From 058565693733bb058af2e627b8999cc7acefcc75 Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Fri, 6 May 2022 20:46:39 +0900 Subject: [PATCH] apache+mod_wsgi: Disable SSL by default During the previous cycle, a warning message was added to inform users of this change. Now the default value is updated so that SSL is disabled by default. Change-Id: I6bd11a340b8623b45da7284e52ee505ea6870562 --- manifests/wsgi/apache.pp | 11 +++-------- manifests/wsgi/apache_api.pp | 11 +++-------- manifests/wsgi/apache_api_cfn.pp | 11 +++-------- .../notes/disable-apache-ssl-6227808a193f3110.yaml | 9 +++++++++ spec/classes/heat_wsgi_apache_api_cfn_spec.rb | 2 +- spec/classes/heat_wsgi_apache_api_spec.rb | 2 +- spec/defines/heat_wsgi_apache_spec.rb | 2 +- 7 files changed, 21 insertions(+), 27 deletions(-) create mode 100644 releasenotes/notes/disable-apache-ssl-6227808a193f3110.yaml diff --git a/manifests/wsgi/apache.pp b/manifests/wsgi/apache.pp index 9d59bc28..3f3b85ea 100644 --- a/manifests/wsgi/apache.pp +++ b/manifests/wsgi/apache.pp @@ -42,7 +42,7 @@ # # [*ssl*] # Use ssl ? (boolean) -# Optional. Defaults to true +# Optional. Defaults to false # # [*workers*] # Number of WSGI workers to spawn. @@ -112,7 +112,7 @@ define heat::wsgi::apache ( $servername = $::fqdn, $bind_host = undef, $path = '/', - $ssl = undef, + $ssl = false, $workers = $::os_workers, $ssl_cert = undef, $ssl_key = undef, @@ -135,11 +135,6 @@ define heat::wsgi::apache ( fail('The valid options are api, api_cfn') } - if $ssl == undef { - warning('Default of the ssl parameter will be changed in a future release') - } - $ssl_real = pick($ssl, true) - include heat::deps include heat::params @@ -152,7 +147,7 @@ define heat::wsgi::apache ( path => $path, priority => $priority, servername => $servername, - ssl => $ssl_real, + ssl => $ssl, ssl_ca => $ssl_ca, ssl_cert => $ssl_cert, ssl_certs_dir => $ssl_certs_dir, 
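Review bot: The `[*ssl*]` parameter comment in the first hunk of manifests/wsgi/apache.pp now reads only `Optional. Defaults to false`, which does not tell an operator what that default means for the listener. Going by the commit title, the vhost is then presumably served without TLS, so I would spell that out, e.g. `#   Optional. Defaults to false, in which case the vhost is served over plain HTTP; set to true (with ssl_cert/ssl_key) or terminate TLS in front of Apache.` The same one-word comment change appears in apache_api.pp and apache_api_cfn.pp and would take the same wording. The comment block starts and ends outside the hunk.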
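Review bot: With `$ssl = false` in the parameter list of `heat::wsgi::apache` (hunk at -112), a deployment that relied on the old implicit `true` and only sets `ssl_cert`/`ssl_key` will presumably lose TLS on upgrade without any catalog-time signal. The `warning()` removed further down was the only runtime hint, and the release note is now the only remaining one. A guard in the define body would surface that case: `if !$ssl and ($ssl_cert or $ssl_key) { warning('ssl_cert/ssl_key are set but ssl is false; the vhost will not use TLS') }`. Placing it in the define also covers `heat::wsgi::apache_api` and `heat::wsgi::apache_api_cfn`, which get the same default in this patch and pass `ssl_cert` and `ssl_key` through. The define body starts and ends outside the hunk.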
diff --git a/manifests/wsgi/apache_api.pp b/manifests/wsgi/apache_api.pp index 2ac6ee8b..c7f034fc 100644 --- a/manifests/wsgi/apache_api.pp +++ b/manifests/wsgi/apache_api.pp @@ -37,7 +37,7 @@ # # [*ssl*] # Use ssl ? (boolean) -# Optional. Defaults to true +# Optional. Defaults to false # # [*workers*] # Number of WSGI workers to spawn. @@ -108,7 +108,7 @@ class heat::wsgi::apache_api ( $servername = $::fqdn, $bind_host = undef, $path = '/', - $ssl = undef, + $ssl = false, $workers = $::os_workers, $ssl_cert = undef, $ssl_key = undef, @@ -128,17 +128,12 @@ class heat::wsgi::apache_api ( $request_headers = undef, ) { - if $ssl == undef { - warning('Default of the ssl parameter will be changed in a future release') - } - $ssl_real = pick($ssl, true) - heat::wsgi::apache { 'api': port => $port, servername => $servername, bind_host => $bind_host, path => $path, - ssl => $ssl_real, + ssl => $ssl, workers => $workers, ssl_cert => $ssl_cert, ssl_key => $ssl_key, diff --git a/manifests/wsgi/apache_api_cfn.pp b/manifests/wsgi/apache_api_cfn.pp index f211aee5..6f6ca9ef 100644 --- a/manifests/wsgi/apache_api_cfn.pp +++ b/manifests/wsgi/apache_api_cfn.pp @@ -37,7 +37,7 @@ # # [*ssl*] # Use ssl ? (boolean) -# Optional. Defaults to true +# Optional. Defaults to false # # [*workers*] # Number of WSGI workers to spawn. @@ -109,7 +109,7 @@ class heat::wsgi::apache_api_cfn ( $servername = $::fqdn, $bind_host = undef, $path = '/', - $ssl = undef, + $ssl = false, $workers = $::os_workers, $ssl_cert = undef, $ssl_key = undef, @@ -130,11 +130,6 @@ class heat::wsgi::apache_api_cfn ( $request_headers = ['set Content-Type "application/json"'], ) { - if $ssl == undef { - warning('Default of the ssl parameter will be changed in a future release') - } - $ssl_real = pick($ssl, true) - validate_legacy(Integer, 'validate_integer', $port) # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1396553 
@@ -151,7 +146,7 @@ class heat::wsgi::apache_api_cfn ( servername => $servername, bind_host => $bind_host, path => $path, - ssl => $ssl_real, + ssl => $ssl, workers => $workers, ssl_cert => $ssl_cert, ssl_key => $ssl_key, diff --git a/releasenotes/notes/disable-apache-ssl-6227808a193f3110.yaml b/releasenotes/notes/disable-apache-ssl-6227808a193f3110.yaml new file mode 100644 index 00000000..b50f2e0a --- /dev/null +++ b/releasenotes/notes/disable-apache-ssl-6227808a193f3110.yaml @@ -0,0 +1,9 @@ +--- +upgrade: + - | + Default value of the following parameters has been changed from ``true`` to + ``false`` and now ssl is disabled by default. + + - ``heat::wsgi::apache::ssl`` + - ``heat::wsgi::apache_api::ssl`` + - ``heat::wsgi::apache_api_cfn::ssl`` diff --git a/spec/classes/heat_wsgi_apache_api_cfn_spec.rb b/spec/classes/heat_wsgi_apache_api_cfn_spec.rb index b3c3bb1d..d452ecc7 100644 --- a/spec/classes/heat_wsgi_apache_api_cfn_spec.rb +++ b/spec/classes/heat_wsgi_apache_api_cfn_spec.rb @@ -10,7 +10,7 @@ describe 'heat::wsgi::apache_api_cfn' do :servername => facts[:fqdn], :bind_host => nil, :path => '/', - :ssl => true, + :ssl => false, :workers => facts[:os_workers], :ssl_cert => nil, :ssl_key => nil, diff --git a/spec/classes/heat_wsgi_apache_api_spec.rb b/spec/classes/heat_wsgi_apache_api_spec.rb index fd2a7373..148d7aad 100644 --- a/spec/classes/heat_wsgi_apache_api_spec.rb +++ b/spec/classes/heat_wsgi_apache_api_spec.rb @@ -10,7 +10,7 @@ describe 'heat::wsgi::apache_api' do :servername => facts[:fqdn], :bind_host => nil, :path => '/', - :ssl => true, + :ssl => false, :workers => facts[:os_workers], :ssl_cert => nil, :ssl_key => nil, diff --git a/spec/defines/heat_wsgi_apache_spec.rb b/spec/defines/heat_wsgi_apache_spec.rb index 4a6c3e46..a8437378 100644 --- a/spec/defines/heat_wsgi_apache_spec.rb +++ b/spec/defines/heat_wsgi_apache_spec.rb 
@@ -21,7 +21,7 @@ describe 'heat::wsgi::apache' do 'bind_port' => '8000', 'group' => 'heat', 'user' => 'heat', - 'ssl' => 'true', + 'ssl' => false, 'wsgi_daemon_process' => "heat_#{title}", 'wsgi_process_group' => "heat_#{title}", 'wsgi_script_dir' => platform_params[:wsgi_script_dir],
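Review bot: Flipping the expected value to `'ssl' => false` in this default-parameters expectation means the default spec path no longer exercises a TLS-enabled vhost; unless a context outside this hunk passes `ssl => true`, that path has lost its coverage. I would add a context that sets `:ssl => true` together with `:ssl_cert` and `:ssl_key` and asserts `'ssl' => true` on the resulting resource, so the opt-in path stays tested. The two class specs in this patch (heat_wsgi_apache_api_spec.rb and heat_wsgi_apache_api_cfn_spec.rb) change the same expectation and would benefit from the same extra context. The describe block starts and ends outside the hunk.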