From f48ce942390c0f63cb1f26d3c80aec4e4c126236 Mon Sep 17 00:00:00 2001 From: Yanis Guenane Date: Tue, 20 May 2014 13:33:06 -0400 Subject: [PATCH] Enable neutron server to be run in SSL mode This commit allows one to specify ca, cert and key file to run neutron server in SSL mode. Change-Id: I90f36e7c465924105e6b8032909988286f3e5374 --- manifests/init.pp | 48 +++++++++++++++++++++++++++++++ spec/classes/neutron_init_spec.rb | 47 ++++++++++++++++++++++++++++++ 2 files changed, 95 insertions(+) diff --git a/manifests/init.pp b/manifests/init.pp index c4bfbff42..6f63b0f7b 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -141,6 +141,22 @@ # [*qpid_reconnect_interval_max*] # (optional) various QPID options # +# [*use_ssl*] +# (optinal) Enable SSL on the API server +# Defaults to false, not set +# +# [*cert_file*] +# (optinal) certificate file to use when starting api server securely +# defaults to false, not set +# +# [*key_file*] +# (optional) Private key file to use when starting API server securely +# Defaults to false, not set +# +# [*ca_file*] +# (optional) CA certificate file to use to verify connecting clients +# Defaults to false, not set +# # [*use_syslog*] # (optional) Use syslog for logging # Defaults to false @@ -204,6 +220,10 @@ $qpid_reconnect_interval_min = 0, $qpid_reconnect_interval_max = 0, $qpid_reconnect_interval = 0, + $use_ssl = false, + $cert_file = false, + $key_file = false, + $ca_file = false, $use_syslog = false, $log_facility = 'LOG_USER', $log_file = false, 
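Review bot: The new parameter docs for `use_ssl` and `cert_file` misspell "(optinal)", and the `cert_file` entry uses a lowercase "defaults" where the others use "Defaults". More importantly, `cert_file`, `key_file` and `ca_file` are all labelled optional, although the validation added later in this patch fails the catalog when any of them is missing and `use_ssl` is true. I would reword each entry along the lines of `# (optional) Certificate file to use when starting API server securely; required when use_ssl is true`. The `ca_file` entry should also state plainly that supplying it turns on verification of connecting clients, since that is what an operator needs to know before setting it.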
@@ -214,6 +234,18 @@ Package['neutron'] -> Neutron_config<||> + if $use_ssl { + if !$cert_file { + fail('The cert_file parameter is required when use_ssl is set to true') + } + if !$ca_file { + fail('The ca_file parameter is required when use_ssl is set to true') + } + if !$key_file { + fail('The key_file parameter is required when use_ssl is set to true') + } + } + if $rabbit_use_ssl { if !$kombu_ssl_ca_certs { fail('The kombu_ssl_ca_certs parameter is required when rabbit_use_ssl is set to true') @@ -350,6 +382,22 @@ } } + # SSL Options + neutron_config { 'DEFAULT/use_ssl' : value => $use_ssl; } + if $use_ssl { + neutron_config { + 'DEFAULT/ssl_cert_file' : value => $cert_file; + 'DEFAULT/ssl_key_file' : value => $key_file; + 'DEFAULT/ssl_ca_file' : value => $ca_file; + } + } else { + neutron_config { + 'DEFAULT/ssl_cert_file': ensure => absent; + 'DEFAULT/ssl_key_file': ensure => absent; + 'DEFAULT/ssl_ca_file': ensure => absent; + } + } + if $use_syslog { neutron_config { 'DEFAULT/use_syslog': value => true; diff --git a/spec/classes/neutron_init_spec.rb b/spec/classes/neutron_init_spec.rb index 76751c696..afe2e1577 100644 --- a/spec/classes/neutron_init_spec.rb +++ b/spec/classes/neutron_init_spec.rb @@ -52,6 +52,9 @@ it_configures 'with SSL enabled' it_configures 'with SSL disabled' it_configures 'with SSL wrongly configured' + it_configures 'with SSL socket options set' + it_configures 'with SSL socket options set with wrong parameters' + it_configures 'with SSL socket options set to false' it_configures 'with syslog disabled' it_configures 'with syslog enabled' it_configures 'with syslog enabled and custom settings' 
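Review bot: The `if !$ca_file { fail(...) }` check makes a CA bundle mandatory for every SSL-enabled API server, yet the parameter documentation in this patch describes `ca_file` as the file used "to verify connecting clients". That presumably forces client-certificate verification on every deployment rather than leaving it opt-in; this should be confirmed against the server's handling of `ssl_ca_file`. Consider requiring only `cert_file` and `key_file` here, and writing `DEFAULT/ssl_ca_file` in the later "SSL Options" hunk only when `$ca_file` is set. The checks also accept any truthy value, so a relative or mistyped path is only noticed when the service starts. The enclosing class body starts and ends outside this hunk.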
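Review bot: `'DEFAULT/ssl_key_file' : value => $key_file;` records the private-key path, but nothing in this hunk manages the file or says who owns its permissions. I would extend the `# SSL Options` comment to something like `# SSL Options: the module only writes the paths; key_file must be readable by the neutron service user and not world-readable`. It is also worth noting there that when `$use_ssl` is false the `ensure => absent` branch discards any `cert_file`/`key_file`/`ca_file` the caller passed, without warning. As a style point, the new entries write `'DEFAULT/ssl_cert_file' :` with a space before the colon while the `else` branch and the surrounding code use `'DEFAULT/use_syslog':`.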
@@ -135,6 +138,50 @@ end end + shared_examples_for 'with SSL socket options set' do + before do + params.merge!( + :use_ssl => true, + :cert_file => '/path/to/cert', + :key_file => '/path/to/key', + :ca_file => '/path/to/ca' + ) + end + + it { should contain_neutron_config('DEFAULT/use_ssl').with_value('true') } + it { should contain_neutron_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') } + it { should contain_neutron_config('DEFAULT/ssl_key_file').with_value('/path/to/key') } + it { should contain_neutron_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') } + end + + shared_examples_for 'with SSL socket options set with wrong parameters' do + before do + params.merge!( + :use_ssl => true, + :key_file => '/path/to/key', + :ca_file => '/path/to/ca' + ) + end + + it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/ + end + + shared_examples_for 'with SSL socket options set to false' do + before do + params.merge!( + :use_ssl => false, + :cert_file => false, + :key_file => false, + :ca_file => false + ) + end + + it { should contain_neutron_config('DEFAULT/use_ssl').with_value('false') } + it { should contain_neutron_config('DEFAULT/ssl_cert_file').with_ensure('absent') } + it { should contain_neutron_config('DEFAULT/ssl_key_file').with_ensure('absent') } + it { should contain_neutron_config('DEFAULT/ssl_ca_file').with_ensure('absent') } + end + shared_examples_for 'with syslog disabled' do it { should contain_neutron_config('DEFAULT/use_syslog').with_value(false) } end
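Review bot: Only the missing-`cert_file` failure is exercised by 'with SSL socket options set with wrong parameters'; the `key_file` and `ca_file` `fail()` branches added in manifests/init.pp have no spec. A regression in either check or its message would therefore pass unnoticed, which matters because these checks are what stop a half-configured TLS listener from being deployed. I would add one shared example per missing parameter, as sketched below, and register each with `it_configures` in the list near the top of the file. This assumes the default `params` in this spec do not already set the SSL file parameters, which is not visible in the hunk.

```ruby
# … unchanged: 'with SSL socket options set with wrong parameters' (missing cert_file) …

shared_examples_for 'with SSL socket options set without key_file' do
  before do
    params.merge!(
      :use_ssl   => true,
      :cert_file => '/path/to/cert',
      :ca_file   => '/path/to/ca'
    )
  end

  it_raises 'a Puppet::Error', /The key_file parameter is required when use_ssl is set to true/
end

shared_examples_for 'with SSL socket options set without ca_file' do
  before do
    params.merge!(
      :use_ssl   => true,
      :cert_file => '/path/to/cert',
      :key_file  => '/path/to/key'
    )
  end

  it_raises 'a Puppet::Error', /The ca_file parameter is required when use_ssl is set to true/
end

# … unchanged: 'with SSL socket options set to false' …
```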