Add ssl_verify_client
This adds the ssl_verify_client parameter that
is passed down to the apache::vhost resource.
Without this being set, as of puppetlabs-apache 2.1.0,
the horizon_ca parameter will be ignored and you won't
get the CA/intermediate set in the vhost configuration. [1]
This change in puppetlabs-apache was introduced a long time ago, which means we should
backport this; otherwise SSL is partially broken when using this module.
[1] https://github.com/puppetlabs/puppetlabs-apache/blob/2.1.0/CHANGELOG.md#changed
Change-Id: I9f60f266400a6d0ccfad757aa33009929c02cde7
(cherry picked from commit 841d4d734e
)
This commit is contained in:
parent
dd78e01afe
commit
2ae5f46740
@ -217,6 +217,10 @@
|
||||||
# [*horizon_ca*]
|
# [*horizon_ca*]
|
||||||
# (required with listen_ssl) CA certificate to use for SSL support.
|
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||||
#
|
#
|
||||||
|
# [*ssl_verify_client*]
|
||||||
|
# Set the Certificate verification level for Client Authentication.
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
# [*wsgi_processes*]
|
# [*wsgi_processes*]
|
||||||
# (optional) Number of Horizon processes to spawn
|
# (optional) Number of Horizon processes to spawn
|
||||||
# Defaults to $::os_workers
|
# Defaults to $::os_workers
|
||||||
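Review bot: The new `# [*ssl_verify_client*]` entry says only that it sets the verification level and defaults to undef; it should name the accepted values and what the default means, because the commit message states that with it unset apache::vhost ignores the CA given in horizon_ca. Suggested wording: `# (optional) Certificate verification level for client authentication, passed to apache::vhost's ssl_verify_client (mod_ssl SSLVerifyClient: none, optional, require, optional_no_ca). Must be set for horizon_ca to be written to the vhost; only 'require' actually enforces a client certificate.` The identical entry is added to the horizon::wsgi::apache header in the hunk at `@ -38,6 +38,10 @@` and should carry the same text. One further caveat worth a sentence in the entry: in apache::vhost, `ssl_ca` is the CA used to verify client certificates rather than the server's own chain, so if the "CA/intermediate" in the commit message means operators have been using horizon_ca to ship an intermediate chain, switching on client verification is the wrong lever and a dedicated chain parameter would be needed instead.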
|
@ -498,6 +502,7 @@ class horizon(
|
||||||
$horizon_cert = undef,
|
$horizon_cert = undef,
|
||||||
$horizon_key = undef,
|
$horizon_key = undef,
|
||||||
$horizon_ca = undef,
|
$horizon_ca = undef,
|
||||||
|
$ssl_verify_client = undef,
|
||||||
$wsgi_processes = $::os_workers,
|
$wsgi_processes = $::os_workers,
|
||||||
$wsgi_threads = '1',
|
$wsgi_threads = '1',
|
||||||
$compress_offline = true,
|
$compress_offline = true,
|
||||||
|
@ -677,6 +682,7 @@ class horizon(
|
||||||
horizon_cert => $horizon_cert,
|
horizon_cert => $horizon_cert,
|
||||||
horizon_key => $horizon_key,
|
horizon_key => $horizon_key,
|
||||||
horizon_ca => $horizon_ca,
|
horizon_ca => $horizon_ca,
|
||||||
|
ssl_verify_client => $ssl_verify_client,
|
||||||
wsgi_processes => $wsgi_processes,
|
wsgi_processes => $wsgi_processes,
|
||||||
wsgi_threads => $wsgi_threads,
|
wsgi_threads => $wsgi_threads,
|
||||||
extra_params => $vhost_extra_params,
|
extra_params => $vhost_extra_params,
|
||||||
|
|
|
@ -38,6 +38,10 @@
|
||||||
# [*horizon_ca*]
|
# [*horizon_ca*]
|
||||||
# (required with listen_ssl) CA certificate to use for SSL support.
|
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||||
#
|
#
|
||||||
|
# [*ssl_verify_client*]
|
||||||
|
# Set the Certificate verification level for Client Authentication.
|
||||||
|
# Defaults to undef
|
||||||
|
#
|
||||||
# [*wsgi_processes*]
|
# [*wsgi_processes*]
|
||||||
# (optional) Number of Horizon processes to spawn
|
# (optional) Number of Horizon processes to spawn
|
||||||
# Defaults to $::os_workers
|
# Defaults to $::os_workers
|
||||||
|
@ -102,6 +106,7 @@ class horizon::wsgi::apache (
|
||||||
$horizon_cert = undef,
|
$horizon_cert = undef,
|
||||||
$horizon_key = undef,
|
$horizon_key = undef,
|
||||||
$horizon_ca = undef,
|
$horizon_ca = undef,
|
||||||
|
$ssl_verify_client = undef,
|
||||||
$wsgi_processes = $::os_workers,
|
$wsgi_processes = $::os_workers,
|
||||||
$wsgi_threads = '1',
|
$wsgi_threads = '1',
|
||||||
$custom_wsgi_process_options = {},
|
$custom_wsgi_process_options = {},
|
||||||
|
@ -236,6 +241,7 @@ class horizon::wsgi::apache (
|
||||||
ssl_cert => $horizon_cert,
|
ssl_cert => $horizon_cert,
|
||||||
ssl_key => $horizon_key,
|
ssl_key => $horizon_key,
|
||||||
ssl_ca => $horizon_ca,
|
ssl_ca => $horizon_ca,
|
||||||
|
ssl_verify_client => $ssl_verify_client,
|
||||||
wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]),
|
wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]),
|
||||||
wsgi_daemon_process => $::horizon::params::wsgi_group,
|
wsgi_daemon_process => $::horizon::params::wsgi_group,
|
||||||
wsgi_daemon_process_options => $wsgi_daemon_process_options,
|
wsgi_daemon_process_options => $wsgi_daemon_process_options,
|
||||||
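Review bot: `ssl_verify_client => $ssl_verify_client` is forwarded to apache::vhost with no check on the value, and the parameters in this file are untyped, so a misspelled level (say 'optionnal') would only surface when Apache rejects the rendered SSLVerifyClient directive at reload, after the catalog has already applied. Since init.pp only relays the value to this class, one check here covers both entry points: `if $ssl_verify_client {` / `  validate_re($ssl_verify_client, '^(none|optional|require|optional_no_ca)$', 'ssl_verify_client must be none, optional, require or optional_no_ca')` / `}`. It would also help operators to emit a notice when listen_ssl and horizon_ca are set but ssl_verify_client is left undef, as that is exactly the combination the commit message describes as silently dropping the CA. The horizon::wsgi::apache class and the apache::vhost resource both start and end outside this hunk.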
|
|
|
@ -0,0 +1,10 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Added the ssl_verify_client parameter to init class and horizon::wsgi::apache
|
||||||
|
that is passed down to the created apache::vhost resource.
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
The puppetlabs-apache module 2.1.0 introduced a change where ssl_verify_client
|
||||||
|
is required otherwise the SSL CA certificate passed to the horizon module using
|
||||||
|
the horizon_ca parameter is ignored.
|
|
@ -343,21 +343,23 @@ describe 'horizon' do
|
||||||
context 'with ssl enabled' do
|
context 'with ssl enabled' do
|
||||||
before do
|
before do
|
||||||
params.merge!({
|
params.merge!({
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:servername => 'some.host.tld',
|
:servername => 'some.host.tld',
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
|
:ssl_verify_client => 'optional',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'configures apache' do
|
it 'configures apache' do
|
||||||
is_expected.to contain_class('horizon::wsgi::apache').with({
|
is_expected.to contain_class('horizon::wsgi::apache').with({
|
||||||
:bind_address => nil,
|
:bind_address => nil,
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
|
:ssl_verify_client => 'optional',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -125,11 +125,12 @@ describe 'horizon::wsgi::apache' do
|
||||||
context 'with ssl enabled' do
|
context 'with ssl enabled' do
|
||||||
before do
|
before do
|
||||||
params.merge!({
|
params.merge!({
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:ssl_redirect => true,
|
:ssl_redirect => true,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
|
:ssl_verify_client => 'optional',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -148,6 +149,7 @@ describe 'horizon::wsgi::apache' do
|
||||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
|
:ssl_verify_client => 'optional',
|
||||||
:redirectmatch_status => 'permanent',
|
:redirectmatch_status => 'permanent',
|
||||||
:redirectmatch_regexp => '^/$',
|
:redirectmatch_regexp => '^/$',
|
||||||
:redirectmatch_dest => platforms_params[:root_url],
|
:redirectmatch_dest => platforms_params[:root_url],
|
||||||
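Review bot: The expectation now asserts `:ssl_verify_client => 'optional'` on the apache::vhost resource next to `:ssl_ca`, but only the happy path is covered; the combination the commit message calls out as broken — listen_ssl and horizon_ca set with ssl_verify_client left at its default — has no example. A second context that omits `:ssl_verify_client` from the merged params and still expects `:ssl_ca => '/etc/pki/tls/certs/ca.crt'` on the vhost would pin the pass-through behaviour and make the documented limitation visible in the spec. The describe block and the surrounding `it` start and end outside this hunk.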
|
|