Merge "Allow overriding the cert/key file paths"

2015-01-09 15:57:23 +00:00 · 2015-01-09 15:57:23 +00:00 · 0f8cd110ed
parent 9cc80d5fed 8cb968cea0
commit 0f8cd110ed
4 changed files with 16 additions and 58 deletions
--- a/README.md
+++ b/README.md
@ -45,12 +45,12 @@ automatic redirect from http://$hostname to https://$hostname/.

            hostname               => ::fqdn,
            openid_url             => 'https://login.launchpad.net/+openid',
-            ssl_cert_file          => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
            ssl_cert_content       => undef,
-            ssl_key_file           => '/etc/ssl/private/ssl-cert-snakeoil.key',
+            ssl_cert               => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
            ssl_key_content        => undef,
-            ssl_ca_file            => undef,
+            ssl_key                => '/etc/ssl/private/ssl-cert-snakeoil.key',
            ssl_ca_content         => undef
+            ssl_ca                 => undef,
        }
    }

@ -88,15 +88,12 @@ will be saved, however that's not strictly necessary.

    node default {
        class { 'storyboard::cert':
-            $ssl_cert_file    = undef,
            $ssl_cert_content = undef,
            $ssl_cert         = '/etc/ssl/certs/storyboard.openstack.org.pem',

-            $ssl_key_file     = undef,
            $ssl_key_content  = undef,
            $ssl_key          = '/etc/ssl/private/storyboard.openstack.org.key',

-            $ssl_ca_file      = undef,
            $ssl_ca_content   = undef,
            $ssl_ca           = '/etc/ssl/certs/ca.pem'
        }
--- a/manifests/cert.pp
+++ b/manifests/cert.pp
@ -20,30 +20,17 @@
 # application will be hosted over https rather than http.
 #
 class storyboard::cert (
-  $ssl_cert_file    = undef,
  $ssl_cert_content = undef,
  $ssl_cert         = '/etc/ssl/certs/storyboard.pem',

-  $ssl_key_file     = undef,
  $ssl_key_content  = undef,
  $ssl_key          = '/etc/ssl/private/storyboard.key',

-  $ssl_ca_file      = undef,
  $ssl_ca_content   = undef,
  $ssl_ca           = undef, # '/etc/ssl/certs/ca.pem'
 ) {

-  if $ssl_cert_file != undef {
-    file { $ssl_cert:
-      owner  => 'root',
-      group  => 'ssl-cert',
-      mode   => '0640',
-      source => $ssl_cert_file,
-      before => Class['storyboard::application'],
-      notify => Class['storyboard::application'],
-    }
-  }
-  elsif $ssl_cert_content != undef {
+  if $ssl_cert_content != undef {
    file { $ssl_cert:
      owner   => 'root',
      group   => 'ssl-cert',
@ -53,21 +40,8 @@ class storyboard::cert (
      notify  => Class['storyboard::application'],
    }
  }
-  else {
-    fail('When including storyboard::cert, you must define either $ssl_cert_file or $ssl_cert_content')
-  }

-  if $ssl_key_file != undef {
-    file { $ssl_key:
-      owner  => 'root',
-      group  => 'ssl-cert',
-      mode   => '0640',
-      source => $ssl_key_file,
-      before => Class['storyboard::application'],
-      notify => Class['storyboard::application'],
-    }
-  }
-  elsif $ssl_key_content != undef {
+  if $ssl_key_content != undef {
    file { $ssl_key:
      owner   => 'root',
      group   => 'ssl-cert',
@ -77,29 +51,16 @@ class storyboard::cert (
      notify  => Class['storyboard::application'],
    }
  }
-  else {
-    fail('When including storyboard::cert, you must define either $ssl_key_file or $ssl_key_content')
-  }

  # CA file needs special treatment, since we want the path variable
  # to be undef in some cases.
-  if ($ssl_ca_file != undef or $ssl_ca_content != undef) and $ssl_ca == undef {
+  if $ssl_ca == undef and $ssl_ca_content != undef {
    $resolved_ssl_ca = '/etc/ssl/certs/storyboard.ca.pem'
  } else {
    $resolved_ssl_ca = $ssl_ca
  }

-  if $ssl_ca_file != undef {
-    file { $resolved_ssl_ca:
-      owner  => 'root',
-      group  => 'ssl-cert',
-      mode   => '0640',
-      source => $ssl_ca_file,
-      before => Class['storyboard::application'],
-      notify => Class['storyboard::application'],
-    }
-  }
-  elsif $ssl_ca_content != undef {
+  if $ssl_ca_content != undef {
    file { $resolved_ssl_ca:
      owner   => 'root',
      group   => 'ssl-cert',
@ -109,4 +70,4 @@ class storyboard::cert (
      notify  => Class['storyboard::application'],
    }
  }
-}
+}
--- a/manifests/init.pp
+++ b/manifests/init.pp
@ -30,21 +30,21 @@ class storyboard (
  $hostname            = $::fqdn,
  $openid_url          = 'https://login.launchpad.net/+openid',

-  $ssl_cert_file       = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
  $ssl_cert_content    = undef,
-  $ssl_key_file        = '/etc/ssl/private/ssl-cert-snakeoil.key',
+  $ssl_cert            = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
  $ssl_key_content     = undef,
-  $ssl_ca_file         = undef,
+  $ssl_key             = '/etc/ssl/private/ssl-cert-snakeoil.key',
  $ssl_ca_content      = undef,
+  $ssl_ca              = undef,
 ) {

  class { '::storyboard::cert':
-    ssl_cert_file    => $ssl_cert_file,
    ssl_cert_content => $ssl_cert_content,
-    ssl_key_file     => $ssl_key_file,
+    ssl_cert         => $ssl_cert,
    ssl_key_content  => $ssl_key_content,
-    ssl_ca_file      => $ssl_ca_file,
+    ssl_key          => $ssl_key,
    ssl_ca_content   => $ssl_ca_content,
+    ssl_ca           => $ssl_ca,
  }

  class { '::storyboard::rabbit':
--- a/templates/storyboard_https.vhost.erb
+++ b/templates/storyboard_https.vhost.erb
@ -28,8 +28,8 @@

    SSLCertificateFile      <%= scope.lookupvar("storyboard::cert::ssl_cert") %>
    SSLCertificateKeyFile   <%= scope.lookupvar("storyboard::cert::ssl_key") %>
-  <% if scope.lookupvar("storyboard::cert::ssl_ca") != :undef %>
-    SSLCertificateChainFile <%= scope.lookupvar("storyboard::cert::ssl_ca") %>
+  <% if scope.lookupvar("storyboard::cert::resolved_ssl_ca") != :undef %>
+    SSLCertificateChainFile <%= scope.lookupvar("storyboard::cert::resolved_ssl_ca") %>
  <% end %>

    <FilesMatch "\.(cgi|shtml|phtml|php)$">