Enable cinder server to be run in SSL mode

This commit allows one to specify ca, cert and key file to run cinder server in SSL mode Note: The flag use_ssl per se is not used in cinder yet, its purpose here it to verify collateral parameters. Change-Id: Icc373830421f2254692eb8c7baad05a13e6e1e76 (cherry picked from commit 131108a)
openstack · Jun 10, 2014 · 240b119 · 240b119
1 parent 57da044
commit 240b119
Show file tree

Hide file tree

Showing 2 changed files with 102 additions and 0 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -26,6 +26,22 @@
 #   If set to boolean false, it will not log to any directory.
 #   Defaults to '/var/log/cinder'
 #
+# [*use_ssl*]
+#   (optional) Enable SSL on the API server
+#   Defaults to false, not set
+#
+# [*cert_file*]
+#   (optinal) Certificate file to use when starting API server securely
+#   Defaults to false, not set
+#
+# [*key_file*]
+#   (optional) Private key file to use when starting API server securely
+#   Defaults to false, not set
+#
+# [*ca_file*]
+#   (optional) CA certificate file to use to verify connecting clients
+#   Defaults to false, not set_
+#
 # [*mysql_module*]
 #   (optional) Puppetlabs-mysql module version to use
 #   Tested versions include 0.9 and 2.2
@@ -63,6 +79,10 @@
   $qpid_protocol               = 'tcp',
   $qpid_tcp_nodelay            = true,
   $package_ensure              = 'present',
+  $use_ssl                     = false,
+  $ca_file                     = false,
+  $cert_file                   = false,
+  $key_file                    = false,
   $api_paste_config            = '/etc/cinder/api-paste.ini',
   $use_syslog                  = false,
   $log_facility                = 'LOG_USER',
@@ -94,6 +114,15 @@
     $database_idle_timeout_real = $database_idle_timeout
   }
 
+  if $use_ssl {
+    if !$cert_file {
+      fail('The cert_file parameter is required when use_ssl is set to true')
+    }
+    if !$key_file {
+      fail('The key_file parameter is required when use_ssl is set to true')
+    }
+  }
+
   # this anchor is used to simplify the graph between cinder components by
   # allowing a resource to serve as a point where the configuration of cinder begins
   anchor { 'cinder-start': }
@@ -217,6 +246,29 @@
     }
   }
 
+  # SSL Options
+  if $use_ssl {
+    cinder_config {
+      'DEFAULT/ssl_cert_file' : value => $cert_file;
+      'DEFAULT/ssl_key_file' :  value => $key_file;
+    }
+    if $ca_file {
+      cinder_config { 'DEFAULT/ssl_ca_file' :
+        value => $ca_file,
+      }
+    } else {
+      cinder_config { 'DEFAULT/ssl_ca_file' :
+        ensure => absent,
+      }
+    }
+  } else {
+    cinder_config {
+      'DEFAULT/ssl_cert_file' : ensure => absent;
+      'DEFAULT/ssl_key_file' :  ensure => absent;
+      'DEFAULT/ssl_ca_file' :   ensure => absent;
+    }
+  }
+
   if $use_syslog {
     cinder_config {
       'DEFAULT/use_syslog':           value => true;

diff --git a/spec/classes/cinder_spec.rb b/spec/classes/cinder_spec.rb
@@ -248,4 +248,54 @@
     it { should_not contain_class('mysql::bindings') }
     it { should_not contain_class('mysql::bindings::python') }
   end
+
+  describe 'with SSL socket options set' do
+    let :params do
+      {
+        :use_ssl         => true,
+        :cert_file       => '/path/to/cert',
+        :ca_file         => '/path/to/ca',
+        :key_file        => '/path/to/key',
+        :rabbit_password => 'guest',
+      }
+    end
+
+    it { should contain_cinder_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') }
+    it { should contain_cinder_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
+    it { should contain_cinder_config('DEFAULT/ssl_key_file').with_value('/path/to/key') }
+  end
+
+  describe 'with SSL socket options set to false' do
+    let :params do
+      {
+        :use_ssl         => false,
+        :cert_file       => false,
+        :ca_file         => false,
+        :key_file        => false,
+        :rabbit_password => 'guest',
+      }
+    end
+
+    it { should contain_cinder_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
+    it { should contain_cinder_config('DEFAULT/ssl_cert_file').with_ensure('absent') }
+    it { should contain_cinder_config('DEFAULT/ssl_key_file').with_ensure('absent') }
+  end
+
+  describe 'with SSL socket options set wrongly configured' do
+    let :params do
+      {
+        :use_ssl         => true,
+        :ca_file         => '/path/to/ca',
+        :key_file        => '/path/to/key',
+        :rabbit_password => 'guest',
+      }
+    end
+
+    it 'should raise an error' do
+      expect {
+        should compile
+      }.to raise_error Puppet::Error, /The cert_file parameter is required when use_ssl is set to true/
+    end
+  end
+
 end