diff --git a/manifests/init.pp b/manifests/init.pp index 422d4d74..4818a24c 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -217,6 +217,10 @@ # [*horizon_ca*] # (required with listen_ssl) CA certificate to use for SSL support. # +# [*ssl_verify_client*] +# Set the Certificate verification level for Client Authentication. +# Defaults to undef +# # [*wsgi_processes*] # (optional) Number of Horizon processes to spawn # Defaults to $::os_workers @@ -503,6 +507,7 @@ class horizon( $horizon_cert = undef, $horizon_key = undef, $horizon_ca = undef, + $ssl_verify_client = undef, $wsgi_processes = $::os_workers, $wsgi_threads = '1', $compress_offline = true, @@ -693,6 +698,7 @@ release. Use log_handlers instead') horizon_cert => $horizon_cert, horizon_key => $horizon_key, horizon_ca => $horizon_ca, + ssl_verify_client => $ssl_verify_client, wsgi_processes => $wsgi_processes, wsgi_threads => $wsgi_threads, extra_params => $vhost_extra_params, diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp index b7610531..863f3daf 100644 --- a/manifests/wsgi/apache.pp +++ b/manifests/wsgi/apache.pp @@ -38,6 +38,10 @@ # [*horizon_ca*] # (required with listen_ssl) CA certificate to use for SSL support. # +# [*ssl_verify_client*] +# Set the Certificate verification level for Client Authentication. +# Defaults to undef +# # [*wsgi_processes*] # (optional) Number of Horizon processes to spawn # Defaults to $::os_workers @@ -102,6 +106,7 @@ class horizon::wsgi::apache ( $horizon_cert = undef, $horizon_key = undef, $horizon_ca = undef, + $ssl_verify_client = undef, $wsgi_processes = $::os_workers, $wsgi_threads = '1', $custom_wsgi_process_options = {}, @@ -236,6 +241,7 @@ class horizon::wsgi::apache ( ssl_cert => $horizon_cert, ssl_key => $horizon_key, ssl_ca => $horizon_ca, + ssl_verify_client => $ssl_verify_client, wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]), wsgi_import_script => $::horizon::params::django_wsgi, wsgi_process_group => $::horizon::params::wsgi_group, diff --git a/releasenotes/notes/add-ssl_verify_client-3e2bc9a7f1d4291a.yaml b/releasenotes/notes/add-ssl_verify_client-3e2bc9a7f1d4291a.yaml new file mode 100644 index 00000000..54f0236e --- /dev/null +++ b/releasenotes/notes/add-ssl_verify_client-3e2bc9a7f1d4291a.yaml @@ -0,0 +1,10 @@ +--- +features: + - | + Added the ssl_verify_client parameter to init class and horizon::wsgi::apache + that is passed down to the created apache::vhost resource. +upgrade: + - | + The puppetlabs-apache module 2.1.0 introduced a change where ssl_verify_client + is required otherwise the SSL CA certificate passed to the horizon module using + the horizon_ca parameter is ignored. diff --git a/spec/classes/horizon_init_spec.rb b/spec/classes/horizon_init_spec.rb index 47621bd6..7ea438db 100644 --- a/spec/classes/horizon_init_spec.rb +++ b/spec/classes/horizon_init_spec.rb @@ -345,21 +345,23 @@ describe 'horizon' do context 'with ssl enabled' do before do params.merge!({ - :listen_ssl => true, - :servername => 'some.host.tld', - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :listen_ssl => true, + :servername => 'some.host.tld', + :horizon_cert => '/etc/pki/tls/certs/httpd.crt', + :horizon_key => '/etc/pki/tls/private/httpd.key', + :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_verify_client => 'optional', }) end it 'configures apache' do is_expected.to contain_class('horizon::wsgi::apache').with({ - :bind_address => nil, - :listen_ssl => true, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :bind_address => nil, + :listen_ssl => true, + :horizon_cert => '/etc/pki/tls/certs/httpd.crt', + :horizon_key => '/etc/pki/tls/private/httpd.key', + :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_verify_client => 'optional', }) end end diff --git a/spec/classes/horizon_wsgi_apache_spec.rb b/spec/classes/horizon_wsgi_apache_spec.rb index 5e1d214f..02cc3650 100644 --- a/spec/classes/horizon_wsgi_apache_spec.rb +++ b/spec/classes/horizon_wsgi_apache_spec.rb @@ -126,11 +126,12 @@ describe 'horizon::wsgi::apache' do context 'with ssl enabled' do before do params.merge!({ - :listen_ssl => true, - :ssl_redirect => true, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :listen_ssl => true, + :ssl_redirect => true, + :horizon_cert => '/etc/pki/tls/certs/httpd.crt', + :horizon_key => '/etc/pki/tls/private/httpd.key', + :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_verify_client => 'optional', }) end @@ -149,6 +150,7 @@ describe 'horizon::wsgi::apache' do :ssl_cert => '/etc/pki/tls/certs/httpd.crt', :ssl_key => '/etc/pki/tls/private/httpd.key', :ssl_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_verify_client => 'optional', :redirectmatch_status => 'permanent', :redirectmatch_regexp => '^/$', :redirectmatch_dest => platforms_params[:root_url],