Include option to set SSLCertificateChainFile
Some cert providers require a chain cert file, so this adds an option to set one. In addition, I added tests for SSL that were missing for the apache vhost file. Change-Id: Ib3c6cf82f6afb8a79952745d8fb2116a05f59c39
parent
ae8f0ec57a
commit
0751804867
|
@ -124,6 +124,7 @@ default['openstack']['identity']['ssl']['ciphers'] = nil
|
|||
default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
|
||||
# path of the keyfile for SSL.
|
||||
default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
|
||||
default['openstack']['identity']['ssl']['chainfile'] = nil
|
||||
# path of the CA cert file for SSL.
|
||||
default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
|
||||
# path of the CA cert files for SSL (Apache)
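Review bot: The new `['ssl']['chainfile']` default is the only SSL path attribute in this hunk without a comment, and it sits between the keyfile line and the "# path of the CA cert file" comment, so it reads as if it were part of the keyfile entry. I would add `# path of the chain file for SSL (Apache); nil omits SSLCertificateChainFile` above it. The nil behaviour is what the template guard and the recipe pass-through on this page implement, so the comment should state it for operators who override the attribute.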
|
||||
|
|
|
@ -325,6 +325,7 @@ wsgi_apps.each do |app, opt|
|
|||
group node['openstack']['identity']['group']
|
||||
use_ssl node['openstack']['identity']['ssl']['enabled']
|
||||
cert_file node['openstack']['identity']['ssl']['certfile']
|
||||
chain_file node['openstack']['identity']['ssl']['chainfile']
|
||||
key_file node['openstack']['identity']['ssl']['keyfile']
|
||||
ca_certs_path node['openstack']['identity']['ssl']['ca_certs_path']
|
||||
cert_required node['openstack']['identity']['ssl']['cert_required']
|
||||
|
|
|
@ -417,6 +417,42 @@ describe 'openstack-identity::server-apache' do
|
|||
expect(chef_run).not_to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
context 'Enable SSL' do
|
||||
before do
|
||||
node.set['openstack']['identity']['ssl']['enabled'] = true
|
||||
end
|
||||
it "configures #{file} common ssl lines" do
|
||||
[/^ SSLEngine On$/,
|
||||
%r{^ SSLCertificateFile /etc/keystone/ssl/certs/sslcert.pem$},
|
||||
%r{^ SSLCertificateKeyFile /etc/keystone/ssl/private/sslkey.pem$},
|
||||
%r{^ SSLCACertificatePath /etc/keystone/ssl/certs/$},
|
||||
/^ SSLProtocol All -SSLv2 -SSLv3$/].each do |line|
|
||||
expect(chef_run).to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
it "does not configure #{file} common ssl lines" do
|
||||
[/^ SSLCertificateChainFile/,
|
||||
/^ SSLCipherSuite/,
|
||||
/^ SSLVerifyClient require/].each do |line|
|
||||
expect(chef_run).not_to render_file(file).with_content(line)
|
||||
end
|
||||
end
|
||||
it "configures #{file} chainfile when set" do
|
||||
node.set['openstack']['identity']['ssl']['chainfile'] = '/etc/keystone/ssl/certs/chainfile.pem'
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(%r{^ SSLCertificateChainFile /etc/keystone/ssl/certs/chainfile.pem$})
|
||||
end
|
||||
it "configures #{file} ciphers when set" do
|
||||
node.set['openstack']['identity']['ssl']['ciphers'] = 'ciphers_value'
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(/^ SSLCipherSuite ciphers_value$/)
|
||||
end
|
||||
it "configures #{file} cert_required set" do
|
||||
node.set['openstack']['identity']['ssl']['cert_required'] = true
|
||||
expect(chef_run).to render_file(file)
|
||||
.with_content(/^ SSLVerifyClient require$/)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe 'keystone-main.conf' do
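Review bot: The "common ssl lines" example pins `SSLProtocol All -SSLv2 -SSLv3` as the expected rendered default, and in Apache that list still permits TLS 1.0 and 1.1 wherever the linked OpenSSL offers them. The attribute that supplies the value is outside this hunk, so this is a remark on what the new test locks in rather than a defect in the test itself. I would add a comment above the array such as `# protocol default only excludes SSLv2/SSLv3; tighten the attribute and this expectation together`. The enclosing `describe` block starts outside the hunk.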
|
||||
|
|
|
@ -19,6 +19,9 @@
|
|||
SSLCertificateFile <%= @params[:cert_file] %>
|
||||
SSLCertificateKeyFile <%= @params[:key_file] %>
|
||||
SSLCACertificatePath <%= @params[:ca_certs_path] %>
|
||||
<% if @params[:chain_file] %>
|
||||
SSLCertificateChainFile <%= @params[:chain_file] %>
|
||||
<% end -%>
|
||||
SSLProtocol <%= @params[:protocol] %>
|
||||
<% if @params[:ciphers] -%>
|
||||
SSLCipherSuite <%= @params[:ciphers] %>
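Review bot: The guard `<% if @params[:chain_file] %>` is true for an empty string, so an override of `chainfile` to `''` would render `SSLCertificateChainFile` with no path and leave the vhost with a directive Apache cannot parse. It also lacks the `-%>` trim marker that the `end` line and the ciphers guard use, which leaves a stray blank line when the directive is rendered. I would write the opening tag as `<% unless @params[:chain_file].to_s.empty? -%>`. Note also that Apache 2.4.8 and later treat SSLCertificateChainFile as obsolete in favour of appending the chain to the SSLCertificateFile, so a comment saying which Apache versions this targets would help. The surrounding block starts and ends outside the hunk.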
|
||||
|
|