Ensure we configure ssl.conf

Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.

Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
This commit is contained in:
Lukas Bezdicka 2017-04-13 19:21:45 +02:00
parent de791082c7
commit 9e729c0db2
14 changed files with 23 additions and 0 deletions

View File

@ -68,6 +68,7 @@ class tripleo::profile::base::aodh::api (
if $step >= 3 {
include ::aodh::api
include ::apache::mod::ssl
class { '::aodh::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -158,6 +158,7 @@ class tripleo::profile::base::barbican::api (
include ::barbican::api::logging
include ::barbican::keystone::notification
include ::barbican::quota
include ::apache::mod::ssl
class { '::barbican::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -65,6 +65,7 @@ class tripleo::profile::base::ceilometer::api (
if $step >= 4 {
include ::ceilometer::api
include ::apache::mod::ssl
class { '::ceilometer::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -76,6 +76,7 @@ class tripleo::profile::base::cinder::api (
if $step >= 4 or ($step >= 3 and $sync_db) {
include ::cinder::api
include ::apache::mod::ssl
class { '::cinder::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -85,6 +85,7 @@ class tripleo::profile::base::gnocchi::api (
if $step >= 4 {
include ::gnocchi::api
include ::apache::mod::ssl
class { '::gnocchi::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -65,6 +65,7 @@ class tripleo::profile::base::heat::api (
if $step >= 3 {
include ::heat::api
include ::apache::mod::ssl
class { '::heat::wsgi::apache_api':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cfn (
if $step >= 3 {
include ::heat::api_cfn
include ::apache::mod::ssl
class { '::heat::wsgi::apache_api_cfn':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -66,6 +66,7 @@ class tripleo::profile::base::heat::api_cloudwatch (
if $step >= 3 {
include ::heat::api_cloudwatch
include ::apache::mod::ssl
class { '::heat::wsgi::apache_api_cloudwatch':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -211,6 +211,7 @@ class tripleo::profile::base::keystone (
}
include ::keystone::config
include ::apache::mod::ssl
class { '::keystone::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -94,6 +94,7 @@ class tripleo::profile::base::nova::api (
$tls_keyfile = undef
}
if $step >= 4 or ($step >= 3 and $sync_db) {
include ::apache::mod::ssl
class { '::nova::wsgi::apache_api':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -74,6 +74,7 @@ class tripleo::profile::base::nova::placement (
}
if $step >= 3 {
include ::apache::mod::ssl
class { '::nova::wsgi::apache_placement':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -79,6 +79,7 @@ class tripleo::profile::base::panko::api (
class { '::panko::api':
sync_db => $sync_db,
}
include ::apache::mod::ssl
class { '::panko::wsgi::apache':
ssl_cert => $tls_certfile,
ssl_key => $tls_keyfile,

View File

@ -50,6 +50,7 @@ class tripleo::profile::base::zaqar (
uri => $database_connection,
}
include ::zaqar::transport::websocket
include ::apache::mod::ssl
include ::zaqar::transport::wsgi
# TODO (bcrochet): At some point, the transports should be split out to

View File

@ -0,0 +1,10 @@
---
fixes:
- |
With having package mod_ssl by default installed in images we introduced
issue with mod_ssl package update. In case of SSL not being used or
provided by HAproxy the puppet-apache module by default purges the
ssl.conf file. The package update then recreates the file with default
Listen 443 option. This causes conflict on 443 port during httpd restart.
If we include ::apache::mod::ssl the ssl.conf file will be configured and
the Listen option will be used only if there is vhost set to use SSL.