From 31048d2de9160ceb1da76c96ae8a38257e9ea577 Mon Sep 17 00:00:00 2001
From: Yanis Guenane
Date: Tue, 20 May 2014 11:23:32 -0400
Subject: [PATCH] Enable nova server to be run in SSL mode

This commit allows one to specify ca, cert and key file to run nova server in SSL mode. Note: The flag use_ssl per se is not used in nova yet, its purpose here it to verify collateral parameters.
Change-Id: I5aed08afc2b6ac94bf9e1929f6b1f41a88882f02
---
 manifests/init.pp | 65 ++++++++++++++++++++++++++++++++++
 spec/classes/nova_init_spec.rb | 47 ++++++++++++++++++++++++
 2 files changed, 112 insertions(+)

diff --git a/manifests/init.pp b/manifests/init.pp
index 8a4984e2a..e97adef3e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -175,6 +175,27 @@
 # (optional) Syslog facility to receive log lines.
 # Defaults to 'LOG_USER'
 #
+# [*use_ssl*]
+# (optional) Enable SSL on the API server
+# Defaults to false, not set
+#
+# [*enabled_ssl_apis*]
+# (optional) List of APIs to SSL enable
+# Defaults to []
+# Possible values : 'ec2', 'osapi_compute', 'metadata'
+#
+# [*cert_file*]
+# (optinal) Certificate file to use when starting API server securely
+# Defaults to false, not set
+#
+# [*key_file*]
+# (optional) Private key file to use when starting API server securely
+# Defaults to false, not set
+#
+# [*ca_file*]
+# (optional) CA certificate file to use to verify connecting clients
+# Defaults to false, not set_
+#
 # [*nova_user_id*]
 # (optional) Create the nova user with the specified gid.
 # Changing to a new uid after specifying a different uid previously,
@@ -271,6 +292,11 @@
 $periodic_interval = '60',
 $report_interval = '10',
 $rootwrap_config = '/etc/nova/rootwrap.conf',
+ $use_ssl = false,
+ $enabled_ssl_apis = ['ec2', 'metadata', 'osapi_compute'],
+ $ca_file = false,
+ $cert_file = false,
+ $key_file = false,
 $nova_user_id = undef,
 $nova_group_id = undef,
 $nova_public_key = undef,
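Review bot: The header for `enabled_ssl_apis` says `Defaults to []`, but the parameter added in the next hunk (`@@ -271,6 +292,11 @@`) defaults to `['ec2', 'metadata', 'osapi_compute']`, so an operator reading the docs would expect SSL on nothing and get it on every API once `use_ssl` is flipped; the comment is the cheaper fix, `#   Defaults to ['ec2', 'metadata', 'osapi_compute']`, unless the narrower default was intended. The same block has two typos worth fixing while here: `(optinal)` under `cert_file` and the stray underscore in `Defaults to false, not set_` under `ca_file`. It would also help to state in the `use_ssl` entry that `cert_file` and `key_file` become mandatory when it is true, since that is what the validation hunk enforces.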
@@ -299,6 +325,20 @@
 warning('The nova_cluster_id parameter is deprecated and has no effect.')
 }
 
+ validate_array($enabled_ssl_apis)
+ if empty($enabled_ssl_apis) and $use_ssl {
+ warning('enabled_ssl_apis is empty but use_ssl is set to true')
+ }
+
+ if $use_ssl {
+ if !$cert_file {
+ fail('The cert_file parameter is required when use_ssl is set to true')
+ }
+ if !$key_file {
+ fail('The key_file parameter is required when use_ssl is set to true')
+ }
+ }
+
 if $rabbit_use_ssl {
 if !$kombu_ssl_ca_certs {
 fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
@@ -548,6 +588,31 @@
 }
 }
 
+ # SSL Options
+ if $use_ssl {
+ nova_config {
+ 'DEFAULT/enabled_ssl_apis' : value => $enabled_ssl_apis;
+ 'DEFAULT/ssl_cert_file' : value => $cert_file;
+ 'DEFAULT/ssl_key_file' : value => $key_file;
+ }
+ if $ca_file {
+ nova_config { 'DEFAULT/ssl_ca_file' :
+ value => $ca_file,
+ }
+ } else {
+ nova_config { 'DEFAULT/ssl_ca_file' :
+ ensure => absent,
+ }
+ }
+ } else {
+ nova_config {
+ 'DEFAULT/enabled_ssl_apis' : ensure => absent;
+ 'DEFAULT/ssl_cert_file' : ensure => absent;
+ 'DEFAULT/ssl_key_file' : ensure => absent;
+ 'DEFAULT/ssl_ca_file' : ensure => absent;
+ }
+ }
+
 if $logdir {
 warning('The logdir parameter is deprecated, use log_dir instead.')
 $log_dir_real = $logdir
diff --git a/spec/classes/nova_init_spec.rb b/spec/classes/nova_init_spec.rb
index 8e3fa21bf..1fdf7845f 100644
--- a/spec/classes/nova_init_spec.rb
+++ b/spec/classes/nova_init_spec.rb
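Review bot: The entries of `$enabled_ssl_apis` are only checked to be an array; nothing compares them with the set the header documents (`'ec2'`, `'osapi_compute'`, `'metadata'`), so a misspelled name passes `validate_array` and that API keeps listening in plaintext with no error at catalog compile time. A stdlib membership check next to the `validate_array` call closes that gap, e.g. `if !empty(difference($enabled_ssl_apis, ['ec2', 'osapi_compute', 'metadata'])) { fail('enabled_ssl_apis contains an unknown API name') }`. For the same reason the empty-list case with `use_ssl` true is arguably a `fail` rather than a `warning`, since the operator asked for SSL and will get none of it. Note too that `!$cert_file` and `!$key_file` only reject `false`/`undef`; whether an empty string is also rejected depends on the Puppet version's truthiness rules, so a `validate_string`-style check on the non-false path would be more robust. The enclosing class body starts and ends outside this hunk.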
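Review bot: In the `@@ -548,6 +588,31 @@` hunk, `'DEFAULT/enabled_ssl_apis' : value => $enabled_ssl_apis` hands a Puppet array to `nova_config`, and nothing in this hunk turns it into the comma-separated list that a single nova.conf option holds; unless the `nova_config` provider joins arrays itself (not visible here), the setting may be written in the array's string form and nova would then treat none of the listed APIs as SSL-enabled. Passing `value => join($enabled_ssl_apis, ',')` makes the written form explicit and independent of the provider. The spec in the last hunk asserts `.with_value(['ec2'])`, so it would not catch the difference. The `# SSL Options` comment could also say why the `absent` branch exists, e.g. `# Remove any earlier SSL settings so turning use_ssl off cannot leave a stale key or CA path in nova.conf`.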
@@ -536,6 +536,53 @@
 end
 end
 
+ context 'with SSL socket options set' do
+ let :params do
+ {
+ :use_ssl => true,
+ :enabled_ssl_apis => ['ec2'],
+ :cert_file => '/path/to/cert',
+ :ca_file => '/path/to/ca',
+ :key_file => '/path/to/key',
+ }
+ end
+
+ it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_value(['ec2']) }
+ it { should contain_nova_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') }
+ it { should contain_nova_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
+ it { should contain_nova_config('DEFAULT/ssl_key_file').with_value('/path/to/key') }
+ end
+
+ context 'with SSL socket options set with wrong parameters' do
+ let :params do
+ {
+ :use_ssl => true,
+ :enabled_ssl_apis => ['ec2'],
+ :ca_file => '/path/to/ca',
+ :key_file => '/path/to/key',
+ }
+ end
+
+ it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
+ end
+
+ context 'with SSL socket options set to false' do
+ let :params do
+ {
+ :use_ssl => false,
+ :enabled_ssl_apis => [],
+ :cert_file => false,
+ :ca_file => false,
+ :key_file => false,
+ }
+ end
+
+ it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_ensure('absent') }
+ it { should contain_nova_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
+ it { should contain_nova_config('DEFAULT/ssl_cert_file').with_ensure('absent') }
+ it { should contain_nova_config('DEFAULT/ssl_key_file').with_ensure('absent') }
+ end
+
 end
 
 context 'on Debian platforms' do
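Review bot: The `use_ssl => true` path that sets `DEFAULT/ssl_ca_file` to `absent` when no `ca_file` is given is not exercised: the first context passes all three files and the third has `use_ssl => false`, so a regression that left a stale CA path behind would go unnoticed. The 'wrong parameters' context likewise only checks the missing `cert_file` message and not the missing `key_file` one. Two further contexts next to the existing ones cover both; they reuse the same placeholder paths as the contexts above.
```ruby
  context 'with SSL socket options set but no ca_file' do
    let :params do
      {
        :use_ssl          => true,
        :enabled_ssl_apis => ['ec2'],
        :cert_file        => '/path/to/cert',
        :key_file         => '/path/to/key',
      }
    end

    it { should contain_nova_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
    it { should contain_nova_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
  end

  context 'with SSL socket options set but no key_file' do
    let :params do
      {
        :use_ssl          => true,
        :enabled_ssl_apis => ['ec2'],
        :cert_file        => '/path/to/cert',
        :ca_file          => '/path/to/ca',
      }
    end

    it_raises 'a Puppet::Error', /The key_file parameter is required when use_ssl is set to true/
  end
```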