Make certs databag optional
This provides an attribute which allows users to optionally disable using the internal certs databag for SSL certificates. The use case is for people who are using other external methods (such as the certificates cookbook) to manage certificates. Change-Id: Ib7c578135db74675bd4c5a0da13f053f6474e0f1
parent
648da86777
commit
2685178b69
|
@ -65,6 +65,9 @@ default['openstack']['dashboard']['ssl']['protocol'] = 'All -SSLv2 -SSLv3'
|
|||
# Which ciphers to use with the SSL/TLS protocol.
|
||||
# Example: 'RSA:HIGH:MEDIUM:!LOW:!kEDH:!aNULL:!ADH:!eNULL:!EXP:!SSLv2:!SEED:!CAMELLIA:!PSK!RC4:!RC4-MD5:!RC4-SHA'
|
||||
default['openstack']['dashboard']['ssl']['ciphers'] = nil
|
||||
# Use the 'certs' databag for managing certs to disable it to use something
|
||||
# external
|
||||
default['openstack']['dashboard']['ssl']['use_data_bag'] = true
|
||||
|
||||
# List of hosts/domains the dashboard can serve. This should be changed, a '*'
|
||||
# allows everything
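Review bot: The comment added above `use_data_bag` is hard to parse and does not say what an operator must supply when the flag is off. Suggested wording: `# Set to false to skip the 'certs' data bag when certificates are managed externally;` followed by `# the cert and key must then already exist at the configured cert_dir/key_dir paths.` Judging by the recipe hunk in this commit, turning the flag off also skips the resources that set owner and mode on the key file, so the comment should mention that the external tool has to enforce private-key permissions itself.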
|
||||
|
|
|
@ -74,18 +74,21 @@ file "#{node['apache']['dir']}/conf.d/openstack-dashboard.conf" do
|
|||
only_if { platform_family?('rhel') } # :pragma-foodcritic: ~FC024 - won't fix this
|
||||
end
|
||||
|
||||
ssl_cert = secret('certs', node['openstack']['dashboard']['ssl']['cert'])
|
||||
ssl_key = secret('certs', node['openstack']['dashboard']['ssl']['key'])
|
||||
ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
|
||||
ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
|
||||
if node['openstack']['dashboard']['ssl']['chain']
|
||||
ssl_chain = secret('certs', node['openstack']['dashboard']['ssl']['chain'])
|
||||
ssl_chain_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
|
||||
else
|
||||
ssl_chain_file = nil
|
||||
if node['openstack']['dashboard']['ssl']['use_data_bag']
|
||||
ssl_cert = secret('certs', node['openstack']['dashboard']['ssl']['cert'])
|
||||
ssl_key = secret('certs', node['openstack']['dashboard']['ssl']['key'])
|
||||
ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
|
||||
ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
|
||||
if node['openstack']['dashboard']['ssl']['chain']
|
||||
ssl_chain = secret('certs', node['openstack']['dashboard']['ssl']['chain'])
|
||||
ssl_chain_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
|
||||
else
|
||||
ssl_chain_file = nil
|
||||
end
|
||||
end
|
||||
|
||||
if node['openstack']['dashboard']['use_ssl']
|
||||
if node['openstack']['dashboard']['use_ssl'] &&
|
||||
node['openstack']['dashboard']['ssl']['use_data_bag']
|
||||
unless ssl_cert_file == ssl_key_file
|
||||
cert_mode = 00644
|
||||
cert_owner = 'root'
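Review bot: With `use_data_bag` set to false, `ssl_cert_file`, `ssl_key_file` and `ssl_chain_file` are never assigned, because the `File.join` lines moved inside the new guard together with the `secret` calls. Ruby leaves those locals nil, so any later code that passes them to the vhost template would render an SSL site with no certificate or key path while `use_ssl` is still true; that code is outside this hunk, so this is unconfirmed. The paths come from attributes only, not from the data bag, so they can stay unconditional and only the `secret` lookups need the guard. The `if use_ssl && use_data_bag` block that follows continues past the end of the hunk.

```ruby
# Paths depend only on attributes, so compute them whether or not the data bag is used.
ssl_cert_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['cert'])
ssl_key_file = File.join(node['openstack']['dashboard']['ssl']['key_dir'], node['openstack']['dashboard']['ssl']['key'])
ssl_chain_file = nil
if node['openstack']['dashboard']['ssl']['chain']
  ssl_chain_file = File.join(node['openstack']['dashboard']['ssl']['cert_dir'], node['openstack']['dashboard']['ssl']['chain'])
end

# Only the secret lookups need the data bag.
if node['openstack']['dashboard']['ssl']['use_data_bag']
  ssl_cert = secret('certs', node['openstack']['dashboard']['ssl']['cert'])
  ssl_key = secret('certs', node['openstack']['dashboard']['ssl']['key'])
  ssl_chain = secret('certs', node['openstack']['dashboard']['ssl']['chain']) if node['openstack']['dashboard']['ssl']['chain']
end

# … unchanged: if use_ssl && use_data_bag block that writes the cert/key files …
```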
|
||||
|
|
|
@ -211,6 +211,13 @@ describe 'openstack-dashboard::apache2-server' do
|
|||
expect(chef_run).not_to create_file('/etc/anypath/any.pem')
|
||||
expect(chef_run).not_to create_file('/etc/anypath/any-chain.pem')
|
||||
end
|
||||
it 'does not create certs if certs data bag is disabled' do
|
||||
node.set['openstack']['dashboard']['ssl']['use_data_bag'] = false
|
||||
node.set['openstack']['dashboard']['ssl']['chain'] = 'horizon-chain.pem'
|
||||
expect(chef_run).not_to create_file('/etc/ssl/certs/horizon.pem')
|
||||
expect(chef_run).not_to create_file('/etc/ssl/certs/horizon.key')
|
||||
expect(chef_run).not_to create_file('/etc/ssl/certs/horizon-chain.pem')
|
||||
end
|
||||
end
|
||||
end
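Review bot: The new example `does not create certs if certs data bag is disabled` only asserts that three files are absent, so it would still pass if the recipe rendered an Apache site with empty certificate paths. Consider also asserting that the rendered vhost keeps the configured cert and key paths when `use_data_bag` is false. The `/etc/ssl/certs/horizon.key` expectation should be checked against the platform's default `key_dir`: if the key normally lands in a different directory, `not_to create_file` on that path passes regardless of the flag. The enclosing `describe` block starts outside the hunk.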
|
||||
|
||||
|
|