From 8cb968cea062e804d49f0291fc569f2b164059c7 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley
Date: Mon, 29 Dec 2014 21:15:49 +0000
Subject: [PATCH] Allow overriding the cert/key file paths

* manifests/cert.pp: This adds the flexibility to depend on existing files even if they're created as part of the storyboard dependency chain, though with the loss of some error handling if a deployer neglects to ensure the file itself exists before starting the apache daemon.

Change-Id: I62d0bc7899703d7cc17f402cf34bd92357f44b58
---
 README.md | 9 ++---
 manifests/cert.pp | 49 +++-------------------------
 manifests/init.pp | 12 +++----
 templates/storyboard_https.vhost.erb | 4 +--
 4 files changed, 16 insertions(+), 58 deletions(-)

diff --git a/README.md b/README.md
index a999636..37aea8f 100644
--- a/README.md
+++ b/README.md
@@ -45,12 +45,12 @@ automatic redirect from http://$hostname to https://$hostname/.
 hostname => ::fqdn,
 openid_url => 'https://login.launchpad.net/+openid',
- ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
 ssl_cert_content => undef,
- ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
+ ssl_cert => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
 ssl_key_content => undef,
- ssl_ca_file => undef,
+ ssl_key => '/etc/ssl/private/ssl-cert-snakeoil.key',
 ssl_ca_content => undef
+ ssl_ca => undef,
 }
 }
@@ -88,15 +88,12 @@ will be saved, however that's not strictly necessary.
 node default {
 class { 'storyboard::cert':
- $ssl_cert_file = undef,
 $ssl_cert_content = undef,
 $ssl_cert = '/etc/ssl/certs/storyboard.openstack.org.pem',
- $ssl_key_file = undef,
 $ssl_key_content = undef,
 $ssl_key = '/etc/ssl/private/storyboard.openstack.org.key',
- $ssl_ca_file = undef,
 $ssl_ca_content = undef,
 $ssl_ca = '/etc/ssl/certs/ca.pem'
 }
diff --git a/manifests/cert.pp b/manifests/cert.pp
index f669283..a82b20c 100644
--- a/manifests/cert.pp
+++ b/manifests/cert.pp
@@ -20,30 +20,17 @@
 # application will be hosted over https rather than http.
 #
 class storyboard::cert (
- $ssl_cert_file = undef,
 $ssl_cert_content = undef,
 $ssl_cert = '/etc/ssl/certs/storyboard.pem',
- $ssl_key_file = undef,
 $ssl_key_content = undef,
 $ssl_key = '/etc/ssl/private/storyboard.key',
- $ssl_ca_file = undef,
 $ssl_ca_content = undef,
 $ssl_ca = undef, # '/etc/ssl/certs/ca.pem'
 ) {
- if $ssl_cert_file != undef {
- file { $ssl_cert:
- owner => 'root',
- group => 'ssl-cert',
- mode => '0640',
- source => $ssl_cert_file,
- before => Class['storyboard::application'],
- notify => Class['storyboard::application'],
- }
- }
- elsif $ssl_cert_content != undef {
+ if $ssl_cert_content != undef {
 file { $ssl_cert:
 owner => 'root',
 group => 'ssl-cert',
@@ -53,21 +40,8 @@ class storyboard::cert (
 notify => Class['storyboard::application'],
 }
 }
- else {
- fail('When including storyboard::cert, you must define either $ssl_cert_file or $ssl_cert_content')
- }
- if $ssl_key_file != undef {
- file { $ssl_key:
- owner => 'root',
- group => 'ssl-cert',
- mode => '0640',
- source => $ssl_key_file,
- before => Class['storyboard::application'],
- notify => Class['storyboard::application'],
- }
- }
- elsif $ssl_key_content != undef {
+ if $ssl_key_content != undef {
 file { $ssl_key:
 owner => 'root',
 group => 'ssl-cert',
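Review bot: Removing the `$ssl_cert_file` branch together with its `fail()` fallback means a catalog with `$ssl_cert_content` undef now declares no `file { $ssl_cert: }` at all, so the path is neither checked for existence nor kept at root:ssl-cert 0640; the `@@ -53` hunk does the same for `$ssl_key` and the `@@ -77` hunk for `$resolved_ssl_ca`. The private key is where this bites: a pre-existing key left world-readable is now accepted silently, whereas before every path either declared the resource with `mode => '0640'` or failed the compile. Consider keeping a content-less resource for the permissions, e.g. `file { $ssl_key: owner => 'root', group => 'ssl-cert', mode => '0640', before => Class['storyboard::application'] }` in an else branch, after confirming how the targeted Puppet version treats a `file` resource with no `ensure` when the path is absent. At minimum the class header comment above line 20 (outside the hunk) should say that with `*_content` undef the deployer is responsible for creating each file with suitable permissions, e.g. `# When $ssl_key_content is undef, $ssl_key must already exist and be readable only by root and the ssl-cert group; this class does not manage it.`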
@@ -77,29 +51,16 @@ class storyboard::cert (
 notify => Class['storyboard::application'],
 }
 }
- else {
- fail('When including storyboard::cert, you must define either $ssl_key_file or $ssl_key_content')
- }
 # CA file needs special treatment, since we want the path variable
 # to be undef in some cases.
- if ($ssl_ca_file != undef or $ssl_ca_content != undef) and $ssl_ca == undef {
+ if $ssl_ca == undef and $ssl_ca_content != undef {
 $resolved_ssl_ca = '/etc/ssl/certs/storyboard.ca.pem'
 }
 else {
 $resolved_ssl_ca = $ssl_ca
 }
- if $ssl_ca_file != undef {
- file { $resolved_ssl_ca:
- owner => 'root',
- group => 'ssl-cert',
- mode => '0640',
- source => $ssl_ca_file,
- before => Class['storyboard::application'],
- notify => Class['storyboard::application'],
- }
- }
- elsif $ssl_ca_content != undef {
+ if $ssl_ca_content != undef {
 file { $resolved_ssl_ca:
 owner => 'root',
 group => 'ssl-cert',
@@ -109,4 +70,4 @@ class storyboard::cert (
 notify => Class['storyboard::application'],
 }
 }
-}
\ No newline at end of file
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 7c6ca1f..95bd420 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -30,21 +30,21 @@ class storyboard (
 $hostname = $::fqdn,
 $openid_url = 'https://login.launchpad.net/+openid',
- $ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
 $ssl_cert_content = undef,
- $ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key',
+ $ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
 $ssl_key_content = undef,
- $ssl_ca_file = undef,
+ $ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key',
 $ssl_ca_content = undef,
+ $ssl_ca = undef,
 ) {
 class { '::storyboard::cert':
- ssl_cert_file => $ssl_cert_file,
 ssl_cert_content => $ssl_cert_content,
- ssl_key_file => $ssl_key_file,
+ ssl_cert => $ssl_cert,
 ssl_key_content => $ssl_key_content,
- ssl_ca_file => $ssl_ca_file,
+ ssl_key => $ssl_key,
 ssl_ca_content => $ssl_ca_content,
+ ssl_ca => $ssl_ca,
 }
 class { '::storyboard::rabbit':
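Review bot: The new `$ssl_cert`, `$ssl_key` and `$ssl_ca` parameters of `class storyboard` in the init.pp hunk come with no documentation change in this file, and if the header comment above line 30 (outside the hunk) still describes `ssl_cert_file`, `ssl_key_file` and `ssl_ca_file` it now documents parameters that no longer exist. A per-parameter entry such as `# [*ssl_key*] Path to the private key Apache uses; written from $ssl_key_content when that is set, otherwise assumed to already exist with restrictive permissions.` would keep the module documentation in step with the interface. Note too that the defaults now point Apache straight at the Debian ssl-cert package's snakeoil files instead of copying them to `/etc/ssl/certs/storyboard.pem` and `/etc/ssl/private/storyboard.key` via `source`, so on a host without that package the failure presumably moves from the Puppet run (missing source) to Apache start-up; that is worth a sentence in the parameter docs.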
diff --git a/templates/storyboard_https.vhost.erb b/templates/storyboard_https.vhost.erb
index be95821..2f02a55 100644
--- a/templates/storyboard_https.vhost.erb
+++ b/templates/storyboard_https.vhost.erb
@@ -28,8 +28,8 @@ SSLCertificateFile <%= scope.lookupvar("storyboard::cert::ssl_cert") %>
 SSLCertificateKeyFile <%= scope.lookupvar("storyboard::cert::ssl_key") %>
- <% if scope.lookupvar("storyboard::cert::ssl_ca") != :undef %>
- SSLCertificateChainFile <%= scope.lookupvar("storyboard::cert::ssl_ca") %>
+ <% if scope.lookupvar("storyboard::cert::resolved_ssl_ca") != :undef %>
+ SSLCertificateChainFile <%= scope.lookupvar("storyboard::cert::resolved_ssl_ca") %>
 <% end %>