Merge "Configure server_certs_key_passphrase for Octavia"

This commit is contained in:
Zuul 2019-03-28 18:32:09 +00:00 committed by Gerrit Code Review
commit 79b672a3f2
3 changed files with 65 additions and 47 deletions

View File

@ -28,6 +28,11 @@
# (Optional) Path for private key used to sign certificates
# Defaults to $::os_service_default
#
# [*server_certs_key_passphrase*]
# (Optional) Passphrase for encrypting Amphora Certificates and Private Keys.
# Defaults to $::os_service_default
#
#
# [*ca_private_key_passphrase*]
# (Optional) CA password used to sign certificates
# Defaults to $::os_service_default
@ -69,21 +74,22 @@
# Defaults to 'octavia'
#
class octavia::certificates (
$cert_generator = $::os_service_default,
$cert_manager = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_type = $::os_service_default,
$ca_certificate = $::os_service_default,
$ca_private_key = $::os_service_default,
$ca_private_key_passphrase = $::os_service_default,
$client_ca = undef,
$client_cert = $::os_service_default,
$ca_certificate_data = undef,
$ca_private_key_data = undef,
$client_ca_data = undef,
$client_cert_data = undef,
$file_permission_owner = 'octavia',
$file_permission_group = 'octavia'
$cert_generator = $::os_service_default,
$cert_manager = $::os_service_default,
$region_name = $::os_service_default,
$endpoint_type = $::os_service_default,
$ca_certificate = $::os_service_default,
$ca_private_key = $::os_service_default,
$server_certs_key_passphrase = $::os_service_default,
$ca_private_key_passphrase = $::os_service_default,
$client_ca = undef,
$client_cert = $::os_service_default,
$ca_certificate_data = undef,
$ca_private_key_data = undef,
$client_ca_data = undef,
$client_cert_data = undef,
$file_permission_owner = 'octavia',
$file_permission_group = 'octavia'
) {
include ::octavia::deps
@ -91,16 +97,17 @@ class octavia::certificates (
$client_ca_real = pick($client_ca, $ca_certificate)
octavia_config {
'certificates/cert_generator' : value => $cert_generator;
'certificates/cert_manager' : value => $cert_manager;
'certificates/region_name' : value => $region_name;
'certificates/endpoint_type' : value => $endpoint_type;
'certificates/ca_certificate' : value => $ca_certificate;
'certificates/ca_private_key' : value => $ca_private_key;
'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
'controller_worker/client_ca' : value => $client_ca_real;
'haproxy_amphora/client_cert' : value => $client_cert;
'haproxy_amphora/server_ca' : value => $ca_certificate;
'certificates/cert_generator' : value => $cert_generator;
'certificates/cert_manager' : value => $cert_manager;
'certificates/region_name' : value => $region_name;
'certificates/endpoint_type' : value => $endpoint_type;
'certificates/ca_certificate' : value => $ca_certificate;
'certificates/ca_private_key' : value => $ca_private_key;
'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase;
'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
'controller_worker/client_ca' : value => $client_ca_real;
'haproxy_amphora/client_cert' : value => $client_cert;
'haproxy_amphora/server_ca' : value => $ca_certificate;
}
# The file creation will create the parent directory for each file if necessary, but

View File

@ -0,0 +1,4 @@
---
features:
- The passphrase for config option 'server_certs_key_passphrase', that was
recently added to Octavia, will now be auto-generated.

View File

@ -11,6 +11,7 @@ describe 'octavia::certificates' do
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('<SERVICE DEFAULT>')
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
end
@ -23,14 +24,15 @@ describe 'octavia::certificates' do
context 'when certificates are configured' do
let :params do
{ :cert_generator => 'local_cert_generator',
:cert_manager => 'barbican_cert_manager',
:region_name => 'RegionOne',
:endpoint_type => 'internalURL',
:ca_certificate => '/etc/octavia/ca.pem',
:ca_private_key => '/etc/octavia/key.pem',
:ca_private_key_passphrase => 'secure123',
:client_cert => '/etc/octavia/client.pem'
{ :cert_generator => 'local_cert_generator',
:cert_manager => 'barbican_cert_manager',
:region_name => 'RegionOne',
:endpoint_type => 'internalURL',
:ca_certificate => '/etc/octavia/ca.pem',
:ca_private_key => '/etc/octavia/key.pem',
:server_certs_key_passphrase => 'secure123',
:ca_private_key_passphrase => 'secure123',
:client_cert => '/etc/octavia/client.pem'
}
end
@ -41,6 +43,7 @@ describe 'octavia::certificates' do
is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL')
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
end
@ -53,19 +56,21 @@ describe 'octavia::certificates' do
context 'when certificates are configured with data provided' do
let :params do
{ :ca_certificate => '/etc/octavia/ca.pem',
:ca_private_key => '/etc/octavia/key.pem',
:ca_private_key_passphrase => 'secure123',
:client_cert => '/etc/octavia/client.pem',
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
:client_cert_data => 'certainly_for_the_client',
{ :ca_certificate => '/etc/octavia/ca.pem',
:ca_private_key => '/etc/octavia/key.pem',
:server_certs_key_passphrase => 'secure123',
:ca_private_key_passphrase => 'secure123',
:client_cert => '/etc/octavia/client.pem',
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
:client_cert_data => 'certainly_for_the_client',
}
end
it 'configures octavia certificate manager' do
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
end
@ -118,19 +123,21 @@ describe 'octavia::certificates' do
context 'when certificates are configured with data provided but different paths' do
let :params do
{ :ca_certificate => '/etc/octavia/ca.pem',
:ca_private_key => '/etc/octavia1/key.pem',
:ca_private_key_passphrase => 'secure123',
:client_cert => '/etc/octavia2/client.pem',
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
:client_cert_data => 'certainly_for_the_client',
{ :ca_certificate => '/etc/octavia/ca.pem',
:ca_private_key => '/etc/octavia1/key.pem',
:server_certs_key_passphrase => 'secure123',
:ca_private_key_passphrase => 'secure123',
:client_cert => '/etc/octavia2/client.pem',
:ca_certificate_data => 'on_my_authority_this_is_a_certificate',
:ca_private_key_data => 'this_is_my_private_key_woot_woot',
:client_cert_data => 'certainly_for_the_client',
}
end
it 'configures octavia certificate manager' do
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem')
is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123')
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
end