From 132c0b1e792084664920fc8ac6c984cb4d1b823d Mon Sep 17 00:00:00 2001
From: Takashi Kajinami
Date: Fri, 23 Oct 2020 00:42:34 +0900
Subject: [PATCH] Add ssl_verify_client parameter for horizon

The recent change in puppet-horizon[1] made the ssl_verify_client parameter mandatory when ssl_ca is set. This patch makes sure that the ssl_verify_client parameter is set properly. In addition, internal tls cert is not valid when internal tls is not enabled. This patch also addresses that point, and make ssl_ca is set only when needed.
[1] https://review.opendev.org/#/c/758041/6
Closes-Bug: #1900947
Change-Id: I286f69b8d3775d7538685e799f092ce47b5d75a7
---
 deployment/horizon/horizon-container-puppet.yaml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/deployment/horizon/horizon-container-puppet.yaml b/deployment/horizon/horizon-container-puppet.yaml
index 6226eeb4e3..04e3da79cb 100644
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@@ -223,11 +223,16 @@ outputs:
 params:
 $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
 horizon::listen_ssl: {get_param: EnableInternalTLS}
- horizon::ssl_ca: {get_param: InternalTLSCAFile}
 horizon::customization_module: {get_param: HorizonCustomizationModule}
 horizon::timezone: {get_param: TimeZone}
 horizon::file_upload_temp_dir: '/var/tmp'
 horizon::help_url: {get_param: HorizonHelpURL}
+ -
+ if:
+ - internal_tls_enabled
+ - horizon::ssl_ca: {get_param: InternalTLSCAFile}
+ horizon::ssl_verify_client: true
+ - {}
 -
 if:
 - websso_enabled
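Review bot: `horizon::ssl_verify_client: true` in the added `internal_tls_enabled` branch passes a boolean where a verification level is normally expected. Apache's `SSLVerifyClient` accepts `none`, `optional`, `require` or `optional_no_ca`; if puppet-horizon hands this value through to the vhost (that module is not visible here, so this needs confirming), `true` names none of them. The level matters for a dashboard, because `require` turns away browsers that present no client certificate while `optional` does not enforce one. I would state the intended level explicitly, for example `horizon::ssl_verify_client: 'optional'` if access without a client certificate has to keep working, and add a comment such as `# ssl_ca is only set with internal TLS; puppet-horizon requires ssl_verify_client alongside it`. The enclosing settings list starts and ends outside the hunk.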