Use new bind endpoints for dashboard

Use the new http and https bind endpoints for dashboard that are
defined in the Common cookbook.  These will allow more control and
consistency with the other bind endpoints for openstack services.

Change-Id: I15c0c2c40a88e18ff9805d48c4da83890b7f4da7
Partial-Bug: #1430422
Mark Vanderwiel 2015-03-10 14:32:35 -05:00
parent 1150cad969
commit 40b59919d6
6 changed files with 56 additions and 49 deletions


@ -58,14 +58,14 @@ Attributes
* `openstack['dashboard']['ssl_offload']` - Set SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https') flag for offloading SSL * `openstack['dashboard']['ssl_offload']` - Set SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https') flag for offloading SSL
* `openstack['dashboard']['plugins']` - Array of plugins to include via INSTALED\_APPS * `openstack['dashboard']['plugins']` - Array of plugins to include via INSTALED\_APPS
* `openstack['dashboard']['simple_ip_management']` - Boolean to enable or disable simplified floating IP address management * `openstack['dashboard']['simple_ip_management']` - Boolean to enable or disable simplified floating IP address management
* `openstack['dashboard']['http_port']` - Port that httpd should listen on (default: 80)
* `openstack['dashboard']['https_port']` - Port that httpd should listen on for using ssl (default: 443)
* `openstack['dashboard']['password_autocomplete']` - Toggle browser autocompletion for login form ('on' or 'off', default: 'off') * `openstack['dashboard']['password_autocomplete']` - Toggle browser autocompletion for login form ('on' or 'off', default: 'off')
* `openstack['dashboard']['ssl_no_verify']` - Disable SSL certificate checks (useful for self-signed certificates) * `openstack['dashboard']['ssl_no_verify']` - Disable SSL certificate checks (useful for self-signed certificates)
* `openstack['dashboard']['ssl_cacert']` - The CA certificate to use to verify SSL connections * `openstack['dashboard']['ssl_cacert']` - The CA certificate to use to verify SSL connections
* `openstack['dashboard']['misc_local_settings']` - Additions to the local_settings conf file * `openstack['dashboard']['misc_local_settings']` - Additions to the local_settings conf file
* `openstack['dashboard']['hash_algorithm']` - Hash algorithm to use for hashing PKI tokens * `openstack['dashboard']['hash_algorithm']` - Hash algorithm to use for hashing PKI tokens
For listen addresses and ports, there are http and https bind endpoints defined in Common.
Identity Identity
-------- --------
* `openstack['dashboard']['identity_api_version']` - Force a specific Identity API version ('2.0' or '3', default: '2.0') * `openstack['dashboard']['identity_api_version']` - Force a specific Identity API version ('2.0' or '3', default: '2.0')
@ -130,11 +130,12 @@ License and Author
| **Author** | Ionut Artarisi (<iartarisi@suse.cz>) | | **Author** | Ionut Artarisi (<iartarisi@suse.cz>) |
| **Author** | Eric Zhou (<iartarisi@suse.cz>) | | **Author** | Eric Zhou (<iartarisi@suse.cz>) |
| **Author** | Jens Rosenboom (<j.rosenboom@x-ion.de>) | | **Author** | Jens Rosenboom (<j.rosenboom@x-ion.de>) |
| **Author** | Mark Vanderwiel (<vanderwl@us.ibm.com>) |
| | | | | |
| **Copyright** | Copyright (c) 2012, Rackspace US, Inc. | | **Copyright** | Copyright (c) 2012, Rackspace US, Inc. |
| **Copyright** | Copyright (c) 2012-2013, AT&T Services, Inc. | | **Copyright** | Copyright (c) 2012-2013, AT&T Services, Inc. |
| **Copyright** | Copyright (c) 2013, Opscode, Inc. | | **Copyright** | Copyright (c) 2013, Opscode, Inc. |
| **Copyright** | Copyright (c) 2013-2014, IBM, Corp. | | **Copyright** | Copyright (c) 2013-2015, IBM, Corp. |
| **Copyright** | Copyright (c) 2013-2014, SUSE Linux GmbH. | | **Copyright** | Copyright (c) 2013-2014, SUSE Linux GmbH. |
| **Copyright** | Copyright (c) 2014, x-ion GmbH. | | **Copyright** | Copyright (c) 2014, x-ion GmbH. |


@ -67,9 +67,6 @@ default['openstack']['dashboard']['apache']['sites-path'] = "#{node['apache']['d
# Set to one of: On | Off | extended # Set to one of: On | Off | extended
default['openstack']['dashboard']['traceenable'] = node['apache']['traceenable'] default['openstack']['dashboard']['traceenable'] = node['apache']['traceenable']
default['openstack']['dashboard']['http_port'] = 80
default['openstack']['dashboard']['https_port'] = 443
default['openstack']['dashboard']['secret_key_content'] = nil default['openstack']['dashboard']['secret_key_content'] = nil
default['openstack']['dashboard']['ssl_no_verify'] = 'True' default['openstack']['dashboard']['ssl_no_verify'] = 'True'


@ -15,4 +15,4 @@ recipe 'openstack-dashboard::server', 'Sets up the Horizon dashboard a
end end
depends 'apache2', '~> 3.0.0' depends 'apache2', '~> 3.0.0'
depends 'openstack-common', '>= 11.0.0' depends 'openstack-common', '>= 11.1.0'


@ -41,6 +41,17 @@ execute 'set-selinux-permissive' do
only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]" only_if "[ ! -e /etc/httpd/conf/httpd.conf ] && [ -e /etc/redhat-release ] && [ $(/sbin/sestatus | grep -c '^Current mode:.*enforcing') -eq 1 ]"
end end
http_bind = endpoint 'dashboard-http-bind'
https_bind = endpoint 'dashboard-https-bind'
# This allow the apache2/templates/default/ports.conf.erb to setup the correct listeners.
listen_addresses = [http_bind.host]
listen_addresses += [https_bind.host] if node['openstack']['dashboard']['use_ssl']
listen_ports = [http_bind.port]
listen_ports += [https_bind.port] if node['openstack']['dashboard']['use_ssl']
node.set['apache']['listen_addresses'] = listen_addresses
node.set['apache']['listen_ports'] = listen_ports
include_recipe 'apache2' include_recipe 'apache2'
include_recipe 'apache2::mod_wsgi' include_recipe 'apache2::mod_wsgi'
include_recipe 'apache2::mod_rewrite' include_recipe 'apache2::mod_rewrite'
@ -156,7 +167,11 @@ template node['openstack']['dashboard']['apache']['sites-path'] do
variables( variables(
ssl_cert_file: "#{node["openstack"]["dashboard"]["ssl"]["dir"]}/certs/#{node["openstack"]["dashboard"]["ssl"]["cert"]}", ssl_cert_file: "#{node["openstack"]["dashboard"]["ssl"]["dir"]}/certs/#{node["openstack"]["dashboard"]["ssl"]["cert"]}",
ssl_key_file: "#{node["openstack"]["dashboard"]["ssl"]["dir"]}/private/#{node["openstack"]["dashboard"]["ssl"]["key"]}" ssl_key_file: "#{node["openstack"]["dashboard"]["ssl"]["dir"]}/private/#{node["openstack"]["dashboard"]["ssl"]["key"]}",
http_bind_address: http_bind.host,
http_bind_port: http_bind.port.to_i,
https_bind_address: https_bind.host,
https_bind_port: https_bind.port.to_i
) )
notifies :run, 'execute[restore-selinux-context]', :immediately notifies :run, 'execute[restore-selinux-context]', :immediately
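Review bot: The `node.set['apache']['listen_addresses']` and `node.set['apache']['listen_ports']` assignments replace both lists outright at normal precedence, so listeners configured for anything else served by the same Apache are dropped and the values stay saved on the node after the run. If that takeover is intended, say so in the comment above the block, e.g. `# Replaces apache's listen lists: this node's Apache serves only the dashboard bind endpoints`; otherwise append to the existing lists and `uniq` them. The addresses and ports are also passed as two independent lists, so if ports.conf.erb (not visible here) emits a Listen per address/port combination, differing http and https bind hosts would open the plain-HTTP port on the https address too; worth confirming and, if so, documenting that both endpoints should share a host.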


@ -2,24 +2,18 @@
require_relative 'spec_helper' require_relative 'spec_helper'
shared_examples 'virtualhost port configurator' do |port_attribute_name, port_attribute_value| shared_examples 'virtualhost port configurator' do |port_attribute_name, port_attribute_value|
let(:virtualhost_directive) { "<VirtualHost \\*:#{port_attribute_value}>" } let(:virtualhost_directive) { "<VirtualHost 127.0.0.1:#{port_attribute_value}>" }
before do before do
node.set['openstack']['dashboard'][port_attribute_name] = port_attribute_value node.set['openstack']['endpoints'][port_attribute_name]['port'] = port_attribute_value
end end
it "sets Listen and NameVirtualHost directives when apache's listen_ports does not include #{port_attribute_value}" do it 'does not set NameVirtualHost directives when apache 2.4' do
node.set['apache']['listen_ports'] = [port_attribute_value.to_i + 1] expect(chef_run).not_to render_file(file.name).with_content(/^NameVirtualHost/)
%w(Listen NameVirtualHost).each do |directive|
expect(chef_run).to render_file(file.name).with_content(/^#{directive} \*:#{port_attribute_value}$/)
end
end end
it "does not set Listen and NameVirtualHost directives when apache's listen_ports include #{port_attribute_value}" do it 'sets NameVirtualHost directives when apache 2.2' do
node.set['apache']['listen_ports'] = [port_attribute_value] node.set['apache']['version'] = '2.2'
chef_run.converge(described_recipe) expect(chef_run).to render_file(file.name).with_content(/^NameVirtualHost 127.0.0.1:#{port_attribute_value}$/)
%w(Listen NameVirtualHost).each do |directive|
expect(chef_run).not_to render_file(file.name).with_content(/^#{directive} \*:#{port_attribute_value}$/)
end
end end
it 'sets the VirtualHost directive' do it 'sets the VirtualHost directive' do
@ -152,38 +146,38 @@ describe 'openstack-dashboard::apache2-server' do
expect(chef_run).to render_file(file.name).with_content(/^custom_template_banner_value$/) expect(chef_run).to render_file(file.name).with_content(/^custom_template_banner_value$/)
end end
it_should_behave_like 'virtualhost port configurator', 'http_port', 8080 it_should_behave_like 'virtualhost port configurator', 'dashboard-http-bind', 8080
context 'with use_ssl enabled' do context 'with use_ssl enabled' do
before do before do
node.set['openstack']['dashboard']['use_ssl'] = true node.set['openstack']['dashboard']['use_ssl'] = true
end end
it_should_behave_like 'virtualhost port configurator', 'https_port', 4433 it_should_behave_like 'virtualhost port configurator', 'dashboard-https-bind', 4433
it 'shows rewrite ssl directive' do it 'shows rewrite ssl directive' do
expect(chef_run).to render_file(file.name).with_content(rewrite_ssl_directive) expect(chef_run).to render_file(file.name).with_content(rewrite_ssl_directive)
end end
context 'rewrite rule' do context 'rewrite rule' do
it 'shows the default rewrite rule when http_port is 80 and https_port is 443' do it 'shows the default SSL rewrite rule when http_port is 80 and https_port is 443' do
node.set['openstack']['dashboard']['http_port'] = 80 node.set['openstack']['endpoints']['dashboard-http-bind']['port'] = 80
node.set['openstack']['dashboard']['https_port'] = 443 node.set['openstack']['endpoints']['dashboard-https-bind']['port'] = 443
expect(chef_run).to render_file(file.name).with_content(default_rewrite_rule) expect(chef_run).to render_file(file.name).with_content(default_rewrite_rule)
end end
it 'shows the parameterized rewrite rule when http_port is different from 80' do it 'shows the parameterized SSL rewrite rule when http_port is different from 80' do
https_port_value = 443 https_port_value = 443
node.set['openstack']['dashboard']['http_port'] = 81 node.set['openstack']['endpoints']['dashboard-http-bind']['port'] = 81
node.set['openstack']['dashboard']['https_port'] = https_port_value node.set['openstack']['endpoints']['dashboard-https-bind']['port'] = https_port_value
expect(chef_run).to render_file(file.name) expect(chef_run).to render_file(file.name)
.with_content(%r(^\s*RewriteRule \^\(\.\*\)\$ https://%\{SERVER_NAME\}:#{https_port_value}%\{REQUEST_URI\} \[L,R\]$)) .with_content(%r(^\s*RewriteRule \^\(\.\*\)\$ https://%\{SERVER_NAME\}:#{https_port_value}%\{REQUEST_URI\} \[L,R\]$))
end end
it 'shows the parameterized rewrite rule when https_port is different from 443' do it 'shows the parameterized SSL rewrite rule when https_port is different from 443' do
https_port_value = 444 https_port_value = 444
node.set['openstack']['dashboard']['http_port'] = 80 node.set['openstack']['endpoints']['dashboard-http-bind']['port'] = 80
node.set['openstack']['dashboard']['https_port'] = https_port_value node.set['openstack']['endpoints']['dashboard-https-bind']['port'] = https_port_value
expect(chef_run).to render_file(file.name) expect(chef_run).to render_file(file.name)
.with_content(%r(^\s*RewriteRule \^\(\.\*\)\$ https://%\{SERVER_NAME\}:#{https_port_value}%\{REQUEST_URI\} \[L,R\]$)) .with_content(%r(^\s*RewriteRule \^\(\.\*\)\$ https://%\{SERVER_NAME\}:#{https_port_value}%\{REQUEST_URI\} \[L,R\]$))
end end
@ -223,8 +217,8 @@ describe 'openstack-dashboard::apache2-server' do
end end
it 'does not show the default rewrite rule' do it 'does not show the default rewrite rule' do
node.set['openstack']['dashboard']['http_port'] = 80 node.set['openstack']['endpoints']['dashboard-http-bind']['port'] = 80
node.set['openstack']['dashboard']['https_port'] = 443 node.set['openstack']['endpoints']['dashboard-https-bind']['port'] = 443
expect(chef_run).not_to render_file(file.name).with_content(default_rewrite_rule) expect(chef_run).not_to render_file(file.name).with_content(default_rewrite_rule)
end end
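Review bot: Nothing in the visible spec hunks asserts the new `node['apache']['listen_addresses']` / `node['apache']['listen_ports']` values that the recipe now sets, and the removed examples were the only ones here that checked Listen behaviour. An example for each `use_ssl` state would pin that the https bind endpoint is only listened on when SSL is enabled, e.g. `expect(chef_run.node['apache']['listen_ports']).to eq([8080])` in the non-SSL context (port value constructed for illustration). In the shared example, the dots in `/^NameVirtualHost 127.0.0.1:#{port_attribute_value}$/` and in `virtualhost_directive` are unescaped, so they match any character; `127\.0\.0\.1` keeps the match exact. The describe block starts and ends outside these hunks, so coverage elsewhere in the file may already handle the first point.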


@ -1,32 +1,32 @@
<%= node["openstack"]["dashboard"]["custom_template_banner"] %> <%= node["openstack"]["dashboard"]["custom_template_banner"] %>
<% unless node['apache']['listen_ports'].map(&:to_i).uniq.include?(node['openstack']['dashboard']['http_port'].to_i) %> <% if node['apache']['version'] != '2.4' -%>
Listen *:<%= node['openstack']['dashboard']['http_port'].to_i%> NameVirtualHost <%= @http_bind_address %>:<%= @http_bind_port %>
NameVirtualHost *:<%= node['openstack']['dashboard']['http_port'].to_i%>
<% end -%> <% end -%>
<VirtualHost *:<%= node['openstack']['dashboard']['http_port'] %>>
<VirtualHost <%= @http_bind_address %>:<%= @http_bind_port %>>
<% if node["openstack"]["dashboard"]["server_hostname"] -%> <% if node["openstack"]["dashboard"]["server_hostname"] -%>
ServerName <%= node["openstack"]["dashboard"]["server_hostname"] %> ServerName <%= node["openstack"]["dashboard"]["server_hostname"] %>
<% end -%> <% end -%>
<% if node["openstack"]["dashboard"]["use_ssl"] %> <% if node["openstack"]["dashboard"]["use_ssl"] %>
RewriteEngine On RewriteEngine On
RewriteCond %{HTTPS} off RewriteCond %{HTTPS} off
<% if node['openstack']['dashboard']['http_port'].to_i != 80 or node['openstack']['dashboard']['https_port'].to_i != 443 %> <% if @http_bind_port != 80 or @https_bind_port != 443 %>
RewriteRule ^(.*)$ https://%{SERVER_NAME}:<%= node['openstack']['dashboard']['https_port'] %>%{REQUEST_URI} [L,R] RewriteRule ^(.*)$ https://%{SERVER_NAME}:<%= @https_bind_port %>%{REQUEST_URI} [L,R]
<% else -%> <% else -%>
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R] RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R]
<% end -%> <% end -%>
TraceEnable <%= node['openstack']['dashboard']['traceenable'] %> TraceEnable <%= node['openstack']['dashboard']['traceenable'] %>
</VirtualHost> </VirtualHost>
<% unless node['apache']['listen_ports'].map(&:to_i).uniq.include?(node['openstack']['dashboard']['https_port'].to_i) %> <% if node['apache']['version'] != '2.4' -%>
Listen *:<%= node['openstack']['dashboard']['https_port'].to_i%> NameVirtualHost <%= @https_bind_address %>:<%= @https_bind_port %>
NameVirtualHost *:<%= node['openstack']['dashboard']['https_port'].to_i%> <% end -%>
<% end -%>
<VirtualHost *:<%= node['openstack']['dashboard']['https_port'] %>> <VirtualHost <%= @https_bind_address %>:<%= @https_bind_port %>>
<% if node["openstack"]["dashboard"]["server_hostname"] -%> <% if node["openstack"]["dashboard"]["server_hostname"] -%>
ServerName <%= node["openstack"]["dashboard"]["server_hostname"] %> ServerName <%= node["openstack"]["dashboard"]["server_hostname"] %>
<% end -%> <% end -%>
<% end %> <% end %>
ServerAdmin <%= node["apache"]["contact"] %> ServerAdmin <%= node["apache"]["contact"] %>
WSGIScriptAlias <%= node["openstack"]["dashboard"]["webroot"] %> <%= node["openstack"]["dashboard"]["wsgi_path"] %> WSGIScriptAlias <%= node["openstack"]["dashboard"]["webroot"] %> <%= node["openstack"]["dashboard"]["wsgi_path"] %>