From 2685178b69416d49500862a4aeff9bf1b8d8f46c Mon Sep 17 00:00:00 2001
From: Lance Albertson
Date: Tue, 19 Jul 2016 21:34:33 -0700
Subject: [PATCH] Make certs databag optional

This provides an attribute which allows users to optionally disable using the internal certs databag for SSL certificates. The use case is for people who are using other external methods (such as the certificates cookbook) to manage certificates.

Change-Id: Ib7c578135db74675bd4c5a0da13f053f6474e0f1
---
 attributes/default.rb | 3 +++
 recipes/apache2-server.rb | 23 +++++++++++++----------
 spec/apache2-server_spec.rb | 7 +++++++
 3 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/attributes/default.rb b/attributes/default.rb
index 4040da8..bd1a131 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -65,6 +65,9 @@ default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
 # Which ciphers to use with the SSL/TLS protocol.
 # Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
 default['openstack']['dashboard']['ssl']['ciphers'] = nil
+# Use the 'certs' databag for managing certs to disable it to use something
+# external
+default['openstack']['dashboard']['ssl']['use_data_bag'] = true
 
 # List of hosts/domains the dashboard can serve. This should be changed, a '*'
 # allows everything
diff --git a/recipes/apache2-server.rb b/recipes/apache2-server.rb
index 41f0ac5..09b014b 100644
--- a/recipes/apache2-server.rb
+++ b/recipes/apache2-server.rb
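Review bot: The comment above the new `use_data_bag` attribute does not say what an operator takes on by setting it to false: the recipe then neither fetches nor writes the certificate, key and chain files, so the external mechanism must place them at the configured `cert_dir`/`key_dir` paths and becomes solely responsible for keeping the private key's owner and mode restrictive. The current wording ("to disable it to use something external") is also hard to parse. Suggest replacing the two comment lines with `# Fetch the SSL certificate, key and chain from the 'certs' data bag and write them to cert_dir/key_dir.` followed by `# Set to false when an external mechanism (e.g. the certificates cookbook) already provides those files at the same paths, including restrictive permissions on the key.`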
@@ -74,18 +74,21 @@ file "#{node['apache']['dir']}/conf.d/openstack-dashboard.conf" do
 only_if { platform_family?('rhel') } # :pragma-foodcritic: ~FC024 - won't fix this
 end
 
-ssl_cert = secret('certs', node['openstack']['dashboard']['ssl']['cert'])
-ssl_key = secret('certs', node['openstack']['dashboard']['ssl']['key'])
-ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
-ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
-if node['openstack']['dashboard']['ssl']['chain']
- ssl_chain = secret('certs', node['openstack']['dashboard']['ssl']['chain'])
- ssl_chain_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
-else
- ssl_chain_file = nil
+if node['openstack']['dashboard']['ssl']['use_data_bag']
+ ssl_cert = secret('certs', node['openstack']['dashboard']['ssl']['cert'])
+ ssl_key = secret('certs', node['openstack']['dashboard']['ssl']['key'])
+ ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
+ ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
+ if node['openstack']['dashboard']['ssl']['chain']
+ ssl_chain = secret('certs', node['openstack']['dashboard']['ssl']['chain'])
+ ssl_chain_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
+ else
+ ssl_chain_file = nil
+ end
 end
 
-if node['openstack']['dashboard']['use_ssl']
+if node['openstack']['dashboard']['use_ssl'] &&
+ node['openstack']['dashboard']['ssl']['use_data_bag']
 unless ssl_cert_file == ssl_key_file
 cert_mode = 00644
 cert_owner = 'root'
diff --git a/spec/apache2-server_spec.rb b/spec/apache2-server_spec.rb
index bffa862..9fc99a4 100644
--- a/spec/apache2-server_spec.rb
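Review bot: When `use_data_bag` is false but `use_ssl` is true, `ssl_cert_file`, `ssl_key_file` and `ssl_chain_file` are never assigned (Ruby leaves them `nil` after the skipped `if`), so whatever later in the recipe consumes them for the vhost configuration — that code is outside the hunk, so this is inferred — receives `nil` instead of the paths of the externally managed files. The `File.join` path calculations do not depend on the data bag; only the `secret()` lookups and the file resources guarded by the second `if` (whose body continues past the hunk) do, so computing the paths unconditionally and keeping just the lookups inside the conditional keeps the external-certificate case pointing at `cert_dir`/`key_dir`, and the spec's 'does not create certs' example still passes. Note also that with the data bag disabled the recipe no longer enforces the private key's owner and mode, so that responsibility shifts entirely to the external mechanism and is worth stating next to the attribute.
```ruby
# Paths are needed for the vhost config whether or not this recipe manages the files.
ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
ssl_chain_file = nil
if node['openstack']['dashboard']['ssl']['chain']
  ssl_chain_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
end

# Only the secret lookups depend on the 'certs' data bag.
if node['openstack']['dashboard']['ssl']['use_data_bag']
  ssl_cert = secret('certs', node['openstack']['dashboard']['ssl']['cert'])
  ssl_key = secret('certs', node['openstack']['dashboard']['ssl']['key'])
  ssl_chain = secret('certs', node['openstack']['dashboard']['ssl']['chain']) if ssl_chain_file
end
# … unchanged: file resources guarded by use_ssl && use_data_bag …
```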
+++ b/spec/apache2-server_spec.rb
@@ -211,6 +211,13 @@ describe 'openstack-dashboard::apache2-server' do
 expect(chef_run).not_to create_file('/etc/anypath/any.pem')
 expect(chef_run).not_to create_file('/etc/anypath/any-chain.pem')
 end
+ it 'does not create certs if certs data bag is disabled' do
+ node.set['openstack']['dashboard']['ssl']['use_data_bag'] = false
+ node.set['openstack']['dashboard']['ssl']['chain'] = 'horizon-chain.pem'
+ expect(chef_run).not_to create_file('/etc/ssl/certs/horizon.pem')
+ expect(chef_run).not_to create_file('/etc/ssl/certs/horizon.key')
+ expect(chef_run).not_to create_file('/etc/ssl/certs/horizon-chain.pem')
+ end
 end
 end
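Review bot: The new example only asserts that nothing is created, which would also pass if the SSL configuration silently lost its certificate paths when the data bag is disabled; a positive assertion on the rendered vhost configuration would pin the behaviour that matters for the external-certificate case, e.g. `expect(chef_run).to render_file('<vhost template path>').with_content('horizon.pem')` with the real path substituted. The example also does not set `use_ssl`, so unless the surrounding `describe` already enables it (its setup is outside the hunk) the file resources are skipped for that reason alone and the new attribute is not actually exercised. If the cookbook targets Chef 12.12 or later, `node.set` is deprecated in favour of `node.normal`, though matching the rest of this spec file is reasonable until the whole file is migrated.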