Add ssl_verify_client parameter for horizon

The recent change in puppet-horizon[1] made the ssl_verify_client parameter mandatory when ssl_ca is set. This patch makes sure that the ssl_verify_client parameter is set properly. In addition, internal tls cert is not valid when internal tls is not enabled. This patch also addresses that point, and make ssl_ca is set only when needed. [1] https://review.opendev.org/#/c/758041/6 Closes-Bug: #1900947 Change-Id: I286f69b8d3775d7538685e799f092ce47b5d75a7
2020-10-23 00:42:34 +09:00 · 2020-10-23 00:42:34 +09:00 · 132c0b1e79
parent d3b099fac9
commit 132c0b1e79
1 changed files with 6 additions and 1 deletions
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@ -223,11 +223,16 @@ outputs:
              params:
                $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
          horizon::listen_ssl: {get_param: EnableInternalTLS}
-          horizon::ssl_ca: {get_param: InternalTLSCAFile}
          horizon::customization_module: {get_param: HorizonCustomizationModule}
          horizon::timezone: {get_param: TimeZone}
          horizon::file_upload_temp_dir: '/var/tmp'
          horizon::help_url: {get_param: HorizonHelpURL}
+        -
+          if:
+          - internal_tls_enabled
+          - horizon::ssl_ca: {get_param: InternalTLSCAFile}
+            horizon::ssl_verify_client: true
+          - {}
        -
          if:
          - websso_enabled