From ef4a1da270f92aaf0c4fdb06fadaaec932149d49 Mon Sep 17 00:00:00 2001
From: Lukas Bezdicka <lbezdick@redhat.com>
Date: Thu, 13 Apr 2017 19:21:45 +0200
Subject: Ensure we configure ssl.conf

Every time we call apache module regardless of using SSL we have to
configure mod_ssl from puppet-apache or we'll hit issue during package
update. File /etc/httpd/conf.d/ssl.conf from mod_ssl package contains
Listen 443 while apache::mod::ssl just configures SSL bits but does not
add Listen. If the apache::mod::ssl is not included the ssl.conf file is
removed and recreated during mod_ssl package update. This causes
conflict on port 443.

Change-Id: Ic5a0719f67d3795a9edca25284d1cf6f088073e8
Related-Bug: 1682448
Resolves: rhbz#1441977
(cherry picked from commit 9e729c0db22865d036860346eb6b81c4c2108719)
---
 manifests/profile/base/aodh/api.pp                       |  1 +
 manifests/profile/base/barbican/api.pp                   |  1 +
 manifests/profile/base/ceilometer/api.pp                 |  1 +
 manifests/profile/base/cinder/api.pp                     |  1 +
 manifests/profile/base/gnocchi/api.pp                    |  1 +
 manifests/profile/base/keystone.pp                       |  1 +
 manifests/profile/base/nova/api.pp                       |  1 +
 manifests/profile/base/nova/placement.pp                 |  1 +
 manifests/profile/base/panko/api.pp                      |  1 +
 manifests/profile/base/zaqar.pp                          |  1 +
 releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml | 10 ++++++++++
 11 files changed, 20 insertions(+)
 create mode 100644 releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml

diff --git a/manifests/profile/base/aodh/api.pp b/manifests/profile/base/aodh/api.pp
index 1c03059..a9c94f4 100644
--- a/manifests/profile/base/aodh/api.pp
+++ b/manifests/profile/base/aodh/api.pp
@@ -81,6 +81,7 @@ class tripleo::profile::base::aodh::api (
 
   if $step >= 3 {
     include ::aodh::api
+    include ::apache::mod::ssl
     class { '::aodh::wsgi::apache':
       ssl_cert => $tls_certfile,
       ssl_key  => $tls_keyfile,
diff --git a/manifests/profile/base/barbican/api.pp b/manifests/profile/base/barbican/api.pp
index b464317..42ac8cd 100644
--- a/manifests/profile/base/barbican/api.pp
+++ b/manifests/profile/base/barbican/api.pp
@@ -99,6 +99,7 @@ class tripleo::profile::base::barbican::api (
     include ::barbican::api::logging
     include ::barbican::keystone::notification
     include ::barbican::quota
+    include ::apache::mod::ssl
     class { '::barbican::wsgi::apache':
       ssl_cert => $tls_certfile,
       ssl_key  => $tls_keyfile,
diff --git a/manifests/profile/base/ceilometer/api.pp b/manifests/profile/base/ceilometer/api.pp
index 6ef4748..254cee8 100644
--- a/manifests/profile/base/ceilometer/api.pp
+++ b/manifests/profile/base/ceilometer/api.pp
@@ -78,6 +78,7 @@ class tripleo::profile::base::ceilometer::api (
 
   if $step >= 4 {
     include ::ceilometer::api
+    include ::apache::mod::ssl
     class { '::ceilometer::wsgi::apache':
       ssl_cert => $tls_certfile,
       ssl_key  => $tls_keyfile,
diff --git a/manifests/profile/base/cinder/api.pp b/manifests/profile/base/cinder/api.pp
index 450a8e6..ef5bd06 100644
--- a/manifests/profile/base/cinder/api.pp
+++ b/manifests/profile/base/cinder/api.pp
@@ -89,6 +89,7 @@ class tripleo::profile::base::cinder::api (
 
