Add certificate configuration for PKI

Octavia uses PKI in order to securely communicate over REST between the control plane and the amphorae. However, there is no option to currently configure these options at the moment. This patch adds a class which helps configure these options to be able to successfully communicate with PKI. It is important that the SSL certificates must still be generated by the user. Change-Id: Ifbf5cd5118e6d02c514589ecbce9d49096faf242 (cherry picked from commit 8b4707a1f5)
2017-07-27 15:07:53 -04:00 · 2017-07-27 15:07:53 -04:00 · e2c32ce977
parent b14845ada6
commit e2c32ce977
3 changed files with 97 additions and 0 deletions
--- a/manifests/certificates.pp
+++ b/manifests/certificates.pp
@ -0,0 +1,40 @@
+# == Class: octavia::certificates
+#
+#  Configure the octavia certificates for TLS authentication
+#
+# === Parameters
+#
+# [*ca_certificate*]
+#   (Optional) Path to the CA certificate for Octavia
+#   Defaults to $::os_service_default
+#
+# [*ca_private_key*]
+#   (Optional) Path for private key used to sign certificates
+#   Defaults to $::os_service_default
+#
+# [*ca_private_key_passphrase*]
+#   (Optional) CA password used to sign certificates
+#   Defaults to $::os_service_default
+#
+# [*client_cert*]
+#   (Optional) Path for client certificate used to connect to amphorae.
+#   Defaults to $::os_service_default
+#
+class octavia::certificates (
+  $ca_certificate            = $::os_service_default,
+  $ca_private_key            = $::os_service_default,
+  $ca_private_key_passphrase = $::os_service_default,
+  $client_cert               = $::os_service_default,
+) {
+
+  include ::octavia::deps
+
+  octavia_config {
+    'certificates/ca_certificate'            : value => $ca_certificate;
+    'certificates/ca_private_key'            : value => $ca_private_key;
+    'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase;
+    'controller_worker/client_ca'            : value => $ca_certificate;
+    'haproxy_amphora/client_cert'            : value => $client_cert;
+    'haproxy_amphora/server_ca'              : value => $ca_certificate;
+  }
+}
--- a/releasenotes/notes/add-certificates-configuration-6e956bd99e5c2a2b.yaml
+++ b/releasenotes/notes/add-certificates-configuration-6e956bd99e5c2a2b.yaml
@ -0,0 +1,4 @@
+---
+features:
+  - You can now configure the paths for the certificates which are used to the
+    public key infrastructure system which is used to authenticate to amphorae.
--- a/spec/classes/octavia_certificates_spec.rb
+++ b/spec/classes/octavia_certificates_spec.rb
@ -0,0 +1,53 @@
+require 'spec_helper'
+
+describe 'octavia::certificates' do
+
+  let :default_params do
+    { :ca_certificate            => '<SERVICE DEFAULT>',
+      :ca_private_key            => '<SERVICE DEFAULT>',
+      :ca_private_key_passphrase => '<SERVICE DEFAULT>',
+      :client_cert               => '<SERVICE DEFAULT>' }
+  end
+
+  context 'with default params' do
+    let :params do
+      default_params
+    end
+
+    it 'configures octavia certificate manager' do
+      is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('<SERVICE DEFAULT>')
+    end
+
+    it 'configures octavia authentication credentials' do
+      is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('<SERVICE DEFAULT>')
+      is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('<SERVICE DEFAULT>')
+    end
+  end
+
+  context 'when certificates are configured' do
+    let :params do
+      default_params.merge(
+        { :ca_certificate            => '/etc/octavia/ca.pem',
+          :ca_private_key            => '/etc/octavia/key.pem',
+          :ca_private_key_passphrase => 'secure123',
+          :client_cert               => '/etc/octavia/client.pem'
+        }
+      )
+    end
+
+    it 'configures octavia certificate manager' do
+      is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem')
+      is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem')
+      is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123')
+    end
+
+    it 'configures octavia authentication credentials' do
+      is_expected.to contain_octavia_config('controller_worker/client_ca').with_value('/etc/octavia/ca.pem')
+      is_expected.to contain_octavia_config('haproxy_amphora/client_cert').with_value('/etc/octavia/client.pem')
+      is_expected.to contain_octavia_config('haproxy_amphora/server_ca').with_value('/etc/octavia/ca.pem')
+    end
+  end
+end