Rename horizon_* ssl params to ssl_*
This renames the horizon_* ssl parameters to be named ssl_*. It also requires end users to set ssl_verify_client whenever ssl_ca (or the deprecated horizon_ca) is used, since otherwise the CA won't take effect. See the puppetlabs-apache 2.1.0 release notes [1]. [1] https://github.com/puppetlabs/puppetlabs-apache/blob/2.1.0/CHANGELOG.md#changed Change-Id: I4d3b8623924ad646bf4880ad70fb3ce9be1675c2
parent
841d4d734e
commit
b2320ac295
@ -208,13 +208,13 @@
|
||||
# (optional) Whether to redirect http to https
|
||||
# Defaults to True
|
||||
#
|
||||
# [*horizon_cert*]
|
||||
# [*ssl_cert*]
|
||||
# (required with listen_ssl) Certificate to use for SSL support.
|
||||
#
|
||||
# [*horizon_key*]
|
||||
# [*ssl_key*]
|
||||
# (required with listen_ssl) Private key to use for SSL support.
|
||||
#
|
||||
# [*horizon_ca*]
|
||||
# [*ssl_ca*]
|
||||
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||
#
|
||||
# [*ssl_verify_client*]
|
||||
@ -459,6 +459,15 @@
|
||||
# [*log_handler*]
|
||||
# (optional) Log handler. Defaults to 'file'
|
||||
#
|
||||
# [*horizon_cert*]
|
||||
# (required with listen_ssl) Certificate to use for SSL support.
|
||||
#
|
||||
# [*horizon_key*]
|
||||
# (required with listen_ssl) Private key to use for SSL support.
|
||||
#
|
||||
# [*horizon_ca*]
|
||||
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||
#
|
||||
# === Examples
|
||||
#
|
||||
# class { 'horizon':
|
||||
@ -504,9 +513,9 @@ class horizon(
|
||||
$ssl_no_verify = false,
|
||||
$openstack_ssl_cacert = '',
|
||||
$ssl_redirect = true,
|
||||
$horizon_cert = undef,
|
||||
$horizon_key = undef,
|
||||
$horizon_ca = undef,
|
||||
$ssl_cert = undef,
|
||||
$ssl_key = undef,
|
||||
$ssl_ca = undef,
|
||||
$ssl_verify_client = undef,
|
||||
$wsgi_processes = $::os_workers,
|
||||
$wsgi_threads = '1',
|
||||
@ -555,6 +564,9 @@ class horizon(
|
||||
$horizon_upload_mode = undef,
|
||||
# DEPRECATED PARAMETERS
|
||||
$log_handler = undef,
|
||||
$horizon_cert = undef,
|
||||
$horizon_key = undef,
|
||||
$horizon_ca = undef,
|
||||
) inherits ::horizon::params {
|
||||
|
||||
include horizon::deps
|
||||
@ -687,6 +699,14 @@ release. Use log_handlers instead')
|
||||
}
|
||||
|
||||
if $configure_apache {
|
||||
if ($horizon_cert or $horizon_key or $horizon_ca) {
|
||||
warning('horizon::horizon_cert, horizon::horizon_key and horizon::horizon_ca parameter is deprecated')
|
||||
}
|
||||
|
||||
$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }
|
||||
$ssl_key_real = $horizon_key.lest || { $ssl_key }
|
||||
$ssl_ca_real = $horizon_ca.lest || { $ssl_ca }
|
||||
|
||||
class { 'horizon::wsgi::apache':
|
||||
bind_address => $bind_address,
|
||||
servername => $servername,
|
||||
@ -695,9 +715,9 @@ release. Use log_handlers instead')
|
||||
http_port => $http_port,
|
||||
https_port => $https_port,
|
||||
ssl_redirect => $ssl_redirect,
|
||||
horizon_cert => $horizon_cert,
|
||||
horizon_key => $horizon_key,
|
||||
horizon_ca => $horizon_ca,
|
||||
ssl_cert => $ssl_cert_real,
|
||||
ssl_key => $ssl_key_real,
|
||||
ssl_ca => $ssl_ca_real,
|
||||
ssl_verify_client => $ssl_verify_client,
|
||||
wsgi_processes => $wsgi_processes,
|
||||
wsgi_threads => $wsgi_threads,
|
||||
|
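Review bot: In the `if $configure_apache` block, `$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }` (and the matching key and CA lines) lets the deprecated parameter silently win when both names are set, so a node that has moved to `ssl_cert` but still carries a stale `horizon_cert` in its data keeps serving the old certificate, key or CA. Prefer the new name, e.g. `$ssl_cert_real = $ssl_cert.lest || { $horizon_cert }`, or `fail()` when both are defined, and state the chosen precedence in the DEPRECATED PARAMETERS docs. The same three assignments appear in `horizon::wsgi::apache`. The warning here would also help operators more if it named the replacements, as the one in `horizon::wsgi::apache` does. The class body continues outside these hunks.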
@ -29,17 +29,18 @@
|
||||
# [*https_port*]
|
||||
# (optional) Port to use for the HTTPS virtual host. (Defaults to 443)
|
||||
#
|
||||
# [*horizon_cert*]
|
||||
# [*ssl_cert*]
|
||||
# (required with listen_ssl) Certificate to use for SSL support.
|
||||
#
|
||||
# [*horizon_key*]
|
||||
# [*ssl_key*]
|
||||
# (required with listen_ssl) Private key to use for SSL support.
|
||||
#
|
||||
# [*horizon_ca*]
|
||||
# [*ssl_ca*]
|
||||
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||
#
|
||||
# [*ssl_verify_client*]
|
||||
# Set the Certificate verification level for Client Authentication.
|
||||
# (required with ssl_ca) Set the Certificate verification level
|
||||
# for Client Authentication.
|
||||
# Defaults to undef
|
||||
#
|
||||
# [*wsgi_processes*]
|
||||
@ -95,6 +96,17 @@
|
||||
# (optional) The log format to use to the access log.
|
||||
# Defaults to false
|
||||
#
|
||||
# == DEPRECATED PARAMETERS
|
||||
#
|
||||
# [*horizon_cert*]
|
||||
# (required with listen_ssl) Certificate to use for SSL support.
|
||||
#
|
||||
# [*horizon_key*]
|
||||
# (required with listen_ssl) Private key to use for SSL support.
|
||||
#
|
||||
# [*horizon_ca*]
|
||||
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||
#
|
||||
class horizon::wsgi::apache (
|
||||
$bind_address = undef,
|
||||
$servername = $::fqdn,
|
||||
@ -103,9 +115,9 @@ class horizon::wsgi::apache (
|
||||
$http_port = 80,
|
||||
$https_port = 443,
|
||||
$ssl_redirect = true,
|
||||
$horizon_cert = undef,
|
||||
$horizon_key = undef,
|
||||
$horizon_ca = undef,
|
||||
$ssl_cert = undef,
|
||||
$ssl_key = undef,
|
||||
$ssl_ca = undef,
|
||||
$ssl_verify_client = undef,
|
||||
$wsgi_processes = $::os_workers,
|
||||
$wsgi_threads = '1',
|
||||
@ -118,6 +130,10 @@ class horizon::wsgi::apache (
|
||||
$root_url = $::horizon::params::root_url,
|
||||
$root_path = "${::horizon::params::static_path}/openstack-dashboard",
|
||||
$access_log_format = false,
|
||||
# DEPRECATED PARAMETERS
|
||||
$horizon_cert = undef,
|
||||
$horizon_key = undef,
|
||||
$horizon_ca = undef,
|
||||
) inherits horizon::params {
|
||||
|
||||
include horizon::deps
|
||||
@ -147,16 +163,28 @@ class horizon::wsgi::apache (
|
||||
$root_url_real = $root_url
|
||||
}
|
||||
|
||||
$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }
|
||||
$ssl_key_real = $horizon_key.lest || { $ssl_key }
|
||||
$ssl_ca_real = $horizon_ca.lest || { $ssl_ca }
|
||||
|
||||
if $listen_ssl {
|
||||
include apache::mod::ssl
|
||||
$ensure_ssl_vhost = 'present'
|
||||
|
||||
if $horizon_cert == undef {
|
||||
fail('The horizon_cert parameter is required when listen_ssl is true')
|
||||
if ($horizon_cert or $horizon_key or $horizon_ca) {
|
||||
warning('The horizon_cert, horizon_key and horizon_ca parameters is deprecated, please use ssl_cert, ssl_key and ssl_ca')
|
||||
}
|
||||
|
||||
if $horizon_key == undef {
|
||||
fail('The horizon_key parameter is required when listen_ssl is true')
|
||||
if $ssl_cert_real == undef {
|
||||
fail('The ssl_cert parameter is required when listen_ssl is true')
|
||||
}
|
||||
|
||||
if $ssl_key_real == undef {
|
||||
fail('The ssl_key parameter is required when listen_ssl is true')
|
||||
}
|
||||
|
||||
if ($ssl_ca_real != undef and $ssl_verify_client == undef) {
|
||||
fail('The ssl_verify_client parameter is required when setting ssl_ca')
|
||||
}
|
||||
|
||||
if $ssl_redirect {
|
||||
@ -238,9 +266,9 @@ class horizon::wsgi::apache (
|
||||
path => "${root_path}/static",
|
||||
}],
|
||||
port => $http_port,
|
||||
ssl_cert => $horizon_cert,
|
||||
ssl_key => $horizon_key,
|
||||
ssl_ca => $horizon_ca,
|
||||
ssl_cert => $ssl_cert_real,
|
||||
ssl_key => $ssl_key_real,
|
||||
ssl_ca => $ssl_ca_real,
|
||||
ssl_verify_client => $ssl_verify_client,
|
||||
wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]),
|
||||
wsgi_import_script => $::horizon::params::django_wsgi,
|
||||
|
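Review bot: The new guard `if ($ssl_ca_real != undef and $ssl_verify_client == undef)` only rejects an unset value, so `ssl_verify_client => 'none'` or `'optional'` passes while client certificates are still not mandatory; the parameter docs should say so. Something like `# (required with ssl_ca) Apache SSLVerifyClient level: none, optional, require or optional_no_ca.` followed by `# Only 'require' makes a valid client certificate mandatory.` would make that explicit. The `ssl_ca` entry is also documented as `(required with listen_ssl)`, but no check in the visible hunks enforces that, and the value is presumably only used for client-certificate verification. The `if $listen_ssl` block continues outside the hunk.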
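--- /dev/null
+++ b/releasenotes/notes/rename-ssl-params-5c58357688b4850f.yaml
@@ -0,0 +1,18 @@
+---
+features:
+- |
+Added ssl_cert, ssl_key and ssl_ca parameter to init class and the
+horizon::wsgi::apache class.
+upgrade:
+- |
+You should now set the ssl_cert, ssl_key and ssl_ca parameters instead of
+the horizon_cert, horizon_key and horizon_ca parameters in the init and
+horizon::wsgi::apache class.
+- |
+When setting ssl_ca (or the deprecated horizon_ca) end users must now set
+the ssl_verify_client parameter or the puppetlabs-apache module will not
+set SSLCACertificate in the vhost configuration.
+deprecations:
+- |
+The horizon_cert, horizon_key and horizon_ca parameters is deprecated.
+Please use ssl_cert, ssl_key and ssl_ca.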
@ -347,9 +347,9 @@ describe 'horizon' do
|
||||
params.merge!({
|
||||
:listen_ssl => true,
|
||||
:servername => 'some.host.tld',
|
||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_verify_client => 'optional',
|
||||
})
|
||||
end
|
||||
@ -358,9 +358,9 @@ describe 'horizon' do
|
||||
is_expected.to contain_class('horizon::wsgi::apache').with({
|
||||
:bind_address => nil,
|
||||
:listen_ssl => true,
|
||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_verify_client => 'optional',
|
||||
})
|
||||
end
|
||||
|
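Review bot: None of the examples in the visible hunks still passes `horizon_cert`, `horizon_key` or `horizon_ca`, so the deprecated-parameter fallback added by this commit appears to have no coverage in this spec or in the `horizon::wsgi::apache` spec. Add a context that sets only the `horizon_*` names and expects the class or vhost to receive them as `ssl_cert`, `ssl_key` and `ssl_ca`. The `horizon::wsgi::apache` spec's new 'without ssl_verify_client' context should also get a twin that sets `:horizon_ca`, since the commit message says the check applies to the deprecated name too. The surrounding `describe` blocks extend beyond these hunks.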
@ -128,9 +128,9 @@ describe 'horizon::wsgi::apache' do
|
||||
params.merge!({
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => true,
|
||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_verify_client => 'optional',
|
||||
})
|
||||
end
|
||||
@ -198,21 +198,32 @@ describe 'horizon::wsgi::apache' do
|
||||
)}
|
||||
end
|
||||
|
||||
context 'without horizon_cert parameter' do
|
||||
context 'without ssl_cert parameter' do
|
||||
before do
|
||||
params.merge!( :listen_ssl => true )
|
||||
end
|
||||
|
||||
it { should raise_error(Puppet::Error, /The horizon_cert parameter is required when listen_ssl is true/) }
|
||||
it { should raise_error(Puppet::Error, /The ssl_cert parameter is required when listen_ssl is true/) }
|
||||
end
|
||||
|
||||
context 'without horizon_key parameter' do
|
||||
context 'without ssl_key parameter' do
|
||||
before do
|
||||
params.merge!( :listen_ssl => true,
|
||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt' )
|
||||
params.merge!( :listen_ssl => true,
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt' )
|
||||
end
|
||||
|
||||
it { should raise_error(Puppet::Error, /The horizon_key parameter is required when listen_ssl is true/) }
|
||||
it { should raise_error(Puppet::Error, /The ssl_key parameter is required when listen_ssl is true/) }
|
||||
end
|
||||
|
||||
context 'without ssl_verify_client' do
|
||||
before do
|
||||
params.merge!( :listen_ssl => true,
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:ssl_key => '/etc/pki/tls/certs/httpd.key',
|
||||
:ssl_ca => '/etc/pki/tls/certs/httpd.ca' )
|
||||
end
|
||||
|
||||
it { should raise_error(Puppet::Error, /The ssl_verify_client parameter is required when setting ssl_ca/) }
|
||||
end
|
||||
|
||||
context 'with extra parameters' do
|
||||
@ -308,11 +319,12 @@ describe 'horizon::wsgi::apache' do
|
||||
context 'with listen_ssl and ssl_redirect set to true' do
|
||||
before do
|
||||
params.merge!({
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => true,
|
||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => true,
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_verify_client => 'optional',
|
||||
})
|
||||
end
|
||||
|
||||
@ -330,12 +342,13 @@ describe 'horizon::wsgi::apache' do
|
||||
context 'with listen_ssl and ssl_redirect with a slash root_url' do
|
||||
before do
|
||||
params.merge!({
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => true,
|
||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:root_url => '/',
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => true,
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_verify_client => 'optional',
|
||||
:root_url => '/',
|
||||
})
|
||||
end
|
||||
|
||||
@ -353,12 +366,13 @@ describe 'horizon::wsgi::apache' do
|
||||
context 'with listen_ssl and ssl_redirect with a empty root_url' do
|
||||
before do
|
||||
params.merge!({
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => true,
|
||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:root_url => '',
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => true,
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_verify_client => 'optional',
|
||||
:root_url => '',
|
||||
})
|
||||
end
|
||||
|
||||
@ -376,11 +390,12 @@ describe 'horizon::wsgi::apache' do
|
||||
context 'with listen_ssl and ssl_redirect disabled' do
|
||||
before do
|
||||
params.merge!({
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => false,
|
||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => false,
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_verify_client => 'optional',
|
||||
})
|
||||
end
|
||||
|
||||
@ -398,12 +413,13 @@ describe 'horizon::wsgi::apache' do
|
||||
context 'with listen_ssl and ssl_redirect disabled with custom root_url' do
|
||||
before do
|
||||
params.merge!({
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => false,
|
||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:root_url => '/custom',
|
||||
:listen_ssl => true,
|
||||
:ssl_redirect => false,
|
||||
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||
:ssl_verify_client => 'optional',
|
||||
:root_url => '/custom',
|
||||
})
|
||||
end
|
||||
|
||||
|