Config the some certificate options

Allow the following options to be configured
OPENSTACK_SSL_NO_VERIFY
OPENSTACK_SSL_CACERT

Closes-Bug: #1372723

Change-Id: Ic4a612a899753198d1c09f5b5b78ca94d920d687

CHANGELOG.md

@@ -10,6 +10,7 @@ This file is used to list changes made in each version of the openstack-dashboar
 * Add optional section support for local_settings template
 * Update local_settings from 0644 to 0640
 * Fix python-ibm-db-django package polluting common package attribute
+* Allow some ceitificate options to be configured
 
 ## 9.1
 * python_packages database client attributes have been moved to the -common cookbook

README.md

@@ -47,6 +47,8 @@ Attributes
 * `openstack['dashboard']['http_port']` - Port that httpd should listen on (default: 80)
 * `openstack['dashboard']['https_port']` - Port that httpd should listen on for using ssl (default: 443)
 * `openstack['dashboard']['password_autocomplete']` - Toggle browser autocompletion for login form ('on' or 'off', default: 'on')
+* `openstack['dashboard']['ssl_no_verify']` - Disable SSL certificate checks (useful for self-signed certificates)
+* `openstack['dashboard']['ssl_cacert']` - The CA certificate to use to verify SSL connections
 * `openstack['dashboard']['misc_local_settings']` - Additions to the local_settings conf file
 
 Identity

attributes/default.rb

@@ -60,6 +60,9 @@ default['openstack']['dashboard']['https_port'] = 443
 
 default['openstack']['dashboard']['secret_key_content'] = nil
 
+default['openstack']['dashboard']['ssl_no_verify'] = 'True'
+default['openstack']['dashboard']['ssl_cacert'] = nil
+
 default['openstack']['dashboard']['webroot'] = '/'
 
 # Dashboard specific database packages

spec/server_spec.rb

@@ -158,6 +158,29 @@ describe 'openstack-dashboard::server' do
           end
         end
 
+        context 'config ssl_no_verify' do
+          context 'set to the default value' do
+            it 'has a True value for the OPENSTACK_SSL_NO_VERIFY attribute' do
+              expect(chef_run).to render_file(file.name).with_content(/^OPENSTACK_SSL_NO_VERIFY = True$/)
+            end
+          end
+
+          context 'set to False' do
+            before do
+              node.set['openstack']['dashboard']['ssl_no_verify'] = 'False'
+            end
+
+            it 'has a False value for the OPENSTACK_SSL_NO_VERIFY attribute' do
+              expect(chef_run).to render_file(file.name).with_content(/^OPENSTACK_SSL_NO_VERIFY = False$/)
+            end
+          end
+        end
+
+        it 'config ssl_cacert' do
+          node.set['openstack']['dashboard']['ssl_cacert'] = '/path_to_cacert.pem'
+          expect(chef_run).to render_file(file.name).with_content(/^OPENSTACK_SSL_CACERT = '\/path_to_cacert.pem'$/)
+        end
+
         it 'has some allowed hosts set' do
           node.set['openstack']['dashboard']['allowed_hosts'] = ['dashboard.example.net']
           expect(chef_run).to render_file(file.name).with_content(/^ALLOWED_HOSTS = \["dashboard.example.net"\]$/)

templates/default/local_settings.py.erb

@@ -161,9 +161,13 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "<%= node["openstack"]["dashboard"]["keystone_
 
 # Disable SSL certificate checks (useful for self-signed certificates):
 # OPENSTACK_SSL_NO_VERIFY = True
+OPENSTACK_SSL_NO_VERIFY = <%= node['openstack']['dashboard']['ssl_no_verify'] %>
 
 # The CA certificate to use to verify SSL connections
 # OPENSTACK_SSL_CACERT = '/path/to/cacert.pem'
+<% if node['openstack']['dashboard']['ssl_cacert'] %>
+OPENSTACK_SSL_CACERT = '<%= node['openstack']['dashboard']['ssl_cacert'] %>'
+<% end %>
 
 # The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
 # capabilities of the auth backend for Keystone.