Rename horizon_* ssl params to ssl_*
This renames the horizon_* ssl parameters to ssl_*. It also requires end users to set ssl_verify_client when ssl_ca (or the deprecated horizon_ca) is used, since otherwise ssl_ca won't take effect. See the puppetlabs-apache 2.1.0 release notes [1]. [1] https://github.com/puppetlabs/puppetlabs-apache/blob/2.1.0/CHANGELOG.md#changed Change-Id: I4d3b8623924ad646bf4880ad70fb3ce9be1675c2
parent
841d4d734e
commit
b2320ac295
|
@ -208,13 +208,13 @@
|
||||||
# (optional) Whether to redirect http to https
|
# (optional) Whether to redirect http to https
|
||||||
# Defaults to True
|
# Defaults to True
|
||||||
#
|
#
|
||||||
# [*horizon_cert*]
|
# [*ssl_cert*]
|
||||||
# (required with listen_ssl) Certificate to use for SSL support.
|
# (required with listen_ssl) Certificate to use for SSL support.
|
||||||
#
|
#
|
||||||
# [*horizon_key*]
|
# [*ssl_key*]
|
||||||
# (required with listen_ssl) Private key to use for SSL support.
|
# (required with listen_ssl) Private key to use for SSL support.
|
||||||
#
|
#
|
||||||
# [*horizon_ca*]
|
# [*ssl_ca*]
|
||||||
# (required with listen_ssl) CA certificate to use for SSL support.
|
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||||
#
|
#
|
||||||
# [*ssl_verify_client*]
|
# [*ssl_verify_client*]
|
||||||
|
@ -459,6 +459,15 @@
|
||||||
# [*log_handler*]
|
# [*log_handler*]
|
||||||
# (optional) Log handler. Defaults to 'file'
|
# (optional) Log handler. Defaults to 'file'
|
||||||
#
|
#
|
||||||
|
# [*horizon_cert*]
|
||||||
|
# (required with listen_ssl) Certificate to use for SSL support.
|
||||||
|
#
|
||||||
|
# [*horizon_key*]
|
||||||
|
# (required with listen_ssl) Private key to use for SSL support.
|
||||||
|
#
|
||||||
|
# [*horizon_ca*]
|
||||||
|
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||||
|
#
|
||||||
# === Examples
|
# === Examples
|
||||||
#
|
#
|
||||||
# class { 'horizon':
|
# class { 'horizon':
|
||||||
|
@ -504,9 +513,9 @@ class horizon(
|
||||||
$ssl_no_verify = false,
|
$ssl_no_verify = false,
|
||||||
$openstack_ssl_cacert = '',
|
$openstack_ssl_cacert = '',
|
||||||
$ssl_redirect = true,
|
$ssl_redirect = true,
|
||||||
$horizon_cert = undef,
|
$ssl_cert = undef,
|
||||||
$horizon_key = undef,
|
$ssl_key = undef,
|
||||||
$horizon_ca = undef,
|
$ssl_ca = undef,
|
||||||
$ssl_verify_client = undef,
|
$ssl_verify_client = undef,
|
||||||
$wsgi_processes = $::os_workers,
|
$wsgi_processes = $::os_workers,
|
||||||
$wsgi_threads = '1',
|
$wsgi_threads = '1',
|
||||||
|
@ -555,6 +564,9 @@ class horizon(
|
||||||
$horizon_upload_mode = undef,
|
$horizon_upload_mode = undef,
|
||||||
# DEPRECATED PARAMETERS
|
# DEPRECATED PARAMETERS
|
||||||
$log_handler = undef,
|
$log_handler = undef,
|
||||||
|
$horizon_cert = undef,
|
||||||
|
$horizon_key = undef,
|
||||||
|
$horizon_ca = undef,
|
||||||
) inherits ::horizon::params {
|
) inherits ::horizon::params {
|
||||||
|
|
||||||
include horizon::deps
|
include horizon::deps
|
||||||
|
@ -687,6 +699,14 @@ release. Use log_handlers instead')
|
||||||
}
|
}
|
||||||
|
|
||||||
if $configure_apache {
|
if $configure_apache {
|
||||||
|
if ($horizon_cert or $horizon_key or $horizon_ca) {
|
||||||
|
warning('horizon::horizon_cert, horizon::horizon_key and horizon::horizon_ca parameter is deprecated')
|
||||||
|
}
|
||||||
|
|
||||||
|
$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }
|
||||||
|
$ssl_key_real = $horizon_key.lest || { $ssl_key }
|
||||||
|
$ssl_ca_real = $horizon_ca.lest || { $ssl_ca }
|
||||||
|
|
||||||
class { 'horizon::wsgi::apache':
|
class { 'horizon::wsgi::apache':
|
||||||
bind_address => $bind_address,
|
bind_address => $bind_address,
|
||||||
servername => $servername,
|
servername => $servername,
|
||||||
|
@ -695,9 +715,9 @@ release. Use log_handlers instead')
|
||||||
http_port => $http_port,
|
http_port => $http_port,
|
||||||
https_port => $https_port,
|
https_port => $https_port,
|
||||||
ssl_redirect => $ssl_redirect,
|
ssl_redirect => $ssl_redirect,
|
||||||
horizon_cert => $horizon_cert,
|
ssl_cert => $ssl_cert_real,
|
||||||
horizon_key => $horizon_key,
|
ssl_key => $ssl_key_real,
|
||||||
horizon_ca => $horizon_ca,
|
ssl_ca => $ssl_ca_real,
|
||||||
ssl_verify_client => $ssl_verify_client,
|
ssl_verify_client => $ssl_verify_client,
|
||||||
wsgi_processes => $wsgi_processes,
|
wsgi_processes => $wsgi_processes,
|
||||||
wsgi_threads => $wsgi_threads,
|
wsgi_threads => $wsgi_threads,
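Review bot: The fallback `$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }` (and the matching key and CA lines) lets a deprecated horizon_* value silently override the new ssl_* value when both are set, and the warning does not say which one is used. During a migration that can leave the vhost serving an old certificate, key or CA bundle even though the ssl_* value was updated. Consider failing when both forms are given, e.g. `if $horizon_cert and $ssl_cert { fail('Set either horizon_cert or ssl_cert, not both') }`, or state the precedence in the warning text. The same three fallback lines appear in horizon::wsgi::apache, and the enclosing `if $configure_apache` block continues outside the hunk.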
|
||||||
|
|
|
@ -29,17 +29,18 @@
|
||||||
# [*https_port*]
|
# [*https_port*]
|
||||||
# (optional) Port to use for the HTTPS virtual host. (Defaults to 443)
|
# (optional) Port to use for the HTTPS virtual host. (Defaults to 443)
|
||||||
#
|
#
|
||||||
# [*horizon_cert*]
|
# [*ssl_cert*]
|
||||||
# (required with listen_ssl) Certificate to use for SSL support.
|
# (required with listen_ssl) Certificate to use for SSL support.
|
||||||
#
|
#
|
||||||
# [*horizon_key*]
|
# [*ssl_key*]
|
||||||
# (required with listen_ssl) Private key to use for SSL support.
|
# (required with listen_ssl) Private key to use for SSL support.
|
||||||
#
|
#
|
||||||
# [*horizon_ca*]
|
# [*ssl_ca*]
|
||||||
# (required with listen_ssl) CA certificate to use for SSL support.
|
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||||
#
|
#
|
||||||
# [*ssl_verify_client*]
|
# [*ssl_verify_client*]
|
||||||
# Set the Certificate verification level for Client Authentication.
|
# (required with ssl_ca) Set the Certificate verification level
|
||||||
|
# for Client Authentication.
|
||||||
# Defaults to undef
|
# Defaults to undef
|
||||||
#
|
#
|
||||||
# [*wsgi_processes*]
|
# [*wsgi_processes*]
|
||||||
|
@ -95,6 +96,17 @@
|
||||||
# (optional) The log format to use to the access log.
|
# (optional) The log format to use to the access log.
|
||||||
# Defaults to false
|
# Defaults to false
|
||||||
#
|
#
|
||||||
|
# == DEPRECATED PARAMETERS
|
||||||
|
#
|
||||||
|
# [*horizon_cert*]
|
||||||
|
# (required with listen_ssl) Certificate to use for SSL support.
|
||||||
|
#
|
||||||
|
# [*horizon_key*]
|
||||||
|
# (required with listen_ssl) Private key to use for SSL support.
|
||||||
|
#
|
||||||
|
# [*horizon_ca*]
|
||||||
|
# (required with listen_ssl) CA certificate to use for SSL support.
|
||||||
|
#
|
||||||
class horizon::wsgi::apache (
|
class horizon::wsgi::apache (
|
||||||
$bind_address = undef,
|
$bind_address = undef,
|
||||||
$servername = $::fqdn,
|
$servername = $::fqdn,
|
||||||
|
@ -103,9 +115,9 @@ class horizon::wsgi::apache (
|
||||||
$http_port = 80,
|
$http_port = 80,
|
||||||
$https_port = 443,
|
$https_port = 443,
|
||||||
$ssl_redirect = true,
|
$ssl_redirect = true,
|
||||||
$horizon_cert = undef,
|
$ssl_cert = undef,
|
||||||
$horizon_key = undef,
|
$ssl_key = undef,
|
||||||
$horizon_ca = undef,
|
$ssl_ca = undef,
|
||||||
$ssl_verify_client = undef,
|
$ssl_verify_client = undef,
|
||||||
$wsgi_processes = $::os_workers,
|
$wsgi_processes = $::os_workers,
|
||||||
$wsgi_threads = '1',
|
$wsgi_threads = '1',
|
||||||
|
@ -118,6 +130,10 @@ class horizon::wsgi::apache (
|
||||||
$root_url = $::horizon::params::root_url,
|
$root_url = $::horizon::params::root_url,
|
||||||
$root_path = "${::horizon::params::static_path}/openstack-dashboard",
|
$root_path = "${::horizon::params::static_path}/openstack-dashboard",
|
||||||
$access_log_format = false,
|
$access_log_format = false,
|
||||||
|
# DEPRECATED PARAMETERS
|
||||||
|
$horizon_cert = undef,
|
||||||
|
$horizon_key = undef,
|
||||||
|
$horizon_ca = undef,
|
||||||
) inherits horizon::params {
|
) inherits horizon::params {
|
||||||
|
|
||||||
include horizon::deps
|
include horizon::deps
|
||||||
|
@ -147,16 +163,28 @@ class horizon::wsgi::apache (
|
||||||
$root_url_real = $root_url
|
$root_url_real = $root_url
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }
|
||||||
|
$ssl_key_real = $horizon_key.lest || { $ssl_key }
|
||||||
|
$ssl_ca_real = $horizon_ca.lest || { $ssl_ca }
|
||||||
|
|
||||||
if $listen_ssl {
|
if $listen_ssl {
|
||||||
include apache::mod::ssl
|
include apache::mod::ssl
|
||||||
$ensure_ssl_vhost = 'present'
|
$ensure_ssl_vhost = 'present'
|
||||||
|
|
||||||
if $horizon_cert == undef {
|
if ($horizon_cert or $horizon_key or $horizon_ca) {
|
||||||
fail('The horizon_cert parameter is required when listen_ssl is true')
|
warning('The horizon_cert, horizon_key and horizon_ca parameters is deprecated, please use ssl_cert, ssl_key and ssl_ca')
|
||||||
}
|
}
|
||||||
|
|
||||||
if $horizon_key == undef {
|
if $ssl_cert_real == undef {
|
||||||
fail('The horizon_key parameter is required when listen_ssl is true')
|
fail('The ssl_cert parameter is required when listen_ssl is true')
|
||||||
|
}
|
||||||
|
|
||||||
|
if $ssl_key_real == undef {
|
||||||
|
fail('The ssl_key parameter is required when listen_ssl is true')
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($ssl_ca_real != undef and $ssl_verify_client == undef) {
|
||||||
|
fail('The ssl_verify_client parameter is required when setting ssl_ca')
|
||||||
}
|
}
|
||||||
|
|
||||||
if $ssl_redirect {
|
if $ssl_redirect {
|
||||||
|
@ -238,9 +266,9 @@ class horizon::wsgi::apache (
|
||||||
path => "${root_path}/static",
|
path => "${root_path}/static",
|
||||||
}],
|
}],
|
||||||
port => $http_port,
|
port => $http_port,
|
||||||
ssl_cert => $horizon_cert,
|
ssl_cert => $ssl_cert_real,
|
||||||
ssl_key => $horizon_key,
|
ssl_key => $ssl_key_real,
|
||||||
ssl_ca => $horizon_ca,
|
ssl_ca => $ssl_ca_real,
|
||||||
ssl_verify_client => $ssl_verify_client,
|
ssl_verify_client => $ssl_verify_client,
|
||||||
wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]),
|
wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]),
|
||||||
wsgi_import_script => $::horizon::params::django_wsgi,
|
wsgi_import_script => $::horizon::params::django_wsgi,
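Review bot: The new guard `if ($ssl_ca_real != undef and $ssl_verify_client == undef)` only checks that ssl_verify_client is defined, so any value passes, including levels that do not enforce client certificates. The parameter doc should name the accepted Apache SSLVerifyClient levels and say which one enforces authentication, e.g. `# (required with ssl_ca) Client certificate verification level: 'none', 'optional', 'require' or 'optional_no_ca'. Only 'require' rejects clients without a valid certificate.` The ssl_ca doc still reads `(required with listen_ssl)` although no check in the visible hunks fails on a missing CA; `(optional)` would match the code.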
|
||||||
|
|
|
@ -0,0 +1,18 @@
|
||||||
|
---
|
||||||
|
features:
|
||||||
|
- |
|
||||||
|
Added ssl_cert, ssl_key and ssl_ca parameter to init class and the
|
||||||
|
horizon::wsgi::apache class.
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
You should now set the ssl_cert, ssl_key and ssl_ca parameters instead of
|
||||||
|
the horizon_cert, horizon_key and horizon_ca parameters in the init and
|
||||||
|
horizon::wsgi::apache class.
|
||||||
|
- |
|
||||||
|
When setting ssl_ca (or the deprecated horizon_ca) end users must now set
|
||||||
|
the ssl_verify_client parameter or the puppetlabs-apache module will not
|
||||||
|
set SSLCACertificate in the vhost configuration.
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
The horizon_cert, horizon_key and horizon_ca parameters is deprecated.
|
||||||
|
Please use ssl_cert, ssl_key and ssl_ca.
|
|
@ -347,9 +347,9 @@ describe 'horizon' do
|
||||||
params.merge!({
|
params.merge!({
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:servername => 'some.host.tld',
|
:servername => 'some.host.tld',
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
:ssl_verify_client => 'optional',
|
:ssl_verify_client => 'optional',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
@ -358,9 +358,9 @@ describe 'horizon' do
|
||||||
is_expected.to contain_class('horizon::wsgi::apache').with({
|
is_expected.to contain_class('horizon::wsgi::apache').with({
|
||||||
:bind_address => nil,
|
:bind_address => nil,
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
:ssl_verify_client => 'optional',
|
:ssl_verify_client => 'optional',
|
||||||
})
|
})
|
||||||
end
|
end
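Review bot: The updated contexts only exercise the new ssl_* names, so nothing visible here covers the deprecated horizon_cert/horizon_key/horizon_ca path that the manifest still maps onto ssl_*. A context that sets the old names and expects horizon::wsgi::apache to receive them as ssl_cert, ssl_key and ssl_ca would keep that backward-compatible branch from regressing; the horizon::wsgi::apache spec would benefit from the same case. The enclosing describe block starts and ends outside the hunks.

```ruby
context 'with deprecated horizon_* ssl parameters' do
  before do
    params.merge!({
      :listen_ssl        => true,
      :servername        => 'some.host.tld',
      :horizon_cert      => '/etc/pki/tls/certs/httpd.crt',
      :horizon_key       => '/etc/pki/tls/private/httpd.key',
      :horizon_ca        => '/etc/pki/tls/certs/ca.crt',
      :ssl_verify_client => 'optional',
    })
  end

  it 'passes them on as ssl_* parameters' do
    is_expected.to contain_class('horizon::wsgi::apache').with({
      :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
      :ssl_key  => '/etc/pki/tls/private/httpd.key',
      :ssl_ca   => '/etc/pki/tls/certs/ca.crt',
    })
  end
end
```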
|
||||||
|
|
|
@ -128,9 +128,9 @@ describe 'horizon::wsgi::apache' do
|
||||||
params.merge!({
|
params.merge!({
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:ssl_redirect => true,
|
:ssl_redirect => true,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
:ssl_verify_client => 'optional',
|
:ssl_verify_client => 'optional',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
@ -198,21 +198,32 @@ describe 'horizon::wsgi::apache' do
|
||||||
)}
|
)}
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'without horizon_cert parameter' do
|
context 'without ssl_cert parameter' do
|
||||||
before do
|
before do
|
||||||
params.merge!( :listen_ssl => true )
|
params.merge!( :listen_ssl => true )
|
||||||
end
|
end
|
||||||
|
|
||||||
it { should raise_error(Puppet::Error, /The horizon_cert parameter is required when listen_ssl is true/) }
|
it { should raise_error(Puppet::Error, /The ssl_cert parameter is required when listen_ssl is true/) }
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'without horizon_key parameter' do
|
context 'without ssl_key parameter' do
|
||||||
before do
|
before do
|
||||||
params.merge!( :listen_ssl => true,
|
params.merge!( :listen_ssl => true,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt' )
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt' )
|
||||||
end
|
end
|
||||||
|
|
||||||
it { should raise_error(Puppet::Error, /The horizon_key parameter is required when listen_ssl is true/) }
|
it { should raise_error(Puppet::Error, /The ssl_key parameter is required when listen_ssl is true/) }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'without ssl_verify_client' do
|
||||||
|
before do
|
||||||
|
params.merge!( :listen_ssl => true,
|
||||||
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
|
:ssl_key => '/etc/pki/tls/certs/httpd.key',
|
||||||
|
:ssl_ca => '/etc/pki/tls/certs/httpd.ca' )
|
||||||
|
end
|
||||||
|
|
||||||
|
it { should raise_error(Puppet::Error, /The ssl_verify_client parameter is required when setting ssl_ca/) }
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'with extra parameters' do
|
context 'with extra parameters' do
|
||||||
|
@ -310,9 +321,10 @@ describe 'horizon::wsgi::apache' do
|
||||||
params.merge!({
|
params.merge!({
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:ssl_redirect => true,
|
:ssl_redirect => true,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
|
:ssl_verify_client => 'optional',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -332,9 +344,10 @@ describe 'horizon::wsgi::apache' do
|
||||||
params.merge!({
|
params.merge!({
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:ssl_redirect => true,
|
:ssl_redirect => true,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
|
:ssl_verify_client => 'optional',
|
||||||
:root_url => '/',
|
:root_url => '/',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
@ -355,9 +368,10 @@ describe 'horizon::wsgi::apache' do
|
||||||
params.merge!({
|
params.merge!({
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:ssl_redirect => true,
|
:ssl_redirect => true,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
|
:ssl_verify_client => 'optional',
|
||||||
:root_url => '',
|
:root_url => '',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
@ -378,9 +392,10 @@ describe 'horizon::wsgi::apache' do
|
||||||
params.merge!({
|
params.merge!({
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:ssl_redirect => false,
|
:ssl_redirect => false,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
|
:ssl_verify_client => 'optional',
|
||||||
})
|
})
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -400,9 +415,10 @@ describe 'horizon::wsgi::apache' do
|
||||||
params.merge!({
|
params.merge!({
|
||||||
:listen_ssl => true,
|
:listen_ssl => true,
|
||||||
:ssl_redirect => false,
|
:ssl_redirect => false,
|
||||||
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
|
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
|
||||||
:horizon_key => '/etc/pki/tls/private/httpd.key',
|
:ssl_key => '/etc/pki/tls/private/httpd.key',
|
||||||
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
|
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
|
||||||
|
:ssl_verify_client => 'optional',
|
||||||
:root_url => '/custom',
|
:root_url => '/custom',
|
||||||
})
|
})
|
||||||
end
|
end
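Review bot: In the new 'without ssl_verify_client' context the key fixture is `'/etc/pki/tls/certs/httpd.key'`, while the other contexts visible here use the private directory; `:ssl_key => '/etc/pki/tls/private/httpd.key',` would keep the fixtures consistent and avoid suggesting that a private key belongs in the certs directory. The context also sets only ssl_ca, so the failure is not asserted for the deprecated horizon_ca, which the commit message says falls under the same requirement.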
|
||||||
|
|