Configure server_certs_key_passphrase for Octavia
A recent change[1] to Octavia added a parameter named
server_certs_key_passphrase, which means that TripleO should
generate a password for it to avoid using the default value.
Closes-Bug: #1821751
[1] I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2
Change-Id: Id6c0d156715147c6559dc39098a6eaabf77ac426
(cherry picked from commit e8ae4607b4)
This commit is contained in:
Nir Magnezi
parent
d83ceb023d
commit
bdcd8132a1
|
|
@ -28,6 +28,11 @@
|
||||||
# (Optional) Path for private key used to sign certificates
|
# (Optional) Path for private key used to sign certificates
|
||||||
# Defaults to $::os_service_default
|
# Defaults to $::os_service_default
|
||||||
#
|
#
|
||||||
|
# [*server_certs_key_passphrase*]
|
||||||
|
# (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
|
||||||
|
# Defaults to $::os_service_default
|
||||||
|
#
|
||||||
|
#
|
||||||
# [*ca_private_key_passphrase*]
|
# [*ca_private_key_passphrase*]
|
||||||
# (Optional) CA password used to sign certificates
|
# (Optional) CA password used to sign certificates
|
||||||
# Defaults to $::os_service_default
|
# Defaults to $::os_service_default
|
||||||
|
|
@ -69,21 +74,22 @@
|
||||||
# Defaults to 'octavia'
|
# Defaults to 'octavia'
|
||||||
#
|
#
|
||||||
class octavia::certificates (
|
class octavia::certificates (
|
||||||
$cert_generator = $::os_service_default,
|
$cert_generator = $::os_service_default,
|
||||||
$cert_manager = $::os_service_default,
|
$cert_manager = $::os_service_default,
|
||||||
$region_name = $::os_service_default,
|
$region_name = $::os_service_default,
|
||||||
$endpoint_type = $::os_service_default,
|
$endpoint_type = $::os_service_default,
|
||||||
$ca_certificate = $::os_service_default,
|
$ca_certificate = $::os_service_default,
|
||||||
$ca_private_key = $::os_service_default,
|
$ca_private_key = $::os_service_default,
|
||||||
$ca_private_key_passphrase = $::os_service_default,
|
$server_certs_key_passphrase = $::os_service_default,
|
||||||
$client_ca = undef,
|
$ca_private_key_passphrase = $::os_service_default,
|
||||||
$client_cert = $::os_service_default,
|
$client_ca = undef,
|
||||||
$ca_certificate_data = undef,
|
$client_cert = $::os_service_default,
|
||||||
$ca_private_key_data = undef,
|
$ca_certificate_data = undef,
|
||||||
$client_ca_data = undef,
|
$ca_private_key_data = undef,
|
||||||
$client_cert_data = undef,
|
$client_ca_data = undef,
|
||||||
$file_permission_owner = 'octavia',
|
$client_cert_data = undef,
|
||||||
$file_permission_group = 'octavia'
|
$file_permission_owner = 'octavia',
|
||||||
|
$file_permission_group = 'octavia'
|
||||||
) {
|
) {
|
||||||
|
|
||||||
include ::octavia::deps
|
include ::octavia::deps
|
||||||
|
|
@ -91,16 +97,17 @@ class octavia::certificates (
|
||||||
$client_ca_real = pick($client_ca, $ca_certificate)
|
$client_ca_real = pick($client_ca, $ca_certificate)
|
||||||
|
|
||||||
octavia_config {
|
octavia_config {
|
||||||
'certificates/cert_generator' : value => $cert_generator;
|
'certificates/cert_generator' : value => $cert_generator;
|
||||||
'certificates/cert_manager' : value => $cert_manager;
|
'certificates/cert_manager' : value => $cert_manager;
|
||||||
'certificates/region_name' : value => $region_name;
|
'certificates/region_name' : value => $region_name;
|
||||||
'certificates/endpoint_type' : value => $endpoint_type;
|
'certificates/endpoint_type' : value => $endpoint_type;
|
||||||
'certificates/ca_certificate' : value => $ca_certificate;
|
'certificates/ca_certificate' : value => $ca_certificate;
|
||||||
'certificates/ca_private_key' : value => $ca_private_key;
|
'certificates/ca_private_key' : value => $ca_private_key;
|
||||||
'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
|
'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase;
|
||||||
'controller_worker/client_ca' : value => $client_ca_real;
|
'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
|
||||||
'haproxy_amphora/client_cert' : value => $client_cert;
|
'controller_worker/client_ca' : value => $client_ca_real;
|
||||||
'haproxy_amphora/server_ca' : value => $ca_certificate;
|
'haproxy_amphora/client_cert' : value => $client_cert;
|
||||||
|
'haproxy_amphora/server_ca' : value => $ca_certificate;
|
||||||
}
|
}
|
||||||
|
|
||||||
# The file creation will create the parent directory for each file if necessary, but
|
# The file creation will create the parent directory for each file if necessary, but
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- The passphrase for config option 'server_certs_key_passphrase', that was
|
||||||
|
recently added to Octavia, will now be auto-generated.
