From 1e312dc8d828ce50f92d4b562fa8794930fd18dd Mon Sep 17 00:00:00 2001
From: Juan Antonio Osorio Robles
Date: Thu, 16 Jun 2016 10:33:29 +0300
Subject: [PATCH] Move SSL parameters to api.pp

Most of the other services configure their SSL options in the api.pp. So for consistency, they were moved here too. The old SSL parameters have been kept for backwards compatibility, so they should still work. This also configures TLS in the correct group. As Cinder uses sslutils from oslo_service. So with the previous configuration. puppet-cinder didn't actually enable TLS.

Change-Id: I4d35016cb1ecda7e4dc133de7c58e0f239ff8517
---
 manifests/api.pp | 44 ++++++++++++
 manifests/init.pp | 67 +++++++------------
 .../cinder-api-ssl-08f7be7fe02510c7.yaml | 3 +
 spec/classes/cinder_api_spec.rb | 27 ++++++++
 spec/classes/cinder_spec.rb | 45 -------------
 5 files changed, 97 insertions(+), 89 deletions(-)
 create mode 100644 releasenotes/notes/cinder-api-ssl-08f7be7fe02510c7.yaml
diff --git a/manifests/api.pp b/manifests/api.pp
index 9d7db476..cce910c4 100644
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -155,6 +155,22 @@
 # middleware should parse the proxy headers or not.(boolean value)
 # Defaults to $::os_service_default
 #
+# [*use_ssl*]
+# (optional) Enable SSL on the API server
+# Defaults to false
+#
+# [*cert_file*]
+# (optional) Certificate file to use when starting API server securely
+# Defaults to $::os_service_default
+#
+# [*key_file*]
+# (optional) Private key file to use when starting API server securely
+# Defaults to $::os_service_default
+#
+# [*ca_file*]
+# (optional) CA certificate file to use to verify connecting clients
+# Defaults to $::os_service_default
+#
 class cinder::api (
 $keystone_password,
 $keystone_enabled = true,
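Review bot: The four new parameter entries do not say that a value still set on the deprecated `cinder` class parameters wins over these, which is how the `pick($::cinder::use_ssl, $use_ssl)` compatibility lines in the body appear to resolve them; an operator setting `cinder::api::use_ssl => false` while `cinder::use_ssl` is left at true would not get what the docs promise. Suggest a line under each entry such as `# A value set on the deprecated cinder::use_ssl parameter takes precedence.` (and the matching name for cert_file, key_file and ca_file). The DEPRECATED entries added in the init.pp documentation hunk have the same gap and could simply point at `cinder::api`.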
@@ -187,6 +203,10 @@ class cinder::api (
 $osapi_max_limit = $::os_service_default,
 $service_name = $::cinder::params::api_service,
 $enable_proxy_headers_parsing = $::os_service_default,
+ $use_ssl = false,
+ $cert_file = $::os_service_default,
+ $key_file = $::os_service_default,
+ $ca_file = $::os_service_default,
 # DEPRECATED PARAMETERS
 $validation_options = {},
 ) inherits cinder::params {
@@ -197,6 +217,21 @@ class cinder::api (
 validate_bool($manage_service)
 validate_bool($enabled)
 
+ # Keep backwards compatibility with SSL values being set in init.pp
+ $use_ssl_real = pick($::cinder::use_ssl, $use_ssl)
+ $cert_file_real = pick($::cinder::cert_file, $cert_file)
+ $key_file_real = pick($::cinder::key_file, $key_file)
+ $ca_file_real = pick($::cinder::ca_file, $ca_file)
+
+ if $use_ssl_real {
+ if is_service_default($cert_file_real) {
+ fail('The cert_file parameter is required when use_ssl is set to true')
+ }
+ if is_service_default($key_file_real) {
+ fail('The key_file parameter is required when use_ssl is set to true')
+ }
+ }
+
 Cinder_config<||> ~> Service[$service_name]
 Cinder_api_paste_ini<||> ~> Service[$service_name]
 Class['cinder::policy'] ~> Service[$service_name]
@@ -304,6 +339,15 @@ class cinder::api (
 }
 }
 
+ # SSL Options
+ if $use_ssl_real {
+ cinder_config {
+ 'ssl/cert_file' : value => $cert_file_real;
+ 'ssl/key_file' : value => $key_file_real;
+ 'ssl/ca_file' : value => $ca_file_real;
+ }
+ }
+
 if (!is_service_default($ratelimits)) {
 cinder_api_paste_ini {
 'filter:ratelimit/paste.filter_factory': value => $ratelimits_factory;
diff --git a/manifests/init.pp b/manifests/init.pp
index 0a14649a..5eff3c55 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
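Review bot: The guards in the new compatibility block only reject the `$::os_service_default` sentinel, so a `false` or empty value arriving in `$cert_file_real`/`$key_file_real` (the old init.pp defaults for these were `false`, and `pick()` does not discard `false`) passes validation and is written into `ssl/cert_file` verbatim, and `$use_ssl_real` itself is never checked with `validate_bool` the way `$manage_service` and `$enabled` are two lines above. Suggest `validate_bool($use_ssl_real)` right after the pick lines, and `validate_absolute_path($cert_file_real)` / `validate_absolute_path($key_file_real)` after the two service-default checks so that only a real path can enable TLS. Reading `$::cinder::use_ssl` also presumably requires the `cinder` class to have been evaluated before `cinder::api`; if it has not, Puppet will warn and resolve it to undef, which is worth stating in the comment.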
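Review bot: The new `# SSL Options` block only writes `ssl/cert_file`, `ssl/key_file` and `ssl/ca_file` when `$use_ssl_real` is true, whereas the block it replaces in init.pp had an `else` branch that set the keys `ensure => absent`; disabling SSL on an already-configured node therefore leaves the old certificate and key paths in cinder.conf, and if, as the commit message implies, oslo_service's sslutils turns TLS on from the presence of those settings in the `ssl` group, flipping `use_ssl` to false would not actually turn TLS off. Restore the `else` branch for the new keys as below. Nothing here removes the legacy `DEFAULT/ssl_*` keys on upgrade either; a one-time `ensure => absent` for those three would stop dead settings from being carried forward.
```puppet
  if $use_ssl_real {
    # … unchanged: ssl/* value settings …
  } else {
    cinder_config {
      'ssl/cert_file' : ensure => absent;
      'ssl/key_file'  : ensure => absent;
      'ssl/ca_file'   : ensure => absent;
    }
  }
```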
@@ -229,22 +229,6 @@
 # any directory.
 # Defaults to '/var/log/cinder'.
 #
-# [*use_ssl*]
-# (optional) Enable SSL on the API server
-# Defaults to false, not set
-#
-# [*cert_file*]
-# (optinal) Certificate file to use when starting API server securely
-# Defaults to false, not set
-#
-# [*key_file*]
-# (optional) Private key file to use when starting API server securely
-# Defaults to false, not set
-#
-# [*ca_file*]
-# (optional) CA certificate file to use to verify connecting clients
-# Defaults to $::os_service_default
-#
 # [*storage_availability_zone*]
 # (optional) Availability zone of the node.
 # Defaults to 'nova'
@@ -299,6 +283,25 @@
 # (Optional) DEPRECATED. Whether to enable the v2 API (true/false).
 # Defaults to undef.
 #
+# [*use_ssl*]
+# (optional) DEPRECATED. Enable SSL on the API server
+# Defaults to undef
+#
+# [*cert_file*]
+# (optional) DEPRECATED. Certificate file to use when starting API server
+# securely
+# Defaults to undef
+#
+# [*key_file*]
+# (optional) DEPRECATED. Private key file to use when starting API server
+# securely
+# Defaults to undef
+#
+# [*ca_file*]
+# (optional) DEPRECATED. CA certificate file to use to verify connecting
+# clients
+# Defaults to undef
+#
 class cinder (
 $database_connection = undef,
 $database_idle_timeout = undef,
@@ -346,10 +349,6 @@ class cinder (
 $amqp_username = $::os_service_default,
 $amqp_password = $::os_service_default,
 $package_ensure = 'present',
- $use_ssl = false,
- $ca_file = $::os_service_default,
- $cert_file = false,
- $key_file = false,
 $api_paste_config = '/etc/cinder/api-paste.ini',
 $use_syslog = undef,
 $use_stderr = undef,
@@ -367,20 +366,15 @@ class cinder (
 $verbose = undef,
 $enable_v1_api = undef,
 $enable_v2_api = undef,
+ $use_ssl = undef,
+ $ca_file = undef,
+ $cert_file = undef,
+ $key_file = undef,
 ) inherits cinder::params {
 
 include ::cinder::db
 include ::cinder::logging
 
- if $use_ssl {
- if !$cert_file {
- fail('The cert_file parameter is required when use_ssl is set to true')
- }
- if !$key_file {
- fail('The key_file parameter is required when use_ssl is set to true')
- }
- }
-
 if $verbose {
 warning('verbose is deprecated, has no effect and will be removed after Newton cycle.')
 }
@@ -477,21 +471,6 @@ class cinder (
 'DEFAULT/host': value => $host;
 }
 
- # SSL Options
- if $use_ssl {
- cinder_config {
- 'DEFAULT/ssl_cert_file' : value => $cert_file;
- 'DEFAULT/ssl_key_file' : value => $key_file;
- 'DEFAULT/ssl_ca_file' : value => $ca_file;
- }
- } else {
- cinder_config {
- 'DEFAULT/ssl_cert_file' : ensure => absent;
- 'DEFAULT/ssl_key_file' : ensure => absent;
- 'DEFAULT/ssl_ca_file' : ensure => absent;
- }
- }
-
 # V3 APIs
 cinder_config {
 'DEFAULT/enable_v3_api': value => $enable_v3_api;
diff --git a/releasenotes/notes/cinder-api-ssl-08f7be7fe02510c7.yaml b/releasenotes/notes/cinder-api-ssl-08f7be7fe02510c7.yaml
new file mode 100644
index 00000000..18e891e7
--- /dev/null
+++ b/releasenotes/notes/cinder-api-ssl-08f7be7fe02510c7.yaml
@@ -0,0 +1,3 @@
+---
+deprecations:
+ - The SSL-related options were removed from init.pp and added to api.pp
diff --git a/spec/classes/cinder_api_spec.rb b/spec/classes/cinder_api_spec.rb
index debe9f35..1e47131a 100644
--- a/spec/classes/cinder_api_spec.rb
+++ b/spec/classes/cinder_api_spec.rb
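Review bot: The four parameters moved into the deprecated block are accepted silently: unlike `$verbose` a few lines below, which emits a `warning()`, nothing tells an operator that `cinder::use_ssl`, `cert_file`, `key_file` and `ca_file` are deprecated and are now only honoured through `cinder::api`. Suggest a warning in the same style when any of them is set, e.g. `if $use_ssl != undef { warning('use_ssl is deprecated in the cinder class; use cinder::api::use_ssl instead.') }`, repeated or combined for the other three. Since the validation that used to fire here now lives in api.pp, a node that declares `cinder` with `use_ssl => true` but never declares `cinder::api` gets neither TLS nor an error, which the deprecation docs should state.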
@@ -335,6 +335,33 @@ describe 'cinder::api' do
 it_raises 'a Puppet::Error', /Invalid service_name/
 end
 
+
+ describe 'with SSL socket options set' do
+ let :params do
+ req_params.merge!({
+ :use_ssl => true,
+ :cert_file => '/path/to/cert',
+ :ca_file => '/path/to/ca',
+ :key_file => '/path/to/key',
+ })
+ end
+
+ it { is_expected.to contain_cinder_config('ssl/ca_file').with_value('/path/to/ca') }
+ it { is_expected.to contain_cinder_config('ssl/cert_file').with_value('/path/to/cert') }
+ it { is_expected.to contain_cinder_config('ssl/key_file').with_value('/path/to/key') }
+ end
+
+ describe 'with SSL socket options set wrongly configured' do
+ let :params do
+ req_params.merge!({
+ :use_ssl => true,
+ :ca_file => '/path/to/ca',
+ :key_file => '/path/to/key',
+ })
+ end
+
+ it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
+ end
 end
 
 on_supported_os({
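Review bot: The two new examples cover the happy path and a missing `cert_file`, but not the other branches the api.pp change introduces: a missing `key_file` (its own `fail` message), `use_ssl => false` (no `ssl/*` keys should be managed), and the backwards-compatibility path where the values are set on the `cinder` class and picked up through `$::cinder::*`. A `describe` for each, mirroring the two added here, would pin that behaviour; the `use_ssl => false` case is also the one that would have caught the missing `ensure => absent` branch. `req_params.merge!` mutates the hash in place; if `req_params` is not a per-example `let`, the SSL keys leak into later examples, and `req_params.merge(...)` is safe either way.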
@@ -254,51 +254,6 @@ describe 'cinder' do
 it { is_expected.to_not contain_class('mysql::bindings::python') }
 end
 
- describe 'with SSL socket options set' do
- let :params do
- {
- :use_ssl => true,
- :cert_file => '/path/to/cert',
- :ca_file => '/path/to/ca',
- :key_file => '/path/to/key',
- :rabbit_password => 'guest',
- }
- end
-
- it { is_expected.to contain_cinder_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') }
- it { is_expected.to contain_cinder_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
- it { is_expected.to contain_cinder_config('DEFAULT/ssl_key_file').with_value('/path/to/key') }
- end
-
- describe 'with SSL socket options set to false' do
- let :params do
- {
- :use_ssl => false,
- :cert_file => false,
- :ca_file => false,
- :key_file => false,
- :rabbit_password => 'guest',
- }
- end
-
- it { is_expected.to contain_cinder_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
- it { is_expected.to contain_cinder_config('DEFAULT/ssl_cert_file').with_ensure('absent') }
- it { is_expected.to contain_cinder_config('DEFAULT/ssl_key_file').with_ensure('absent') }
- end
-
- describe 'with SSL socket options set wrongly configured' do
- let :params do
- {
- :use_ssl => true,
- :ca_file => '/path/to/ca',
- :key_file => '/path/to/key',
- :rabbit_password => 'guest',
- }
- end
-
- it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
- end
-
 describe 'with APIs set for Mitaka (proposed)' do
 let :params do
 {