From 4686326650d265fbd287e4bccb3e38f4b2292c20 Mon Sep 17 00:00:00 2001
From: Damian Dabrowski <damian.dabrowski@cleura.com>
Date: Tue, 4 Apr 2023 23:18:47 +0200
Subject: [PATCH] Rename horizon_enable_ssl to horizon_backend_ssl

To standardize variable names across roles, this change renames
`horizon_enable_ssl` to `horizon_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `horizon_enable_ssl` it's
unclear whether it is about frontend or backend.

Backward compatibility will be kept until 2024.1.

Change-Id: I218d45b7be667732e4204316b8d18fa3e136962b
---
 defaults/main.yml                                           | 3 ++-
 .../notes/horizon_backend_https-105d9050aa3ec125.yaml       | 5 +++++
 tasks/main.yml                                              | 6 +++---
 templates/horizon_local_settings.py.j2                      | 2 +-
 templates/openstack_dashboard.conf.j2                       | 6 +++---
 tests/os_horizon-overrides.yml                              | 2 +-
 6 files changed, 15 insertions(+), 9 deletions(-)
 create mode 100644 releasenotes/notes/horizon_backend_https-105d9050aa3ec125.yaml

diff --git a/defaults/main.yml b/defaults/main.yml
index 2bf90cd6..8ee5ba29 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -240,7 +240,8 @@ horizon_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ horizo
 # horizon_user_ssl_ca_cert: <path to cert on ansible deployment host>
 
 # Toggle whether horizon should be served via SSL
-horizon_enable_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
+# NOTE(damiandabrowski): Remove backward compatibility with horizon_enable_ssl in 2024.1
+horizon_backend_ssl: "{{ horizon_enable_ssl | default(openstack_service_backend_ssl | default(False)) }}"
 
 # Toggle whether horizon is served via an external device, like a load
 # balancer. This enables the use of the horizon_secure_proxy_ssl_header
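Review bot: The fallback on the new `horizon_backend_ssl` line honours an existing `horizon_enable_ssl` override silently, so a deployer who carries `horizon_enable_ssl: true` gets no signal that it stops applying in 2024.1. At that point backend TLS would fall back to `openstack_service_backend_ssl | default(False)`, and the Apache `SSLEngine` block and the secure-cookie settings gated on this variable would go with it. A run-time deprecation warning when `horizon_enable_ssl is defined` would make the cutoff visible before it changes behaviour. The unchanged comment "Toggle whether horizon should be served via SSL" also keeps the frontend/backend ambiguity the rename is meant to remove; I would reword it to `# Toggle whether the horizon web server itself serves TLS (backend SSL)`.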
diff --git a/releasenotes/notes/horizon_backend_https-105d9050aa3ec125.yaml b/releasenotes/notes/horizon_backend_https-105d9050aa3ec125.yaml
new file mode 100644
index 00000000..d3ab4c3d
--- /dev/null
+++ b/releasenotes/notes/horizon_backend_https-105d9050aa3ec125.yaml
@@ -0,0 +1,5 @@
+---
+other:
+  - |
+    ``horizon_enable_ssl`` has been renamed to ``horizon_backend_ssl``
+    for consistency reasons.
diff --git a/tasks/main.yml b/tasks/main.yml
index 01232f8c..75c0a4e9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -57,21 +57,21 @@
 
 - import_tasks: horizon_ssl_self_signed.yml
   when:
-    - horizon_enable_ssl | bool
+    - horizon_backend_ssl | bool
     - horizon_user_ssl_cert is not defined or horizon_user_ssl_key is not defined
   tags:
     - horizon-config
 
 - import_tasks: horizon_ssl_user_provided.yml
   when:
-    - horizon_enable_ssl | bool
+    - horizon_backend_ssl | bool
   tags:
     - horizon-config
 
 - name: Update the ca certificates
   command: "update-ca-certificates -f"
   when:
-    - horizon_enable_ssl | bool
+    - horizon_backend_ssl | bool
     - ansible_facts['pkg_mgr'] == 'apt'
   tags:
     - horizon-config
diff --git a/templates/horizon_local_settings.py.j2 b/templates/horizon_local_settings.py.j2
index f6d462a1..df8914f3 100644
--- a/templates/horizon_local_settings.py.j2
+++ b/templates/horizon_local_settings.py.j2
@@ -59,7 +59,7 @@ SECURE_PROXY_SSL_HEADER = ('{{ horizon_secure_proxy_ssl_header_django }}', 'http
 SECURE_PROXY_ADDR_HEADER = 'HTTP_X_FORWARDED_FOR'
 {% endif %}
 
-{% if horizon_enable_ssl | bool %}
+{% if horizon_backend_ssl | bool %}
 # If Horizon is being served through SSL, then uncomment the following two
 # settings to better secure the cookies from security exploits
 CSRF_COOKIE_SECURE = True
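Review bot: `CSRF_COOKIE_SECURE` is now gated on a variable named for the backend only, while the comment under the `{% if horizon_backend_ssl | bool %}` line still describes the user-facing case ("If Horizon is being served through SSL"). As far as this hunk shows, a deployment that terminates TLS on a load balancer and keeps the backend on plain HTTP would render the settings without the Secure cookie flags, although browsers reach Horizon over HTTPS. If that is intended, the comment should say so, for example `# Secure cookie flags follow backend TLS only; TLS terminated on a load balancer does not enable them`. Otherwise the condition should also cover the external-TLS case. The `{% if %}` block continues past the end of the hunk, so the other settings it guards are not visible here.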
diff --git a/templates/openstack_dashboard.conf.j2 b/templates/openstack_dashboard.conf.j2
index 5e921776..8ed5f8af 100644
--- a/templates/openstack_dashboard.conf.j2
+++ b/templates/openstack_dashboard.conf.j2
@@ -6,7 +6,7 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
 
 # If horizon is being served via SSL from this web server,
 # then we must redirect HTTP requests to HTTPS.
-{% if (horizon_enable_ssl | bool) %}
+{% if (horizon_backend_ssl | bool) %}
 <VirtualHost {{ horizon_bind_address }}:{{ horizon_listen_ports.http }}>
     ServerName {{ horizon_server_name }}
     RewriteEngine On
@@ -18,13 +18,13 @@ Listen {{ horizon_bind_address }}:{{ horizon_listen_port }}
 # If horizon is being served via SSL via a load balancer, we
 # need to listen via HTTP on this web server. If SSL is not
 # enabled, then the same applies.
-<VirtualHost {{ horizon_bind_address }}:{{ (horizon_enable_ssl | bool) | ternary(horizon_listen_ports.https, horizon_listen_ports.http) }}>
+<VirtualHost {{ horizon_bind_address }}:{{ (horizon_backend_ssl | bool) | ternary(horizon_listen_ports.https, horizon_listen_ports.http) }}>
     ServerName {{ horizon_server_name }}
     LogLevel  {{ horizon_log_level }}
     ErrorLog  syslog:daemon
     CustomLog "|/usr/bin/env logger -p daemon.info -t {{ horizon_system_service_name }}" {{ horizon_apache_custom_log_format }}
     Options +FollowSymLinks
-{% if horizon_enable_ssl | bool %}
+{% if horizon_backend_ssl | bool %}
     SSLEngine on
     SSLCertificateFile    {{ horizon_ssl_cert }}
     SSLCertificateKeyFile {{ horizon_ssl_key }}
diff --git a/tests/os_horizon-overrides.yml b/tests/os_horizon-overrides.yml
index 97b96dba..fee76c2e 100644
--- a/tests/os_horizon-overrides.yml
+++ b/tests/os_horizon-overrides.yml
@@ -35,5 +35,5 @@ horizon_config_overrides:
 
 # This has to be set here because the common test-vars
 # has haproxy_ssl set to no.
-horizon_enable_ssl: yes
+horizon_backend_ssl: yes