Enable nova server to be run in SSL mode
This commit allows one to specify ca, cert and key file
to run nova server in SSL mode.

Note: The flag use_ssl per se is not used in nova yet,
its purpose here is to verify collateral parameters.

Change-Id: I5aed08afc2b6ac94bf9e1929f6b1f41a88882f02
Spredzy committed May 28, 2014
1 parent 99bf46d commit 31048d2
Showing 2 changed files with 112 additions and 0 deletions.
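--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -175,6 +175,27 @@
 # (optional) Syslog facility to receive log lines.
 # Defaults to 'LOG_USER'
 #
+# [*use_ssl*]
+# (optional) Enable SSL on the API server
+# Defaults to false, not set
+#
+# [*enabled_ssl_apis*]
+# (optional) List of APIs to SSL enable
+# Defaults to []
+# Possible values : 'ec2', 'osapi_compute', 'metadata'
+#
+# [*cert_file*]
+# (optinal) Certificate file to use when starting API server securely
+# Defaults to false, not set
+#
+# [*key_file*]
+# (optional) Private key file to use when starting API server securely
+# Defaults to false, not set
+#
+# [*ca_file*]
+# (optional) CA certificate file to use to verify connecting clients
+# Defaults to false, not set_
+#
 # [*nova_user_id*]
 # (optional) Create the nova user with the specified gid.
 # Changing to a new uid after specifying a different uid previously,
@@ -271,6 +292,11 @@
 $periodic_interval = '60',
 $report_interval = '10',
 $rootwrap_config = '/etc/nova/rootwrap.conf',
+$use_ssl = false,
+$enabled_ssl_apis = ['ec2', 'metadata', 'osapi_compute'],
+$ca_file = false,
+$cert_file = false,
+$key_file = false,
 $nova_user_id = undef,
 $nova_group_id = undef,
 $nova_public_key = undef,
@@ -299,6 +325,20 @@
 warning('The nova_cluster_id parameter is deprecated and has no effect.')
 }
 
+validate_array($enabled_ssl_apis)
+if empty($enabled_ssl_apis) and $use_ssl {
+warning('enabled_ssl_apis is empty but use_ssl is set to true')
+}
+
+if $use_ssl {
+if !$cert_file {
+fail('The cert_file parameter is required when use_ssl is set to true')
+}
+if !$key_file {
+fail('The key_file parameter is required when use_ssl is set to true')
+}
+}
+
 if $rabbit_use_ssl {
 if !$kombu_ssl_ca_certs {
 fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
@@ -548,6 +588,31 @@
 }
 }
 
+# SSL Options
+if $use_ssl {
+nova_config {
+'DEFAULT/enabled_ssl_apis' : value => $enabled_ssl_apis;
+'DEFAULT/ssl_cert_file' : value => $cert_file;
+'DEFAULT/ssl_key_file' : value => $key_file;
+}
+if $ca_file {
+nova_config { 'DEFAULT/ssl_ca_file' :
+value => $ca_file,
+}
+} else {
+nova_config { 'DEFAULT/ssl_ca_file' :
+ensure => absent,
+}
+}
+} else {
+nova_config {
+'DEFAULT/enabled_ssl_apis' : ensure => absent;
+'DEFAULT/ssl_cert_file' : ensure => absent;
+'DEFAULT/ssl_key_file' : ensure => absent;
+'DEFAULT/ssl_ca_file' : ensure => absent;
+}
+}
+
 if $logdir {
 warning('The logdir parameter is deprecated, use log_dir instead.')
 $log_dir_real = $logdir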
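Review bot: In the validation hunk, `use_ssl => true` with an empty `enabled_ssl_apis` only emits a warning, and the entries are never checked against the three documented values, so a missing or misspelt API name is written to nova.conf and that listener presumably stays on plain HTTP while the operator believes TLS is on. I would make the empty case fatal, `fail('enabled_ssl_apis must not be empty when use_ssl is set to true')`, and reject entries outside 'ec2', 'osapi_compute' and 'metadata'. The parameter doc in the first hunk also says `Defaults to []` while the signature defaults to all three APIs; the comment should read `# Defaults to ['ec2', 'metadata', 'osapi_compute']`. The class body starts and ends outside these hunks.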
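--- a/spec/classes/nova_init_spec.rb
+++ b/spec/classes/nova_init_spec.rb
@@ -536,6 +536,53 @@
 end
 end
 
+context 'with SSL socket options set' do
+let :params do
+{
+:use_ssl => true,
+:enabled_ssl_apis => ['ec2'],
+:cert_file => '/path/to/cert',
+:ca_file => '/path/to/ca',
+:key_file => '/path/to/key',
+}
+end
+
+it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_value(['ec2']) }
+it { should contain_nova_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') }
+it { should contain_nova_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
+it { should contain_nova_config('DEFAULT/ssl_key_file').with_value('/path/to/key') }
+end
+
+context 'with SSL socket options set with wrong parameters' do
+let :params do
+{
+:use_ssl => true,
+:enabled_ssl_apis => ['ec2'],
+:ca_file => '/path/to/ca',
+:key_file => '/path/to/key',
+}
+end
+
+it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
+end
+
+context 'with SSL socket options set to false' do
+let :params do
+{
+:use_ssl => false,
+:enabled_ssl_apis => [],
+:cert_file => false,
+:ca_file => false,
+:key_file => false,
+}
+end
+
+it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_ensure('absent') }
+it { should contain_nova_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
+it { should contain_nova_config('DEFAULT/ssl_cert_file').with_ensure('absent') }
+it { should contain_nova_config('DEFAULT/ssl_key_file').with_ensure('absent') }
+end
+
 end
 
 context 'on Debian platforms' do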
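Review bot: Only the missing `cert_file` failure is exercised; the parallel `key_file` check and the `use_ssl => true` branch without `ca_file` have no examples, so a regression that drops the key check or leaves a stale `ssl_ca_file` entry (the CA used to verify connecting clients) would still pass. Add a context without `:key_file` asserting `it_raises 'a Puppet::Error', /The key_file parameter is required when use_ssl is set to true/`, and one with `:use_ssl => true` and no `:ca_file` asserting `it { should contain_nova_config('DEFAULT/ssl_ca_file').with_ensure('absent') }`. The context name 'with wrong parameters' would be clearer as 'without cert_file'. The enclosing describe block opens and closes outside the hunk.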
