Ensure we configure ssl.conf

Every time we call apache module regardless of using SSL we have to configure mod_ssl from puppet-apache or we'll hit issue during package update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains Listen 443 while apache::mod::ssl just configures SSL bits but does not add Listen. If the apache::mod::ssl is not included the ssl.conf file is removed and recreated during mod_ssl package update. This causes conflict on port 443. Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8 Related-Bug: 1682448 Resolves: rhbz#1441977
2017-04-13 19:21:45 +02:00 · 2017-04-13 19:21:45 +02:00 · 9e729c0db2
commit 9e729c0db2
parent de791082c7
14 changed files with 23 additions and 0 deletions
--- a/manifests/profile/base/aodh/api.pp
+++ b/manifests/profile/base/aodh/api.pp
@ -68,6 +68,7 @@ class tripleo::profile::base::aodh::api (

  if $step >= 3 {
    include ::aodh::api
+    include ::apache::mod::ssl
    class { '::aodh::wsgi::apache':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/barbican/api.pp
+++ b/manifests/profile/base/barbican/api.pp
@ -158,6 +158,7 @@ class tripleo::profile::base::barbican::api (
    include ::barbican::api::logging
    include ::barbican::keystone::notification
    include ::barbican::quota
+    include ::apache::mod::ssl
    class { '::barbican::wsgi::apache':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/ceilometer/api.pp
+++ b/manifests/profile/base/ceilometer/api.pp
@ -65,6 +65,7 @@ class tripleo::profile::base::ceilometer::api (

  if $step >= 4 {
    include ::ceilometer::api
+    include ::apache::mod::ssl
    class { '::ceilometer::wsgi::apache':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/cinder/api.pp
+++ b/manifests/profile/base/cinder/api.pp
@ -76,6 +76,7 @@ class tripleo::profile::base::cinder::api (

  if $step >= 4 or ($step >= 3 and $sync_db) {
    include ::cinder::api
+    include ::apache::mod::ssl
    class { '::cinder::wsgi::apache':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@ -85,6 +85,7 @@ class tripleo::profile::base::gnocchi::api (

  if $step >= 4 {
    include ::gnocchi::api
+    include ::apache::mod::ssl
    class { '::gnocchi::wsgi::apache':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/heat/api.pp
+++ b/manifests/profile/base/heat/api.pp
@ -65,6 +65,7 @@ class tripleo::profile::base::heat::api (

  if $step >= 3 {
    include ::heat::api
+    include ::apache::mod::ssl
    class { '::heat::wsgi::apache_api':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/heat/api_cfn.pp
+++ b/manifests/profile/base/heat/api_cfn.pp
@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cfn (
  if $step >= 3 {
    include ::heat::api_cfn

+    include ::apache::mod::ssl
    class { '::heat::wsgi::apache_api_cfn':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/heat/api_cloudwatch.pp
+++ b/manifests/profile/base/heat/api_cloudwatch.pp
@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cloudwatch (
  if $step >= 3 {
    include ::heat::api_cloudwatch

+    include ::apache::mod::ssl
    class { '::heat::wsgi::apache_api_cloudwatch':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@ -211,6 +211,7 @@ class tripleo::profile::base::keystone (
    }

    include ::keystone::config
+    include ::apache::mod::ssl
    class { '::keystone::wsgi::apache':
      ssl_cert       => $tls_certfile,
      ssl_key        => $tls_keyfile,
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@ -94,6 +94,7 @@ class tripleo::profile::base::nova::api (
      $tls_keyfile = undef
    }
    if $step >= 4 or ($step >= 3 and $sync_db) {
+      include ::apache::mod::ssl
      class { '::nova::wsgi::apache_api':
        ssl_cert => $tls_certfile,
        ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/nova/placement.pp
+++ b/manifests/profile/base/nova/placement.pp
@ -74,6 +74,7 @@ class tripleo::profile::base::nova::placement (
  }

  if $step >= 3 {
+    include ::apache::mod::ssl
    class { '::nova::wsgi::apache_placement':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/panko/api.pp
+++ b/manifests/profile/base/panko/api.pp
@ -79,6 +79,7 @@ class tripleo::profile::base::panko::api (
    class { '::panko::api':
      sync_db => $sync_db,
    }
+    include ::apache::mod::ssl
    class { '::panko::wsgi::apache':
      ssl_cert => $tls_certfile,
      ssl_key  => $tls_keyfile,
--- a/manifests/profile/base/zaqar.pp
+++ b/manifests/profile/base/zaqar.pp
@ -50,6 +50,7 @@ class tripleo::profile::base::zaqar (
      uri => $database_connection,
    }
    include ::zaqar::transport::websocket
+    include ::apache::mod::ssl
    include ::zaqar::transport::wsgi

    # TODO (bcrochet): At some point, the transports should be split out to
--- a/releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml
+++ b/releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml
@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    With having package mod_ssl by default installed in images we introduced
+    issue with mod_ssl package update. In case of SSL not being used or
+    provided by HAproxy the puppet-apache module by default purges the
+    ssl.conf file. The package update then recreates the file with default
+    Listen 443 option. This causes conflict on 443 port during httpd restart.
+    If we include ::apache::mod::ssl the ssl.conf file will be configured and
+    the Listen option will be used only if there is vhost set to use SSL.