apache+mod_wsgi: Disable SSL by default

During the previous cycle, a warning message was added to inform users of this change. Now the default value is updated so that SSL is disabled by default. Change-Id: I0fa974214bae800eb0bd9fd19a9824152e9e5632
2022-05-06 20:50:33 +09:00 · 2022-05-06 20:50:33 +09:00 · 472d22e584
parent afc28df75d
commit 472d22e584
3 changed files with 10 additions and 11 deletions
--- a/manifests/wsgi/apache.pp
+++ b/manifests/wsgi/apache.pp
@ -28,7 +28,7 @@
 #
 # [*ssl*]
 #   (Optional) Use SSL.
-#   Defaults to true
+#   Defaults to false
 #
 # [*workers*]
 #   (Optional) Number of WSGI workers to spawn.
@ -138,7 +138,7 @@ class keystone::wsgi::apache (
  $bind_host                         = undef,
  $api_port                          = 5000,
  $path                              = '/',
-  $ssl                               = undef,
+  $ssl                               = false,
  $workers                           = $::os_workers_keystone,
  $ssl_cert                          = undef,
  $ssl_key                           = undef,
@ -165,11 +165,6 @@ class keystone::wsgi::apache (
  $custom_wsgi_process_options       = {},
 ) inherits keystone::params {

-  if $ssl == undef {
-    warning('Default of the ssl parameter will be changed in a future release')
-  }
-  $ssl_real = pick($ssl, true)
-
  include keystone::deps

  ::openstacklib::wsgi::apache { 'keystone_wsgi':
@ -182,7 +177,7 @@ class keystone::wsgi::apache (
    threads                     => $threads,
    user                        => $::keystone::params::keystone_user,
    priority                    => $priority,
-    ssl                         => $ssl_real,
+    ssl                         => $ssl,
    ssl_cert                    => $ssl_cert,
    ssl_key                     => $ssl_key,
    ssl_chain                   => $ssl_chain,
--- a/releasenotes/notes/disable-apache-ssl-58975d0ddabc49a5.yaml
+++ b/releasenotes/notes/disable-apache-ssl-58975d0ddabc49a5.yaml
@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    Default value of the ``keystone::wsgi::apache::ssl`` parameter has been
+    changed from ``true`` to ``false`` and now ssl is disabled by default.
--- a/spec/classes/keystone_wsgi_apache_spec.rb
+++ b/spec/classes/keystone_wsgi_apache_spec.rb
@ -5,7 +5,6 @@ describe 'keystone::wsgi::apache' do
  let :pre_condition do
    "class { 'keystone':
       service_name => 'httpd',
-       enable_ssl   => true,
     }"
  end

@ -25,7 +24,7 @@ describe 'keystone::wsgi::apache' do
        :threads                     => 1,
        :user                        => 'keystone',
        :priority                    => '10',
-        :ssl                         => true,
+        :ssl                         => false,
        :wsgi_daemon_process         => 'keystone',
        :wsgi_process_display_name   => 'keystone',
        :wsgi_process_group          => 'keystone',
@ -53,7 +52,7 @@ describe 'keystone::wsgi::apache' do
          :bind_host                   => '127.0.0.1',
          :api_port                    => 1234,
          :path                        => '/keystone',
-          :ssl                         => false,
+          :ssl                         => true,
          :workers                     => 10,
          :ssl_cert                    => 'ssl cert',
          :ssl_key                     => 'ssl key',