|
||||||
|
|
@ -11,6 +11,7 @@ describe 'octavia::certificates' do
|
||||||
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
|
||||||
|
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('<SERVICE DEFAULT>')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -23,14 +24,15 @@ describe 'octavia::certificates' do
|
||||||
|
|
||||||
context 'when certificates are configured' do
|
context 'when certificates are configured' do
|
||||||
let :params do
|
let :params do
|
||||||
{ :cert_generator => 'local_cert_generator',
|
{ :cert_generator => 'local_cert_generator',
|
||||||
:cert_manager => 'barbican_cert_manager',
|
:cert_manager => 'barbican_cert_manager',
|
||||||
:region_name => 'RegionOne',
|
:region_name => 'RegionOne',
|
||||||
:endpoint_type => 'internalURL',
|
:endpoint_type => 'internalURL',
|
||||||
:ca_certificate => '/etc/octavia/ca.pem',
|
:ca_certificate => '/etc/octavia/ca.pem',
|
||||||
:ca_private_key => '/etc/octavia/key.pem',
|
:ca_private_key => '/etc/octavia/key.pem',
|
||||||
:ca_private_key_passphrase => 'secure123',
|
:server_certs_key_passphrase => 'secure123',
|
||||||
:client_cert => '/etc/octavia/client.pem'
|
:ca_private_key_passphrase => 'secure123',
|
||||||
|
:client_cert => '/etc/octavia/client.pem'
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -41,6 +43,7 @@ describe 'octavia::certificates' do
|
||||||
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
|
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -53,19 +56,21 @@ describe 'octavia::certificates' do
|
||||||
|
|
||||||
context 'when certificates are configured with data provided' do
|
context 'when certificates are configured with data provided' do
|
||||||
let :params do
|
let :params do
|
||||||
{ :ca_certificate => '/etc/octavia/ca.pem',
|
{ :ca_certificate => '/etc/octavia/ca.pem',
|
||||||
:ca_private_key => '/etc/octavia/key.pem',
|
:ca_private_key => '/etc/octavia/key.pem',
|
||||||
:ca_private_key_passphrase => 'secure123',
|
:server_certs_key_passphrase => 'secure123',
|
||||||
:client_cert => '/etc/octavia/client.pem',
|
:ca_private_key_passphrase => 'secure123',
|
||||||
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
|
:client_cert => '/etc/octavia/client.pem',
|
||||||
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
|
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
|
||||||
:client_cert_data => 'certainly_for_the_client',
|
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
|
||||||
|
:client_cert_data => 'certainly_for_the_client',
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'configures octavia certificate manager' do
|
it 'configures octavia certificate manager' do
|
||||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
@ -108,19 +113,21 @@ describe 'octavia::certificates' do
|
||||||
|
|
||||||
context 'when certificates are configured with data provided but different paths' do
|
context 'when certificates are configured with data provided but different paths' do
|
||||||
let :params do
|
let :params do
|
||||||
{ :ca_certificate => '/etc/octavia/ca.pem',
|
{ :ca_certificate => '/etc/octavia/ca.pem',
|
||||||
:ca_private_key => '/etc/octavia1/key.pem',
|
:ca_private_key => '/etc/octavia1/key.pem',
|
||||||
:ca_private_key_passphrase => 'secure123',
|
:server_certs_key_passphrase => 'secure123',
|
||||||
:client_cert => '/etc/octavia2/client.pem',
|
:ca_private_key_passphrase => 'secure123',
|
||||||
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
|
:client_cert => '/etc/octavia2/client.pem',
|
||||||
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
|
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
|
||||||
:client_cert_data => 'certainly_for_the_client',
|
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
|
||||||
|
:client_cert_data => 'certainly_for_the_client',
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'configures octavia certificate manager' do
|
it 'configures octavia certificate manager' do
|
||||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
|
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
|
||||||
|
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
|
||||||
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue