openstack/puppet-tripleo
Code Issues Proposed changes

Create SSL certificates from sslProfiles

Browse Source 
Adds function for transforming SSL certificate/key content values
into path values with creating the appropriate files.

Change-Id: Idaee3c5fcc90f8107eac7c2ada94c1e5180abce5
(cherry picked from commit 6fd83b9631)
This commit is contained in:
Martin Magr 2021-03-29 13:13:38 +02:00
parent b88561ba3b
commit 716a7874bf
3 changed files with 97 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
lib/puppet/functions/qdr_ssl_certificate.rb Normal file
View File

@ -0,0 +1,39 @@
# This adds to ssl profile hash a proper value of "caCertFile" key for "caCertFileContent" key.
#
# Given:
# ssl_profiles = [{"name": "test", "caCertFileContent": "cert content", ...}, ...]
# cert_dir = "/etc/pki/tls/certs/"
# Returns:
# ssl_profiles = [
# {"name": "test",
# "caCertFileContent": "cert content",
# "caCertFile": "/etc/pki/tls/certs/CA_test.pem",
# ... },
# ...
# ]
Puppet::Functions.create_function(:qdr_ssl_certificate) do
dispatch :qdr_ssl_certificate do
param 'Array', :ssl_profiles
param 'String', :cert_dir
return_type 'Array'
end
def qdr_ssl_certificate(ssl_profiles, cert_dir)
processed_profiles = Array.new
ssl_profiles.each do |profile|
if profile.key?("caCertFileContent")
processed = profile.clone
# create certificate path
path = File.join(cert_dir, "CA_#{processed["name"]}.pem")
# update profile
processed["caCertFile"] = path
processed_profiles.push(processed)
else
processed_profiles.push(profile)
end
end
return processed_profiles
end
end

26
manifests/profile/base/metrics/qdr.pp
View File

@ -119,6 +119,10 @@
# for more details. # for more details.
# Defaults to hiera('step') # Defaults to hiera('step')
# #
# [*ssl_cert_dir*]
# (Optional) Path to directory where SSL certificate files should be created.
# Defaults to '/etc/pki/tls/certs/'
#
class tripleo::profile::base::metrics::qdr ( class tripleo::profile::base::metrics::qdr (
$username = undef, $username = undef,
$password = undef, $password = undef,
@ -142,6 +146,7 @@ class tripleo::profile::base::metrics::qdr (
$autolink_addresses = [], $autolink_addresses = [],
$router_mode = 'edge', $router_mode = 'edge',
$step = Integer(hiera('step')), $step = Integer(hiera('step')),
$ssl_cert_dir = '/etc/pki/tls/certs/',
) { ) {
if $step >= 1 { if $step >= 1 {
$interior_nodes = any2array(split($interior_mesh_nodes, ',')) $interior_nodes = any2array(split($interior_mesh_nodes, ','))
@ -211,6 +216,25 @@ class tripleo::profile::base::metrics::qdr (
$all_connectors = $connectors + $internal_connectors $all_connectors = $connectors + $internal_connectors
} }
file { $ssl_cert_dir:
ensure => directory,
mode => '0700'
}
$prep_ssl_profiles = qdr_ssl_certificate($ssl_profiles, $ssl_cert_dir)
$final_ssl_profiles = $prep_ssl_profiles.reduce( [] ) |$memo, $prf| {
if has_key($prf, 'caCertFileContent') {
file { $prf['caCertFile']:
ensure => exists,
content => $prf['caCertFileContent'],
mode => '0600',
require => File[$ssl_cert_dir]
}
$memo << delete($prf, 'caCertFileContent')
} else {
$memo << $prf
}
}
class { '::qdr': class { '::qdr':
listener_addr => $listener_addr, listener_addr => $listener_addr,
listener_port => $listener_port, listener_port => $listener_port,
@ -224,7 +248,7 @@ class tripleo::profile::base::metrics::qdr (
listener_trusted_certs => $listener_trusted_certs, listener_trusted_certs => $listener_trusted_certs,
router_mode => $router_mode, router_mode => $router_mode,
connectors => $all_connectors, connectors => $all_connectors,
ssl_profiles => $ssl_profiles, ssl_profiles => $final_ssl_profiles,
extra_addresses => $addresses, extra_addresses => $addresses,
autolink_addresses => $autolink_addresses, autolink_addresses => $autolink_addresses,
extra_listeners => $internal_listeners, extra_listeners => $internal_listeners,

33
spec/classes/tripleo_profile_base_metrics_qdr_spec.rb
View File

@ -188,6 +188,39 @@ describe 'tripleo::profile::base::metrics::qdr' do
expect(connectors.length).to match 1 expect(connectors.length).to match 1
end end
end end
context 'with step 3 and ssl_profiles' do
before do
params.merge!({
:ssl_cert_dir => '/tmp/certs',
:ssl_profiles => [
{"name" => "wubba", "caCertFileContent" => "ca_wubba"},
{"name" => "lubba", "caCertFileContent" => "ca_lubba", "caCertFile" => "whoops"},
]
})
end
it 'should set sslProfiles correctly and create appropriate certificates' do
is_expected.to contain_class('qdr').with(:ssl_profiles => [
{"name" => "wubba", "caCertFile" => '/tmp/certs/CA_wubba.pem'},
{"name" => "lubba", "caCertFile" => '/tmp/certs/CA_lubba.pem'},
])
is_expected.to contain_file('/tmp/certs').with(
:ensure => 'directory',
:mode => '0700'
)
is_expected.to contain_file('/tmp/certs/CA_wubba.pem').with(
:ensure => 'exists',
:content => 'ca_wubba',
:mode => '0600'
)
is_expected.to contain_file('/tmp/certs/CA_lubba.pem').with(
:ensure => 'exists',
:content => 'ca_lubba',
:mode => '0600'
)
end
end
end end
on_supported_os.each do |os, facts| on_supported_os.each do |os, facts|