commit b2320ac2956ac699fa1caa71d3b13efa77cf7512 Author: Tobias Urdin Date: Wed Oct 14 11:02:01 2020 +0200 Rename horizon_* ssl params to ssl_* This renames the horizon_* ssl parameters to be named ssl_*. It also adds an enforcement to the end users to set ssl_verify_client if the ssl_ca (or deprecated horizon_ca) is used since it wont take effect. See the puppetlabs-apache 2.1.0 release notes [1]. [1] https://github.com/puppetlabs/puppetlabs-apache/blob/2.1.0/CHANGELOG.md#changed Change-Id: I4d3b8623924ad646bf4880ad70fb3ce9be1675c2 diff --git a/manifests/init.pp b/manifests/init.pp index 4818a24..b2d4a39 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -208,13 +208,13 @@ # (optional) Whether to redirect http to https # Defaults to True # -# [*horizon_cert*] +# [*ssl_cert*] # (required with listen_ssl) Certificate to use for SSL support. # -# [*horizon_key*] +# [*ssl_key*] # (required with listen_ssl) Private key to use for SSL support. # -# [*horizon_ca*] +# [*ssl_ca*] # (required with listen_ssl) CA certificate to use for SSL support. # # [*ssl_verify_client*] @@ -459,6 +459,15 @@ # [*log_handler*] # (optional) Log handler. Defaults to 'file' # +# [*horizon_cert*] +# (required with listen_ssl) Certificate to use for SSL support. +# +# [*horizon_key*] +# (required with listen_ssl) Private key to use for SSL support. +# +# [*horizon_ca*] +# (required with listen_ssl) CA certificate to use for SSL support. +# # === Examples # # class { 'horizon': @@ -504,9 +513,9 @@ class horizon( $ssl_no_verify = false, $openstack_ssl_cacert = '', $ssl_redirect = true, - $horizon_cert = undef, - $horizon_key = undef, - $horizon_ca = undef, + $ssl_cert = undef, + $ssl_key = undef, + $ssl_ca = undef, $ssl_verify_client = undef, $wsgi_processes = $::os_workers, $wsgi_threads = '1', 
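Review bot: The documentation entries added for the deprecated `horizon_cert`, `horizon_key` and `horizon_ca` parameters in the @@ -459 hunk still read `(required with listen_ssl)`, which no longer holds now that `ssl_cert`/`ssl_key` carry that requirement; a reader would conclude both sets must be supplied. Suggest `# (optional) Deprecated. Use ssl_cert instead.` and the matching wording for the key and CA entries, stating that a set value takes precedence over the `ssl_*` counterpart until removal. The same correction applies to the `== DEPRECATED PARAMETERS` section added to manifests/wsgi/apache.pp in its @@ -95 hunk. If the init.pp entries are not already under a deprecation heading above `log_handler` (outside this hunk), they should get one like the apache.pp hunk adds.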
@@ -555,6 +564,9 @@ class horizon( $horizon_upload_mode = undef, # DEPRECATED PARAMETERS $log_handler = undef, + $horizon_cert = undef, + $horizon_key = undef, + $horizon_ca = undef, ) inherits ::horizon::params { include horizon::deps @@ -687,6 +699,14 @@ release. Use log_handlers instead') } if $configure_apache { + if ($horizon_cert or $horizon_key or $horizon_ca) { + warning('horizon::horizon_cert, horizon::horizon_key and horizon::horizon_ca parameter is deprecated') + } + + $ssl_cert_real = $horizon_cert.lest || { $ssl_cert } + $ssl_key_real = $horizon_key.lest || { $ssl_key } + $ssl_ca_real = $horizon_ca.lest || { $ssl_ca } + class { 'horizon::wsgi::apache': bind_address => $bind_address, servername => $servername, @@ -695,9 +715,9 @@ release. Use log_handlers instead') http_port => $http_port, https_port => $https_port, ssl_redirect => $ssl_redirect, - horizon_cert => $horizon_cert, - horizon_key => $horizon_key, - horizon_ca => $horizon_ca, + ssl_cert => $ssl_cert_real, + ssl_key => $ssl_key_real, + ssl_ca => $ssl_ca_real, ssl_verify_client => $ssl_verify_client, wsgi_processes => $wsgi_processes, wsgi_threads => $wsgi_threads, diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp index 863f3da..df3f772 100644 --- a/manifests/wsgi/apache.pp +++ b/manifests/wsgi/apache.pp @@ -29,17 +29,18 @@ # [*https_port*] # (optional) Port to use for the HTTPS virtual host. (Defaults to 443) # -# [*horizon_cert*] +# [*ssl_cert*] # (required with listen_ssl) Certificate to use for SSL support. # -# [*horizon_key*] +# [*ssl_key*] # (required with listen_ssl) Private key to use for SSL support. # -# [*horizon_ca*] +# [*ssl_ca*] # (required with listen_ssl) CA certificate to use for SSL support. # # [*ssl_verify_client*] -# Set the Certificate verification level for Client Authentication. +# (required with ssl_ca) Set the Certificate verification level +# for Client Authentication. # Defaults to undef # # [*wsgi_processes*] 
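Review bot: The warning text in the new `if ($horizon_cert or $horizon_key or $horizon_ca)` block of the @@ -687 hunk reads `parameter is deprecated` for three parameters and, unlike the horizon::wsgi::apache message, does not say what to use instead; suggest `warning('horizon::horizon_cert, horizon::horizon_key and horizon::horizon_ca parameters are deprecated, please use ssl_cert, ssl_key and ssl_ca')`. The `$ssl_cert_real = $horizon_cert.lest || { $ssl_cert }` lines (and the key/CA twins) give the deprecated value precedence when both old and new parameters are set, which nothing states; a comment such as `# deprecated horizon_* values take precedence over ssl_* until they are removed` would make the migration behaviour explicit. Because init.pp passes `ssl_*_real` down rather than the `horizon_*` values, the `ssl_verify_client` enforcement in horizon::wsgi::apache applies to callers of this class too, which is worth a one-line comment near the class declaration so the fail message is not a surprise to init users.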
@@ -95,6 +96,17 @@ # (optional) The log format to use to the access log. # Defaults to false # +# == DEPRECATED PARAMETERS +# +# [*horizon_cert*] +# (required with listen_ssl) Certificate to use for SSL support. +# +# [*horizon_key*] +# (required with listen_ssl) Private key to use for SSL support. +# +# [*horizon_ca*] +# (required with listen_ssl) CA certificate to use for SSL support. +# class horizon::wsgi::apache ( $bind_address = undef, $servername = $::fqdn, @@ -103,9 +115,9 @@ class horizon::wsgi::apache ( $http_port = 80, $https_port = 443, $ssl_redirect = true, - $horizon_cert = undef, - $horizon_key = undef, - $horizon_ca = undef, + $ssl_cert = undef, + $ssl_key = undef, + $ssl_ca = undef, $ssl_verify_client = undef, $wsgi_processes = $::os_workers, $wsgi_threads = '1', @@ -118,6 +130,10 @@ class horizon::wsgi::apache ( $root_url = $::horizon::params::root_url, $root_path = "${::horizon::params::static_path}/openstack-dashboard", $access_log_format = false, + # DEPRECATED PARAMETERS + $horizon_cert = undef, + $horizon_key = undef, + $horizon_ca = undef, ) inherits horizon::params { include horizon::deps 
@@ -147,16 +163,28 @@ class horizon::wsgi::apache ( $root_url_real = $root_url } + $ssl_cert_real = $horizon_cert.lest || { $ssl_cert } + $ssl_key_real = $horizon_key.lest || { $ssl_key } + $ssl_ca_real = $horizon_ca.lest || { $ssl_ca } + if $listen_ssl { include apache::mod::ssl $ensure_ssl_vhost = 'present' - if $horizon_cert == undef { - fail('The horizon_cert parameter is required when listen_ssl is true') + if ($horizon_cert or $horizon_key or $horizon_ca) { + warning('The horizon_cert, horizon_key and horizon_ca parameters is deprecated, please use ssl_cert, ssl_key and ssl_ca') + } + + if $ssl_cert_real == undef { + fail('The ssl_cert parameter is required when listen_ssl is true') + } + + if $ssl_key_real == undef { + fail('The ssl_key parameter is required when listen_ssl is true') } - if $horizon_key == undef { - fail('The horizon_key parameter is required when listen_ssl is true') + if ($ssl_ca_real != undef and $ssl_verify_client == undef) { + fail('The ssl_verify_client parameter is required when setting ssl_ca') } if $ssl_redirect { @@ -238,9 +266,9 @@ class horizon::wsgi::apache ( path => "${root_path}/static", }], port => $http_port, - ssl_cert => $horizon_cert, - ssl_key => $horizon_key, - ssl_ca => $horizon_ca, + ssl_cert => $ssl_cert_real, + ssl_key => $ssl_key_real, + ssl_ca => $ssl_ca_real, ssl_verify_client => $ssl_verify_client, wsgi_script_aliases => hash([$script_url, $::horizon::params::django_wsgi]), wsgi_import_script => $::horizon::params::django_wsgi, diff --git a/releasenotes/notes/rename-ssl-params-5c58357688b4850f.yaml b/releasenotes/notes/rename-ssl-params-5c58357688b4850f.yaml new file mode 100644 index 0000000..bee3b32 --- /dev/null +++ b/releasenotes/notes/rename-ssl-params-5c58357688b4850f.yaml 
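Review bot: The new `if ($ssl_ca_real != undef and $ssl_verify_client == undef)` guard checks only that `ssl_verify_client` is set, not what it is set to, so `none` satisfies the check while client certificates go unverified; since the commit ties this check to whether puppetlabs-apache emits the CA directive, consider validating against the values mod_ssl accepts (`none`, `optional`, `require`, `optional_no_ca`) and documenting that `none` disables verification. The reverse case, `ssl_verify_client` set while `ssl_ca_real` is undef, is not rejected at compile time and will presumably only surface when Apache starts or when the first client handshake fails; a companion `fail` or at least a `warning` would fail fast. The deprecation warning here sits inside `if $listen_ssl`, whereas init.pp warns whenever `$configure_apache` is true, so a caller with `listen_ssl => false` and the old parameters set is never told; moving the warning up beside the `$ssl_*_real` assignments would align the two classes. The message should also read `parameters are deprecated` rather than `parameters is deprecated`.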
@@ -0,0 +1,18 @@ +--- +features: + - | + Added ssl_cert, ssl_key and ssl_ca parameter to init class and the + horizon::wsgi::apache class. +upgrade: + - | + You should now set the ssl_cert, ssl_key and ssl_ca parameters instead of + the horizon_cert, horizon_key and horizon_ca parameters in the init and + horizon::wsgi::apache class. + - | + When setting ssl_ca (or the deprecated horizon_ca) end users must now set + the ssl_verify_client parameter or the puppetlabs-apache module will not + set SSLCACertificate in the vhost configuration. +deprecations: + - | + The horizon_cert, horizon_key and horizon_ca parameters is deprecated. + Please use ssl_cert, ssl_key and ssl_ca. diff --git a/spec/classes/horizon_init_spec.rb b/spec/classes/horizon_init_spec.rb index 7ea438d..b524d5c 100644 --- a/spec/classes/horizon_init_spec.rb +++ b/spec/classes/horizon_init_spec.rb @@ -347,9 +347,9 @@ describe 'horizon' do params.merge!({ :listen_ssl => true, :servername => 'some.host.tld', - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_cert => '/etc/pki/tls/certs/httpd.crt', + :ssl_key => '/etc/pki/tls/private/httpd.key', + :ssl_ca => '/etc/pki/tls/certs/ca.crt', :ssl_verify_client => 'optional', }) end @@ -358,9 +358,9 @@ describe 'horizon' do is_expected.to contain_class('horizon::wsgi::apache').with({ :bind_address => nil, :listen_ssl => true, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_cert => '/etc/pki/tls/certs/httpd.crt', + :ssl_key => '/etc/pki/tls/private/httpd.key', + :ssl_ca => '/etc/pki/tls/certs/ca.crt', :ssl_verify_client => 'optional', }) end diff --git a/spec/classes/horizon_wsgi_apache_spec.rb b/spec/classes/horizon_wsgi_apache_spec.rb index 02cc365..a47f09c 100644 --- a/spec/classes/horizon_wsgi_apache_spec.rb 
+++ b/spec/classes/horizon_wsgi_apache_spec.rb @@ -128,9 +128,9 @@ describe 'horizon::wsgi::apache' do params.merge!({ :listen_ssl => true, :ssl_redirect => true, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_cert => '/etc/pki/tls/certs/httpd.crt', + :ssl_key => '/etc/pki/tls/private/httpd.key', + :ssl_ca => '/etc/pki/tls/certs/ca.crt', :ssl_verify_client => 'optional', }) end @@ -198,21 +198,32 @@ describe 'horizon::wsgi::apache' do )} end - context 'without horizon_cert parameter' do + context 'without ssl_cert parameter' do before do params.merge!( :listen_ssl => true ) end - it { should raise_error(Puppet::Error, /The horizon_cert parameter is required when listen_ssl is true/) } + it { should raise_error(Puppet::Error, /The ssl_cert parameter is required when listen_ssl is true/) } end - context 'without horizon_key parameter' do + context 'without ssl_key parameter' do before do - params.merge!( :listen_ssl => true, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt' ) + params.merge!( :listen_ssl => true, + :ssl_cert => '/etc/pki/tls/certs/httpd.crt' ) end - it { should raise_error(Puppet::Error, /The horizon_key parameter is required when listen_ssl is true/) } + it { should raise_error(Puppet::Error, /The ssl_key parameter is required when listen_ssl is true/) } + end + + context 'without ssl_verify_client' do + before do + params.merge!( :listen_ssl => true, + :ssl_cert => '/etc/pki/tls/certs/httpd.crt', + :ssl_key => '/etc/pki/tls/certs/httpd.key', + :ssl_ca => '/etc/pki/tls/certs/httpd.ca' ) + end + + it { should raise_error(Puppet::Error, /The ssl_verify_client parameter is required when setting ssl_ca/) } end context 'with extra parameters' do 
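Review bot: The new `context 'without ssl_verify_client'` in the @@ -198 hunk covers the `ssl_ca`-without-`ssl_verify_client` failure, but no spec in this hunk exercises the deprecated `horizon_cert`/`horizon_key`/`horizon_ca` inputs, so the `.lest` fallback in horizon::wsgi::apache (old values taking precedence and satisfying the `listen_ssl` requirement on their own) is untested, and the release note's claim that the check also applies to `horizon_ca` is unverified. Suggest a context that sets `:listen_ssl => true` with only `:horizon_cert`, `:horizon_key`, `:horizon_ca` and `:ssl_verify_client => 'optional'` and asserts the vhost receives those values as `ssl_cert`/`ssl_key`/`ssl_ca`, presumably reusing the matcher shape of the existing vhost assertions elsewhere in this file (outside the hunk), plus a `without ssl_verify_client` twin using `:horizon_ca`. The new fixture also uses `/etc/pki/tls/certs/httpd.key` and `/etc/pki/tls/certs/httpd.ca` where the rest of the file uses `/etc/pki/tls/private/httpd.key` and `/etc/pki/tls/certs/ca.crt`; harmless, but inconsistent.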
@@ -308,11 +319,12 @@ describe 'horizon::wsgi::apache' do context 'with listen_ssl and ssl_redirect set to true' do before do params.merge!({ - :listen_ssl => true, - :ssl_redirect => true, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :listen_ssl => true, + :ssl_redirect => true, + :ssl_cert => '/etc/pki/tls/certs/httpd.crt', + :ssl_key => '/etc/pki/tls/private/httpd.key', + :ssl_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_verify_client => 'optional', }) end @@ -330,12 +342,13 @@ describe 'horizon::wsgi::apache' do context 'with listen_ssl and ssl_redirect with a slash root_url' do before do params.merge!({ - :listen_ssl => true, - :ssl_redirect => true, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', - :root_url => '/', + :listen_ssl => true, + :ssl_redirect => true, + :ssl_cert => '/etc/pki/tls/certs/httpd.crt', + :ssl_key => '/etc/pki/tls/private/httpd.key', + :ssl_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_verify_client => 'optional', + :root_url => '/', }) end @@ -353,12 +366,13 @@ describe 'horizon::wsgi::apache' do context 'with listen_ssl and ssl_redirect with a empty root_url' do before do params.merge!({ - :listen_ssl => true, - :ssl_redirect => true, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', - :root_url => '', + :listen_ssl => true, + :ssl_redirect => true, + :ssl_cert => '/etc/pki/tls/certs/httpd.crt', + :ssl_key => '/etc/pki/tls/private/httpd.key', + :ssl_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_verify_client => 'optional', + :root_url => '', }) end 
@@ -376,11 +390,12 @@ describe 'horizon::wsgi::apache' do context 'with listen_ssl and ssl_redirect disabled' do before do params.merge!({ - :listen_ssl => true, - :ssl_redirect => false, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', + :listen_ssl => true, + :ssl_redirect => false, + :ssl_cert => '/etc/pki/tls/certs/httpd.crt', + :ssl_key => '/etc/pki/tls/private/httpd.key', + :ssl_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_verify_client => 'optional', }) end @@ -398,12 +413,13 @@ describe 'horizon::wsgi::apache' do context 'with listen_ssl and ssl_redirect disabled with custom root_url' do before do params.merge!({ - :listen_ssl => true, - :ssl_redirect => false, - :horizon_cert => '/etc/pki/tls/certs/httpd.crt', - :horizon_key => '/etc/pki/tls/private/httpd.key', - :horizon_ca => '/etc/pki/tls/certs/ca.crt', - :root_url => '/custom', + :listen_ssl => true, + :ssl_redirect => false, + :ssl_cert => '/etc/pki/tls/certs/httpd.crt', + :ssl_key => '/etc/pki/tls/private/httpd.key', + :ssl_ca => '/etc/pki/tls/certs/ca.crt', + :ssl_verify_client => 'optional', + :root_url => '/custom', }) end