Add optional variables for SSL management-console

[slm0n87]

Fixes #564

[wyardley]

👍 from me, can you squash that second commit?

[wyardley]

This looks good to me, can you squash that last commit?

[wyardley]

Not sure if this could introduce any weird behavior. This is undef by default, since the params you're referencing are undef, but if someone set ssl_cacert and tried to explicitly set ssl_management_cacert to undef, it wouldn't work. I think this is still probably the best and most logical behavior (to take those as defaults).

[slm0n87]

@wyardley thx for reviewing. You are right, its was not possible to not set an CA Cert for the mgmnt.
I solved this now by changing the Type to "String or Boolean".
Now the mgmnt CA Cert can be disabled by just setting it to "false".

[wyardley]

@slm0n87 maybe you could make it undef, and then, in the manifest, set it to the value of the other one?

I think setting it to false vs. undef is kind of an anti-pattern, @bastelfreak @alexjfisher - any thoughts on the best way to accomplish this?

[bastelfreak]

all params should be alligned at their =

[bastelfreak]

@wyardley I agree, this is an antipattern and should be avoided.

[wyardley]

I think you could do it this way:

1. default the params to undef
2. if management_ssl is true, and the params are undef, set $_ssl_management_cacert etc. to $rabbitmq::ssl_cacert (in the manifest, not in the class params)
3. if management_ssl is true and param is not undef, use that value instead.

That make sense?

[wyardley]

See also some changes in #649 that may affect this or require a rebase. Basically, I think the cert params should be Optional[Stdlib::Absolutepath] vs just Optional[String]

we should revisit based on discussion

[alexjfisher]

I think there's some issue trying to default one parameter based on another like this. @bastelfreak this came up on IRC IIRC??

[alexjfisher]

Actually, since puppet 4.4.0 (I've been go back through the IRC logs), this should work. https://github.com/puppetlabs/puppet-specifications/blob/master/language/parameter_scope.md#the-default-expression-evaluation.

[alexjfisher]

It took me a little while to figure out why the false option for ssl_management_cacert was needed, but now I have, I actually think the code is OK.

If I understand correctly, you need to default all the parameters to the existing ones for backwards compatibility and because that's what most people will want to do anyway.
There are 2 ways of doing this. You either default them to undef and do it in the manifest, or since puppet 4.4, you can just default the parameters to the others directly in the declaration.

But you also want to account for users who want no ssl_management_cacert file. If you explicitly try to set the parameter to undef, nothing happens, you just get the parameter default. So you've got to allow false instead.

[wyardley]

It took me a little while to figure out why the false option for ssl_management_cacert was needed, but now I have, I actually think the code is OK.

I think if the boolean management_ssl is true, then the various cert files are probably all required, no (at least, a cert and key will be required, and from what I remember from testing, the ca cert may also be required)? So I'm not sure if there's a valid reason to have the ability to suppress these - probably should just default to the non-management ones, and allow overriding.

It doesn't look like the templates support the case where these don't exist, e.g.:

<% if @ssl && @management_ssl -%>
ssl = True
ssl_ca_cert_file = <%= @ssl_cacert %>
ssl_cert_file = <%= @ssl_cert %>
ssl_key_file = <%= @ssl_key %>
port = <%= @ssl_management_port %>

[slm0n87]

reopen Issie (accidentally closed by forced rebasing my forked master)...

[slm0n87]

I updated my patch once more by moving the overwrites for backwards compatibility into the manifest and set them to undef by default.

[wyardley]

I think regardless of how it's coded, ssl_management_cacert can't actually be undef, right? since it still defaults to ssl_cacert if it's not defined?

[wyardley]

@slm0n87 I think this will work, but I think @alexjfisher is right that this still won't allow actually suppressing it, because of the way the defaults work. Given that, I think the bit I commented on in the template is maybe extraneous? Also, the module supports >= 4.7.1 only, so maybe using the default in the params is cleaner after all, though I'm Ok with it as it is here.

Sorry for so much back and forth on this PR, and thanks for all the revisions.

[slm0n87]

@wyardley thx for the feedback - you are welcome. regarding the forth and back, I am aware of the conflict keeping a module most configurablae but backwards compatible :)
So what do you think how we should finally resolve the ssl_management_cacerts? To make your condition in the template back working?
Creating a new boolean variable $_ssl_management_cacert_enable which defaults to true?
I can put the defaults back from the manifest to the declaration for cleaner code.

[slm0n87]

like this slm0n87@3d5ba4b
if its OK I would properly test it and add it to this PR tomorrow.

[wyardley]

@slm0n87 yeah, I think that makes some sense. Having a param was the way I was thinking of suggesting. The current template doesn't seem to support suppressing the cafile, so I think it could be Ok if that's not supported, but maybe you need that feature?

[wyardley]

@slm0n87 Great, two questions then:

1. Can you add spec tests?
2. Do you think we should mirror the same option for the non-management SSL part? Or is the need to suppress the ca file not applicable there?

[slm0n87]

I am not deep enough into spec tests to be able to write tests for my pullrequest. It would be perfect if someone could overtake this which also gives me a good example.
2. We dont have the fallback case for the amqp ssl. So setting variable ssl_cacert = undef (which is the default) results into setting no ssl_cacert in the template.

[bastelfreak]

Can you please add datatypes for the new params?

[wyardley]

I think this is because they're not class params, but variables in config.pp. in init.pp, these all have data types. IIRC, you can't specify data types for variables vs. class params. I think they're not settable since they're in the body of the manifest, though we could also add an explicit assert_private() too maybe?

[wyardley]

I am not deep enough into spec tests to be able to write tests for my pullrequest. It would be perfect if someone could overtake this which also gives me a good example.

I can work on this at some point if I've got the time and submit a PR to your PR. FWIW, I think this is the section, so it might not be as bad as you think to make cases for the specific use cases. While I don't mind adding them, I think it can actually be a pretty useful exercise to add tests yourself.

You'd want to create a describe or context block and test that the new behavior has the right config settings, and also make sure that the tests for the default behavior already ensure that the default behavior does what we think.

https://github.com/voxpupuli/puppet-rabbitmq/blob/master/spec/classes/rabbitmq_spec.rb#L721-L1135
https://github.com/voxpupuli/puppet-rabbitmq/blob/master/.github/CONTRIBUTING.md
also has some info on running tests, and we're happy to help on Slack / IRC.

2. We dont have the fallback case for the amqp ssl. So setting variable ssl_cacert = undef (which is the default) results into setting no ssl_cacert in the template.

Ah, you're right, misread that before. So this solves the case of needing to suppress the CA cert for the management in the case where the main SSL config needs it but management doesn't.

[slm0n87]

• rebased & fix conflicts
• create spec tests for new options

@wyardley @bastelfreak @alexjfisher can you review again?

[wyardley]

Looks good overall, can you explain the one comment I have (inline)?