Add support to manage SSL cert

Since gear support SSL certs, add in some support to place them into the SSL folder. It is possible we might want to move this into an ansible role, but for now it seems minimal to support it. Change-Id: I3e4c83c962f550b8cb6aef11a2a9b42288b3f1da Depends-On: https://review.openstack.org/557428 Signed-off-by: Paul Belanger <pabelanger@redhat.com>
2018-03-27 23:01:04 -04:00 · 2018-03-27 23:01:04 -04:00 · e75294e6b1
commit e75294e6b1
parent 66fc8c0b4c
7 changed files with 114 additions and 1 deletions
--- a/defaults/main.yaml
+++ b/defaults/main.yaml
@ -24,6 +24,27 @@ gear_user_name: gear
 gear_user_group: gear
 gear_user_home: /var/lib/gear

+gear_file_ssl_ca_content:
+gear_file_ssl_ca_dest: /etc/gear/ssl/root-ca.pem
+gear_file_ssl_ca_group: "{{ gear_user_group }}"
+gear_file_ssl_ca_mode: 0644
+gear_file_ssl_ca_owner: "{{ gear_user_name }}"
+gear_file_ssl_ca_src: etc/gear/ssl/root-ca.pem
+
+gear_file_ssl_cert_content:
+gear_file_ssl_cert_dest: /etc/gear/ssl/server.pem
+gear_file_ssl_cert_group: "{{ gear_user_group }}"
+gear_file_ssl_cert_mode: 0644
+gear_file_ssl_cert_owner: "{{ gear_user_name }}"
+gear_file_ssl_cert_src: etc/gear/ssl/server.pem
+
+gear_file_ssl_key_content:
+gear_file_ssl_key_dest: /etc/gear/ssl/server.key
+gear_file_ssl_key_group: "{{ gear_user_group }}"
+gear_file_ssl_key_mode: 0600
+gear_file_ssl_key_owner: "{{ gear_user_name }}"
+gear_file_ssl_key_src: etc/gear/ssl/server.key
+
 # tasks/install.yaml
 gear_git_dest: "{{ ansible_user_dir }}/src/git.openstack.org/openstack-infra/gear"
 gear_git_uri: https://git.openstack.org/openstack-infra/gear
--- a/tasks/config.yaml
+++ b/tasks/config.yaml
@ -21,4 +21,35 @@
    state: directory
  with_items:
    - /etc/gear
+    - /etc/gear/ssl
    - /var/log/gear
+
+- name: Install gear ssl ca configuration.
+  become: yes
+  template:
+    dest: "{{ gear_file_ssl_ca_dest }}"
+    group: "{{ gear_file_ssl_ca_group }}"
+    mode: "{{ gear_file_ssl_ca_mode }}"
+    owner: "{{ gear_file_ssl_ca_owner }}"
+    src: "{{ gear_file_ssl_ca_src }}"
+  register: gear_file_ssl_ca
+
+- name: Install gear ssl cert configuration.
+  become: yes
+  template:
+    dest: "{{ gear_file_ssl_cert_dest }}"
+    group: "{{ gear_file_ssl_cert_group }}"
+    mode: "{{ gear_file_ssl_cert_mode }}"
+    owner: "{{ gear_file_ssl_cert_owner }}"
+    src: "{{ gear_file_ssl_cert_src }}"
+  register: gear_file_ssl_cert
+
+- name: Install gear ssl key configuration.
+  become: yes
+  template:
+    dest: "{{ gear_file_ssl_key_dest }}"
+    group: "{{ gear_file_ssl_key_group }}"
+    mode: "{{ gear_file_ssl_key_mode }}"
+    owner: "{{ gear_file_ssl_key_owner }}"
+    src: "{{ gear_file_ssl_key_src }}"
+  register: gear_file_ssl_key
--- a/templates/etc/gear/ssl/root-ca.pem
+++ b/templates/etc/gear/ssl/root-ca.pem
@ -0,0 +1,4 @@
+# This file is generated by Ansible
+#  DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ gear_file_ssl_ca_content }}
--- a/templates/etc/gear/ssl/server.key
+++ b/templates/etc/gear/ssl/server.key
@ -0,0 +1,4 @@
+# This file is generated by Ansible
+#  DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ gear_file_ssl_key_content }}
--- a/templates/etc/gear/ssl/server.pem
+++ b/templates/etc/gear/ssl/server.pem
@ -0,0 +1,4 @@
+# This file is generated by Ansible
+#  DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
+#
+{{ gear_file_ssl_cert_content }}
--- a/templates/etc/systemd/system/gear.service
+++ b/templates/etc/systemd/system/gear.service
@ -9,7 +9,7 @@ Type=simple
 Environment="PREFIX=/usr/local"
 Group=gear
 User=gear
-ExecStart=/bin/sh -c "${PREFIX}/bin/geard -d"
+ExecStart=/bin/sh -c "${PREFIX}/bin/geard -d ${ARGS}"

 [Install]
 WantedBy=multi-user.target
--- a/tests/test.yaml
+++ b/tests/test.yaml
@ -21,6 +21,13 @@
    - "{{ rolename }}"

  post_tasks:
+    - name: Assert results are registered.
+      assert:
+        that:
+          - gear_file_ssl_ca
+          - gear_file_ssl_cert
+          - gear_file_ssl_key
+
    - name: Ensure gear_user_name is gear.
      shell: /usr/bin/getent passwd gear
      tags: skip_ansible_lint
@ -60,3 +67,45 @@
        that:
          - gear_git_dest_stat.stat.exists
          - gear_git_dest_stat.stat.isdir
+
+    - name: Register /etc/gear/ssl/root-ca.pem
+      stat:
+        path: /etc/gear/ssl/root-ca.pem
+      register: _gear_file_ssl_ca_stat
+
+    - name: Assert _gear_file_ssl_ca_stat tests.
+      assert:
+        that:
+          - _gear_file_ssl_ca_stat.stat.exists
+          - _gear_file_ssl_ca_stat.stat.isreg
+          - _gear_file_ssl_ca_stat.stat.pw_name == 'gear'
+          - _gear_file_ssl_ca_stat.stat.gr_name == 'gear'
+          - _gear_file_ssl_ca_stat.stat.mode == '0644'
+
+    - name: Register /etc/gear/ssl/server.pem
+      stat:
+        path: /etc/gear/ssl/server.pem
+      register: _gear_file_ssl_cert_stat
+
+    - name: Assert _gear_file_ssl_cert_stat tests.
+      assert:
+        that:
+          - _gear_file_ssl_cert_stat.stat.exists
+          - _gear_file_ssl_cert_stat.stat.isreg
+          - _gear_file_ssl_cert_stat.stat.pw_name == 'gear'
+          - _gear_file_ssl_cert_stat.stat.gr_name == 'gear'
+          - _gear_file_ssl_cert_stat.stat.mode == '0644'
+
+    - name: Register /etc/gear/ssl/server.key
+      stat:
+        path: /etc/gear/ssl/server.key
+      register: _gear_file_ssl_key_stat
+
+    - name: Assert _gear_file_ssl_key_stat tests.
+      assert:
+        that:
+          - _gear_file_ssl_key_stat.stat.exists
+          - _gear_file_ssl_key_stat.stat.isreg
+          - _gear_file_ssl_key_stat.stat.pw_name == 'gear'
+          - _gear_file_ssl_key_stat.stat.gr_name == 'gear'
+          - _gear_file_ssl_key_stat.stat.mode == '0600'