From 9df58642c62387acda2bba11f5423c45bf69399d Mon Sep 17 00:00:00 2001 
From: Juan Antonio Osorio Robles Date: Fri, 17 Mar 2017 11:24:04 +0200 Subject: [PATCH] RHEL: Add mod_ssl for services running over httpd MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This Apache module is necessary for when one wants to use TLS for the services running over httpd. This only addresses RHEL-based systems at the moment, since there is no such package available for Ubuntu. This requires apache2.2-common, which will carry a lot more dependencies, so I think this should be handled and decided in a separate patch. When installing mod_ssl in RHEL-based distributions, an ssl.conf file is installed in the /etc/httpd/conf.d directory. This file tells httpd to listen on port 443; however, we don't want to do this by default, since this should be explicitly enabled by the container's configuration. This line is thus removed from the configuration. A release note was added, which specifies this. The last sentence can be removed if this is addressed for debian/ubuntu as well.
Related-Bug: #1675490
Co-Authored-By: Martin André
Change-Id: Id6215d31547247309d43c031e163fa9e4c4ec5dc
---
 doc/image-building.rst | 1 +
 docker/aodh/aodh-base/Dockerfile.j2 | 8 ++++++--
 docker/ceilometer/ceilometer-api/Dockerfile.j2 | 10 +++++++---
 docker/cinder/cinder-api/Dockerfile.j2 | 12 ++++++++----
 docker/freezer/freezer-api/Dockerfile.j2 | 4 +++-
 docker/gnocchi/gnocchi-base/Dockerfile.j2 | 8 ++++++--
 docker/heat/heat-base/Dockerfile.j2 | 13 ++++++++-----
 docker/horizon/Dockerfile.j2 | 6 +++++-
 docker/ironic/ironic-pxe/Dockerfile.j2 | 6 ++++--
 docker/keystone/keystone-base/Dockerfile.j2 | 8 ++++++--
 docker/nova/nova-api/Dockerfile.j2 | 12 ++++++++----
 docker/nova/nova-placement-api/Dockerfile.j2 | 10 +++++++---
 docker/panko/panko-base/Dockerfile.j2 | 8 ++++++--
 .../Add-mod_ssl-to-images-2d2972c3cf794f65.yaml | 6 ++++++
 14 files changed, 81 insertions(+), 31 deletions(-)
 create mode 100644 releasenotes/notes/Add-mod_ssl-to-images-2d2972c3cf794f65.yaml
diff --git a/doc/image-building.rst b/doc/image-building.rst
index 3b8ae1d71c..18cc3494f4 100644
--- a/doc/image-building.rst
+++ b/doc/image-building.rst
@@ -209,6 +209,7 @@ as part of a binary install type build:
 * ``openstack-dashboard``
 * ``httpd``
 * ``mod_wsgi``
+* ``mod_ssl``
 * ``gettext``
 To add a package to this list, say, ``iproute``, first create a file, e.g.
diff --git a/docker/aodh/aodh-base/Dockerfile.j2 b/docker/aodh/aodh-base/Dockerfile.j2
index 0b04a6486a..02af44bb1b 100644
--- a/docker/aodh/aodh-base/Dockerfile.j2
+++ b/docker/aodh/aodh-base/Dockerfile.j2
@@ -14,13 +14,15 @@ MAINTAINER {{ maintainer }}
 'openstack-aodh-common',
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'python-ldappool'
 ] %}
 {{ macros.install_packages(aodh_base_packages | customizable("packages")) }}
 RUN mkdir -p /var/www/cgi-bin/aodh \
 && cp -a /usr/lib/python2.7/site-packages/aodh/api/app.wsgi /var/www/cgi-bin/aodh/ \
- && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+ && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
 {% set aodh_base_packages = [
@@ -42,12 +44,14 @@ RUN mkdir -p /var/www/cgi-bin/aodh \
 {% set aodh_base_packages = [
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'python-ldappool'
 ] %}
 {{ macros.install_packages(aodh_base_packages | customizable("packages")) }}
 RUN mkdir -p /var/www/cgi-bin/aodh \
- && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+ && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu', 'debian'] %}
 {% set aodh_base_packages = [
diff --git a/docker/ceilometer/ceilometer-api/Dockerfile.j2 b/docker/ceilometer/ceilometer-api/Dockerfile.j2
index 885155e74d..69716b2dc6 100644
--- a/docker/ceilometer/ceilometer-api/Dockerfile.j2
+++ b/docker/ceilometer/ceilometer-api/Dockerfile.j2
@@ -10,10 +10,12 @@ MAINTAINER {{ maintainer }}
 {% set ceilometer_api_packages = [
 'openstack-ceilometer-api',
 'httpd',
- 'mod_wsgi'
+ 'mod_wsgi',
+ 'mod_ssl'
 ] %}
 {{ macros.install_packages(ceilometer_api_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
 {% set ceilometer_api_packages = [
 'ceilometer-api',
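Review bot: Nothing verifies that the new `sed` on `/etc/httpd/conf.d/ssl.conf` actually commented out the `Listen 443` line, so if a later `mod_ssl` package renames or reformats that directive the image silently keeps port 443 open while the release note says it is off by default; the same applies to every `Listen 443` hunk in this patch (ceilometer-api, cinder-api, freezer-api, gnocchi-base, heat-base, horizon, ironic-pxe, keystone-base, nova-api, nova-placement-api, panko-base). A guard appended to the chain turns that drift into a build failure instead: `&& ! grep -q '^Listen 443' /etc/httpd/conf.d/ssl.conf`. Only the `Listen` directive is neutralised here; whatever else the package's ssl.conf configures (its default port-443 virtual host and TLS protocol/cipher defaults, if this package version ships them) stays in force and becomes live as soon as a container configuration re-adds `Listen 443`, which deserves a comment such as `# ssl.conf is shipped by mod_ssl; only its Listen is disabled, the rest of the file applies once 443 is enabled` above the `RUN`. The identical `Listen 80`/`Listen 443` pair is now repeated in thirteen Dockerfiles; a macro next to `macros.install_packages` would keep them from drifting apart. The `{% if %}` branch enclosing this `RUN` chain begins outside the hunk.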
@@ -32,13 +34,15 @@ RUN echo > /etc/apache2/ports.conf
 {% set ceilometer_api_packages = [
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'gettext'
 ] %}
 {{ macros.install_packages(ceilometer_api_packages | customizable("packages")) }}
 {% block ceilometer_api_redhat_source_setup %}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% endblock %}
 {% elif base_distro in ['ubuntu', 'debian'] %}
diff --git a/docker/cinder/cinder-api/Dockerfile.j2 b/docker/cinder/cinder-api/Dockerfile.j2
index 6c6800fba7..a99dba4bda 100644
--- a/docker/cinder/cinder-api/Dockerfile.j2
+++ b/docker/cinder/cinder-api/Dockerfile.j2
@@ -10,10 +10,12 @@ MAINTAINER {{ maintainer }}
 {% set cinder_api_packages = [
 'python-keystone',
 'httpd',
- 'mod_wsgi'
+ 'mod_wsgi',
+ 'mod_ssl'
 ] %}
 {{ macros.install_packages(cinder_api_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
 {% set cinder_api_packages = [
 'cinder-api',
@@ -28,10 +30,12 @@ RUN echo > /etc/apache2/ports.conf
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 {% set cinder_api_packages = [
 'httpd',
- 'mod_wsgi'
+ 'mod_wsgi',
+ 'mod_ssl'
 ] %}
 {{ macros.install_packages(cinder_api_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
 {% set cinder_api_packages = [
 'apache2',
diff --git a/docker/freezer/freezer-api/Dockerfile.j2 b/docker/freezer/freezer-api/Dockerfile.j2
index 3e5fd5bbfc..f3b9831530 100644
--- a/docker/freezer/freezer-api/Dockerfile.j2
+++ b/docker/freezer/freezer-api/Dockerfile.j2
@@ -15,12 +15,14 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% if base_distro in ['centos', 'oraclelinux', 'rhel'] %}
 {% set freezer_api_packages = [
 'mod_wsgi',
+ 'mod_ssl',
 'httpd'
 ] %}
 {{ macros.install_packages(freezer_api_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu', 'debian'] %}
 {% set freezer_api_packages = [
 'libapache2-mod-wsgi',
diff --git a/docker/gnocchi/gnocchi-base/Dockerfile.j2 b/docker/gnocchi/gnocchi-base/Dockerfile.j2
index 13f1ac5a2e..2011dec33c 100644
--- a/docker/gnocchi/gnocchi-base/Dockerfile.j2
+++ b/docker/gnocchi/gnocchi-base/Dockerfile.j2
@@ -14,12 +14,14 @@ MAINTAINER {{ maintainer }}
 'openstack-gnocchi-common',
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'python-ldappool',
 'python-rados'
 ] %}
 {{ macros.install_packages(gnocchi_base_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
 {% set gnocchi_base_packages = [
@@ -40,12 +42,14 @@ RUN truncate -s 0 /etc/apache2/ports.conf
 {% set gnocchi_base_packages = [
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'python-ldappool',
 'python-rados'
 ] %}
 {{ macros.install_packages(gnocchi_base_packages | customizable("packages")) }}
 RUN mkdir -p /var/www/cgi-bin/gnocchi \
- && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+ && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu', 'debian'] %}
 {% set gnocchi_base_packages = [
diff --git a/docker/heat/heat-base/Dockerfile.j2 b/docker/heat/heat-base/Dockerfile.j2
index 49ec781cef..933c9e4290 100644
--- a/docker/heat/heat-base/Dockerfile.j2
+++ b/docker/heat/heat-base/Dockerfile.j2
@@ -13,10 +13,12 @@ MAINTAINER {{ maintainer }}
 {% set heat_base_packages = [
 'openstack-heat-common',
 'httpd',
- 'mod_wsgi'
+ 'mod_wsgi',
+ 'mod_ssl'
 ] %}
 {{ macros.install_packages(heat_base_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
 {% set heat_base_packages = [
 'heat-common',
@@ -33,11 +35,12 @@ RUN echo > /etc/apache2/ports.conf
 {% set heat_base_packages = [
 'httpd',
- 'mod_wsgi'
+ 'mod_wsgi',
+ 'mod_ssl'
 ] %}
-
 {{ macros.install_packages(heat_base_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
diff --git a/docker/horizon/Dockerfile.j2 b/docker/horizon/Dockerfile.j2
index 7948808a4e..f6d63b695f 100644
--- a/docker/horizon/Dockerfile.j2
+++ b/docker/horizon/Dockerfile.j2
@@ -14,6 +14,7 @@ MAINTAINER {{ maintainer }}
 'openstack-dashboard',
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'gettext',
 'openstack-cloudkitty-ui',
 'openstack-ironic-ui',
@@ -30,6 +31,7 @@ MAINTAINER {{ maintainer }}
 {% block horizon_redhat_binary_setup %}
 RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf \
 && ln -s /usr/share/openstack-dashboard/openstack_dashboard /usr/lib/python2.7/site-packages/openstack_dashboard \
 && ln -s /usr/share/openstack-dashboard/static /usr/lib/python2.7/site-packages/static \
 && chown -R horizon: /etc/openstack-dashboard /usr/share/openstack-dashboard \
@@ -81,13 +83,15 @@ RUN echo > /etc/apache2/ports.conf \
 {% set horizon_packages = [
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'gettext'
 ] %}
 {{ macros.install_packages(horizon_packages | customizable("packages")) }}
 {% block horizon_redhat_source_setup %}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% endblock %}
 {% elif base_distro in ['ubuntu', 'debian'] %}
diff --git a/docker/ironic/ironic-pxe/Dockerfile.j2 b/docker/ironic/ironic-pxe/Dockerfile.j2
index 658a83d631..79e71393d2 100644
--- a/docker/ironic/ironic-pxe/Dockerfile.j2
+++ b/docker/ironic/ironic-pxe/Dockerfile.j2
@@ -11,10 +11,12 @@ MAINTAINER {{ maintainer }}
 'syslinux-tftpboot',
 'httpd',
 'ipxe-bootimgs',
- 'mod_wsgi'
+ 'mod_wsgi',
+ 'mod_ssl'
 ] %}
 {{ macros.install_packages(ironic_pxe_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu', 'debian'] %}
 {% set ironic_pxe_packages = [
 'tftpd-hpa',
diff --git a/docker/keystone/keystone-base/Dockerfile.j2 b/docker/keystone/keystone-base/Dockerfile.j2
index 9b33a55554..a4d98efa4c 100644
--- a/docker/keystone/keystone-base/Dockerfile.j2
+++ b/docker/keystone/keystone-base/Dockerfile.j2
@@ -14,6 +14,7 @@ MAINTAINER {{ maintainer }}
 'python-keystoneclient',
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'python-ldappool'
 ] %}
@@ -21,7 +22,8 @@ MAINTAINER {{ maintainer }}
 RUN mkdir -p /var/www/cgi-bin/keystone \
 && cp -a /usr/bin/keystone-wsgi-public /var/www/cgi-bin/keystone/main \
 && cp -a /usr/bin/keystone-wsgi-admin /var/www/cgi-bin/keystone/admin \
- && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+ && sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
 {% set keystone_base_packages = [
@@ -44,10 +46,12 @@ RUN mkdir -p /var/www/cgi-bin/keystone \
 {% set keystone_base_packages = [
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'python-ldappool'
 ] %}
 {{ macros.install_packages(keystone_base_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu', 'debian'] %}
 {% set keystone_base_packages = [
diff --git a/docker/nova/nova-api/Dockerfile.j2 b/docker/nova/nova-api/Dockerfile.j2
index 287b3a2d0e..ae08ffe658 100644
--- a/docker/nova/nova-api/Dockerfile.j2
+++ b/docker/nova/nova-api/Dockerfile.j2
@@ -11,10 +11,12 @@ MAINTAINER {{ maintainer }}
 {% set nova_api_packages = [
 'openstack-nova-api',
 'httpd',
- 'mod_wsgi'
+ 'mod_wsgi',
+ 'mod_ssl'
 ] %}
 {{ macros.install_packages(nova_api_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
@@ -35,10 +37,12 @@ RUN echo > /etc/apache2/ports.conf
 {% set nova_api_packages = [
 'httpd',
- 'mod_wsgi'
+ 'mod_wsgi',
+ 'mod_ssl'
 ] %}
 {{ macros.install_packages(nova_api_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
diff --git a/docker/nova/nova-placement-api/Dockerfile.j2 b/docker/nova/nova-placement-api/Dockerfile.j2
index dfd7a1f2f6..c90fd6b7cd 100644
--- a/docker/nova/nova-placement-api/Dockerfile.j2
+++ b/docker/nova/nova-placement-api/Dockerfile.j2
@@ -11,11 +11,13 @@ MAINTAINER {{ maintainer }}
 {% set nova_placement_api_packages = [
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'openstack-nova-placement-api'
 ] %}
 {{ macros.install_packages(nova_placement_api_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
@@ -34,11 +36,13 @@ RUN truncate -s 0 /etc/apache2/ports.conf
 {% set nova_placement_api_packages = [
 'httpd',
- 'mod_wsgi'
+ 'mod_wsgi',
+ 'mod_ssl'
 ] %}
 {{ macros.install_packages(nova_placement_api_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu'] %}
 {% set nova_placement_api_packages = [
diff --git a/docker/panko/panko-base/Dockerfile.j2 b/docker/panko/panko-base/Dockerfile.j2
index 88ce5b87ce..7db6c48098 100644
--- a/docker/panko/panko-base/Dockerfile.j2
+++ b/docker/panko/panko-base/Dockerfile.j2
@@ -14,11 +14,13 @@ MAINTAINER {{ maintainer }}
 'openstack-panko-common',
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'python-ldappool'
 ] %}
 {{ macros.install_packages(panko_base_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu', 'debian'] %}
 RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
@@ -31,10 +33,12 @@ RUN echo '{{ install_type }} not yet available for {{ base_distro }}' \
 {% set panko_base_packages = [
 'httpd',
 'mod_wsgi',
+ 'mod_ssl',
 'python-ldappool'
 ] %}
 {{ macros.install_packages(panko_base_packages | customizable("packages")) }}
-RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf
+RUN sed -i -r 's,^(Listen 80),#\1,' /etc/httpd/conf/httpd.conf \
+ && sed -i -r 's,^(Listen 443),#\1,' /etc/httpd/conf.d/ssl.conf
 {% elif base_distro in ['ubuntu', 'debian'] %}
diff --git a/releasenotes/notes/Add-mod_ssl-to-images-2d2972c3cf794f65.yaml b/releasenotes/notes/Add-mod_ssl-to-images-2d2972c3cf794f65.yaml
new file mode 100644
index 0000000000..9a49a6e764
--- /dev/null
+++ b/releasenotes/notes/Add-mod_ssl-to-images-2d2972c3cf794f65.yaml
@@ -0,0 +1,6 @@
+---
+features:
+ - Images that contain services that run over httpd now ship mod_ssl as well.
+ This is useful when deployers want to configure these services to serve TLS
+ in the internal network instead of just relying on HAProxy for the TLS
+ termination. Note that currently this only applies to RHEL-based images.