From 4686326650d265fbd287e4bccb3e38f4b2292c20 Mon Sep 17 00:00:00 2001 From: Damian Dabrowski Date: Tue, 4 Apr 2023 23:18:47 +0200 Subject: [PATCH] Rename horizon_enable_ssl to horizon_backend_ssl To standarize variable name across roles, this change renames `horizon_enable_ssl` to `horizon_backend_ssl`. All other roles use `_backend_ssl` format. It also better describes what it does. With `horizon_enable_ssl` it's unclear whether it is about frontend or backend. Backward compatibility will be kept until 2024.1. Change-Id: I218d45b7be667732e4204316b8d18fa3e136962b --- defaults/main.yml | 3 ++- .../notes/horizon_backend_https-105d9050aa3ec125.yaml | 5 +++++ tasks/main.yml | 6 +++--- templates/horizon_local_settings.py.j2 | 2 +- templates/openstack_dashboard.conf.j2 | 6 +++--- tests/os_horizon-overrides.yml | 2 +- 6 files changed, 15 insertions(+), 9 deletions(-) create mode 100644 releasenotes/notes/horizon_backend_https-105d9050aa3ec125.yaml diff --git a/defaults/main.yml b/defaults/main.yml index 2bf90cd6..8ee5ba29 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -240,7 +240,8 @@ horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizo # horizon_user_ssl_ca_cert: # Toggle whether horizon should be served via SSL -horizon_enable_ssl: "{{ openstack_service_backend_ssl | default(False) }}" +# NOTE(damiandabrowski): Remove backward compatibility with horizon_enable_ssl in 2024.1 +horizon_backend_ssl: "{{ horizon_enable_ssl | default(openstack_service_backend_ssl | default(False)) }}" # Toggle whether horizon is served via an external device, like a load # balancer. This enables the use of the horizon_secure_proxy_ssl_header diff --git a/releasenotes/notes/horizon_backend_https-105d9050aa3ec125.yaml b/releasenotes/notes/horizon_backend_https-105d9050aa3ec125.yaml new file mode 100644 index 00000000..d3ab4c3d --- /dev/null +++ b/releasenotes/notes/horizon_backend_https-105d9050aa3ec125.yaml @@ -0,0 +1,5 @@ +--- +other: + - | + ``horizon_enable_ssl`` has been renamed to ``horizon_backend_ssl`` + for consistency reasons. diff --git a/tasks/main.yml b/tasks/main.yml index 01232f8c..75c0a4e9 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -57,21 +57,21 @@ - import_tasks: horizon_ssl_self_signed.yml when: - - horizon_enable_ssl | bool + - horizon_backend_ssl | bool - horizon_user_ssl_cert is not defined or horizon_user_ssl_key is not defined tags: - horizon-config - import_tasks: horizon_ssl_user_provided.yml when: - - horizon_enable_ssl | bool + - horizon_backend_ssl | bool tags: - horizon-config - name: Update the ca certificates command: "update-ca-certificates -f" when: - - horizon_enable_ssl | bool + - horizon_backend_ssl | bool - ansible_facts['pkg_mgr'] == 'apt' tags: - horizon-config diff --git a/templates/horizon_local_settings.py.j2 b/templates/horizon_local_settings.py.j2 index f6d462a1..df8914f3 100644 --- a/templates/horizon_local_settings.py.j2 +++ b/templates/horizon_local_settings.py.j2 @@ -59,7 +59,7 @@ SECURE_PROXY_SSL_HEADER = ('{{ horizon_secure_proxy_ssl_header_django }}', 'http SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR' {% endif %} -{% if horizon_enable_ssl | bool %} +{% if horizon_backend_ssl | bool %} # If Horizon is being served through SSL, then uncomment the following two # settings to better secure the cookies from security exploits CSRF_COOKIE_SECURE = True diff --git a/templates/openstack_dashboard.conf.j2 b/templates/openstack_dashboard.conf.j2 index 5e921776..8ed5f8af 100644 --- a/templates/openstack_dashboard.conf.j2 +++ b/templates/openstack_dashboard.conf.j2 @@ -6,7 +6,7 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }} # If horizon is being served via SSL from this web server, # then we must redirect HTTP requests to HTTPS. -{% if (horizon_enable_ssl | bool) %} +{% if (horizon_backend_ssl | bool) %} ServerName {{ horizon_server_name }} RewriteEngine On @@ -18,13 +18,13 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }} # If horizon is being served via SSL via a load balancer, we # need to listen via HTTP on this web server. If SSL is not # enabled, then the same applies. - + ServerName {{ horizon_server_name }} LogLevel {{ horizon_log_level }} ErrorLog syslog:daemon CustomLog "|/usr/bin/env logger -p daemon.info -t {{ horizon_system_service_name }}" {{ horizon_apache_custom_log_format }} Options +FollowSymLinks -{% if horizon_enable_ssl | bool %} +{% if horizon_backend_ssl | bool %} SSLEngine on SSLCertificateFile {{ horizon_ssl_cert }} SSLCertificateKeyFile {{ horizon_ssl_key }} diff --git a/tests/os_horizon-overrides.yml b/tests/os_horizon-overrides.yml index 97b96dba..fee76c2e 100644 --- a/tests/os_horizon-overrides.yml +++ b/tests/os_horizon-overrides.yml @@ -35,5 +35,5 @@ horizon_config_overrides: # This has to be set here because the common test-vars # has haproxy_ssl set to no. -horizon_enable_ssl: yes +horizon_backend_ssl: yes