puppet-octavia/manifests/certificates.pp
Tobias Urdin 45ecee290b Set show_diff to false on certificates
Certificate should be considered secrets
and we should not output the diffs.

Also fixes up the testing to test all the
parameters set on the file resources.

Closes-Bug: 1804884
Change-Id: I0db84f4b9d97bf22d06478ded126a1f209c9b69a
2018-11-23 21:28:45 +01:00


# == Class: octavia::certificates
#
# Configure the octavia certificates for TLS authentication
#
# === Parameters
#
# [*cert_generator*]
# (Optional) Certificate generator to use.
# Defaults to $::os_service_default
#
# [*cert_manager*]
# (Optional) Certificate manager to use.
# Defaults to $::os_service_default
#
# [*region_name*]
# (Optional) Region name to use when connecting to cert manager.
# Defaults to $::os_service_default
#
# [*endpoint_type*]
# (Optional) Endpoint type to use when connecting to cert manager.
# Defaults to $::os_service_default
#
# [*ca_certificate*]
# (Optional) Path to the CA certificate for Octavia
# Defaults to $::os_service_default
#
# [*ca_private_key*]
# (Optional) Path for private key used to sign certificates
# Defaults to $::os_service_default
#
# [*ca_private_key_passphrase*]
# (Optional) CA password used to sign certificates
# Defaults to $::os_service_default
#
# [*client_ca*]
# (Optional) Path to the client CA certificate.
# This option is not needed unless you want to separate the
# ca_certificate/server_ca and the client_ca.
# Defaults to undef
#
# [*client_cert*]
# (Optional) Path for client certificate used to connect to amphorae.
# Defaults to $::os_service_default
#
# [*ca_certificate_data*]
# (Optional) CA certificate for Octavia
# Defaults to undef
#
# [*ca_private_key_data*]
# (Optional) CA private key for signing certificates
# Defaults to undef
#
# [*client_ca_data*]
# (Optional) Client CA certificate.
# If you provide the data here, you must also set the client_ca
# parameter to the path where this CA should be stored.
# Defaults to undef
#
# [*client_cert_data*]
# (Optional) Client certificate used for connecting to amphorae
# Defaults to undef
#
# [*file_permission_owner*]
# (Optional) User account for file owner.
# Defaults to 'octavia'
#
# [*file_permission_group*]
# (Optional) User group for file permissions
# Defaults to 'octavia'
#
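class octavia::certificates (
  $cert_generator            = $::os_service_default,
  $cert_manager              = $::os_service_default,
  $region_name               = $::os_service_default,
  $endpoint_type             = $::os_service_default,
  $ca_certificate            = $::os_service_default,
  $ca_private_key            = $::os_service_default,
  $ca_private_key_passphrase = $::os_service_default,
  $client_ca                 = undef,
  $client_cert               = $::os_service_default,
  $ca_certificate_data       = undef,
  $ca_private_key_data       = undef,
  $client_ca_data            = undef,
  $client_cert_data          = undef,
  $file_permission_owner     = 'octavia',
  $file_permission_group     = 'octavia'
) {

  include ::octavia::deps

  # A dedicated client CA is optional; fall back to the server CA path when
  # none is given so controller_worker/client_ca always points somewhere.
  $client_ca_real = pick($client_ca, $ca_certificate)

  octavia_config {
    'certificates/cert_generator'            : value => $cert_generator;
    'certificates/cert_manager'              : value => $cert_manager;
    'certificates/region_name'               : value => $region_name;
    'certificates/endpoint_type'             : value => $endpoint_type;
    'certificates/ca_certificate'            : value => $ca_certificate;
    'certificates/ca_private_key'            : value => $ca_private_key;
    'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
    'controller_worker/client_ca'            : value => $client_ca_real;
    'haproxy_amphora/client_cert'            : value => $client_cert;
    'haproxy_amphora/server_ca'              : value => $ca_certificate;
  }

  # The *_data parameters are only written to disk when given. Each block
  # creates the parent directory of its file if necessary, but only one level
  # deep. Every file resource sets show_diff => false so that certificate and
  # key contents never appear in agent reports or logs. Certificates are
  # world-readable (0644); the CA private key is restricted to its owner and
  # group (0640) because it is the signing secret for amphora certificates.

  if $ca_certificate_data {
    if is_service_default($ca_certificate) {
      fail('You must provide a path for storing the CA certificate')
    }
    ensure_resource('file', dirname($ca_certificate), {
      ensure => directory,
      owner  => $file_permission_owner,
      group  => $file_permission_group,
      mode   => '0755',
      tag    => 'octavia-certificate',
    })
    file { $ca_certificate:
      ensure    => file,
      content   => $ca_certificate_data,
      owner     => $file_permission_owner,
      group     => $file_permission_group,
      mode      => '0644',
      replace   => true,
      show_diff => false,
      tag       => 'octavia-certificate',
    }
  }

  if $ca_private_key_data {
    if is_service_default($ca_private_key) {
      fail('You must provide a path for storing the CA private key')
    }
    ensure_resource('file', dirname($ca_private_key), {
      ensure => directory,
      owner  => $file_permission_owner,
      group  => $file_permission_group,
      mode   => '0755',
      tag    => 'octavia-certificate',
    })
    # Private key: no world access. Owner and group are the service
    # account, which is what reads the key to sign amphora certificates.
    file { $ca_private_key:
      ensure    => file,
      content   => $ca_private_key_data,
      owner     => $file_permission_owner,
      group     => $file_permission_group,
      mode      => '0640',
      replace   => true,
      show_diff => false,
      tag       => 'octavia-certificate',
    }
  }

  # A separate client CA is only written when both its path and content are
  # given; with no path the client CA is the server CA (see $client_ca_real).
  if $client_ca and $client_ca_data {
    ensure_resource('file', dirname($client_ca), {
      ensure => directory,
      owner  => $file_permission_owner,
      group  => $file_permission_group,
      mode   => '0755',
      tag    => 'octavia-certificate',
    })
    file { $client_ca:
      ensure    => file,
      content   => $client_ca_data,
      owner     => $file_permission_owner,
      group     => $file_permission_group,
      mode      => '0644',
      replace   => true,
      show_diff => false,
      tag       => 'octavia-certificate',
    }
  }

  if $client_cert_data {
    if is_service_default($client_cert) {
      fail('You must provide a path for storing the client certificate')
    }
    ensure_resource('file', dirname($client_cert), {
      ensure => directory,
      owner  => $file_permission_owner,
      group  => $file_permission_group,
      mode   => '0755',
      tag    => 'octavia-certificate',
    })
    file { $client_cert:
      ensure    => file,
      content   => $client_cert_data,
      owner     => $file_permission_owner,
      group     => $file_permission_group,
      mode      => '0644',
      replace   => true,
      show_diff => false,
      tag       => 'octavia-certificate',
    }
  }
}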