octavia certificates for TLS authentication
+#
+# === Parameters
+#
+# [*ca_certificate*]
+#   (Optional) Path to the CA certificate for Octavia
+#   Defaults to $::os_service_default
+#
+# [*ca_private_key*]
+#   (Optional) Path for private key used to sign certificates
+#   Defaults to $::os_service_default
+#
+# [*ca_private_key_passphrase*]
+#   (Optional) CA password used to sign certificates
+#   Defaults to $::os_service_default
+#
+# [*client_cert*]
+#   (Optional) Path for client certificate used to connect to amphorae.
+#   Defaults to $::os_service_default
+#
+class octavia::certificates (
+  $ca_certificate            = $::os_service_default,
+  $ca_private_key            = $::os_service_default,
+  $ca_private_key_passphrase = $::os_service_default,
+  $client_cert               = $::os_service_default,
+) {
+
+  include ::octavia::deps
+
+  octavia_config {
+    'certificates/ca_certificate'            : value => $ca_certificate;
+    'certificates/ca_private_key'            : value => $ca_private_key;
+    'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
+    'controller_worker/client_ca'            : value => $ca_certificate;
+    'haproxy_amphora/client_cert'            : value => $client_cert;
+    'haproxy_amphora/server_ca'              : value => $ca_certificate;
+  }
+}
--- a/releasenotes/notes/add-certificates-configuration-6e956bd99e5c2a2b.yaml
+++ b/releasenotes/notes/add-certificates-configuration-6e956bd99e5c2a2b.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - You can now configure the paths for the certificates which are used to the
+    public key infrastructure system which is used to authenticate to amphorae.
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe 'octavia::certificates' do
+
+  let :default_params do
+    { :ca_certificate            => '<SERVICE DEFAULT>',
+      :ca_private_key            => '<SERVICE DEFAULT>',
+      :ca_private_key_passphrase => '<SERVICE DEFAULT>',
+      :client_cert               => '<SERVICE DEFAULT>' }
+  end
+
+  context 'with default params' do
+    let :params do
+      default_params
+    end
+
+    it 'configures octavia certificate manager' do
+      is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
+    end
+
+    it 'configures octavia authentication credentials' do
+      is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('<SERVICE DEFAULT>')
+    end
+  end
+
+  context 'when certificates are configured' do
+    let :params do
+      default_params.merge(
+        { :ca_certificate            => '/etc/octavia/ca.pem',
+          :ca_private_key            => '/etc/octavia/key.pem',
+          :ca_private_key_passphrase => 'secure123',
+          :client_cert               => '/etc/octavia/client.pem'
+        }
+      )
+    end
+
+    it 'configures octavia certificate manager' do
+      is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
+      is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
+      is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
+    end
+
+    it 'configures octavia authentication credentials' do
+      is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/ca.pem')
+      is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia/client.pem')
+      is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/octavia/ca.pem')
+    end
+  end
+end