Fixes #29892 - Use server certs for websockets

Prior to this the user needed to specify the certs both for the server and websockets. In practice these are pretty much always the same files. By using undef + pick() the option to specify these is maintained, but the defaults are better.
theforeman · May 24, 2020 · 2dc5e7d · 2dc5e7d
1 parent 58c797b
commit 2dc5e7d
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 8 deletions.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -19,6 +19,10 @@
     }
   }
 
+  # Used in the settings template
+  $websockets_ssl_cert = pick($foreman::websockets_ssl_cert, $foreman::server_ssl_cert)
+  $websockets_ssl_key = pick($foreman::websockets_ssl_key, $foreman::server_ssl_key)
+
   concat::fragment {'foreman_settings+01-header.yaml':
     target  => '/etc/foreman/settings.yaml',
     content => template('foreman/settings.yaml.erb'),

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -273,8 +273,8 @@
   String $pam_service = $foreman::params::pam_service,
   Boolean $ipa_manage_sssd = $foreman::params::ipa_manage_sssd,
   Boolean $websockets_encrypt = $foreman::params::websockets_encrypt,
-  Stdlib::Absolutepath $websockets_ssl_key = $foreman::params::websockets_ssl_key,
-  Stdlib::Absolutepath $websockets_ssl_cert = $foreman::params::websockets_ssl_cert,
+  Optional[Stdlib::Absolutepath] $websockets_ssl_key = $foreman::params::websockets_ssl_key,
+  Optional[Stdlib::Absolutepath] $websockets_ssl_cert = $foreman::params::websockets_ssl_cert,
   Enum['debug', 'info', 'warn', 'error', 'fatal'] $logging_level = $foreman::params::logging_level,
   Enum['file', 'syslog', 'journald'] $logging_type = $foreman::params::logging_type,
   Enum['pattern', 'multiline_pattern', 'json'] $logging_layout = $foreman::params::logging_layout,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -183,8 +183,8 @@
 
   # Websockets
   $websockets_encrypt = true
-  $websockets_ssl_key = $server_ssl_key
-  $websockets_ssl_cert = $server_ssl_cert
+  $websockets_ssl_key = undef
+  $websockets_ssl_cert = undef
 
   # Application logging
   $logging_level = 'info'

diff --git a/spec/classes/foreman_spec.rb b/spec/classes/foreman_spec.rb
@@ -31,6 +31,8 @@
             .with_content(/^:oauth_consumer_key:\s*\w+$/)
             .with_content(/^:oauth_consumer_secret:\s*\w+$/)
             .with_content(/^:websockets_encrypt:\s*true$/)
+            .with_content(%r{^:websockets_ssl_key:\s*/etc/puppetlabs/puppet/ssl/private_keys/foo\.example\.com\.pem$})
+            .with_content(%r{^:websockets_ssl_cert:\s*/etc/puppetlabs/puppet/ssl/certs/foo\.example\.com\.pem$})
             .with_content(%r{^:ssl_certificate:\s*/etc/puppetlabs/puppet/ssl/certs/foo\.example\.com\.pem$})
             .with_content(%r{^:ssl_ca_file:\s*/etc/puppetlabs/puppet/ssl/certs/ca.pem$})
             .with_content(%r{^:ssl_priv_key:\s*/etc/puppetlabs/puppet/ssl/private_keys/foo\.example\.com\.pem$})
@@ -236,8 +238,8 @@
             pam_service: 'foreman',
             ipa_manage_sssd: true,
             websockets_encrypt: true,
-            websockets_ssl_key: '/etc/ssl/private/snakeoil.pem',
-            websockets_ssl_cert: '/etc/ssl/certs/snakeoil.pem',
+            websockets_ssl_key: '/etc/ssl/private/snakeoil-ws.pem',
+            websockets_ssl_cert: '/etc/ssl/certs/snakeoil-ws.pem',
             logging_level: 'info',
             loggers: {},
             email_delivery_method: 'sendmail',
@@ -260,6 +262,12 @@
             .with_keycloak_app_name('cloak-app')
             .with_keycloak_realm('myrealm')
         end
+
+        it 'should configure certificates in settings.yaml' do
+          is_expected.to contain_concat__fragment('foreman_settings+01-header.yaml')
+            .with_content(%r{^:websockets_ssl_key: /etc/ssl/private/snakeoil-ws\.pem$})
+            .with_content(%r{^:websockets_ssl_cert: /etc/ssl/certs/snakeoil-ws\.pem$})
+        end
       end
 
       context 'with journald logging' do

diff --git a/templates/settings.yaml.erb b/templates/settings.yaml.erb
@@ -17,8 +17,8 @@
 
 # Websockets
 :websockets_encrypt: <%= scope.lookupvar("foreman::websockets_encrypt") %>
-:websockets_ssl_key: <%= scope.lookupvar("foreman::websockets_ssl_key") %>
-:websockets_ssl_cert: <%= scope.lookupvar("foreman::websockets_ssl_cert") %>
+:websockets_ssl_key: <%= @websockets_ssl_key %>
+:websockets_ssl_cert: <%= @websockets_ssl_cert %>
 
 # SSL-settings
 :ssl_certificate: <%= scope.lookupvar("foreman::client_ssl_cert") %>