Support populating certificate files
This patch extends octavia::certificates to support populating certificate and key files using data passed in string form. Change-Id: I8d46bad372b8c24b290500ee6040207cb808ba23
This commit is contained in:
parent
9faccf9cac
commit
a5e4f235d1
@ -20,11 +20,36 @@
|
|||||||
# (Optional) Path for client certificate used to connect to amphorae.
|
# (Optional) Path for client certificate used to connect to amphorae.
|
||||||
# Defaults to $::os_service_default
|
# Defaults to $::os_service_default
|
||||||
#
|
#
|
||||||
|
# [*ca_certificate_data*]
|
||||||
|
# (Optional) CA certificate for Octavia
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
# [*ca_private_key_data*]
|
||||||
|
# (Optional) CA private key for signing certificates
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
# [*client_cert_data*]
|
||||||
|
# (Optional) Client certificate used for connecting to amphorae
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
|
# [*file_permission_owner*]
|
||||||
|
# (Optional) User account for file owner.
|
||||||
|
# Defaults to 'octavia'
|
||||||
|
#
|
||||||
|
# [*file_permission_group*]
|
||||||
|
# (Optional) User group for file permissions
|
||||||
|
# Defaults to 'octavia'
|
||||||
|
#
|
||||||
class octavia::certificates (
|
class octavia::certificates (
|
||||||
$ca_certificate = $::os_service_default,
|
$ca_certificate = $::os_service_default,
|
||||||
$ca_private_key = $::os_service_default,
|
$ca_private_key = $::os_service_default,
|
||||||
$ca_private_key_passphrase = $::os_service_default,
|
$ca_private_key_passphrase = $::os_service_default,
|
||||||
$client_cert = $::os_service_default,
|
$client_cert = $::os_service_default,
|
||||||
|
$ca_certificate_data = undef,
|
||||||
|
$ca_private_key_data = undef,
|
||||||
|
$client_cert_data = undef,
|
||||||
|
$file_permission_owner = 'octavia',
|
||||||
|
$file_permission_group = 'octavia'
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::octavia::deps
|
include ::octavia::deps
|
||||||
@ -37,4 +62,64 @@ class octavia::certificates (
|
|||||||
'haproxy_amphora/client_cert' : value => $client_cert;
|
'haproxy_amphora/client_cert' : value => $client_cert;
|
||||||
'haproxy_amphora/server_ca' : value => $ca_certificate;
|
'haproxy_amphora/server_ca' : value => $ca_certificate;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# The file creation will create the parent directory for each file if necessary, but
|
||||||
|
# only to one level.
|
||||||
|
if $ca_certificate_data {
|
||||||
|
if is_service_default($ca_certificate) {
|
||||||
|
fail('You must provide a path for storing the CA certificate')
|
||||||
|
}
|
||||||
|
ensure_resource('file', dirname($ca_certificate), {
|
||||||
|
ensure => directory,
|
||||||
|
owner => $file_permission_owner,
|
||||||
|
group => $file_permission_group,
|
||||||
|
mode => '0755'
|
||||||
|
})
|
||||||
|
file { $ca_certificate:
|
||||||
|
ensure => file,
|
||||||
|
content => $ca_certificate_data,
|
||||||
|
group => $file_permission_owner,
|
||||||
|
owner => $file_permission_group,
|
||||||
|
mode => '0755',
|
||||||
|
replace => true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if $ca_private_key_data {
|
||||||
|
if is_service_default($ca_private_key) {
|
||||||
|
fail('You must provide a path for storing the CA private key')
|
||||||
|
}
|
||||||
|
ensure_resource('file', dirname($ca_private_key), {
|
||||||
|
ensure => directory,
|
||||||
|
owner => $file_permission_owner,
|
||||||
|
group => $file_permission_group,
|
||||||
|
mode => '0755'
|
||||||
|
})
|
||||||
|
file { $ca_private_key:
|
||||||
|
ensure => file,
|
||||||
|
content => $ca_private_key_data,
|
||||||
|
group => $file_permission_owner,
|
||||||
|
owner => $file_permission_group,
|
||||||
|
mode => '0755',
|
||||||
|
replace => true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if $client_cert_data {
|
||||||
|
if is_service_default($client_cert) {
|
||||||
|
fail('You must provide a path for storing the client certificate')
|
||||||
|
}
|
||||||
|
ensure_resource('file', dirname($client_cert), {
|
||||||
|
ensure => directory,
|
||||||
|
owner => $file_permission_owner,
|
||||||
|
group => $file_permission_group,
|
||||||
|
mode => '0755'
|
||||||
|
})
|
||||||
|
file { $client_cert:
|
||||||
|
ensure => file,
|
||||||
|
content => $client_cert_data,
|
||||||
|
group => $file_permission_owner,
|
||||||
|
owner => $file_permission_group,
|
||||||
|
mode => '0755',
|
||||||
|
replace => true
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Adds parameters to 'octavia::certificates' to support populating certificate
|
||||||
|
and key files with data provided.
