Merge "Rename horizon_* ssl params to ssl_*"

Zuul 2020-10-16 08:20:58 +00:00 committed by Gerrit Code Review
commit 274deeb09e
5 changed files with 148 additions and 66 deletions


@ -208,13 +208,13 @@
# (optional) Whether to redirect http to https
# Defaults to True
#
# [*horizon_cert*]
# [*ssl_cert*]
# (required with listen_ssl) Certificate to use for SSL support.
#
# [*horizon_key*]
# [*ssl_key*]
# (required with listen_ssl) Private key to use for SSL support.
#
# [*horizon_ca*]
# [*ssl_ca*]
# (required with listen_ssl) CA certificate to use for SSL support.
#
# [*ssl_verify_client*]
@ -459,6 +459,15 @@
# [*log_handler*]
# (optional) Log handler. Defaults to 'file'
#
# [*horizon_cert*]
# (required with listen_ssl) Certificate to use for SSL support.
#
# [*horizon_key*]
# (required with listen_ssl) Private key to use for SSL support.
#
# [*horizon_ca*]
# (required with listen_ssl) CA certificate to use for SSL support.
#
# === Examples
#
# class { 'horizon':
@ -504,9 +513,9 @@ class horizon(
$ssl_no_verify = false,
$openstack_ssl_cacert = '',
$ssl_redirect = true,
$horizon_cert = undef,
$horizon_key = undef,
$horizon_ca = undef,
$ssl_cert = undef,
$ssl_key = undef,
$ssl_ca = undef,
$ssl_verify_client = undef,
$wsgi_processes = $::os_workers,
$wsgi_threads = '1',
@ -555,6 +564,9 @@ class horizon(
$horizon_upload_mode = undef,
# DEPRECATED PARAMETERS
$log_handler = undef,
$horizon_cert = undef,
$horizon_key = undef,
$horizon_ca = undef,
) inherits ::horizon::params {
include horizon::deps
@ -687,6 +699,14 @@ release. Use log_handlers instead')
}
if $configure_apache {
if ($horizon_cert or $horizon_key or $horizon_ca) {
warning('horizon::horizon_cert, horizon::horizon_key and horizon::horizon_ca parameter is deprecated')
}
$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }
$ssl_key_real = $horizon_key.lest || { $ssl_key }
$ssl_ca_real = $horizon_ca.lest || { $ssl_ca }
class { 'horizon::wsgi::apache':
bind_address => $bind_address,
servername => $servername,
@ -695,9 +715,9 @@ release. Use log_handlers instead')
http_port => $http_port,
https_port => $https_port,
ssl_redirect => $ssl_redirect,
horizon_cert => $horizon_cert,
horizon_key => $horizon_key,
horizon_ca => $horizon_ca,
ssl_cert => $ssl_cert_real,
ssl_key => $ssl_key_real,
ssl_ca => $ssl_ca_real,
ssl_verify_client => $ssl_verify_client,
wsgi_processes => $wsgi_processes,
wsgi_threads => $wsgi_threads,
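Review bot: The fallback `$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }` (and the matching key and CA lines) lets the deprecated parameter win silently when both names are set. A stale `horizon_cert` left in one data layer would keep overriding a rotated `ssl_cert`, and mixing old and new names can pair a certificate with the wrong key. The warning above it does not say which value is used; consider failing when both are given, e.g. `if $horizon_cert and $ssl_cert { fail('Set only one of horizon_cert and ssl_cert') }`, or at least naming the winning value in the warning. The doc entries added for the deprecated parameters still read "(required with listen_ssl)"; `# (optional) DEPRECATED. Use ssl_cert instead.` would be accurate. The class body starts and ends outside these hunks.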


@ -29,17 +29,18 @@
# [*https_port*]
# (optional) Port to use for the HTTPS virtual host. (Defaults to 443)
#
# [*horizon_cert*]
# [*ssl_cert*]
# (required with listen_ssl) Certificate to use for SSL support.
#
# [*horizon_key*]
# [*ssl_key*]
# (required with listen_ssl) Private key to use for SSL support.
#
# [*horizon_ca*]
# [*ssl_ca*]
# (required with listen_ssl) CA certificate to use for SSL support.
#
# [*ssl_verify_client*]
# Set the Certificate verification level for Client Authentication.
# (required with ssl_ca) Set the Certificate verification level
# for Client Authentication.
# Defaults to undef
#
# [*wsgi_processes*]
@ -95,6 +96,17 @@
# (optional) The log format to use to the access log.
# Defaults to false
#
# == DEPRECATED PARAMETERS
#
# [*horizon_cert*]
# (required with listen_ssl) Certificate to use for SSL support.
#
# [*horizon_key*]
# (required with listen_ssl) Private key to use for SSL support.
#
# [*horizon_ca*]
# (required with listen_ssl) CA certificate to use for SSL support.
#
class horizon::wsgi::apache (
$bind_address = undef,
$servername = $::fqdn,
@ -103,9 +115,9 @@ class horizon::wsgi::apache (
$http_port = 80,
$https_port = 443,
$ssl_redirect = true,
$horizon_cert = undef,
$horizon_key = undef,
$horizon_ca = undef,
$ssl_cert = undef,
$ssl_key = undef,
$ssl_ca = undef,
$ssl_verify_client = undef,
$wsgi_processes = $::os_workers,
$wsgi_threads = '1',
@ -118,6 +130,10 @@ class horizon::wsgi::apache (
$root_url = $::horizon::params::root_url,
$root_path = "${::horizon::params::static_path}/openstack-dashboard",
$access_log_format = false,
# DEPRECATED PARAMETERS
$horizon_cert = undef,
$horizon_key = undef,
$horizon_ca = undef,
) inherits horizon::params {
include horizon::deps
@ -147,16 +163,28 @@ class horizon::wsgi::apache (
$root_url_real = $root_url
}
$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }
$ssl_key_real = $horizon_key.lest || { $ssl_key }
$ssl_ca_real = $horizon_ca.lest || { $ssl_ca }
if $listen_ssl {
include apache::mod::ssl
$ensure_ssl_vhost = 'present'
if $horizon_cert == undef {
fail('The horizon_cert parameter is required when listen_ssl is true')
if ($horizon_cert or $horizon_key or $horizon_ca) {
warning('The horizon_cert, horizon_key and horizon_ca parameters is deprecated, please use ssl_cert, ssl_key and ssl_ca')
}
if $horizon_key == undef {
fail('The horizon_key parameter is required when listen_ssl is true')
if $ssl_cert_real == undef {
fail('The ssl_cert parameter is required when listen_ssl is true')
}
if $ssl_key_real == undef {
fail('The ssl_key parameter is required when listen_ssl is true')
}
if ($ssl_ca_real != undef and $ssl_verify_client == undef) {
fail('The ssl_verify_client parameter is required when setting ssl_ca')
}
if $ssl_redirect {
@ -238,9 +266,9 @@ class horizon::wsgi::apache (
path => "${root_path}/static",
}],
port => $http_port,
ssl_cert => $horizon_cert,
ssl_key => $horizon_key,
ssl_ca => $horizon_ca,
ssl_cert => $ssl_cert_real,
ssl_key => $ssl_key_real,
ssl_ca => $ssl_ca_real,
ssl_verify_client => $ssl_verify_client,
wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]),
wsgi_import_script => $::horizon::params::django_wsgi,
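Review bot: The new guard `if ($ssl_ca_real != undef and $ssl_verify_client == undef)` only checks that `ssl_verify_client` is set, not what it is set to. A value such as `none` or `optional_no_ca` passes the check while the vhost does not enforce client-certificate validation against the configured CA; whether the apache module rejects other values is not visible here. Document the accepted values in the `[*ssl_verify_client*]` entry and say which ones actually enforce verification, since the specs only exercise `'optional'`. The warning text also reads "parameters is deprecated"; `'The horizon_cert, horizon_key and horizon_ca parameters are deprecated, please use ssl_cert, ssl_key and ssl_ca'` would be correct.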


@ -0,0 +1,18 @@
---
features:
- |
Added ssl_cert, ssl_key and ssl_ca parameter to init class and the
horizon::wsgi::apache class.
upgrade:
- |
You should now set the ssl_cert, ssl_key and ssl_ca parameters instead of
the horizon_cert, horizon_key and horizon_ca parameters in the init and
horizon::wsgi::apache class.
- |
When setting ssl_ca (or the deprecated horizon_ca) end users must now set
the ssl_verify_client parameter or the puppetlabs-apache module will not
set SSLCACertificate in the vhost configuration.
deprecations:
- |
The horizon_cert, horizon_key and horizon_ca parameters is deprecated.
Please use ssl_cert, ssl_key and ssl_ca.


@ -347,9 +347,9 @@ describe 'horizon' do
params.merge!({
:listen_ssl => true,
:servername => 'some.host.tld',
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/private/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
})
end
@ -358,9 +358,9 @@ describe 'horizon' do
is_expected.to contain_class('horizon::wsgi::apache').with({
:bind_address => nil,
:listen_ssl => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/private/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
})
end
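Review bot: Nothing in the visible spec hunks exercises the deprecated `horizon_cert`, `horizon_key` and `horizon_ca` parameters any more; the fixtures here and in the `horizon::wsgi::apache` spec were all switched to the `ssl_*` names. The manifests still accept the old names and map them through `.lest`, so add a context that passes only the `horizon_*` values and expects `contain_class('horizon::wsgi::apache').with(:ssl_cert => '/etc/pki/tls/certs/httpd.crt')` and the matching key and CA. A second context should set `horizon_ca` without `ssl_verify_client` and expect the new `ssl_verify_client parameter is required` failure. Without these, a regression in the compatibility path would only surface when an operator's TLS configuration changes on upgrade.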


@ -128,9 +128,9 @@ describe 'horizon::wsgi::apache' do
params.merge!({
:listen_ssl => true,
:ssl_redirect => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/private/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
})
end
@ -198,21 +198,32 @@ describe 'horizon::wsgi::apache' do
)}
end
context 'without horizon_cert parameter' do
context 'without ssl_cert parameter' do
before do
params.merge!( :listen_ssl => true )
end
it { should raise_error(Puppet::Error, /The horizon_cert parameter is required when listen_ssl is true/) }
it { should raise_error(Puppet::Error, /The ssl_cert parameter is required when listen_ssl is true/) }
end
context 'without horizon_key parameter' do
context 'without ssl_key parameter' do
before do
params.merge!( :listen_ssl => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt' )
params.merge!( :listen_ssl => true,
:ssl_cert => '/etc/pki/tls/certs/httpd.crt' )
end
it { should raise_error(Puppet::Error, /The horizon_key parameter is required when listen_ssl is true/) }
it { should raise_error(Puppet::Error, /The ssl_key parameter is required when listen_ssl is true/) }
end
context 'without ssl_verify_client' do
before do
params.merge!( :listen_ssl => true,
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/certs/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/httpd.ca' )
end
it { should raise_error(Puppet::Error, /The ssl_verify_client parameter is required when setting ssl_ca/) }
end
context 'with extra parameters' do
@ -308,11 +319,12 @@ describe 'horizon::wsgi::apache' do
context 'with listen_ssl and ssl_redirect set to true' do
before do
params.merge!({
:listen_ssl => true,
:ssl_redirect => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
:listen_ssl => true,
:ssl_redirect => true,
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/private/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
})
end
@ -330,12 +342,13 @@ describe 'horizon::wsgi::apache' do
context 'with listen_ssl and ssl_redirect with a slash root_url' do
before do
params.merge!({
:listen_ssl => true,
:ssl_redirect => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
:root_url => '/',
:listen_ssl => true,
:ssl_redirect => true,
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/private/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
:root_url => '/',
})
end
@ -353,12 +366,13 @@ describe 'horizon::wsgi::apache' do
context 'with listen_ssl and ssl_redirect with a empty root_url' do
before do
params.merge!({
:listen_ssl => true,
:ssl_redirect => true,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
:root_url => '',
:listen_ssl => true,
:ssl_redirect => true,
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/private/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
:root_url => '',
})
end
@ -376,11 +390,12 @@ describe 'horizon::wsgi::apache' do
context 'with listen_ssl and ssl_redirect disabled' do
before do
params.merge!({
:listen_ssl => true,
:ssl_redirect => false,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
:listen_ssl => true,
:ssl_redirect => false,
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/private/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
})
end
@ -398,12 +413,13 @@ describe 'horizon::wsgi::apache' do
context 'with listen_ssl and ssl_redirect disabled with custom root_url' do
before do
params.merge!({
:listen_ssl => true,
:ssl_redirect => false,
:horizon_cert => '/etc/pki/tls/certs/httpd.crt',
:horizon_key => '/etc/pki/tls/private/httpd.key',
:horizon_ca => '/etc/pki/tls/certs/ca.crt',
:root_url => '/custom',
:listen_ssl => true,
:ssl_redirect => false,
:ssl_cert => '/etc/pki/tls/certs/httpd.crt',
:ssl_key => '/etc/pki/tls/private/httpd.key',
:ssl_ca => '/etc/pki/tls/certs/ca.crt',
:ssl_verify_client => 'optional',
:root_url => '/custom',
})
end