Create SSL certificates from sslProfiles

Adds function for transforming SSL certificate/key content values into path values with creating the appropriate files. Change-Id: Idaee3c5fcc90f8107eac7c2ada94c1e5180abce5 (cherry picked from commit 6fd83b9631)
2021-03-29 13:13:38 +02:00 · 2021-03-29 13:13:38 +02:00 · 716a7874bf
commit 716a7874bf
parent b88561ba3b
3 changed files with 97 additions and 1 deletions
--- a/lib/puppet/functions/qdr_ssl_certificate.rb
+++ b/lib/puppet/functions/qdr_ssl_certificate.rb
@ -0,0 +1,39 @@
+# This adds to ssl profile hash a proper value of "caCertFile" key for "caCertFileContent" key.
+#
+# Given:
+#   ssl_profiles = [{"name": "test", "caCertFileContent": "cert content", ...}, ...]
+#   cert_dir = "/etc/pki/tls/certs/"
+# Returns:
+#   ssl_profiles = [
+#     {"name": "test",
+#      "caCertFileContent": "cert content",
+#      "caCertFile": "/etc/pki/tls/certs/CA_test.pem",
+#      ... },
+#     ...
+#   ]
+Puppet::Functions.create_function(:qdr_ssl_certificate) do
+
+  dispatch :qdr_ssl_certificate do
+    param 'Array', :ssl_profiles
+    param 'String', :cert_dir
+    return_type 'Array'
+  end
+
+  def qdr_ssl_certificate(ssl_profiles, cert_dir)
+    processed_profiles = Array.new
+    ssl_profiles.each do |profile|
+      if profile.key?("caCertFileContent")
+        processed = profile.clone
+        # create certificate path
+        path = File.join(cert_dir, "CA_#{processed["name"]}.pem")
+        # update profile
+        processed["caCertFile"] = path
+        processed_profiles.push(processed)
+      else
+        processed_profiles.push(profile)
+      end
+    end
+    return processed_profiles
+  end
+
+end
--- a/manifests/profile/base/metrics/qdr.pp
+++ b/manifests/profile/base/metrics/qdr.pp
@ -119,6 +119,10 @@
 #   for more details.
 #   Defaults to hiera('step')
 #
+# [*ssl_cert_dir*]
+#   (Optional) Path to directory where SSL certificate files should be created.
+#   Defaults to '/etc/pki/tls/certs/'
+#
 class tripleo::profile::base::metrics::qdr (
  $username                  = undef,
  $password                  = undef,
@ -142,6 +146,7 @@ class tripleo::profile::base::metrics::qdr (
  $autolink_addresses        = [],
  $router_mode               = 'edge',
  $step                      = Integer(hiera('step')),
+  $ssl_cert_dir              = '/etc/pki/tls/certs/',
 ) {
  if $step >= 1 {
    $interior_nodes = any2array(split($interior_mesh_nodes, ','))
@ -211,6 +216,25 @@ class tripleo::profile::base::metrics::qdr (
      $all_connectors = $connectors + $internal_connectors
    }

+    file { $ssl_cert_dir:
+      ensure => directory,
+      mode   => '0700'
+    }
+    $prep_ssl_profiles = qdr_ssl_certificate($ssl_profiles, $ssl_cert_dir)
+    $final_ssl_profiles = $prep_ssl_profiles.reduce( [] ) |$memo, $prf| {
+      if has_key($prf, 'caCertFileContent') {
+        file { $prf['caCertFile']:
+          ensure  => exists,
+          content => $prf['caCertFileContent'],
+          mode    => '0600',
+          require => File[$ssl_cert_dir]
+        }
+        $memo << delete($prf, 'caCertFileContent')
+      } else {
+        $memo << $prf
+      }
+    }
+
    class { '::qdr':
      listener_addr            => $listener_addr,
      listener_port            => $listener_port,
@ -224,7 +248,7 @@ class tripleo::profile::base::metrics::qdr (
      listener_trusted_certs   => $listener_trusted_certs,
      router_mode              => $router_mode,
      connectors               => $all_connectors,
-      ssl_profiles             => $ssl_profiles,
+      ssl_profiles             => $final_ssl_profiles,
      extra_addresses          => $addresses,
      autolink_addresses       => $autolink_addresses,
      extra_listeners          => $internal_listeners,
--- a/spec/classes/tripleo_profile_base_metrics_qdr_spec.rb
+++ b/spec/classes/tripleo_profile_base_metrics_qdr_spec.rb
@ -188,6 +188,39 @@ describe 'tripleo::profile::base::metrics::qdr' do
        expect(connectors.length).to match 1
      end
    end
+
+    context 'with step 3 and ssl_profiles' do
+      before do
+        params.merge!({
+          :ssl_cert_dir => '/tmp/certs',
+          :ssl_profiles => [
+            {"name" => "wubba", "caCertFileContent" => "ca_wubba"},
+            {"name" => "lubba", "caCertFileContent" => "ca_lubba", "caCertFile" => "whoops"},
+          ]
+        })
+      end
+
+      it 'should set sslProfiles correctly and create appropriate certificates' do
+        is_expected.to contain_class('qdr').with(:ssl_profiles => [
+          {"name" => "wubba", "caCertFile" => '/tmp/certs/CA_wubba.pem'},
+          {"name" => "lubba", "caCertFile" => '/tmp/certs/CA_lubba.pem'},
+        ])
+        is_expected.to contain_file('/tmp/certs').with(
+          :ensure => 'directory',
+          :mode => '0700'
+        )
+        is_expected.to contain_file('/tmp/certs/CA_wubba.pem').with(
+          :ensure => 'exists',
+          :content => 'ca_wubba',
+          :mode => '0600'
+        )
+        is_expected.to contain_file('/tmp/certs/CA_lubba.pem').with(
+          :ensure => 'exists',
+          :content => 'ca_lubba',
+          :mode => '0600'
+        )
+      end
+    end
  end

  on_supported_os.each do |os, facts|