Enable nova server to be run in SSL mode

Spredzy · Spredzy · commit b9ae517fcad8 · 2014-06-10T14:06:00.000Z
This commit allows one to specify ca, cert and key file to run nova server in SSL mode. Note: The flag use_ssl per se is not used in nova yet, its purpose here it to verify collateral parameters. Change-Id: I5aed08afc2b6ac94bf9e1929f6b1f41a88882f02 (cherry picked from commit 31048d2)
diff --git a/manifests/init.pp b/manifests/init.pp
@@ -175,6 +175,27 @@
 #   (optional) Syslog facility to receive log lines.
 #   Defaults to 'LOG_USER'
 #
+# [*use_ssl*]
+#   (optional) Enable SSL on the API server
+#   Defaults to false, not set
+#
+# [*enabled_ssl_apis*]
+#   (optional) List of APIs to SSL enable
+#   Defaults to []
+#   Possible values : 'ec2', 'osapi_compute', 'metadata'
+#
+# [*cert_file*]
+#   (optinal) Certificate file to use when starting API server securely
+#   Defaults to false, not set
+#
+# [*key_file*]
+#   (optional) Private key file to use when starting API server securely
+#   Defaults to false, not set
+#
+# [*ca_file*]
+#   (optional) CA certificate file to use to verify connecting clients
+#   Defaults to false, not set_
+#
 # [*nova_user_id*]
 #   (optional) Create the nova user with the specified gid.
 #   Changing to a new uid after specifying a different uid previously,
@@ -271,6 +292,11 @@
   $periodic_interval        = '60',
   $report_interval          = '10',
   $rootwrap_config          = '/etc/nova/rootwrap.conf',
+  $use_ssl                  = false,
+  $enabled_ssl_apis         = ['ec2', 'metadata', 'osapi_compute'],
+  $ca_file                  = false,
+  $cert_file                = false,
+  $key_file                 = false,
   $nova_user_id             = undef,
   $nova_group_id            = undef,
   $nova_public_key          = undef,
@@ -299,6 +325,20 @@
     warning('The nova_cluster_id parameter is deprecated and has no effect.')
   }
 
+  validate_array($enabled_ssl_apis)
+  if empty($enabled_ssl_apis) and $use_ssl {
+      warning('enabled_ssl_apis is empty but use_ssl is set to true')
+  }
+
+  if $use_ssl {
+    if !$cert_file {
+      fail('The cert_file parameter is required when use_ssl is set to true')
+    }
+    if !$key_file {
+      fail('The key_file parameter is required when use_ssl is set to true')
+    }
+  }
+
   group { 'nova':
     ensure  => present,
     system  => true,
@@ -553,6 +593,31 @@
     }
   }
 
+  # SSL Options
+  if $use_ssl {
+    nova_config {
+      'DEFAULT/enabled_ssl_apis' : value => $enabled_ssl_apis;
+      'DEFAULT/ssl_cert_file' :    value => $cert_file;
+      'DEFAULT/ssl_key_file' :     value => $key_file;
+    }
+    if $ca_file {
+      nova_config { 'DEFAULT/ssl_ca_file' :
+        value => $ca_file,
+      }
+    } else {
+      nova_config { 'DEFAULT/ssl_ca_file' :
+        ensure => absent,
+      }
+    }
+  } else {
+    nova_config {
+      'DEFAULT/enabled_ssl_apis' : ensure => absent;
+      'DEFAULT/ssl_cert_file' :    ensure => absent;
+      'DEFAULT/ssl_key_file' :     ensure => absent;
+      'DEFAULT/ssl_ca_file' :      ensure => absent;
+    }
+  }
+
   if $logdir {
     warning('The logdir parameter is deprecated, use log_dir instead.')
     $log_dir_real = $logdir
diff --git a/spec/classes/nova_init_spec.rb b/spec/classes/nova_init_spec.rb
@@ -535,6 +535,53 @@
         end
     end
 
+    context 'with SSL socket options set' do
+      let :params do
+        {
+          :use_ssl          => true,
+          :enabled_ssl_apis => ['ec2'],
+          :cert_file        => '/path/to/cert',
+          :ca_file          => '/path/to/ca',
+          :key_file         => '/path/to/key',
+        }
+      end
+
+      it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_value(['ec2']) }
+      it { should contain_nova_config('DEFAULT/ssl_ca_file').with_value('/path/to/ca') }
+      it { should contain_nova_config('DEFAULT/ssl_cert_file').with_value('/path/to/cert') }
+      it { should contain_nova_config('DEFAULT/ssl_key_file').with_value('/path/to/key') }
+    end
+
+    context 'with SSL socket options set with wrong parameters' do
+      let :params do
+        {
+          :use_ssl          => true,
+          :enabled_ssl_apis => ['ec2'],
+          :ca_file          => '/path/to/ca',
+          :key_file         => '/path/to/key',
+        }
+      end
+
+      it_raises 'a Puppet::Error', /The cert_file parameter is required when use_ssl is set to true/
+    end
+
+    context 'with SSL socket options set to false' do
+      let :params do
+        {
+          :use_ssl          => false,
+          :enabled_ssl_apis => [],
+          :cert_file        => false,
+          :ca_file          => false,
+          :key_file         => false,
+        }
+      end
+
+      it { should contain_nova_config('DEFAULT/enabled_ssl_apis').with_ensure('absent') }
+      it { should contain_nova_config('DEFAULT/ssl_ca_file').with_ensure('absent') }
+      it { should contain_nova_config('DEFAULT/ssl_cert_file').with_ensure('absent') }
+      it { should contain_nova_config('DEFAULT/ssl_key_file').with_ensure('absent') }
+    end
+
   end
 
   context 'on Debian platforms' do
