Add certificate configuration for PKI
Octavia uses PKI in order to securely communicate over REST between
the control plane and the amphorae. However, there is no option to
currently configure these options at the moment.
This patch adds a class which helps configure these options to be
able to successfully communicate with PKI. It is important that
the SSL certificates must still be generated by the user.
Change-Id: Ifbf5cd5118e6d02c514589ecbce9d49096faf242
(cherry picked from commit 8b4707a1f5
)
This commit is contained in:
parent
b14845ada6
commit
e2c32ce977
|
@ -0,0 +1,40 @@
|
|||
# == Class: octavia::certificates
|
||||
#
|
||||
# Configure the octavia certificates for TLS authentication
|
||||
#
|
||||
# === Parameters
|
||||
#
|
||||
# [*ca_certificate*]
|
||||
# (Optional) Path to the CA certificate for Octavia
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*ca_private_key*]
|
||||
# (Optional) Path for private key used to sign certificates
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*ca_private_key_passphrase*]
|
||||
# (Optional) CA password used to sign certificates
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
# [*client_cert*]
|
||||
# (Optional) Path for client certificate used to connect to amphorae.
|
||||
# Defaults to $::os_service_default
|
||||
#
|
||||
class octavia::certificates (
|
||||
$ca_certificate = $::os_service_default,
|
||||
$ca_private_key = $::os_service_default,
|
||||
$ca_private_key_passphrase = $::os_service_default,
|
||||
$client_cert = $::os_service_default,
|
||||
) {
|
||||
|
||||
include ::octavia::deps
|
||||
|
||||
octavia_config {
|
||||
'certificates/ca_certificate' : value => $ca_certificate;
|
||||
'certificates/ca_private_key' : value => $ca_private_key;
|
||||
'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
|
||||
'controller_worker/client_ca' : value => $ca_certificate;
|
||||
'haproxy_amphora/client_cert' : value => $client_cert;
|
||||
'haproxy_amphora/server_ca' : value => $ca_certificate;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
features:
|
||||
- You can now configure the paths for the certificates which are used to the
|
||||
public key infrastructure system which is used to authenticate to amphorae.
|
|
@ -0,0 +1,53 @@
|
|||
require 'spec_helper'
|
||||
|
||||
describe 'octavia::certificates' do
|
||||
|
||||
let :default_params do
|
||||
{ :ca_certificate => '<SERVICE DEFAULT>',
|
||||
:ca_private_key => '<SERVICE DEFAULT>',
|
||||
:ca_private_key_passphrase => '<SERVICE DEFAULT>',
|
||||
:client_cert => '<SERVICE DEFAULT>' }
|
||||
end
|
||||
|
||||
context 'with default params' do
|
||||
let :params do
|
||||
default_params
|
||||
end
|
||||
|
||||
it 'configures octavia certificate manager' do
|
||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
|
||||
it 'configures octavia authentication credentials' do
|
||||
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('<SERVICE DEFAULT>')
|
||||
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('<SERVICE DEFAULT>')
|
||||
end
|
||||
end
|
||||
|
||||
context 'when certificates are configured' do
|
||||
let :params do
|
||||
default_params.merge(
|
||||
{ :ca_certificate => '/etc/octavia/ca.pem',
|
||||
:ca_private_key => '/etc/octavia/key.pem',
|
||||
:ca_private_key_passphrase => 'secure123',
|
||||
:client_cert => '/etc/octavia/client.pem'
|
||||
}
|
||||
)
|
||||
end
|
||||
|
||||
it 'configures octavia certificate manager' do
|
||||
is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
|
||||
is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
|
||||
is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
|
||||
end
|
||||
|
||||
it 'configures octavia authentication credentials' do
|
||||
is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/ca.pem')
|
||||
is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia/client.pem')
|
||||
is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/octavia/ca.pem')
|
||||
end
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue