openstack
/
puppet-heat
Code Issues Proposed changes

Prepare to update default of <service>::wsgi::apache::ssl 

Currently the <service>::wsgi::apache::ssl parameters have inconsistent
default values. Some parameters default to true while the other default
to false.

Based on the following points, false is considered to be the more
reasonable default.
 - Usage of SSL is optional and is not always required
 - There are other methods(like load-balancer) to implement SSL
   termination
 - Enabling SSL doesn't work with the default values currently
   defined, and requires additional parameters like ssl_cert.
 - false is the default value defined in the base implementation in
   puppet-openstacklib.

This change is the preparation to change the default value, and
introduces a warning message to make users aware of the future change.

Change-Id: I76516e3d0c659fabdb7736ff4a5a6621eed29371
This commit is contained in:
Takashi Kajinami 2021-11-03 20:52:09 +09:00
parent 06fae4a812
commit 603f545cbc
4 changed files with 34 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
manifests/wsgi/apache.pp
View File

@ -108,7 +108,7 @@ define heat::wsgi::apache (
$servername = $::fqdn,
$bind_host = undef,
$path = '/',
$ssl = true,
$ssl = undef,
$workers = $::os_workers,
$ssl_cert = undef,
$ssl_key = undef,
@ -129,11 +129,17 @@ define heat::wsgi::apache (
if $title !~ /^api(|_cfn)$/ {
fail('The valid options are api, api_cfn')
}
if $ssl == undef {
warning('Default of the ssl parameter will be changed in a future release')
}
$ssl_real = pick($ssl, true)
include heat::deps
include heat::params
include apache
include apache::mod::wsgi
if $ssl {
if $ssl_real {
include apache::mod::ssl
}
@ -144,7 +150,7 @@ define heat::wsgi::apache (
path => $path,
priority => $priority,
servername => $servername,
ssl => $ssl,
ssl => $ssl_real,
ssl_ca => $ssl_ca,
ssl_cert => $ssl_cert,
ssl_certs_dir => $ssl_certs_dir,

10
manifests/wsgi/apache_api.pp
View File

@ -104,7 +104,7 @@ class heat::wsgi::apache_api (
$servername = $::fqdn,
$bind_host = undef,
$path = '/',
$ssl = true,
$ssl = undef,
$workers = $::os_workers,
$ssl_cert = undef,
$ssl_key = undef,
@ -122,12 +122,18 @@ class heat::wsgi::apache_api (
$wsgi_process_display_name = undef,
$vhost_custom_fragment = undef,
) {
if $ssl == undef {
warning('Default of the ssl parameter will be changed in a future release')
}
$ssl_real = pick($ssl, true)
heat::wsgi::apache { 'api':
port => $port,
servername => $servername,
bind_host => $bind_host,
path => $path,
ssl => $ssl,
ssl => $ssl_real,
workers => $workers,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,

9
manifests/wsgi/apache_api_cfn.pp
View File

@ -105,7 +105,7 @@ class heat::wsgi::apache_api_cfn (
$servername = $::fqdn,
$bind_host = undef,
$path = '/',
$ssl = true,
$ssl = undef,
$workers = $::os_workers,
$ssl_cert = undef,
$ssl_key = undef,
@ -125,6 +125,11 @@ class heat::wsgi::apache_api_cfn (
$vhost_custom_fragment = 'RequestHeader set Content-Type "application/json"',
) {
if $ssl == undef {
warning('Default of the ssl parameter will be changed in a future release')
}
$ssl_real = pick($ssl, true)
# See custom fragment below
include apache
include apache::mod::headers
@ -145,7 +150,7 @@ class heat::wsgi::apache_api_cfn (
servername => $servername,
bind_host => $bind_host,
path => $path,
ssl => $ssl,
ssl => $ssl_real,
workers => $workers,
ssl_cert => $ssl_cert,
ssl_key => $ssl_key,

10
releasenotes/notes/prepare-to-change-apache-ssl-0fe3526e8fdb82b3.yaml Normal file
View File

@ -0,0 +1,10 @@
---
upgrade:
- |
Default value of the following three parameters will be changed from
``true`` to ``false`` in a future release. Make sure the parameter is set
to the desired value.
- ``heat::wsgi::apache::ssl``
- ``heat::wsgi::apache_api::ssl``
- ``heat::wsgi::apache_api_cfn::ssl``