certificates: Require valid absolute path for file path options

... to avoid weird failures caused by file resources.

Note:
The new hard-coded default values are picked up from octavia defaults.

Change-Id: I77c4542bbc2f1fdf18758985f195b215ddd14369
Takashi Kajinami 2024-02-26 10:16:41 +09:00
parent 6a2cdadbad
commit f94fdc15de
2 changed files with 31 additions and 78 deletions


@ -34,11 +34,11 @@
#
# [*ca_certificate*]
# (Optional) Path to the CA certificate for Octavia
# Defaults to $facts['os_service_default']
# Defaults to '/etc/ssl/certs/ssl-cert-snakeoil.pem'
#
# [*ca_private_key*]
# (Optional) Path for private key used to sign certificates
# Defaults to $facts['os_service_default']
# Defaults to '/etc/ssl/private/ssl-cert-snakeoil.key'
#
# [*server_certs_key_passphrase*]
# (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
@ -94,27 +94,27 @@
# Defaults to 'octavia'
#
class octavia::certificates (
$cert_generator = $facts['os_service_default'],
$cert_manager = $facts['os_service_default'],
$barbican_auth = $facts['os_service_default'],
$service_name = $facts['os_service_default'],
$endpoint = $facts['os_service_default'],
$region_name = $facts['os_service_default'],
$endpoint_type = $facts['os_service_default'],
$ca_certificate = $facts['os_service_default'],
$ca_private_key = $facts['os_service_default'],
$server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
$ca_private_key_passphrase = $facts['os_service_default'],
$signing_digest = $facts['os_service_default'],
$cert_validity_time = $facts['os_service_default'],
$client_ca = undef,
$client_cert = $facts['os_service_default'],
$ca_certificate_data = undef,
$ca_private_key_data = undef,
$client_ca_data = undef,
$client_cert_data = undef,
$file_permission_owner = $::octavia::params::user,
$file_permission_group = $::octavia::params::group,
$cert_generator = $facts['os_service_default'],
$cert_manager = $facts['os_service_default'],
$barbican_auth = $facts['os_service_default'],
$service_name = $facts['os_service_default'],
$endpoint = $facts['os_service_default'],
$region_name = $facts['os_service_default'],
$endpoint_type = $facts['os_service_default'],
Stdlib::Absolutepath $ca_certificate = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
Stdlib::Absolutepath $ca_private_key = '/etc/ssl/certs/ssl-cert-snakeoil.key',
String[32, 32] $server_certs_key_passphrase = 'insecure-key-do-not-use-this-key',
$ca_private_key_passphrase = $facts['os_service_default'],
$signing_digest = $facts['os_service_default'],
$cert_validity_time = $facts['os_service_default'],
Optional[Stdlib::Absolutepath] $client_ca = undef,
Stdlib::Absolutepath $client_cert = '/etc/octavia/certs/client.pem',
$ca_certificate_data = undef,
$ca_private_key_data = undef,
$client_ca_data = undef,
$client_cert_data = undef,
$file_permission_owner = $::octavia::params::user,
$file_permission_group = $::octavia::params::group,
) inherits octavia::params {
include octavia::deps
@ -140,20 +140,9 @@ class octavia::certificates (
'haproxy_amphora/server_ca' : value => $ca_certificate;
}
if !$server_certs_key_passphrase {
fail('server_certs_key_passphrase is required for Octavia. Please provide a 32 characters passphrase.')
}
if length($server_certs_key_passphrase)!=32 {
fail('server_certs_key_passphrase must be 32 characters long.')
}
# The file creation will create the parent directory for each file if necessary, but
# only to one level.
if $ca_certificate_data {
if is_service_default($ca_certificate) {
fail('You must provide a path for storing the CA certificate')
}
ensure_resource('file', dirname($ca_certificate), {
ensure => directory,
owner => $file_permission_owner,
@ -172,10 +161,8 @@ class octavia::certificates (
tag => 'octavia-certificate',
}
}
if $ca_private_key_data {
if is_service_default($ca_private_key) {
fail('You must provide a path for storing the CA private key')
}
ensure_resource('file', dirname($ca_private_key), {
ensure => directory,
owner => $file_permission_owner,
@ -194,6 +181,7 @@ class octavia::certificates (
tag => 'octavia-certificate',
}
}
if $client_ca and $client_ca_data {
ensure_resource('file', dirname($client_ca), {
ensure => directory,
@ -213,10 +201,8 @@ class octavia::certificates (
tag => 'octavia-certificate',
}
}
if $client_cert_data {
if is_service_default($client_cert) {
fail('You must provide a path for storing the client certificate')
}
ensure_resource('file', dirname($client_cert), {
ensure => directory,
owner => $file_permission_owner,
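Review bot: The new default for $ca_private_key in the parameter list (`Stdlib::Absolutepath $ca_private_key = '/etc/ssl/certs/ssl-cert-snakeoil.key',`) disagrees with the parameter documentation added in the first hunk, which says `Defaults to '/etc/ssl/private/ssl-cert-snakeoil.key'`; one of the two is wrong, and since a private key belongs under the restricted /etc/ssl/private directory rather than the world-readable certs directory, the code line should presumably become `Stdlib::Absolutepath $ca_private_key = '/etc/ssl/private/ssl-cert-snakeoil.key',` with the matching expectation in the spec updated. Separately, the removed is_service_default guards before the ensure_resource calls for ca_certificate, ca_private_key and client_cert mean that passing only the corresponding *_data parameter no longer fails but writes that data to the hard-coded default path, which for the first two appears to be the distro-provided snakeoil files; if that is intended, a comment such as `# *_data with an unset path overwrites the default snakeoil files` next to those blocks would make the change in contract explicit. The class body continues outside the visible hunks.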


@ -12,8 +12,8 @@ describe 'octavia::certificates' do
is_expected.to contain_octavia_config('certificates/endpoint').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/region_name').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/ssl/certs/ssl-cert-snakeoil.pem')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/ssl/certs/ssl-cert-snakeoil.key')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('insecure-key-do-not-use-this-key').with_secret(true)
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>').with_secret(true)
is_expected.to contain_octavia_config('certificates/signing_digest').with_value('<SERVICE DEFAULT>')
@ -21,9 +21,9 @@ describe 'octavia::certificates' do
end
it 'configures octavia authentication credentials' do
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/ssl/certs/ssl-cert-snakeoil.pem')
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia/certs/client.pem')
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/ssl/certs/ssl-cert-snakeoil.pem')
end
end
@ -214,39 +214,6 @@ describe 'octavia::certificates' do
end
end
context 'when CA file name is missing with data provided' do
let :params do
{ :ca_certificate_data => 'dummy_data'
}
end
it 'fails without a filename' do
is_expected.to raise_error(Puppet::Error)
end
end
context 'when CA key file name is missing with data provided' do
let :params do
{ :ca_private_key_data => 'dummy_data'
}
end
it 'fails without a filename' do
is_expected.to raise_error(Puppet::Error)
end
end
context 'when client cert file name is missing with data provided' do
let :params do
{ :client_cert_data => 'dummy_data'
}
end
it 'fails without a filename' do
is_expected.to raise_error(Puppet::Error)
end
end
context 'with ca_certificate and client_ca being different' do
let :params do
{