Make certs databag optional

This provides an attribute which allows users to optionally disable using the
internal certs databag for SSL certificates. The use case is for people who are
using other external methods (such as the certificates cookbook) to manage
certificates.

Change-Id: Ib7c578135db74675bd4c5a0da13f053f6474e0f1

attributes/default.rb

@@ -65,6 +65,9 @@ default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
 # Which ciphers to use with the SSL/TLS protocol.
 # Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
 default['openstack']['dashboard']['ssl']['ciphers'] = nil
+# Use the 'certs' databag for managing certs to disable it to use something
+# external
+default['openstack']['dashboard']['ssl']['use_data_bag'] = true
 
 # List of hosts/domains the dashboard can serve. This should be changed, a '*'
 # allows everything

recipes/apache2-server.rb

@@ -74,18 +74,21 @@ file "#{node['apache']['dir']}/conf.d/openstack-dashboard.conf" do
   only_if { platform_family?('rhel') } # :pragma-foodcritic: ~FC024 - won't fix this
 end
 
-ssl_cert = secret('certs', node['openstack']['dashboard']['ssl']['cert'])
-ssl_key = secret('certs', node['openstack']['dashboard']['ssl']['key'])
-ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
-ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
-if node['openstack']['dashboard']['ssl']['chain']
-  ssl_chain = secret('certs', node['openstack']['dashboard']['ssl']['chain'])
-  ssl_chain_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
-else
-  ssl_chain_file = nil
+if node['openstack']['dashboard']['ssl']['use_data_bag']
+  ssl_cert = secret('certs', node['openstack']['dashboard']['ssl']['cert'])
+  ssl_key = secret('certs', node['openstack']['dashboard']['ssl']['key'])
+  ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
+  ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
+  if node['openstack']['dashboard']['ssl']['chain']
+    ssl_chain = secret('certs', node['openstack']['dashboard']['ssl']['chain'])
+    ssl_chain_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
+  else
+    ssl_chain_file = nil
+  end
 end
 
-if node['openstack']['dashboard']['use_ssl']
+if node['openstack']['dashboard']['use_ssl'] &&
+   node['openstack']['dashboard']['ssl']['use_data_bag']
   unless ssl_cert_file == ssl_key_file
     cert_mode = 00644
     cert_owner = 'root'

spec/apache2-server_spec.rb

@@ -211,6 +211,13 @@ describe 'openstack-dashboard::apache2-server' do
           expect(chef_run).not_to create_file('/etc/anypath/any.pem')
           expect(chef_run).not_to create_file('/etc/anypath/any-chain.pem')
         end
+        it 'does not create certs if certs data bag is disabled' do
+          node.set['openstack']['dashboard']['ssl']['use_data_bag'] = false
+          node.set['openstack']['dashboard']['ssl']['chain'] = 'horizon-chain.pem'
+          expect(chef_run).not_to create_file('/etc/ssl/certs/horizon.pem')
+          expect(chef_run).not_to create_file('/etc/ssl/certs/horizon.key')
+          expect(chef_run).not_to create_file('/etc/ssl/certs/horizon-chain.pem')
+        end
       end
     end