Enable neutron server to be run in SSL mode

This commit allows one to specify ca, cert and key file to run neutron server in SSL mode. Change-Id: I90f36e7c465924105e6b8032909988286f3e5374 (cherry picked from commit f48ce94)
redhat-openstack · Jun 12, 2014 · 05c13ee · 05c13ee
1 parent d6896a6
commit 05c13ee
Show file tree

Hide file tree

Showing 2 changed files with 95 additions and 0 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -141,6 +141,22 @@
 # [*qpid_reconnect_interval_max*]
 #   (optional) various QPID options
 #
+# [*use_ssl*]
+#   (optinal) Enable SSL on the API server
+#   Defaults to false, not set
+#
+# [*cert_file*]
+#   (optinal) certificate file to use when starting api server securely
+#   defaults to false, not set
+#
+# [*key_file*]
+#   (optional) Private key file to use when starting API server securely
+#   Defaults to false, not set
+#
+# [*ca_file*]
+#   (optional) CA certificate file to use to verify connecting clients
+#   Defaults to false, not set
+#
 # [*use_syslog*]
 #   (optional) Use syslog for logging
 #   Defaults to false
@@ -204,6 +220,10 @@
   $qpid_reconnect_interval_min = 0,
   $qpid_reconnect_interval_max = 0,
   $qpid_reconnect_interval     = 0,
+  $use_ssl                     = false,
+  $cert_file                   = false,
+  $key_file                    = false,
+  $ca_file                     = false,
   $use_syslog                  = false,
   $log_facility                = 'LOG_USER',
   $log_file                    = false,
@@ -214,6 +234,18 @@
 
   Package['neutron'] -> Neutron_config<||>
 
+  if $use_ssl {
+    if !$cert_file {
+      fail('The cert_file parameter is required when use_ssl is set to true')
+    }
+    if !$ca_file {
+      fail('The ca_file parameter is required when use_ssl is set to true')
+    }
+    if !$key_file {
+      fail('The key_file parameter is required when use_ssl is set to true')
+    }
+  }
+
   if $rabbit_use_ssl {
     if !$kombu_ssl_ca_certs {
       fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true')
@@ -350,6 +382,22 @@
     }
   }
 
+  # SSL Options
+  neutron_config { 'DEFAULT/use_ssl' : value => $use_ssl; }
+  if $use_ssl {
+    neutron_config {
+      'DEFAULT/ssl_cert_file' : value => $cert_file;
+      'DEFAULT/ssl_key_file'  : value => $key_file;
+      'DEFAULT/ssl_ca_file'   : value => $ca_file;
+    }
+  } else {
+    neutron_config {
+      'DEFAULT/ssl_cert_file': ensure => absent;
+      'DEFAULT/ssl_key_file':  ensure => absent;
+      'DEFAULT/ssl_ca_file':   ensure => absent;
+    }
+  }
+
   if $use_syslog {
     neutron_config {
       'DEFAULT/use_syslog':           value => true;

diff --git a/spec/classes/neutron_init_spec.rb b/spec/classes/neutron_init_spec.rb
@@ -52,6 +52,9 @@
     it_configures 'with SSL enabled'
     it_configures 'with SSL disabled'
     it_configures 'with SSL wrongly configured'
+    it_configures 'with SSL socket options set'
+    it_configures 'with SSL socket options set with wrong parameters'
+    it_configures 'with SSL socket options set to false'
     it_configures 'with syslog disabled'
     it_configures 'with syslog enabled'
     it_configures 'with syslog enabled and custom settings'
@@ -135,6 +138,50 @@
     end
   end
 
+  shared_examples_for 'with SSL socket options set' do
+    before do
+      params.merge!(
+        :use_ssl         => true,
+        :cert_file       => '/path/to/cert',
+        :key_file        => '/path/to/key',
+        :ca_file         => '/path/to/ca'
+      )
+    end
+
+    it { should contain_neutron_config('DEFAULT/use_ssl').with_value('true') }
+    it { should contain_neutron_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
+    it { should contain_neutron_config('DEFAULT/ssl_key_file').with_value('/path/to/key') }
+    it { should contain_neutron_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') }
+  end
+
+  shared_examples_for 'with SSL socket options set with wrong parameters' do
+    before do
+      params.merge!(
+        :use_ssl         => true,
+        :key_file        => '/path/to/key',
+        :ca_file         => '/path/to/ca'
+      )
+    end
+
+    it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
+  end
+
+  shared_examples_for 'with SSL socket options set to false' do
+    before do
+      params.merge!(
+        :use_ssl         => false,
+        :cert_file       => false,
+        :key_file        => false,
+        :ca_file         => false
+      )
+    end
+
+    it { should contain_neutron_config('DEFAULT/use_ssl').with_value('false') }
+    it { should contain_neutron_config('DEFAULT/ssl_cert_file').with_ensure('absent') }
+    it { should contain_neutron_config('DEFAULT/ssl_key_file').with_ensure('absent') }
+    it { should contain_neutron_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
+  end
+
   shared_examples_for 'with syslog disabled' do
     it { should contain_neutron_config('DEFAULT/use_syslog').with_value(false) }
   end