openstack/puppet-octavia
Code Issues Proposed changes
42f05dc08c
puppet-octavia/manifests/certificates.pp
Nir Magnezi e8ae4607b4 Configure server_certs_key_passphrase for Octavia 
A recent change[1] to Octavia added a parameter named
server_certs_key_passphrase, which means that TripleO should
generate a password for it to avoid using the default value.

Closes-Bug: #1821751

[1] I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2

Change-Id: Id6c0d156715147c6559dc39098a6eaabf77ac426
2019-03-28 13:09:35 +02:00

201 lines
6.5 KiB
Puppet
Raw Blame History

# == Class: octavia::certificates
#
# Configure the octavia certificates for TLS authentication
#
# === Parameters
#
# [*cert_generator*]
# (Optional) Certificate generator to use.
# Defaults to $::os_service_default
#
# [*cert_manager*]
# (Optional) Certificate manager to use.
# Defaults to $::os_service_default
#
# [*region_name*]
# (Optional) Region name to use when connecting to cert manager.
# Defaults to $::os_service_default
#
# [*endpoint_type*]
# (Optional) Endpoint type to use when connecting to cert manager.
# Defaults to $::os_service_default
#
# [*ca_certificate*]
# (Optional) Path to the CA certificate for Octavia
# Defaults to $::os_service_default
#
# [*ca_private_key*]
# (Optional) Path for private key used to sign certificates
# Defaults to $::os_service_default
#
# [*server_certs_key_passphrase*]
# (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
# Defaults to $::os_service_default
#
#
# [*ca_private_key_passphrase*]
# (Optional) CA password used to sign certificates
# Defaults to $::os_service_default
#
# [*client_ca*]
# (Optional) Path to the client CA certificate.
# This option is not needed unless you want to separate the
# ca_certificate/server_ca and the client_ca.
# Defaults to undef
#
# [*client_cert*]
# (Optional) Path for client certificate used to connect to amphorae.
# Defaults to $::os_service_default
#
# [*ca_certificate_data*]
# (Optional) CA certificate for Octavia
# Defaults to undef
#
# [*ca_private_key_data*]
# (Optional) CA private key for signing certificates
# Defaults to undef
#
# [*client_ca_data*]
# (Optional) Client CA certificate.
# You must specify the client_ca parameter where to place this CA
# if you give the data here.
# Defaults to undef
#
# [*client_cert_data*]
# (Optional) Client certificate used for connecting to amphorae
# Defaults to undef
#
# [*file_permission_owner*]
# (Optional) User account for file owner.
# Defaults to 'octavia'
#
# [*file_permission_group*]
# (Optional) User group for file permissions
# Defaults to 'octavia'
#
class octavia::certificates (
$cert_generator = $::os_service_default,
$cert_manager = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_type = $::os_service_default,
$ca_certificate = $::os_service_default,
$ca_private_key = $::os_service_default,
$server_certs_key_passphrase = $::os_service_default,
$ca_private_key_passphrase = $::os_service_default,
$client_ca = undef,
$client_cert = $::os_service_default,
$ca_certificate_data = undef,
$ca_private_key_data = undef,
$client_ca_data = undef,
$client_cert_data = undef,
$file_permission_owner = 'octavia',
$file_permission_group = 'octavia'
) {
include ::octavia::deps
$client_ca_real = pick($client_ca, $ca_certificate)
octavia_config {
'certificates/cert_generator' : value => $cert_generator;
'certificates/cert_manager' : value => $cert_manager;
'certificates/region_name' : value => $region_name;
'certificates/endpoint_type' : value => $endpoint_type;
'certificates/ca_certificate' : value => $ca_certificate;
'certificates/ca_private_key' : value => $ca_private_key;
'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase;
'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
'controller_worker/client_ca' : value => $client_ca_real;
'haproxy_amphora/client_cert' : value => $client_cert;
'haproxy_amphora/server_ca' : value => $ca_certificate;
}
# The file creation will create the parent directory for each file if necessary, but
# only to one level.
if $ca_certificate_data {
if is_service_default($ca_certificate) {
fail('You must provide a path for storing the CA certificate')
}
ensure_resource('file', dirname($ca_certificate), {
ensure => directory,
owner => $file_permission_owner,
group => $file_permission_group,
mode => '0755',
tag => 'octavia-certificate',
})
file { $ca_certificate:
ensure => file,
content => $ca_certificate_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
show_diff => false,
tag => 'octavia-certificate',
}
}
if $ca_private_key_data {
if is_service_default($ca_private_key) {
fail('You must provide a path for storing the CA private key')
}
ensure_resource('file', dirname($ca_private_key), {
ensure => directory,
owner => $file_permission_owner,
group => $file_permission_group,
mode => '0755',
tag => 'octavia-certificate',
})
file { $ca_private_key:
ensure => file,
content => $ca_private_key_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
show_diff => false,
tag => 'octavia-certificate',
}
}
if $client_ca and $client_ca_data {
ensure_resource('file', dirname($client_ca), {
ensure => directory,
owner => $file_permission_owner,
group => $file_permission_group,
mode => '0755',
tag => 'octavia-certificate',
})
file { $client_ca:
ensure => file,
content => $client_ca_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
show_diff => false,
tag => 'octavia-certificate',
}
}
if $client_cert_data {
if is_service_default($client_cert) {
fail('You must provide a path for storing the client certificate')
}
ensure_resource('file', dirname($client_cert), {
ensure => directory,
owner => $file_permission_owner,
group => $file_permission_group,
mode => '0755',
tag => 'octavia-certificate',
})
file { $client_cert:
ensure => file,
content => $client_cert_data,
group => $file_permission_owner,
owner => $file_permission_group,
mode => '0755',
replace => true,
show_diff => false,
tag => 'octavia-certificate',
}
}
}
View Git Blame Copy Permalink