Rename horizon_* ssl params to ssl_*

This renames the horizon_* ssl parameters to
ssl_*. It also enforces that end users set
ssl_verify_client when ssl_ca (or the deprecated
horizon_ca) is used, since the CA setting would
otherwise not take effect.

See the puppetlabs-apache 2.1.0 release notes [1].

[1]
https://github.com/puppetlabs/puppetlabs-apache/blob/2.1.0/CHANGELOG.md#changed

Change-Id: I4d3b8623924ad646bf4880ad70fb3ce9be1675c2
Tobias Urdin 2020-10-14 11:02:01 +02:00
parent 841d4d734e
commit b2320ac295
5 changed files with 148 additions and 66 deletions


@ -208,13 +208,13 @@
# (optional) Whether to redirect http to https # (optional) Whether to redirect http to https
# Defaults to True # Defaults to True
# #
# [*horizon_cert*] # [*ssl_cert*]
# (required with listen_ssl) Certificate to use for SSL support. # (required with listen_ssl) Certificate to use for SSL support.
# #
# [*horizon_key*] # [*ssl_key*]
# (required with listen_ssl) Private key to use for SSL support. # (required with listen_ssl) Private key to use for SSL support.
# #
# [*horizon_ca*] # [*ssl_ca*]
# (required with listen_ssl) CA certificate to use for SSL support. # (required with listen_ssl) CA certificate to use for SSL support.
# #
# [*ssl_verify_client*] # [*ssl_verify_client*]
@ -459,6 +459,15 @@
# [*log_handler*] # [*log_handler*]
# (optional) Log handler. Defaults to 'file' # (optional) Log handler. Defaults to 'file'
# #
# [*horizon_cert*]
# (required with listen_ssl) Certificate to use for SSL support.
#
# [*horizon_key*]
# (required with listen_ssl) Private key to use for SSL support.
#
# [*horizon_ca*]
# (required with listen_ssl) CA certificate to use for SSL support.
#
# === Examples # === Examples
# #
# class { 'horizon': # class { 'horizon':
@ -504,9 +513,9 @@ class horizon(
$ssl_no_verify = false, $ssl_no_verify = false,
$openstack_ssl_cacert = '', $openstack_ssl_cacert = '',
$ssl_redirect = true, $ssl_redirect = true,
$horizon_cert = undef, $ssl_cert = undef,
$horizon_key = undef, $ssl_key = undef,
$horizon_ca = undef, $ssl_ca = undef,
$ssl_verify_client = undef, $ssl_verify_client = undef,
$wsgi_processes = $::os_workers, $wsgi_processes = $::os_workers,
$wsgi_threads = '1', $wsgi_threads = '1',
@ -555,6 +564,9 @@ class horizon(
$horizon_upload_mode = undef, $horizon_upload_mode = undef,
# DEPRECATED PARAMETERS # DEPRECATED PARAMETERS
$log_handler = undef, $log_handler = undef,
$horizon_cert = undef,
$horizon_key = undef,
$horizon_ca = undef,
) inherits ::horizon::params { ) inherits ::horizon::params {
include horizon::deps include horizon::deps
@ -687,6 +699,14 @@ release. Use log_handlers instead')
} }
if $configure_apache { if $configure_apache {
if ($horizon_cert or $horizon_key or $horizon_ca) {
warning('horizon::horizon_cert, horizon::horizon_key and horizon::horizon_ca parameter is deprecated')
}
$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }
$ssl_key_real = $horizon_key.lest || { $ssl_key }
$ssl_ca_real = $horizon_ca.lest || { $ssl_ca }
class { 'horizon::wsgi::apache': class { 'horizon::wsgi::apache':
bind_address => $bind_address, bind_address => $bind_address,
servername => $servername, servername => $servername,
@ -695,9 +715,9 @@ release. Use log_handlers instead')
http_port => $http_port, http_port => $http_port,
https_port => $https_port, https_port => $https_port,
ssl_redirect => $ssl_redirect, ssl_redirect => $ssl_redirect,
horizon_cert => $horizon_cert, ssl_cert => $ssl_cert_real,
horizon_key => $horizon_key, ssl_key => $ssl_key_real,
horizon_ca => $horizon_ca, ssl_ca => $ssl_ca_real,
ssl_verify_client => $ssl_verify_client, ssl_verify_client => $ssl_verify_client,
wsgi_processes => $wsgi_processes, wsgi_processes => $wsgi_processes,
wsgi_threads => $wsgi_threads, wsgi_threads => $wsgi_threads,
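Review bot: The init class doc entry for `[*ssl_verify_client*]` (the last context line of the first hunk; its description lies outside the hunk) is left untouched, while the horizon::wsgi::apache doc in this same commit is changed to `(required with ssl_ca)` and the new fail() there enforces it; since init passes `ssl_ca => $ssl_ca_real` straight through, a user reading only init.pp gets no hint that setting ssl_ca without ssl_verify_client now fails. Suggest mirroring the apache wording: `# (required with ssl_ca) Set the Certificate verification level`. The warning added under `if $configure_apache` also reads `parameter is deprecated` for three parameters; `parameters are deprecated` matches the plural and the apache class message. That warning only fires when configure_apache is true, which looks intentional given the `$ssl_*_real` values are only consumed inside that block. The horizon class body continues outside these hunks.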


@ -29,17 +29,18 @@
# [*https_port*] # [*https_port*]
# (optional) Port to use for the HTTPS virtual host. (Defaults to 443) # (optional) Port to use for the HTTPS virtual host. (Defaults to 443)
# #
# [*horizon_cert*] # [*ssl_cert*]
# (required with listen_ssl) Certificate to use for SSL support. # (required with listen_ssl) Certificate to use for SSL support.
# #
# [*horizon_key*] # [*ssl_key*]
# (required with listen_ssl) Private key to use for SSL support. # (required with listen_ssl) Private key to use for SSL support.
# #
# [*horizon_ca*] # [*ssl_ca*]
# (required with listen_ssl) CA certificate to use for SSL support. # (required with listen_ssl) CA certificate to use for SSL support.
# #
# [*ssl_verify_client*] # [*ssl_verify_client*]
# Set the Certificate verification level for Client Authentication. # (required with ssl_ca) Set the Certificate verification level
# for Client Authentication.
# Defaults to undef # Defaults to undef
# #
# [*wsgi_processes*] # [*wsgi_processes*]
@ -95,6 +96,17 @@
# (optional) The log format to use to the access log. # (optional) The log format to use to the access log.
# Defaults to false # Defaults to false
# #
# == DEPRECATED PARAMETERS
#
# [*horizon_cert*]
# (required with listen_ssl) Certificate to use for SSL support.
#
# [*horizon_key*]
# (required with listen_ssl) Private key to use for SSL support.
#
# [*horizon_ca*]
# (required with listen_ssl) CA certificate to use for SSL support.
#
class horizon::wsgi::apache ( class horizon::wsgi::apache (
$bind_address = undef, $bind_address = undef,
$servername = $::fqdn, $servername = $::fqdn,
@ -103,9 +115,9 @@ class horizon::wsgi::apache (
$http_port = 80, $http_port = 80,
$https_port = 443, $https_port = 443,
$ssl_redirect = true, $ssl_redirect = true,
$horizon_cert = undef, $ssl_cert = undef,
$horizon_key = undef, $ssl_key = undef,
$horizon_ca = undef, $ssl_ca = undef,
$ssl_verify_client = undef, $ssl_verify_client = undef,
$wsgi_processes = $::os_workers, $wsgi_processes = $::os_workers,
$wsgi_threads = '1', $wsgi_threads = '1',
@ -118,6 +130,10 @@ class horizon::wsgi::apache (
$root_url = $::horizon::params::root_url, $root_url = $::horizon::params::root_url,
$root_path = "${::horizon::params::static_path}/openstack-dashboard", $root_path = "${::horizon::params::static_path}/openstack-dashboard",
$access_log_format = false, $access_log_format = false,
# DEPRECATED PARAMETERS
$horizon_cert = undef,
$horizon_key = undef,
$horizon_ca = undef,
) inherits horizon::params { ) inherits horizon::params {
include horizon::deps include horizon::deps
@ -147,16 +163,28 @@ class horizon::wsgi::apache (
$root_url_real = $root_url $root_url_real = $root_url
} }
$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }
$ssl_key_real = $horizon_key.lest || { $ssl_key }
$ssl_ca_real = $horizon_ca.lest || { $ssl_ca }
if $listen_ssl { if $listen_ssl {
include apache::mod::ssl include apache::mod::ssl
$ensure_ssl_vhost = 'present' $ensure_ssl_vhost = 'present'
if $horizon_cert == undef { if ($horizon_cert or $horizon_key or $horizon_ca) {
fail('The horizon_cert parameter is required when listen_ssl is true') warning('The horizon_cert, horizon_key and horizon_ca parameters is deprecated, please use ssl_cert, ssl_key and ssl_ca')
} }
if $horizon_key == undef { if $ssl_cert_real == undef {
fail('The horizon_key parameter is required when listen_ssl is true') fail('The ssl_cert parameter is required when listen_ssl is true')
}
if $ssl_key_real == undef {
fail('The ssl_key parameter is required when listen_ssl is true')
}
if ($ssl_ca_real != undef and $ssl_verify_client == undef) {
fail('The ssl_verify_client parameter is required when setting ssl_ca')
} }
if $ssl_redirect { if $ssl_redirect {
@ -238,9 +266,9 @@ class horizon::wsgi::apache (
path => "${root_path}/static", path => "${root_path}/static",
}], }],
port => $http_port, port => $http_port,
ssl_cert => $horizon_cert, ssl_cert => $ssl_cert_real,
ssl_key => $horizon_key, ssl_key => $ssl_key_real,
ssl_ca => $horizon_ca, ssl_ca => $ssl_ca_real,
ssl_verify_client => $ssl_verify_client, ssl_verify_client => $ssl_verify_client,
wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]), wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]),
wsgi_import_script => $::horizon::params::django_wsgi, wsgi_import_script => $::horizon::params::django_wsgi,
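Review bot: The new guard `if ($ssl_ca_real != undef and $ssl_verify_client == undef)` only checks that ssl_verify_client is set, not what it is set to; if puppetlabs-apache 2.1.0 still renders the CA file with `ssl_verify_client => 'none'`, a CA would be configured while client certificates are never verified, and the fail() message `The ssl_verify_client parameter is required when setting ssl_ca` does not convey that — worth confirming against the apache module and, if so, restricting the accepted values with ssl_ca to `optional`/`require` or documenting it in the `[*ssl_verify_client*]` entry. The deprecation warning at `if ($horizon_cert or $horizon_key or $horizon_ca)` sits inside `if $listen_ssl`, so callers passing the deprecated names with listen_ssl false get no notice; placing it next to the `$ssl_cert_real` assignments above that block would make it unconditional. Its wording `parameters is deprecated` should read `parameters are deprecated`. The class body continues outside the hunk.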


@ -0,0 +1,18 @@
---
features:
- |
Added ssl_cert, ssl_key and ssl_ca parameter to init class and the
horizon::wsgi::apache class.
upgrade:
- |
You should now set the ssl_cert, ssl_key and ssl_ca parameters instead of
the horizon_cert, horizon_key and horizon_ca parameters in the init and
horizon::wsgi::apache class.
- |
When setting ssl_ca (or the deprecated horizon_ca) end users must now set
the ssl_verify_client parameter or the puppetlabs-apache module will not
set SSLCACertificate in the vhost configuration.
deprecations:
- |
The horizon_cert, horizon_key and horizon_ca parameters is deprecated.
Please use ssl_cert, ssl_key and ssl_ca.


@ -347,9 +347,9 @@ describe 'horizon' do
params.merge!({ params.merge!({
:listen_ssl => true, :listen_ssl => true,
:servername => 'some.host.tld', :servername => 'some.host.tld',
:horizon_cert => '/etc/pki/tls/certs/httpd.crt', :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key', :ssl_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt', :ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional', :ssl_verify_client => 'optional',
}) })
end end
@ -358,9 +358,9 @@ describe 'horizon' do
is_expected.to contain_class('horizon::wsgi::apache').with({ is_expected.to contain_class('horizon::wsgi::apache').with({
:bind_address => nil, :bind_address => nil,
:listen_ssl => true, :listen_ssl => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt', :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key', :ssl_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt', :ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional', :ssl_verify_client => 'optional',
}) })
end end
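Review bot: The examples only rename the parameters; nothing exercises the deprecated horizon_cert/horizon_key/horizon_ca path this commit adds to the init class, so the `.lest` fallback (the deprecated name winning over the ssl_* value when both are given) and the deprecation warning are untested. A context that passes the horizon_* names and expects `contain_class('horizon::wsgi::apache')` with the same `:ssl_cert`/`:ssl_key`/`:ssl_ca` values would pin that behaviour before the old names are removed. The same gap exists in the horizon::wsgi::apache spec below, where the new `without ssl_verify_client` context covers only the `:ssl_ca` spelling and not `:horizon_ca`.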


@ -128,9 +128,9 @@ describe 'horizon::wsgi::apache' do
params.merge!({ params.merge!({
:listen_ssl => true, :listen_ssl => true,
:ssl_redirect => true, :ssl_redirect => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt', :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key', :ssl_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt', :ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional', :ssl_verify_client => 'optional',
}) })
end end
@ -198,21 +198,32 @@ describe 'horizon::wsgi::apache' do
)} )}
end end
context 'without horizon_cert parameter' do context 'without ssl_cert parameter' do
before do before do
params.merge!( :listen_ssl => true ) params.merge!( :listen_ssl => true )
end end
it { should raise_error(Puppet::Error, /The horizon_cert parameter is required when listen_ssl is true/) } it { should raise_error(Puppet::Error, /The ssl_cert parameter is required when listen_ssl is true/) }
end end
context 'without horizon_key parameter' do context 'without ssl_key parameter' do
before do before do
params.merge!( :listen_ssl => true, params.merge!( :listen_ssl => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt' ) :ssl_cert => '/etc/pki/tls/certs/httpd.crt' )
end end
it { should raise_error(Puppet::Error, /The horizon_key parameter is required when listen_ssl is true/) } it { should raise_error(Puppet::Error, /The ssl_key parameter is required when listen_ssl is true/) }
end
context 'without ssl_verify_client' do
before do
params.merge!( :listen_ssl => true,
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/certs/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/httpd.ca' )
end
it { should raise_error(Puppet::Error, /The ssl_verify_client parameter is required when setting ssl_ca/) }
end end
context 'with extra parameters' do context 'with extra parameters' do
@ -310,9 +321,10 @@ describe 'horizon::wsgi::apache' do
params.merge!({ params.merge!({
:listen_ssl => true, :listen_ssl => true,
:ssl_redirect => true, :ssl_redirect => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt', :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key', :ssl_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt', :ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
}) })
end end
@ -332,9 +344,10 @@ describe 'horizon::wsgi::apache' do
params.merge!({ params.merge!({
:listen_ssl => true, :listen_ssl => true,
:ssl_redirect => true, :ssl_redirect => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt', :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key', :ssl_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt', :ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
:root_url => '/', :root_url => '/',
}) })
end end
@ -355,9 +368,10 @@ describe 'horizon::wsgi::apache' do
params.merge!({ params.merge!({
:listen_ssl => true, :listen_ssl => true,
:ssl_redirect => true, :ssl_redirect => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt', :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key', :ssl_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt', :ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
:root_url => '', :root_url => '',
}) })
end end
@ -378,9 +392,10 @@ describe 'horizon::wsgi::apache' do
params.merge!({ params.merge!({
:listen_ssl => true, :listen_ssl => true,
:ssl_redirect => false, :ssl_redirect => false,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt', :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key', :ssl_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt', :ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
}) })
end end
@ -400,9 +415,10 @@ describe 'horizon::wsgi::apache' do
params.merge!({ params.merge!({
:listen_ssl => true, :listen_ssl => true,
:ssl_redirect => false, :ssl_redirect => false,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt', :ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key', :ssl_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt', :ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
:root_url => '/custom', :root_url => '/custom',
}) })
end end