Merge pull request #1446 from saz/allow_multiple_ssl

kenyon · web-flow · commit d51a170a4134 · 2021-03-28T11:35:43.000-07:00
allow configuration of multiple ssl certificates and keys
diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp
@@ -86,6 +86,7 @@
 #   Pre-generated SSL Certificate file to reference for SSL Support. This is
 #   not generated by this module.  Set to `false` to inherit from the http
 #   section, which improves performance by conserving memory.
+#   Use an array to add multiple SSL Certificates.
 # @param ssl_client_cert
 #   Pre-generated SSL Certificate file to reference for client verify SSL
 #   Support. This is not generated by this module.
@@ -111,6 +112,7 @@
 #   Pre-generated SSL Key file to reference for SSL Support. This is not
 #   generated by this module. Set to `false` to inherit from the http section,
 #   which improves performance by conserving memory.
+#   Use an array to add multiple SSL Keys.
 # @param ssl_port
 #   Default IP Port for NGINX to listen with this SSL server on.
 # @param ssl_protocols
@@ -294,14 +296,14 @@
   Hash $add_header                                                               = {},
   Boolean $ssl                                                                   = false,
   Boolean $ssl_listen_option                                                     = true,
-  Optional[Variant[String, Boolean]] $ssl_cert                                   = undef,
+  Optional[Variant[String, Boolean, Array[String]]] $ssl_cert                    = undef,
   Optional[String] $ssl_client_cert                                              = undef,
   String $ssl_verify_client                                                      = 'on',
   Optional[String] $ssl_dhparam                                                  = undef,
   Optional[String] $ssl_ecdh_curve                                               = undef,
   Boolean $ssl_redirect                                                          = false,
   Optional[Integer] $ssl_redirect_port                                           = undef,
-  Optional[Variant[String, Boolean]] $ssl_key                                    = undef,
+  Optional[Variant[String, Boolean, Array[String]]] $ssl_key                     = undef,
   Integer $ssl_port                                                              = 443,
   Optional[Enum['on', 'off']] $ssl_prefer_server_ciphers                         = undef,
   Optional[String] $ssl_protocols                                                = undef,
@@ -592,8 +594,23 @@
   if $ssl {
     # Access and error logs are named differently in ssl template
 
-    File <| title == $ssl_cert or path == $ssl_cert or title == $ssl_key or path == $ssl_key |>
-    -> concat::fragment { "${name_sanitized}-ssl-header":
+    if $ssl_key {
+      $ssl_key_real = $ssl_key.flatten
+      $ssl_key_real.each | $key | {
+        File <| title == $key or path == $key |> {
+          before => Concat::Fragment["${name_sanitized}-ssl-header"],
+        }
+      }
+    }
+    if $ssl_cert {
+      $ssl_cert_real = $ssl_cert.flatten
+      $ssl_cert_real.each | $cert | {
+        File <| title == $cert or path == $cert |> {
+          before => Concat::Fragment["${name_sanitized}-ssl-header"],
+        }
+      }
+    }
+    concat::fragment { "${name_sanitized}-ssl-header":
       target  => $config_file,
       content => template('nginx/server/server_ssl_header.erb'),
       order   => '700',
diff --git a/spec/defines/resource_server_spec.rb b/spec/defines/resource_server_spec.rb
@@ -1250,6 +1250,19 @@
             it { is_expected.to contain_concat__fragment("#{title}-ssl-header").without_content(%r{ssl_certificate_key}) }
           end
 
+          context 'SSL cert and key are both an array' do
+            let(:params) { {
+              ssl: true,
+              ssl_cert: ['/tmp/foo1.crt', '/tmp/foo2.crt'],
+              ssl_key: ['/tmp/foo1.key', '/tmp/foo2.key'],
+            } }
+
+            it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+/tmp/foo1.crt}) }
+            it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+/tmp/foo1.key}) }
+            it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate\s+/tmp/foo2.crt}) }
+            it { is_expected.to contain_concat__fragment("#{title}-ssl-header").with_content(%r{ssl_certificate_key\s+/tmp/foo2.key}) }
+          end
+
           context 'when use_default_location => true' do
             let :params do
               default_params.merge(use_default_location: true)
diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb
@@ -1,11 +1,15 @@
 <% if scope.call_function('versioncmp', [scope['nginx::nginx_version'], '1.15.0']) < 0 -%>
   ssl on;
 <% end -%>
-<% if @ssl_cert -%>
-  ssl_certificate           <%= @ssl_cert %>;
+<% if @ssl_cert_real -%>
+<% @ssl_cert_real.each do | cert | -%>
+  ssl_certificate           <%= cert %>;
+<% end -%>
+<% end -%>
+<% if @ssl_key_real -%>
+<% @ssl_key_real.each do | key | -%>
+  ssl_certificate_key       <%= key %>;
 <% end -%>
-<% if @ssl_key -%>
-  ssl_certificate_key       <%= @ssl_key %>;
 <% end -%>
 <% if defined? @ssl_client_cert -%>
   ssl_client_certificate    <%= @ssl_client_cert %>;
