Add more config options for pki signing

* add config signing/cert_subject * add config signing/key_size * use default values from keystone Change-Id: Ie327b8ca4f0f8026582530a9aefe5f0d184f92e2
redhat-openstack · Oct 16, 2014 · 1459063 · 1459063
1 parent 605161f
commit 1459063
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 18 deletions.
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -71,6 +71,14 @@
 #   [signing_ca_key] Use this CA key file along with signing_certfile/signing_keyfile for signing
 #     pki tokens and revocation lists. Optional. Default: /etc/keystone/ssl/private/cakey.pem
 #
+#   [*signing_cert_subject*]
+#   (optional) Certificate subject (auto generated certificate) for token signing.
+#   Defaults to '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com'
+#
+#   [*signing_key_size*]
+#   (optional) Key size (in bits) for token signing cert (auto generated certificate)
+#   Defaults to 2048
+#
 #   [rabbit_host] Location of rabbitmq installation. Optional. Defaults to localhost.
 #   [rabbit_port] Port for rabbitmq instance. Optional. Defaults to 5672.
 #   [rabbit_hosts] Location of rabbitmq installation. Optional. Defaults to undef.
@@ -281,6 +289,8 @@
   $signing_keyfile       = '/etc/keystone/ssl/private/signing_key.pem',
   $signing_ca_certs      = '/etc/keystone/ssl/certs/ca.pem',
   $signing_ca_key        = '/etc/keystone/ssl/private/cakey.pem',
+  $signing_cert_subject  = '/C=US/ST=Unset/L=Unset/O=Unset/CN=www.example.com',
+  $signing_key_size      = 2048,
   $rabbit_host           = 'localhost',
   $rabbit_hosts          = false,
   $rabbit_password       = 'guest',
@@ -514,10 +524,12 @@
 
   # Set the signing key/cert configuration values.
   keystone_config {
-    'signing/certfile': value => $signing_certfile;
-    'signing/keyfile':  value => $signing_keyfile;
-    'signing/ca_certs': value => $signing_ca_certs;
-    'signing/ca_key':   value => $signing_ca_key;
+    'signing/certfile':     value => $signing_certfile;
+    'signing/keyfile':      value => $signing_keyfile;
+    'signing/ca_certs':     value => $signing_ca_certs;
+    'signing/ca_key':       value => $signing_ca_key;
+    'signing/cert_subject': value => $signing_cert_subject;
+    'signing/key_size':     value => $signing_key_size;
   }
 
   # Create cache directory used for signing.

diff --git a/spec/classes/keystone_spec.rb b/spec/classes/keystone_spec.rb
@@ -294,13 +294,15 @@
     describe 'when configuring PKI signing cert paths with UUID and with pki_setup disabled' do
       let :params do
         {
-          'admin_token'       => 'service_token',
-          'token_provider'    => 'keystone.token.providers.uuid.Provider',
-          'enable_pki_setup'  => false,
-          'signing_certfile'  => 'signing_certfile',
-          'signing_keyfile'   => 'signing_keyfile',
-          'signing_ca_certs'  => 'signing_ca_certs',
-          'signing_ca_key'    => 'signing_ca_key'
+          'admin_token'          => 'service_token',
+          'token_provider'       => 'keystone.token.providers.uuid.Provider',
+          'enable_pki_setup'     => false,
+          'signing_certfile'     => 'signing_certfile',
+          'signing_keyfile'      => 'signing_keyfile',
+          'signing_ca_certs'     => 'signing_ca_certs',
+          'signing_ca_key'       => 'signing_ca_key',
+          'signing_cert_subject' => 'signing_cert_subject',
+          'signing_key_size'     => 2048
         }
       end
 
@@ -321,18 +323,28 @@
       it 'should contain correct PKI ca_key config' do
         should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
       end
+
+      it 'should contain correct PKI cert_subject config' do
+        should contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
+      end
+
+      it 'should contain correct PKI key_size config' do
+        should contain_keystone_config('signing/key_size').with_value('2048')
+      end
     end
 
     describe 'when configuring PKI signing cert paths with pki_setup disabled' do
       let :params do
         {
-          'admin_token'       => 'service_token',
-          'token_provider'    => 'keystone.token.providers.pki.Provider',
-          'enable_pki_setup'  => false,
-          'signing_certfile'  => 'signing_certfile',
-          'signing_keyfile'   => 'signing_keyfile',
-          'signing_ca_certs'  => 'signing_ca_certs',
-          'signing_ca_key'    => 'signing_ca_key'
+          'admin_token'          => 'service_token',
+          'token_provider'       => 'keystone.token.providers.pki.Provider',
+          'enable_pki_setup'     => false,
+          'signing_certfile'     => 'signing_certfile',
+          'signing_keyfile'      => 'signing_keyfile',
+          'signing_ca_certs'     => 'signing_ca_certs',
+          'signing_ca_key'       => 'signing_ca_key',
+          'signing_cert_subject' => 'signing_cert_subject',
+          'signing_key_size'     => 2048
         }
       end
 
@@ -353,6 +365,14 @@
       it 'should contain correct PKI ca_key config' do
         should contain_keystone_config('signing/ca_key').with_value('signing_ca_key')
       end
+
+      it 'should contain correct PKI cert_subject config' do
+        should contain_keystone_config('signing/cert_subject').with_value('signing_cert_subject')
+      end
+
+      it 'should contain correct PKI key_size config' do
+        should contain_keystone_config('signing/key_size').with_value('2048')
+      end
     end
 
     describe 'with invalid catalog_type' do