|
@ -1,53 +1,209 @@
|
|||||||
require 'spec_helper'
|
require 'spec_helper'
|
||||||
|
|
||||||
describe 'octavia::certificates' do
|
describe 'octavia::certificates' do
|
||||||
|
shared_examples_for 'certificates' do
|
||||||
|
|
||||||
let :default_params do
|
context 'with default params' do
|
||||||
{ :ca_certificate => '<SERVICE DEFAULT>',
|
it 'configures octavia certificate manager' do
|
||||||
:ca_private_key => '<SERVICE DEFAULT>',
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
|
||||||
:ca_private_key_passphrase => '<SERVICE DEFAULT>',
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
|
||||||
:client_cert => '<SERVICE DEFAULT>' }
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with default params' do
|
it 'configures octavia authentication credentials' do
|
||||||
let :params do
|
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('<SERVICE DEFAULT>')
|
||||||
default_params
|
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('<SERVICE DEFAULT>')
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'configures octavia certificate manager' do
|
context 'when certificates are configured' do
|
||||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
|
let :params do
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
|
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
|
|
||||||
end
|
|
||||||
|
|
||||||
it 'configures octavia authentication credentials' do
|
|
||||||
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('<SERVICE DEFAULT>')
|
|
||||||
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('<SERVICE DEFAULT>')
|
|
||||||
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('<SERVICE DEFAULT>')
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
context 'when certificates are configured' do
|
|
||||||
let :params do
|
|
||||||
default_params.merge(
|
|
||||||
{ :ca_certificate => '/etc/octavia/ca.pem',
|
{ :ca_certificate => '/etc/octavia/ca.pem',
|
||||||
:ca_private_key => '/etc/octavia/key.pem',
|
:ca_private_key => '/etc/octavia/key.pem',
|
||||||
:ca_private_key_passphrase => 'secure123',
|
:ca_private_key_passphrase => 'secure123',
|
||||||
:client_cert => '/etc/octavia/client.pem'
|
:client_cert => '/etc/octavia/client.pem'
|
||||||
}
|
}
|
||||||
)
|
end
|
||||||
|
|
||||||
|
it 'configures octavia certificate manager' do
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures octavia authentication credentials' do
|
||||||
|
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/ca.pem')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia/client.pem')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/octavia/ca.pem')
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'configures octavia certificate manager' do
|
context 'when certificates are configured with data provided' do
|
||||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
let :params do
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
|
{ :ca_certificate => '/etc/octavia/ca.pem',
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
:ca_private_key => '/etc/octavia/key.pem',
|
||||||
|
:ca_private_key_passphrase => 'secure123',
|
||||||
|
:client_cert => '/etc/octavia/client.pem',
|
||||||
|
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
|
||||||
|
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
|
||||||
|
:client_cert_data => 'certainly_for_the_client',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures octavia certificate manager' do
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures octavia authentication credentials' do
|
||||||
|
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/ca.pem')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia/client.pem')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/octavia/ca.pem')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'populates certificate files' do
|
||||||
|
is_expected.to contain_file('/etc/octavia/ca.pem').with({
|
||||||
|
'ensure' => 'file',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia/ca.pem').with_content('on_my_authority_this_is_a_certificate')
|
||||||
|
is_expected.to contain_file('/etc/octavia/key.pem').with({
|
||||||
|
'ensure' => 'file',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia/key.pem').with_content('this_is_my_private_key_woot_woot')