   if $step >= 4 or ($step >= 3 and $sync_db) {
     include ::cinder::api
+    include ::apache::mod::ssl
     class { '::cinder::wsgi::apache':
       ssl_cert => $tls_certfile,
       ssl_key  => $tls_keyfile,
diff --git a/manifests/profile/base/gnocchi/api.pp b/manifests/profile/base/gnocchi/api.pp
index e79f800..92431e4 100644
--- a/manifests/profile/base/gnocchi/api.pp
+++ b/manifests/profile/base/gnocchi/api.pp
@@ -98,6 +98,7 @@ class tripleo::profile::base::gnocchi::api (
 
   if $step >= 4 {
     include ::gnocchi::api
+    include ::apache::mod::ssl
     class { '::gnocchi::wsgi::apache':
       ssl_cert => $tls_certfile,
       ssl_key  => $tls_keyfile,
diff --git a/manifests/profile/base/keystone.pp b/manifests/profile/base/keystone.pp
index dbd6142..9aa3eb3 100644
--- a/manifests/profile/base/keystone.pp
+++ b/manifests/profile/base/keystone.pp
@@ -161,6 +161,7 @@ class tripleo::profile::base::keystone (
     }
 
     include ::keystone::config
+    include ::apache::mod::ssl
     class { '::keystone::wsgi::apache':
       ssl_cert       => $tls_certfile,
       ssl_key        => $tls_keyfile,
diff --git a/manifests/profile/base/nova/api.pp b/manifests/profile/base/nova/api.pp
index 287d14c..f09f083 100644
--- a/manifests/profile/base/nova/api.pp
+++ b/manifests/profile/base/nova/api.pp
@@ -116,6 +116,7 @@ class tripleo::profile::base::nova::api (
       $tls_keyfile = undef
     }
     if $step >= 4 or ($step >= 3 and $sync_db) {
+      include ::apache::mod::ssl
       class { '::nova::wsgi::apache_api':
         ssl_cert => $tls_certfile,
         ssl_key  => $tls_keyfile,
diff --git a/manifests/profile/base/nova/placement.pp b/manifests/profile/base/nova/placement.pp
index c429373..614a3e7 100644
--- a/manifests/profile/base/nova/placement.pp
+++ b/manifests/profile/base/nova/placement.pp
@@ -86,6 +86,7 @@ class tripleo::profile::base::nova::placement (
   }
 
   if $step >= 3 {
+    include ::apache::mod::ssl
     class { '::nova::wsgi::apache_placement':
       ssl_cert => $tls_certfile,
       ssl_key  => $tls_keyfile,
diff --git a/manifests/profile/base/panko/api.pp b/manifests/profile/base/panko/api.pp
index a6643ce..be6df8d 100644
--- a/manifests/profile/base/panko/api.pp
+++ b/manifests/profile/base/panko/api.pp
@@ -92,6 +92,7 @@ class tripleo::profile::base::panko::api (
     class { '::panko::api':
       sync_db => $sync_db,
     }
+    include ::apache::mod::ssl
     class { '::panko::wsgi::apache':
       ssl_cert => $tls_certfile,
       ssl_key  => $tls_keyfile,
diff --git a/manifests/profile/base/zaqar.pp b/manifests/profile/base/zaqar.pp
index 89a03ad..7fbcd34 100644
--- a/manifests/profile/base/zaqar.pp
+++ b/manifests/profile/base/zaqar.pp
@@ -50,6 +50,7 @@ class tripleo::profile::base::zaqar (
       uri => $database_connection,
     }
     include ::zaqar::transport::websocket
+    include ::apache::mod::ssl
     include ::zaqar::transport::wsgi
 
     # TODO (bcrochet): At some point, the transports should be split out to
diff --git a/releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml b/releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml
new file mode 100644
index 0000000..92f2360
--- /dev/null
+++ b/releasenotes/notes/ensure-ssl-conf-2f32c6ead6f3bb0e.yaml
@@ -0,0 +1,10 @@
+---
+fixes:
+  - |
+    With having package mod_ssl by default installed in images we introduced
+    issue with mod_ssl package update. In case of SSL not being used or
+    provided by HAproxy the puppet-apache module by default purges the
+    ssl.conf file. The package update then recreates the file with default
+    Listen 443 option. This causes conflict on 443 port during httpd restart.
+    If we include ::apache::mod::ssl the ssl.conf file will be configured and
+    the Listen option will be used only if there is vhost set to use SSL.
-- 
cgit 1.2.3-korg