Allow OpenStack SSL certs + keys to take path or content #10271
Conversation
|
Before I dive into this, does this seem like a reasonable change to make? Seems like it would only require changing a couple lines here and adding some tests. |
|
That's a good question. I know other fields, such as SSH keys and such, have been modified over time to take the contents of a file rather than a file path, so this would align with those changes. Is there precedence elsewhere in Terraform for using SSL cert contents? |
|
@jtopjian the aws_iam_server_certificate resource only takes the body and suggests you use the Given there's a bit of precedence but we still need to maintain backwards compatibility, sounds like I can move ahead with updating the OpenStack provider to take either the contents of the SSL certs or a path to the cert. Please let me know if that doesn't seem right. |
ljfranklin
force-pushed
the
PR-openstack-ssl-content
branch
2 times, most recently
from
c84a510 to
39f06ff
Compare
ljfranklin
force-pushed
the
PR-openstack-ssl-content
branch
from
39f06ff to
c40576c
Compare
|
@jtopjian was hoping to get a little guidance on writing acceptance tests in Terraform. I'm trying to write a few tests against the OpenStack provider directly. For example, given a provider option Is there a way to mark a test as an acceptance test? I tried to create a test using |
|
@ljfranklin Good question. I did a cursory look but I'm not entirely sure. I'm going to ping @stack72 or @mitchellh and see if they know off-hand rather than us spin our wheels :) |
|
@jtopjian @stack72 @mitchellh gentle bump on the above testing framework question :) |
ljfranklin
force-pushed
the
PR-openstack-ssl-content
branch
from
c40576c to
8fd3b7e
Compare
|
@jtopjian I ended up just skipping the provider tests that need to hit the OpenStack API unless |
ljfranklin
changed the title
|
@ljfranklin Sorry for the late reply, I've been traveling for work. This all sounds good to me. I want to set up a dev environment to verify the acceptance tests, though. I'll try to get to that within the next week. |
|
@ljfranklin I had some time to test this out today. I had to review #6279 to remember how to do it. I configured a test OpenStack environment to use the demo certificates that can be found here: https://github.com/OpenVPN/openvpn/tree/master/sample/sample-keys Once I did that, I was able to compile a However, I ran into problems with the acceptance tests that you made, using the certs that you included: I tried using the certs obtained from the link above, but since the tests are not checking the CA file, they still fail. Perhaps I ran something incorrectly? Here's what I did to set up my test environment: Using the cert link above, I saved the following files locally: I then configured apache like so: and The Keystone catalog and all OpenStack components were then updated to use https for the above Keystone services. The server hostname was also modified, etc etc. On the client side, specifying Configuring Terraform like so also worked: provider "openstack" {
key = "/etc/ssl/certs/client.key"
cert = "/etc/ssl/certs/client.crt"
cacert_file = "/etc/ssl/certs/ca.crt"
}
resource "openstack_compute_servergroup_v2" "test" {
name = "test"
policies = ["anti-affinity"]
}With all of the above said, given the complexity required to set up a test environment to run these tests, I think a conditional should be added to the tests in addition to |
ljfranklin
force-pushed
the
PR-openstack-ssl-content
branch
from
8fd3b7e to
a7a3e43
Compare
|
@jtopjian thanks for fighting through that environment setup! I just pushed an update with the changes below. I think the "TestAccProvider_caCertString" and "TestAccProvider_caCertFile" tests are failing due to a slightly different error string, possibly OS dependent. On Linux I got "x509: certificate signed by unknown authority" but your error is "remote error: tls: unknown certificate authority". I changed my test to check for "certificate" rather than "x509" to sidestep the issue but I'm open to other ideas that are less brittle. I added the "OS_CLIENT_SSL_TESTS" variable to skip the client SSL tests as the environment setup is a pain. I left the "TestAccProvider_caCert" tests without this skip as they are more around client-side validation rather than special server-side validation and should pass in a vanilla environment. For the failing "TestAccProvider_clientCert" tests, I think you just need to set "OS_CACERT" environment variable before running those tests and the provider should pick it up. I didn't require that env variable in the test as you could have an OpenStack with Server certs signed by a legit CA, but use a different private CA to sign your client certs. |
Just an aside: my test environment is CentOS. Would it be better to write the test so that the entire certificate chain passes? This would include a cert, key, and ca file. If any of the three aren't valid certificates, then the test wouldn't pass. I think this would end up being the existing
Thanks! And agreed.
You're right - I was switching back and forth between the demo certs I downloaded and the ones you included and the CA was not set up correctly for the former. However, with the cert/key that you included, I'm getting certificate validation errors that, I think, a CA file would resolve. Are you able to run the tests with just the cert/key included in this PR? |
ljfranklin
force-pushed
the
PR-openstack-ssl-content
branch
from
a7a3e43 to
c44da1f
Compare
|
@jtopjian pushed a couple more changes.
I kinda like leaving them as separate tests as they are two separate features. One has the TF CLI verify the cert from the server, the other is a server-side authentication feature. That said, I think the negative test was more trouble than it was worth so I removed the fake certs and require that the user pass the real CA cert.
The included cert and key were only used for the negative CA tests, so I just removed them. Whatever certs and CA you have nginx configured with should be fine. |
|
Thank you for your patience with this! I think the last modification to make would be to make the two caCert tests run only on the Then the comment you made here: Can be moved to the top of the series of tests and explain that these tests are only valid for test environments that are configured with https endpoints which require a valid SSL chain consisting of a cert, key, and intermediate cert. Does that make sense? I really apologize for, more or less, grilling the testing part of this PR. I just want to make sure that the tests are correct yet only run under the right condition. Neither Packstack nor Devstack (which are used to test the OpenStack support) are able to set up this kind of SSL environment out of the box. :/ |
- OpenStack provider now supports either a path or the file contents for `cacert_file`, `cert`, and `key` - Makes it easier to automate TF by passing in certs as environment variables - set `OS_SSL_TESTS=true` to run the acceptance tests
ljfranklin
force-pushed
the
PR-openstack-ssl-content
branch
from
c44da1f to
3b7cf41
Compare
|
@jtopjian no worries, appreciate you sticking with it! Changed the var to "OS_SSL_TESTS" and it is now being checked for all four tests. |
|
Looks good! I'll merge this in the next day or so. I'll be offline traveling and I don't want to merge and disappear :) |
|
@ljfranklin Thank you for your patience and help with this! |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
ghost
locked and limited conversation to collaborators
The goal of this PR is to allow the existing OpenStack provider fields
cacert_file,cert, andkeyto take either a path to the file (existing behavior) or the contents of the file itself (new functionality). This will make it easier to interact with Terraform in CI via environment variables.