From e8ae4607b43b2b5f686f7337540837cc024c0b71 Mon Sep 17 00:00:00 2001 From: Nir Magnezi Date: Mon, 25 Mar 2019 17:08:31 +0200 Subject: [PATCH] Configure server_certs_key_passphrase for Octavia A recent change[1] to Octavia added a parameter named server_certs_key_passphrase, which means that TripleO should generate a password for it to avoid using the default value. Closes-Bug: #1821751 [1] I06d329ca53bc36bd27f7870ae7c7ca0cf18575b2 Change-Id: Id6c0d156715147c6559dc39098a6eaabf77ac426 --- manifests/certificates.pp | 57 +++++++++++-------- ...certs_key_passphrase-45d716a67b0e83b3.yaml | 4 ++ spec/classes/octavia_certificates_spec.rb | 51 ++++++++++------- 3 files changed, 65 insertions(+), 47 deletions(-) create mode 100644 releasenotes/notes/generate-server_certs_key_passphrase-45d716a67b0e83b3.yaml diff --git a/manifests/certificates.pp b/manifests/certificates.pp index 125c3d68..888e6b77 100644 --- a/manifests/certificates.pp +++ b/manifests/certificates.pp @@ -28,6 +28,11 @@ # (Optional) Path for private key used to sign certificates # Defaults to $::os_service_default # +# [*server_certs_key_passphrase*] +# (Optional) Passphrase for encrypting Amphora Certificates and Private Keys. +# Defaults to $::os_service_default +# +# # [*ca_private_key_passphrase*] # (Optional) CA password used to sign certificates # Defaults to $::os_service_default 
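Review bot: The new parameter entry ends with two empty comment lines (`+#` followed by another `+#` before `# [*ca_private_key_passphrase*]`), while every other entry in this header block is separated by a single `#` line; drop one of them. The description should also say what the default means for this option in particular, because it is a secret and the commit message states the whole point is to avoid Octavia's default value: suggest replacing the `Defaults to` line with `# Defaults to $::os_service_default, which leaves Octavia on its shipped default passphrase; deployers should pass a generated value.` The rest of the class header is outside this hunk.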
@@ -69,21 +74,22 @@ # Defaults to 'octavia' # class octavia::certificates ( - $cert_generator = $::os_service_default, - $cert_manager = $::os_service_default, - $region_name = $::os_service_default, - $endpoint_type = $::os_service_default, - $ca_certificate = $::os_service_default, - $ca_private_key = $::os_service_default, - $ca_private_key_passphrase = $::os_service_default, - $client_ca = undef, - $client_cert = $::os_service_default, - $ca_certificate_data = undef, - $ca_private_key_data = undef, - $client_ca_data = undef, - $client_cert_data = undef, - $file_permission_owner = 'octavia', - $file_permission_group = 'octavia' + $cert_generator = $::os_service_default, + $cert_manager = $::os_service_default, + $region_name = $::os_service_default, + $endpoint_type = $::os_service_default, + $ca_certificate = $::os_service_default, + $ca_private_key = $::os_service_default, + $server_certs_key_passphrase = $::os_service_default, + $ca_private_key_passphrase = $::os_service_default, + $client_ca = undef, + $client_cert = $::os_service_default, + $ca_certificate_data = undef, + $ca_private_key_data = undef, + $client_ca_data = undef, + $client_cert_data = undef, + $file_permission_owner = 'octavia', + $file_permission_group = 'octavia' ) { include ::octavia::deps 
@@ -91,16 +97,17 @@ class octavia::certificates ( $client_ca_real = pick($client_ca, $ca_certificate) octavia_config { - 'certificates/cert_generator' : value => $cert_generator; - 'certificates/cert_manager' : value => $cert_manager; - 'certificates/region_name' : value => $region_name; - 'certificates/endpoint_type' : value => $endpoint_type; - 'certificates/ca_certificate' : value => $ca_certificate; - 'certificates/ca_private_key' : value => $ca_private_key; - 'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase; - 'controller_worker/client_ca' : value => $client_ca_real; - 'haproxy_amphora/client_cert' : value => $client_cert; - 'haproxy_amphora/server_ca' : value => $ca_certificate; + 'certificates/cert_generator' : value => $cert_generator; + 'certificates/cert_manager' : value => $cert_manager; + 'certificates/region_name' : value => $region_name; + 'certificates/endpoint_type' : value => $endpoint_type; + 'certificates/ca_certificate' : value => $ca_certificate; + 'certificates/ca_private_key' : value => $ca_private_key; + 'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase; + 'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase; + 'controller_worker/client_ca' : value => $client_ca_real; + 'haproxy_amphora/client_cert' : value => $client_cert; + 'haproxy_amphora/server_ca' : value => $ca_certificate; } # The file creation will create the parent directory for each file if necessary, but diff --git a/releasenotes/notes/generate-server_certs_key_passphrase-45d716a67b0e83b3.yaml b/releasenotes/notes/generate-server_certs_key_passphrase-45d716a67b0e83b3.yaml new file mode 100644 index 00000000..d33162b6 --- /dev/null +++ b/releasenotes/notes/generate-server_certs_key_passphrase-45d716a67b0e83b3.yaml @@ -0,0 +1,4 @@ +--- +features: + - The passphrase for config option 'server_certs_key_passphrase', that was + recently added to Octavia, will now be auto-generated. 
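Review bot: The new `'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase;` line writes a secret through `octavia_config` without `secret => true`, so a changed value is printed in the agent's change notice and report unless the type redacts by default, which the existing `ca_private_key_passphrase` line on the new side of this hunk also does not request. Suggest `'certificates/server_certs_key_passphrase' : value => $server_certs_key_passphrase, secret => true;` and likewise `'certificates/ca_private_key_passphrase' : value => $ca_private_key_passphrase, secret => true;`, since the block is being rewritten anyway. The class body continues past the end of this hunk.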
diff --git a/spec/classes/octavia_certificates_spec.rb b/spec/classes/octavia_certificates_spec.rb index 06bc78dc..81c1f906 100644 --- a/spec/classes/octavia_certificates_spec.rb +++ b/spec/classes/octavia_certificates_spec.rb @@ -11,6 +11,7 @@ describe 'octavia::certificates' do is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('') is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('') is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('') + is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('') is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('') end @@ -23,14 +24,15 @@ describe 'octavia::certificates' do context 'when certificates are configured' do let :params do - { :cert_generator => 'local_cert_generator', - :cert_manager => 'barbican_cert_manager', - :region_name => 'RegionOne', - :endpoint_type => 'internalURL', - :ca_certificate => '/etc/octavia/ca.pem', - :ca_private_key => '/etc/octavia/key.pem', - :ca_private_key_passphrase => 'secure123', - :client_cert => '/etc/octavia/client.pem' + { :cert_generator => 'local_cert_generator', + :cert_manager => 'barbican_cert_manager', + :region_name => 'RegionOne', + :endpoint_type => 'internalURL', + :ca_certificate => '/etc/octavia/ca.pem', + :ca_private_key => '/etc/octavia/key.pem', + :server_certs_key_passphrase => 'secure123', + :ca_private_key_passphrase => 'secure123', + :client_cert => '/etc/octavia/client.pem' } end 
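Review bot: In the `let :params` block of the `-23,14` hunk the new `:server_certs_key_passphrase => 'secure123'` reuses the exact value already given to `:ca_private_key_passphrase`, so the matching expectations cannot tell the two options apart; a manifest that wired `certificates/server_certs_key_passphrase` to `$ca_private_key_passphrase` by mistake would still pass. Use a distinct value, e.g. `:server_certs_key_passphrase => 'secure456',` with `.with_value('secure456')` in the corresponding `it` block. The same duplication appears in the `-53,19` and `-118,19` hunks of this file and in their `with_value` expectations.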
@@ -41,6 +43,7 @@ describe 'octavia::certificates' do is_expected.to contain_octavia_config('certificates/endpoint_type').with_value('internalURL') is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem') is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem') + is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123') is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123') end @@ -53,19 +56,21 @@ describe 'octavia::certificates' do context 'when certificates are configured with data provided' do let :params do - { :ca_certificate => '/etc/octavia/ca.pem', - :ca_private_key => '/etc/octavia/key.pem', - :ca_private_key_passphrase => 'secure123', - :client_cert => '/etc/octavia/client.pem', - :ca_certificate_data => 'on_my_authority_this_is_a_certificate', - :ca_private_key_data => 'this_is_my_private_key_woot_woot', - :client_cert_data => 'certainly_for_the_client', + { :ca_certificate => '/etc/octavia/ca.pem', + :ca_private_key => '/etc/octavia/key.pem', + :server_certs_key_passphrase => 'secure123', + :ca_private_key_passphrase => 'secure123', + :client_cert => '/etc/octavia/client.pem', + :ca_certificate_data => 'on_my_authority_this_is_a_certificate', + :ca_private_key_data => 'this_is_my_private_key_woot_woot', + :client_cert_data => 'certainly_for_the_client', } end it 'configures octavia certificate manager' do is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem') is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia/key.pem') + is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123') is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123') end 
@@ -118,19 +123,21 @@ describe 'octavia::certificates' do context 'when certificates are configured with data provided but different paths' do let :params do - { :ca_certificate => '/etc/octavia/ca.pem', - :ca_private_key => '/etc/octavia1/key.pem', - :ca_private_key_passphrase => 'secure123', - :client_cert => '/etc/octavia2/client.pem', - :ca_certificate_data => 'on_my_authority_this_is_a_certificate', - :ca_private_key_data => 'this_is_my_private_key_woot_woot', - :client_cert_data => 'certainly_for_the_client', + { :ca_certificate => '/etc/octavia/ca.pem', + :ca_private_key => '/etc/octavia1/key.pem', + :server_certs_key_passphrase => 'secure123', + :ca_private_key_passphrase => 'secure123', + :client_cert => '/etc/octavia2/client.pem', + :ca_certificate_data => 'on_my_authority_this_is_a_certificate', + :ca_private_key_data => 'this_is_my_private_key_woot_woot', + :client_cert_data => 'certainly_for_the_client', } end it 'configures octavia certificate manager' do is_expected.to contain_octavia_config('certificates/ca_certificate').with_value('/etc/octavia/ca.pem') is_expected.to contain_octavia_config('certificates/ca_private_key').with_value('/etc/octavia1/key.pem') + is_expected.to contain_octavia_config('certificates/server_certs_key_passphrase').with_value('secure123') is_expected.to contain_octavia_config('certificates/ca_private_key_passphrase').with_value('secure123') end