Enable heat server to be run in SSL mode

This commit allows one to specify cert and key file to run heat server in SSL mode. Note: The flag use_ssl per se is not used in heat yet, its purpose here it to verify collateral parameters. Change-Id: I94d0b461adc752b028770aea71bf4e4612722539
2014-05-20 11:57:35 -04:00 · 2014-05-20 11:57:35 -04:00 · 025b8cb830
parent 85a98e13e8
commit 025b8cb830
6 changed files with 194 additions and 3 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@ -4,7 +4,10 @@ class heat::api (
  $enabled           = true,
  $bind_host         = '0.0.0.0',
  $bind_port         = '8004',
-  $workers           = '0'
+  $workers           = '0',
+  $use_ssl           = false,
+  $cert_file         = false,
+  $key_file          = false,
 ) {

  include heat
@ -15,6 +18,15 @@ class heat::api (
  Package['heat-api'] -> Heat_config<||>
  Package['heat-api'] -> Service['heat-api']

+  if $use_ssl {
+    if !$cert_file {
+      fail('The cert_file parameter is required when use_ssl is set to true')
+    }
+    if !$key_file {
+      fail('The key_file parameter is required when use_ssl is set to true')
+    }
+  }
+
  package { 'heat-api':
    ensure => installed,
    name   => $::heat::params::api_package_name,
@ -42,4 +54,18 @@ class heat::api (
    'heat_api/bind_port'  : value => $bind_port;
    'heat_api/workers'    : value => $workers;
  }
+
+  # SSL Options
+  if $use_ssl {
+    heat_config {
+      'heat_api/cert_file' : value => $cert_file;
+      'heat_api/key_file' :  value => $key_file;
+    }
+  } else {
+    heat_config {
+      'heat_api/cert_file' : ensure => absent;
+      'heat_api/key_file' :  ensure => absent;
+    }
+  }
+
 }
--- a/manifests/api_cfn.pp
+++ b/manifests/api_cfn.pp
@ -4,7 +4,10 @@ class heat::api_cfn (
  $enabled           = true,
  $bind_host         = '0.0.0.0',
  $bind_port         = '8000',
-  $workers           = '0'
+  $workers           = '0',
+  $use_ssl           = false,
+  $cert_file         = false,
+  $key_file          = false,
 ) {

  include heat
@ -14,6 +17,16 @@ class heat::api_cfn (

  Package['heat-api-cfn'] -> Heat_config<||>
  Package['heat-api-cfn'] -> Service['heat-api-cfn']
+
+  if $use_ssl {
+    if !$cert_file {
+      fail('The cert_file parameter is required when use_ssl is set to true')
+    }
+    if !$key_file {
+      fail('The key_file parameter is required when use_ssl is set to true')
+    }
+  }
+
  package { 'heat-api-cfn':
    ensure => installed,
    name   => $::heat::params::api_cfn_package_name,
@ -41,4 +54,18 @@ class heat::api_cfn (
    'heat_api_cfn/bind_port'              : value => $bind_port;
    'heat_api_cfn/workers'                : value => $workers;
  }
+
+  # SSL Options
+  if $use_ssl {
+    heat_config {
+      'heat_api_cfn/cert_file' : value => $cert_file;
+      'heat_api_cfn/key_file' :  value => $key_file;
+    }
+  } else {
+    heat_config {
+      'heat_api_cfn/cert_file' : ensure => absent;
+      'heat_api_cfn/key_file' :  ensure => absent;
+    }
+  }
+
 }
--- a/manifests/api_cloudwatch.pp
+++ b/manifests/api_cloudwatch.pp
@ -4,7 +4,10 @@ class heat::api_cloudwatch (
  $enabled           = true,
  $bind_host         = '0.0.0.0',
  $bind_port         = '8003',
-  $workers           = '0'
+  $workers           = '0',
+  $use_ssl           = false,
+  $cert_file         = false,
+  $key_file          = false,
 ) {

