Allow non-ssl to work correctly
When use_ssl is false, several SSL-related items are still in play, notably mod_ssl. Closes-Bug: #1445047 Change-Id: Iafd26f8eddfd74a90b6a8bde579bf53af57b5893
parent
4294dd9b57
commit
3d4d7bc49d
@ -55,7 +55,7 @@ node.set['apache']['listen_ports'] = listen_ports
|
||||
include_recipe 'apache2'
|
||||
include_recipe 'apache2::mod_wsgi'
|
||||
include_recipe 'apache2::mod_rewrite'
|
||||
include_recipe 'apache2::mod_ssl'
|
||||
include_recipe 'apache2::mod_ssl' if node['openstack']['dashboard']['use_ssl']
|
||||
|
||||
#
|
||||
# Workaround to re-enable selinux after installing apache on a fedora machine that has
|
||||
@ -78,11 +78,12 @@ file "#{node["apache"]["dir"]}/conf.d/openstack-dashboard.conf" do
|
||||
only_if { platform_family?('rhel') } # :pragma-foodcritic: ~FC024 - won't fix this
|
||||
end
|
||||
|
||||
cert_file = "#{node['openstack']['dashboard']['ssl']['dir']}/certs/#{node['openstack']['dashboard']['ssl']['cert']}"
|
||||
cert_mode = 00644
|
||||
cert_owner = 'root'
|
||||
cert_group = 'root'
|
||||
if node['openstack']['dashboard']['ssl']['cert_url']
|
||||
if node['openstack']['dashboard']['use_ssl']
|
||||
cert_file = "#{node['openstack']['dashboard']['ssl']['dir']}/certs/#{node['openstack']['dashboard']['ssl']['cert']}"
|
||||
cert_mode = 00644
|
||||
cert_owner = 'root'
|
||||
cert_group = 'root'
|
||||
if node['openstack']['dashboard']['ssl']['cert_url']
|
||||
remote_file cert_file do
|
||||
sensitive true
|
||||
source node['openstack']['dashboard']['ssl']['cert_url']
|
||||
@ -92,7 +93,7 @@ if node['openstack']['dashboard']['ssl']['cert_url']
|
||||
|
||||
notifies :run, 'execute[restore-selinux-context]', :immediately
|
||||
end
|
||||
else
|
||||
else
|
||||
cookbook_file cert_file do
|
||||
sensitive true
|
||||
source 'horizon.pem'
|
||||
@ -102,19 +103,19 @@ else
|
||||
|
||||
notifies :run, 'execute[restore-selinux-context]', :immediately
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
key_file = "#{node['openstack']['dashboard']['ssl']['dir']}/private/#{node['openstack']['dashboard']['ssl']['key']}"
|
||||
key_mode = 00640
|
||||
key_owner = 'root'
|
||||
case node['platform_family']
|
||||
when 'debian'
|
||||
key_file = "#{node['openstack']['dashboard']['ssl']['dir']}/private/#{node['openstack']['dashboard']['ssl']['key']}"
|
||||
key_mode = 00640
|
||||
key_owner = 'root'
|
||||
case node['platform_family']
|
||||
when 'debian'
|
||||
key_group = 'ssl-cert'
|
||||
else
|
||||
else
|
||||
key_group = 'root'
|
||||
end
|
||||
end
|
||||
|
||||
if node['openstack']['dashboard']['ssl']['key_url']
|
||||
if node['openstack']['dashboard']['ssl']['key_url']
|
||||
remote_file key_file do
|
||||
sensitive true
|
||||
source node['openstack']['dashboard']['ssl']['key_url']
|
||||
@ -125,7 +126,7 @@ if node['openstack']['dashboard']['ssl']['key_url']
|
||||
notifies :restart, 'service[apache2]', :immediately
|
||||
notifies :run, 'execute[restore-selinux-context]', :immediately
|
||||
end
|
||||
else
|
||||
else
|
||||
cookbook_file key_file do
|
||||
sensitive true
|
||||
source 'horizon.key'
|
||||
@ -135,6 +136,7 @@ else
|
||||
|
||||
notifies :run, 'execute[restore-selinux-context]', :immediately
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
# make sure this file has correct permission
|
||||
|
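Review bot: Turning `use_ssl` off on a node that was already converged with it on leaves the earlier state behind, because the new `if node['openstack']['dashboard']['use_ssl']` guard around the cert/key resources and the `include_recipe 'apache2::mod_ssl' if …` modifier only skip resources and remove nothing. The private key under the `private/` directory stays on disk and mod_ssl presumably stays enabled, so the host is not in the state the attribute suggests. Either add an explicit cleanup path or say so above the guard, e.g. `# use_ssl=false only skips these resources; a cert/key deployed by an earlier run is left in place`. The code after the final `end` (under `# make sure this file has correct permission`) continues outside the hunk, so I could not check whether it relies on variables that are now assigned only inside the SSL branch.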
@ -56,13 +56,18 @@ describe 'openstack-dashboard::apache2-server' do
|
||||
expect(chef_run).not_to run_execute(cmd)
|
||||
end
|
||||
|
||||
it 'installs apache packages' do
|
||||
it 'includes apache packages' do
|
||||
expect(chef_run).to include_recipe('apache2')
|
||||
expect(chef_run).to include_recipe('apache2::mod_wsgi')
|
||||
expect(chef_run).to include_recipe('apache2::mod_rewrite')
|
||||
expect(chef_run).to include_recipe('apache2::mod_ssl')
|
||||
end
|
||||
|
||||
it 'does not include the apache mod_ssl package when ssl disabled' do
|
||||
node.set['openstack']['dashboard']['use_ssl'] = false
|
||||
expect(chef_run).not_to include_recipe('apache2::mod_ssl')
|
||||
end
|
||||
|
||||
it 'does not execute set-selinux-enforcing' do
|
||||
cmd = '/sbin/setenforce Enforcing ; restorecon -R /etc/httpd'
|
||||
expect(chef_run).not_to run_execute(cmd)
|
||||
@ -117,6 +122,12 @@ describe 'openstack-dashboard::apache2-server' do
|
||||
)
|
||||
expect(remote_key).to notify('service[apache2]').to(:restart)
|
||||
end
|
||||
|
||||
it 'does not mess with certs if ssl not enabled' do
|
||||
node.set['openstack']['dashboard']['use_ssl'] = false
|
||||
expect(chef_run).not_to create_cookbook_file(crt)
|
||||
expect(chef_run).not_to create_cookbook_file(key)
|
||||
end
|
||||
end
|
||||
|
||||
it 'creates .blackhole dir with proper owner' do
|
||||
|
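Review bot: The new example 'does not mess with certs if ssl not enabled' asserts only on `create_cookbook_file`, so the `remote_file` branch taken when `cert_url`/`key_url` are set is not covered with `use_ssl` false. Add `expect(chef_run).not_to create_remote_file(crt)` and `expect(chef_run).not_to create_remote_file(key)`, ideally in an example that also sets the two URL attributes so the assertion cannot pass by default. `crt` and `key` are defined outside the hunk, so I am assuming they hold the rendered file paths.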
@ -127,6 +127,13 @@ describe 'openstack-dashboard::horizon' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^OPENSTACK_SSL_NO_VERIFY = False$/)
|
||||
end
|
||||
end
|
||||
|
||||
context 'not set when ssl disabled' do
|
||||
it 'has a True value for the OPENSTACK_SSL_NO_VERIFY attribute' do
|
||||
node.set['openstack']['dashboard']['use_ssl'] = false
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^OPENSTACK_SSL_NO_VERIFY = True$/)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
it 'config ssl_cacert' do
|
||||
@ -134,6 +141,12 @@ describe 'openstack-dashboard::horizon' do
|
||||
expect(chef_run).to render_file(file.name).with_content(/^OPENSTACK_SSL_CACERT = '\/path_to_cacert.pem'$/)
|
||||
end
|
||||
|
||||
it 'does not config ssl_cacert when ssl disabled' do
|
||||
node.set['openstack']['dashboard']['use_ssl'] = false
|
||||
node.set['openstack']['dashboard']['ssl_cacert'] = '/path_to_cacert.pem'
|
||||
expect(chef_run).not_to render_file(file.name).with_content(/^OPENSTACK_SSL_CACERT = '\/path_to_cacert.pem'$/)
|
||||
end
|
||||
|
||||
it 'has some allowed hosts set' do
|
||||
node.set['openstack']['dashboard']['allowed_hosts'] = ['dashboard.example.net']
|
||||
expect(chef_run).to render_file(file.name).with_content(/^ALLOWED_HOSTS = \["dashboard.example.net"\]$/)
|
||||
|
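Review bot: The example in `context 'not set when ssl disabled'` can pass without the template guard, because it only rejects the line `OPENSTACK_SSL_NO_VERIFY = True`. The preceding example in this hunk shows the setting rendering as `False`, and nothing visible sets `ssl_no_verify` to `True` first. Match the key regardless of value, `expect(chef_run).not_to render_file(file.name).with_content(/^OPENSTACK_SSL_NO_VERIFY = /)`, and rename the example from 'has a True value …' to something like `it 'omits OPENSTACK_SSL_NO_VERIFY'`. The enclosing context opens outside the hunk, so a `before` block there may change this.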
@ -162,6 +162,7 @@ OPENSTACK_KEYSTONE_URL = "<%= @auth_uri %>"
|
||||
OPENSTACK_KEYSTONE_ADMIN_URL = "<%= @auth_admin_uri %>"
|
||||
OPENSTACK_KEYSTONE_DEFAULT_ROLE = "<%= node["openstack"]["dashboard"]["keystone_default_role"] %>"
|
||||
|
||||
<% if node["openstack"]["dashboard"]["use_ssl"] %>
|
||||
# Disable SSL certificate checks (useful for self-signed certificates):
|
||||
# OPENSTACK_SSL_NO_VERIFY = True
|
||||
OPENSTACK_SSL_NO_VERIFY = <%= node['openstack']['dashboard']['ssl_no_verify'] %>
|
||||
@ -171,6 +172,7 @@ OPENSTACK_SSL_NO_VERIFY = <%= node['openstack']['dashboard']['ssl_no_verify'] %>
|
||||
<% if node['openstack']['dashboard']['ssl_cacert'] %>
|
||||
OPENSTACK_SSL_CACERT = '<%= node['openstack']['dashboard']['ssl_cacert'] %>'
|
||||
<% end %>
|
||||
<% end %>
|
||||
|
||||
# The OPENSTACK_KEYSTONE_BACKEND settings can be used to identify the
|
||||
# capabilities of the auth backend for Keystone.
|
||||
|
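Review bot: `OPENSTACK_SSL_NO_VERIFY` and `OPENSTACK_SSL_CACERT` control how Horizon's API clients verify the certificates of the OpenStack endpoints they call, which is independent of whether the dashboard's own Apache vhost serves TLS, so gating them on `use_ssl` looks wrong. With this guard, a plain-HTTP dashboard talking to an HTTPS Keystone can no longer be pointed at a private CA through `ssl_cacert`, and the attribute is dropped silently. I would leave the `<% if node['openstack']['dashboard']['ssl_cacert'] %>` block outside the new `<% if node["openstack"]["dashboard"]["use_ssl"] %>` conditional, or gate both settings on a separate attribute that describes the backend connection.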