# == Class: octavia::certificates # # Configure the octavia certificates for TLS authentication # # === Parameters # # [*cert_generator*] # (Optional) Certificate generator to use. # Defaults to $facts['os_service_default'] # # [*cert_manager*] # (Optional) Certificate manager to use. # Defaults to $facts['os_service_default'] # # [*barbican_auth*] # (Optional) Name of the Barbican authentication method to use. # Defaults to $facts['os_service_default'] # # [*service_name*] # (Optional) The name of the certificate service in the keystone catalog. # Defaults to $facts['os_service_default'] # # [*endpoint*] # (Optional) A new endpoint to override the endpoint in the keystone catalog. # Defaults to $facts['os_service_default'] # # [*region_name*] # (Optional) Region name to use when connecting to cert manager. # Defaults to $facts['os_service_default'] # # [*endpoint_type*] # (Optional) Endpoint type to use when connecting to cert manager. # Defaults to $facts['os_service_default'] # # [*ca_certificate*] # (Optional) Path to the CA certificate for Octavia # Defaults to '/etc/ssl/certs/ssl-cert-snakeoil.pem' # # [*ca_private_key*] # (Optional) Path for private key used to sign certificates # Defaults to '/etc/ssl/private/ssl-cert-snakeoil.key' # # [*server_certs_key_passphrase*] # (Optional) Passphrase for encrypting Amphora Certificates and Private Keys. # Must be exactly 32 characters. # Defaults to 'insecure-key-do-not-use-this-key' # # [*ca_private_key_passphrase*] # (Optional) CA password used to sign certificates # Defaults to $facts['os_service_default'] # # [*signing_digest*] # (Optional) Certificate signing digest. # Defaults to $facts['os_service_default'] # # [*cert_validity_time*] # (Optional) The validity time for the Amphora Certificates (in seconds). # Defaults to $facts['os_service_default'] # # [*client_ca*] # (Optional) Path to the client CA certificate. # This option is not needed unless you want to separate the # ca_certificate/server_ca and the client_ca. # Defaults to undef # # [*client_cert*] # (Optional) Path for client certificate used to connect to amphorae. # Defaults to $facts['os_service_default'] # # [*ca_certificate_data*] # (Optional) CA certificate for Octavia # Defaults to undef # # [*ca_private_key_data*] # (Optional) CA private key for signing certificates # Defaults to undef # # [*client_ca_data*] # (Optional) Client CA certificate. # You must specify the client_ca parameter where to place this CA # if you give the data here. # Defaults to undef # # [*client_cert_data*] # (Optional) Client certificate used for connecting to amphorae # Defaults to undef # # [*file_permission_owner*] # (Optional) User account for file owner. # Defaults to 'octavia' # # [*file_permission_group*] # (Optional) User group for file permissions # Defaults to 'octavia' # class octavia::certificates ( $cert_generator = $facts['os_service_default'], $cert_manager = $facts['os_service_default'], $barbican_auth = $facts['os_service_default'], $service_name = $facts['os_service_default'], $endpoint = $facts['os_service_default'], $region_name = $facts['os_service_default'], $endpoint_type = $facts['os_service_default'], Stdlib::Absolutepath $ca_certificate = '/etc/ssl/certs/ssl-cert-snakeoil.pem', Stdlib::Absolutepath $ca_private_key = '/etc/ssl/certs/ssl-cert-snakeoil.key', String[32, 32] $server_certs_key_passphrase = 'insecure-key-do-not-use-this-key', $ca_private_key_passphrase = $facts['os_service_default'], $signing_digest = $facts['os_service_default'], $cert_validity_time = $facts['os_service_default'], Optional[Stdlib::Absolutepath] $client_ca = undef, Stdlib::Absolutepath $client_cert = '/etc/octavia/certs/client.pem', $ca_certificate_data = undef, $ca_private_key_data = undef, $client_ca_data = undef, $client_cert_data = undef, $file_permission_owner = $::octavia::params::user, $file_permission_group = $::octavia::params::group, ) inherits octavia::params { include octavia::deps $client_ca_real = pick($client_ca, $ca_certificate) octavia_config { 'certificates/cert_generator' : value => $cert_generator; 'certificates/cert_manager' : value => $cert_manager; 'certificates/barbican_auth' : value => $barbican_auth; 'certificates/service_name' : value => $service_name; 'certificates/endpoint' : value => $endpoint; 'certificates/region_name' : value => $region_name; 'certificates/endpoint_type' : value => $endpoint_type; 'certificates/ca_certificate' : value => $ca_certificate; 'certificates/ca_private_key' : value => $ca_private_key; 'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase, secret => true; 'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase, secret => true; 'certificates/signing_digest' : value => $signing_digest; 'certificates/cert_validity_time' : value => $cert_validity_time; 'controller_worker/client_ca' : value => $client_ca_real; 'haproxy_amphora/client_cert' : value => $client_cert; 'haproxy_amphora/server_ca' : value => $ca_certificate; } # The file creation will create the parent directory for each file if necessary, but # only to one level. if $ca_certificate_data { ensure_resource('file', dirname($ca_certificate), { ensure => directory, owner => $file_permission_owner, group => $file_permission_group, mode => '0755', tag => 'octavia-certificate', }) file { $ca_certificate: ensure => file, content => $ca_certificate_data, group => $file_permission_owner, owner => $file_permission_group, mode => '0640', replace => true, show_diff => false, tag => 'octavia-certificate', } } if $ca_private_key_data { ensure_resource('file', dirname($ca_private_key), { ensure => directory, owner => $file_permission_owner, group => $file_permission_group, mode => '0755', tag => 'octavia-certificate', }) file { $ca_private_key: ensure => file, content => $ca_private_key_data, group => $file_permission_owner, owner => $file_permission_group, mode => '0640', replace => true, show_diff => false, tag => 'octavia-certificate', } } if $client_ca and $client_ca_data { ensure_resource('file', dirname($client_ca), { ensure => directory, owner => $file_permission_owner, group => $file_permission_group, mode => '0755', tag => 'octavia-certificate', }) file { $client_ca: ensure => file, content => $client_ca_data, group => $file_permission_owner, owner => $file_permission_group, mode => '0640', replace => true, show_diff => false, tag => 'octavia-certificate', } } if $client_cert_data { ensure_resource('file', dirname($client_cert), { ensure => directory, owner => $file_permission_owner, group => $file_permission_group, mode => '0755', tag => 'octavia-certificate', }) file { $client_cert: ensure => file, content => $client_cert_data, group => $file_permission_owner, owner => $file_permission_group, mode => '0640', replace => true, show_diff => false, tag => 'octavia-certificate', } } }