Add ssl_verify_client parameter for horizon

The recent change in puppet-horizon[1] made the ssl_verify_client parameter mandatory when ssl_ca is set. This patch makes sure that the ssl_verify_client parameter is set properly. In addition, internal tls cert is not valid when internal tls is not enabled. This patch also addresses that point, and make ssl_ca is set only when needed. [1] https://review.opendev.org/#/c/758041/6 Closes-Bug: #1900947 Change-Id: I286f69b8d3775d7538685e799f092ce47b5d75a7
openstack-archive · Oct 22, 2020 · 132c0b1 · 132c0b1
1 parent d3b099f
commit 132c0b1
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/deployment/horizon/horizon-container-puppet.yaml b/deployment/horizon/horizon-container-puppet.yaml
@@ -223,11 +223,16 @@ outputs:
               params:
                 $NETWORK: {get_param: [ServiceNetMap, HorizonNetwork]}
           horizon::listen_ssl: {get_param: EnableInternalTLS}
-          horizon::ssl_ca: {get_param: InternalTLSCAFile}
           horizon::customization_module: {get_param: HorizonCustomizationModule}
           horizon::timezone: {get_param: TimeZone}
           horizon::file_upload_temp_dir: '/var/tmp'
           horizon::help_url: {get_param: HorizonHelpURL}
+        -
+          if:
+          - internal_tls_enabled
+          - horizon::ssl_ca: {get_param: InternalTLSCAFile}
+            horizon::ssl_verify_client: true
+          - {}
         -
           if:
           - websso_enabled