|
||||||
|
is_expected.to contain_file('/etc/octavia/client.pem').with({
|
||||||
|
'ensure' => 'file',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia/client.pem').with_content('certainly_for_the_client')
|
||||||
|
is_expected.to contain_file('/etc/octavia').with({
|
||||||
|
'ensure' => 'directory',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'configures octavia authentication credentials' do
|
context 'when certificates are configured with data provided but different paths' do
|
||||||
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/ca.pem')
|
let :params do
|
||||||
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia/client.pem')
|
{ :ca_certificate => '/etc/octavia/ca.pem',
|
||||||
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/octavia/ca.pem')
|
:ca_private_key => '/etc/octavia1/key.pem',
|
||||||
|
:ca_private_key_passphrase => 'secure123',
|
||||||
|
:client_cert => '/etc/octavia2/client.pem',
|
||||||
|
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
|
||||||
|
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
|
||||||
|
:client_cert_data => 'certainly_for_the_client',
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures octavia certificate manager' do
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'configures octavia authentication credentials' do
|
||||||
|
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/ca.pem')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia2/client.pem')
|
||||||
|
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/octavia/ca.pem')
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'populates certificate files' do
|
||||||
|
is_expected.to contain_file('/etc/octavia/ca.pem').with({
|
||||||
|
'ensure' => 'file',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia/ca.pem').with_content('on_my_authority_this_is_a_certificate')
|
||||||
|
is_expected.to contain_file('/etc/octavia1/key.pem').with({
|
||||||
|
'ensure' => 'file',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia1/key.pem').with_content('this_is_my_private_key_woot_woot')
|
||||||
|
is_expected.to contain_file('/etc/octavia2/client.pem').with({
|
||||||
|
'ensure' => 'file',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia2/client.pem').with_content('certainly_for_the_client')
|
||||||
|
is_expected.to contain_file('/etc/octavia').with({
|
||||||
|
'ensure' => 'directory',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia1').with({
|
||||||
|
'ensure' => 'directory',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
is_expected.to contain_file('/etc/octavia2').with({
|
||||||
|
'ensure' => 'directory',
|
||||||
|
'owner' => 'octavia',
|
||||||
|
'group' => 'octavia',
|
||||||
|
'mode' => '0755',
|
||||||
|
})
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when CA file name is missing with data provided' do
|
||||||
|
let :params do
|
||||||
|
{ :ca_certificate_data => 'dummy_data'
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'fails without a filename' do
|
||||||
|
is_expected.to raise_error(Puppet::Error)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when CA key file name is missing with data provided' do
|
||||||
|
let :params do
|
||||||
|
{ :ca_private_key_data => 'dummy_data'
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'fails without a filename' do
|
||||||
|
is_expected.to raise_error(Puppet::Error)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when client cert file name is missing with data provided' do
|
||||||
|
let :params do
|
||||||
|
{ :client_cert_data => 'dummy_data'
|
||||||
|
}
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'fails without a filename' do
|
||||||
|
is_expected.to raise_error(Puppet::Error)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
end
|
||||||
|
|
||||||
|
on_supported_os({
|
||||||
|
:supported_os => OSDefaults.get_supported_os
|
||||||
|
}).each do |os,facts|
|
||||||
|
context "on #{os}" do
|
||||||
|
let (:facts) do
|
||||||
|
facts.merge!(OSDefaults.get_facts())
|
||||||
|
end
|
||||||
|
it_behaves_like 'certificates'
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
Loading…
Reference in New Issue
Block a user