  include heat
@ -14,6 +17,16 @@ class heat::api_cloudwatch (

  Package['heat-api-cloudwatch'] -> Heat_config<||>
  Package['heat-api-cloudwatch'] -> Service['heat-api-cloudwatch']
+
+  if $use_ssl {
+    if !$cert_file {
+      fail('The cert_file parameter is required when use_ssl is set to true')
+    }
+    if !$key_file {
+      fail('The key_file parameter is required when use_ssl is set to true')
+    }
+  }
+
  package { 'heat-api-cloudwatch':
    ensure => installed,
    name   => $::heat::params::api_cloudwatch_package_name,
@ -41,4 +54,18 @@ class heat::api_cloudwatch (
    'heat_api_cloudwatch/bind_port'  : value => $bind_port;
    'heat_api_cloudwatch/workers'    : value => $workers;
  }
+
+  # SSL Options
+  if $use_ssl {
+    heat_config {
+      'heat_api_cloudwatch/cert_file' : value => $cert_file;
+      'heat_api_cloudwatch/key_file' :  value => $key_file;
+    }
+  } else {
+    heat_config {
+      'heat_api_cloudwatch/cert_file' : ensure => absent;
+      'heat_api_cloudwatch/key_file' :  ensure => absent;
+    }
+  }
+
 }
--- a/spec/classes/heat_api_cfn_spec.rb
+++ b/spec/classes/heat_api_cfn_spec.rb
@ -25,4 +25,41 @@ describe 'heat::api_cfn' do

  end

+  context 'with SSL socket options set' do
+    let :params do
+      {
+        :use_ssl   => true,
+        :cert_file => '/path/to/cert',
+        :key_file  => '/path/to/key'
+      }
+    end
+
+    it { should contain_heat_config('heat_api_cfn/cert_file').with_value('/path/to/cert') }
+    it { should contain_heat_config('heat_api_cfn/key_file').with_value('/path/to/key') }
+  end
+
+  context 'with SSL socket options set with wrong parameters' do
+    let :params do
+      {
+        :use_ssl   => true,
+        :key_file  => '/path/to/key'
+      }
+    end
+
+    it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
+  end
+
+  context 'with SSL socket options set to false' do
+    let :params do
+      {
+        :use_ssl   => false,
+        :cert_file => false,
+        :key_file  => false
+      }
+    end
+
+    it { should contain_heat_config('heat_api_cfn/cert_file').with_ensure('absent') }
+    it { should contain_heat_config('heat_api_cfn/key_file').with_ensure('absent') }
+  end
+
 end
--- a/spec/classes/heat_api_cloudwatch_spec.rb
+++ b/spec/classes/heat_api_cloudwatch_spec.rb
@ -25,4 +25,41 @@ describe 'heat::api_cloudwatch' do

  end

+  context 'with SSL socket options set' do
+    let :params do
+      {
+        :use_ssl   => true,
+        :cert_file => '/path/to/cert',
+        :key_file  => '/path/to/key'
+      }
+    end
+
+    it { should contain_heat_config('heat_api_cloudwatch/cert_file').with_value('/path/to/cert') }
+    it { should contain_heat_config('heat_api_cloudwatch/key_file').with_value('/path/to/key') }
+  end
+
+  context 'with SSL socket options set with wrong parameters' do
+    let :params do
+      {
+        :use_ssl   => true,
+        :key_file  => '/path/to/key'
+      }
+    end
+
+    it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
+  end
+
+  context 'with SSL socket options set to false' do
+    let :params do
+      {
+        :use_ssl   => false,
+        :cert_file => false,
+        :key_file  => false
+      }
+    end
+
+    it { should contain_heat_config('heat_api_cloudwatch/cert_file').with_ensure('absent') }
+    it { should contain_heat_config('heat_api_cloudwatch/key_file').with_ensure('absent') }
+  end
+
 end
--- a/spec/classes/heat_api_spec.rb
+++ b/spec/classes/heat_api_spec.rb
@ -25,4 +25,41 @@ describe 'heat::api' do

  end

+  context 'with SSL socket options set' do
+    let :params do
+      {
+        :use_ssl   => true,
+        :cert_file => '/path/to/cert',
+        :key_file  => '/path/to/key'
+      }
+    end
+
+    it { should contain_heat_config('heat_api/cert_file').with_value('/path/to/cert') }
+    it { should contain_heat_config('heat_api/key_file').with_value('/path/to/key') }
+  end
+
+  context 'with SSL socket options set with wrong parameters' do
+    let :params do
+      {
+        :use_ssl   => true,
+        :key_file  => '/path/to/key'
+      }
+    end
+
+    it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
+  end
+
+  context 'with SSL socket options set to false' do
+    let :params do
+      {
+        :use_ssl   => false,
+        :cert_file => false,
+        :key_file  => false
+      }
+    end
+
+    it { should contain_heat_config('heat_api/cert_file').with_ensure('absent') }
+    it { should contain_heat_config('heat_api/key_file').with_ensure('absent') }
+  end
+
 end