Add certificate configuration for PKI
Octavia uses PKI in order to securely communicate over REST between the control plane and the amphorae. However, there is no option to currently configure these options at the moment. This patch adds a class which helps configure these options to be able to successfully communicate with PKI. It is important that the SSL certificates must still be generated by the user. Change-Id: Ifbf5cd5118e6d02c514589ecbce9d49096faf242
This commit is contained in:
parent
9e378dc179
commit
8b4707a1f5
40
manifests/certificates.pp
Normal file
40
manifests/certificates.pp
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
# == Class: octavia::certificates
|
||||||
|
#
|
||||||
|
# Configure the octavia certificates for TLS authentication
|
||||||
|
#
|
||||||
|
# === Parameters
|
||||||
|
#
|
||||||
|
# [*ca_certificate*]
|
||||||
|
# (Optional) Path to the CA certificate for Octavia
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
|
# [*ca_private_key*]
|
||||||
|
# (Optional) Path for private key used to sign certificates
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
|
# [*ca_private_key_passphrase*]
|
||||||
|
# (Optional) CA password used to sign certificates
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
|
# [*client_cert*]
|
||||||
|
# (Optional) Path for client certificate used to connect to amphorae.
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
|
class octavia::certificates (
|
||||||
|
$ca_certificate = $::os_service_default,
|
||||||
|
$ca_private_key = $::os_service_default,
|
||||||
|
$ca_private_key_passphrase = $::os_service_default,
|
||||||
|
$client_cert = $::os_service_default,
|
||||||
|
) {
|
||||||
|
|
||||||
|
include ::octavia::deps
|
||||||
|
|
||||||
|
octavia_config {
|
||||||
|
'certificates/ca_certificate' : value => $ca_certificate;
|
||||||
|
'certificates/ca_private_key' : value => $ca_private_key;
|
||||||
|
'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
|
||||||
|
'controller_worker/client_ca' : value => $ca_certificate;
|
||||||
|
'haproxy_amphora/client_cert' : value => $client_cert;
|
||||||
|
'haproxy_amphora/server_ca' : value => $ca_certificate;
|
||||||
|
}
|
||||||
|
}
|
@ -0,0 +1,4 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- You can now configure the paths for the certificates which are used to the
|
||||||
|
public key infrastructure system which is used to authenticate to amphorae.
|
53
spec/classes/octavia_certificates_spec.rb
Normal file
53
spec/classes/octavia_certificates_spec.rb
Normal file
@ -0,0 +1,53 @@
|
|||||||
|
require 'spec_helper'
|
||||||
|
|
||||||
|
describe 'octavia::certificates' do
|
||||||
|
|
||||||
|
let :default_params do
|
||||||
|
{ :ca_certificate => '<SERVICE DEFAULT>',
|
||||||
|
:ca_private_key => '<SERVICE DEFAULT>',
|
||||||
|
:ca_private_key_passphrase => '<SERVICE DEFAULT>',
|
||||||
|
:client_cert => '<SERVICE DEFAULT>' }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'with default params' do
|
||||||
|
let :params do
|
||||||
|
default_params
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures octavia certificate manager' do
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures octavia authentication credentials' do
|
||||||
|
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('<SERVICE DEFAULT>')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when certificates are configured' do
|
||||||
|
let :params do
|
||||||
|
default_params.merge(
|
||||||
|
{ :ca_certificate => '/etc/octavia/ca.pem',
|
||||||
|
:ca_private_key => '/etc/octavia/key.pem',
|
||||||
|
:ca_private_key_passphrase => 'secure123',
|
||||||
|
:client_cert => '/etc/octavia/client.pem'
|
||||||
|
}
|
||||||
|
)
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures octavia certificate manager' do
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures octavia authentication credentials' do
|
||||||
|
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/ca.pem')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia/client.pem')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/octavia/ca.pem')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue
Block a user