diff --git a/manifests/certificates.pp b/manifests/certificates.pp
new file mode 100644
index 00000000..a8333760
--- /dev/null
+++ b/manifests/certificates.pp
@@ -0,0 +1,40 @@
+# == Class: octavia::certificates
+#
+# Configure the octavia certificates for TLS authentication
+#
+# === Parameters
+#
+# [*ca_certificate*]
+# (Optional) Path to the CA certificate for Octavia
+# Defaults to $::os_service_default
+#
+# [*ca_private_key*]
+# (Optional) Path for private key used to sign certificates
+# Defaults to $::os_service_default
+#
+# [*ca_private_key_passphrase*]
+# (Optional) CA password used to sign certificates
+# Defaults to $::os_service_default
+#
+# [*client_cert*]
+# (Optional) Path for client certificate used to connect to amphorae.
+# Defaults to $::os_service_default
+#
+class octavia::certificates (
+ $ca_certificate = $::os_service_default,
+ $ca_private_key = $::os_service_default,
+ $ca_private_key_passphrase = $::os_service_default,
+ $client_cert = $::os_service_default,
+) {
+
+ include ::octavia::deps
+
+ octavia_config {
+ 'certificates/ca_certificate' : value => $ca_certificate;
+ 'certificates/ca_private_key' : value => $ca_private_key;
+ 'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
+ 'controller_worker/client_ca' : value => $ca_certificate;
+ 'haproxy_amphora/client_cert' : value => $client_cert;
+ 'haproxy_amphora/server_ca' : value => $ca_certificate;
+ }
+}
diff --git a/releasenotes/notes/add-certificates-configuration-6e956bd99e5c2a2b.yaml b/releasenotes/notes/add-certificates-configuration-6e956bd99e5c2a2b.yaml
new file mode 100644
index 00000000..a0367f75
--- /dev/null
+++ b/releasenotes/notes/add-certificates-configuration-6e956bd99e5c2a2b.yaml
@@ -0,0 +1,4 @@
+---
+features:
+ - You can now configure the paths for the certificates which are used to the
+ public key infrastructure system which is used to authenticate to amphorae.
\ No newline at end of file
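Review bot: In manifests/certificates.pp the `certificates/ca_private_key_passphrase` resource is declared without `secret => true`, so the CA key passphrase is likely to show up in clear text in Puppet change logs and reports whenever the value changes. Declare it as `'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase, secret => true;`. Separately, `$ca_certificate` feeds `certificates/ca_certificate`, `controller_worker/client_ca` and `haproxy_amphora/server_ca`, which ties the issuing CA and both verification roots to a single file. Adding distinct optional parameters for the latter two, each defaulting to `$ca_certificate`, would let operators split the trust roots without changing the current interface.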
diff --git a/spec/classes/octavia_certificates_spec.rb b/spec/classes/octavia_certificates_spec.rb
new file mode 100644
index 00000000..11192848
--- /dev/null
+++ b/spec/classes/octavia_certificates_spec.rb
@@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe 'octavia::certificates' do
+
+ let :default_params do
+ { :ca_certificate => '',
+ :ca_private_key => '',
+ :ca_private_key_passphrase => '',
+ :client_cert => '' }
+ end
+
+ context 'with default params' do
+ let :params do
+ default_params
+ end
+
+ it 'configures octavia certificate manager' do
+ is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('')
+ is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('')
+ is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('')
+ end
+
+ it 'configures octavia authentication credentials' do
+ is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('')
+ is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('')
+ is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('')
+ end
+ end
+
+ context 'when certificates are configured' do
+ let :params do
+ default_params.merge(
+ { :ca_certificate => '/etc/octavia/ca.pem',
+ :ca_private_key => '/etc/octavia/key.pem',
+ :ca_private_key_passphrase => 'secure123',
+ :client_cert => '/etc/octavia/client.pem'
+ }
+ )
+ end
+
+ it 'configures octavia certificate manager' do
+ is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
+ is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
+ is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
+ end
+
+ it 'configures octavia authentication credentials' do
+ is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/ca.pem')
+ is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia/client.pem')
+ is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/octavia/ca.pem')
+ end
+ end
+end
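Review bot: The 'with default params' context sets all four parameters to `''`, so the class's real defaults are never exercised. An empty string written into `certificates/ca_private_key` or the passphrase option is not the same as leaving the option at the service default. Drop the override in that context and assert `.with_value('<SERVICE DEFAULT>')` instead. The passphrase expectation is also the natural place to pin log redaction, e.g. `.with_value('secure123').with_secret(true)`, provided the manifest marks that resource as secret.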