Allow overriding the cert/key file paths
* manifests/cert.pp: This adds the flexibility to depend on existing files even if they're created as part of the storyboard dependency chain, though with the loss of some error handling if a deployer neglects to ensure the file itself exists before starting the apache daemon. Change-Id: I62d0bc7899703d7cc17f402cf34bd92357f44b58
parent
c82c659feb
commit
8cb968cea0
@ -45,12 +45,12 @@ automatic redirect from http://$hostname to https://$hostname/.
|
||||
|
||||
hostname => ::fqdn,
|
||||
openid_url => 'https://login.launchpad.net/+openid',
|
||||
ssl_cert_file => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
|
||||
ssl_cert_content => undef,
|
||||
ssl_key_file => '/etc/ssl/private/ssl-cert-snakeoil.key',
|
||||
ssl_cert => '/etc/ssl/certs/ssl-cert-snakeoil.pem',
|
||||
ssl_key_content => undef,
|
||||
ssl_ca_file => undef,
|
||||
ssl_key => '/etc/ssl/private/ssl-cert-snakeoil.key',
|
||||
ssl_ca_content => undef
|
||||
ssl_ca => undef,
|
||||
}
|
||||
}
|
||||
|
||||
@ -88,15 +88,12 @@ will be saved, however that's not strictly necessary.
|
||||
|
||||
node default {
|
||||
class { 'storyboard::cert':
|
||||
$ssl_cert_file = undef,
|
||||
$ssl_cert_content = undef,
|
||||
$ssl_cert = '/etc/ssl/certs/storyboard.openstack.org.pem',
|
||||
|
||||
$ssl_key_file = undef,
|
||||
$ssl_key_content = undef,
|
||||
$ssl_key = '/etc/ssl/private/storyboard.openstack.org.key',
|
||||
|
||||
$ssl_ca_file = undef,
|
||||
$ssl_ca_content = undef,
|
||||
$ssl_ca = '/etc/ssl/certs/ca.pem'
|
||||
}
|
||||
|
@ -20,30 +20,17 @@
|
||||
# application will be hosted over https rather than http.
|
||||
#
|
||||
class storyboard::cert (
|
||||
$ssl_cert_file = undef,
|
||||
$ssl_cert_content = undef,
|
||||
$ssl_cert = '/etc/ssl/certs/storyboard.pem',
|
||||
|
||||
$ssl_key_file = undef,
|
||||
$ssl_key_content = undef,
|
||||
$ssl_key = '/etc/ssl/private/storyboard.key',
|
||||
|
||||
$ssl_ca_file = undef,
|
||||
$ssl_ca_content = undef,
|
||||
$ssl_ca = undef, # '/etc/ssl/certs/ca.pem'
|
||||
) {
|
||||
|
||||
if $ssl_cert_file != undef {
|
||||
file { $ssl_cert:
|
||||
owner => 'root',
|
||||
group => 'ssl-cert',
|
||||
mode => '0640',
|
||||
source => $ssl_cert_file,
|
||||
before => Class['storyboard::application'],
|
||||
notify => Class['storyboard::application'],
|
||||
}
|
||||
}
|
||||
elsif $ssl_cert_content != undef {
|
||||
if $ssl_cert_content != undef {
|
||||
file { $ssl_cert:
|
||||
owner => 'root',
|
||||
group => 'ssl-cert',
|
||||
@ -53,21 +40,8 @@ class storyboard::cert (
|
||||
notify => Class['storyboard::application'],
|
||||
}
|
||||
}
|
||||
else {
|
||||
fail('When including storyboard::cert, you must define either $ssl_cert_file or $ssl_cert_content')
|
||||
}
|
||||
|
||||
if $ssl_key_file != undef {
|
||||
file { $ssl_key:
|
||||
owner => 'root',
|
||||
group => 'ssl-cert',
|
||||
mode => '0640',
|
||||
source => $ssl_key_file,
|
||||
before => Class['storyboard::application'],
|
||||
notify => Class['storyboard::application'],
|
||||
}
|
||||
}
|
||||
elsif $ssl_key_content != undef {
|
||||
if $ssl_key_content != undef {
|
||||
file { $ssl_key:
|
||||
owner => 'root',
|
||||
group => 'ssl-cert',
|
||||
@ -77,29 +51,16 @@ class storyboard::cert (
|
||||
notify => Class['storyboard::application'],
|
||||
}
|
||||
}
|
||||
else {
|
||||
fail('When including storyboard::cert, you must define either $ssl_key_file or $ssl_key_content')
|
||||
}
|
||||
|
||||
# CA file needs special treatment, since we want the path variable
|
||||
# to be undef in some cases.
|
||||
if ($ssl_ca_file != undef or $ssl_ca_content != undef) and $ssl_ca == undef {
|
||||
if $ssl_ca == undef and $ssl_ca_content != undef {
|
||||
$resolved_ssl_ca = '/etc/ssl/certs/storyboard.ca.pem'
|
||||
} else {
|
||||
$resolved_ssl_ca = $ssl_ca
|
||||
}
|
||||
|
||||
if $ssl_ca_file != undef {
|
||||
file { $resolved_ssl_ca:
|
||||
owner => 'root',
|
||||
group => 'ssl-cert',
|
||||
mode => '0640',
|
||||
source => $ssl_ca_file,
|
||||
before => Class['storyboard::application'],
|
||||
notify => Class['storyboard::application'],
|
||||
}
|
||||
}
|
||||
elsif $ssl_ca_content != undef {
|
||||
if $ssl_ca_content != undef {
|
||||
file { $resolved_ssl_ca:
|
||||
owner => 'root',
|
||||
group => 'ssl-cert',
|
||||
@ -109,4 +70,4 @@ class storyboard::cert (
|
||||
notify => Class['storyboard::application'],
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
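Review bot: With the `$ssl_key_file` branch removed, nothing in this class sets the owner, group or mode of the private key when `$ssl_key_content` is undef, so a pre-existing key at `$ssl_key` keeps whatever permissions its creator gave it. The `before => Class['storyboard::application']` ordering no longer covers that file either, and the same applies to `$ssl_cert` and the CA file. I would state this in the class header, for example `# When a *_content parameter is undef the file at that path is not managed here: the caller must create it (key readable only by root and group ssl-cert) and order it before storyboard::application.` The bodies of the remaining content-based file resources fall between hunks, so the mode they apply cannot be confirmed from this page.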
@ -30,21 +30,21 @@ class storyboard (
|
||||
$hostname = $::fqdn,
|
||||
$openid_url = 'https://login.launchpad.net/+openid',
|
||||
|
||||
$ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
|
||||
$ssl_cert_content = undef,
|
||||
$ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key',
|
||||
$ssl_cert = '/etc/ssl/certs/ssl-cert-snakeoil.pem',
|
||||
$ssl_key_content = undef,
|
||||
$ssl_ca_file = undef,
|
||||
$ssl_key = '/etc/ssl/private/ssl-cert-snakeoil.key',
|
||||
$ssl_ca_content = undef,
|
||||
$ssl_ca = undef,
|
||||
) {
|
||||
|
||||
class { '::storyboard::cert':
|
||||
ssl_cert_file => $ssl_cert_file,
|
||||
ssl_cert_content => $ssl_cert_content,
|
||||
ssl_key_file => $ssl_key_file,
|
||||
ssl_cert => $ssl_cert,
|
||||
ssl_key_content => $ssl_key_content,
|
||||
ssl_ca_file => $ssl_ca_file,
|
||||
ssl_key => $ssl_key,
|
||||
ssl_ca_content => $ssl_ca_content,
|
||||
ssl_ca => $ssl_ca,
|
||||
}
|
||||
|
||||
class { '::storyboard::rabbit':
|
||||
|
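Review bot: The defaults for `$ssl_cert` and `$ssl_key` now appear to be the system snakeoil paths, and they are passed straight through as the target paths of `::storyboard::cert`. If that class writes `$ssl_cert_content` / `$ssl_key_content` to those paths (its file resource bodies are not visible in this section), a deployer who supplies content without overriding the paths would replace the host's shared snakeoil pair. A comment above the parameters would make the expectation explicit, such as `# Override ssl_cert/ssl_key whenever ssl_*_content is set; the defaults are the shared ssl-cert snakeoil files and are meant for testing only.`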
@ -28,8 +28,8 @@
|
||||
|
||||
SSLCertificateFile <%= scope.lookupvar("storyboard::cert::ssl_cert") %>
|
||||
SSLCertificateKeyFile <%= scope.lookupvar("storyboard::cert::ssl_key") %>
|
||||
<% if scope.lookupvar("storyboard::cert::ssl_ca") != :undef %>
|
||||
SSLCertificateChainFile <%= scope.lookupvar("storyboard::cert::ssl_ca") %>
|
||||
<% if scope.lookupvar("storyboard::cert::resolved_ssl_ca") != :undef %>
|
||||
SSLCertificateChainFile <%= scope.lookupvar("storyboard::cert::resolved_ssl_ca") %>
|
||||
<% end %>
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
|
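Review bot: The guard around `SSLCertificateChainFile` compares the looked-up value only against the `:undef` symbol. What `scope.lookupvar` returns for an unset variable (`:undef`, nil or an empty string) differs between Puppet versions, so on some versions the directive could be rendered with an empty path, which Apache would reject at startup. Reading the value once and testing all three cases is safer: `<% ca = scope.lookupvar("storyboard::cert::resolved_ssl_ca") %>` followed by `<% if ca and ca != :undef and ca != '' %>`, then `<%= ca %>` in the directive. The surrounding vhost block starts and ends outside this hunk.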