Enable all services to use Keystone 'insecurely'

This patch introduces an insecure flag for the Keystone internal
and admin endpoints:

* keystone_service_adminuri_insecure
* keystone_service_internaluri_insecure

Both values default to false. If you have set up SSL endpoints
for Keystone using an untrusted certificate then you should
set the appropriate flag to true in your user_variables.

This patch is used to enable testing and development with
Keystone SSL endpoints without having to make use of SSL
certificates signed by a trusted, public CA.

The patch introduces a new optional argument (insecure) to the
keystone, glance and neutron Ansible libraries. This is a
boolean value which, when true, enables these libraries to
access Keystone endpoints 'insecurely'. When these libraries
are used in plays, the appropriate value is set automatically
as per the above conditions.

Implements: blueprint keystone-federation
Change-Id: Ia07e7e201f901042dd06a86efe5c6f6725e9ce13
Jesse Pretorius 2015-07-07 21:01:20 +00:00
parent 34b5861a86
commit c190c7622d
2 changed files with 15 additions and 0 deletions


@ -23,6 +23,9 @@ openrc_os_username: admin
openrc_os_tenant_name: admin
openrc_os_auth_url: "http://127.0.0.1:5000"
## Deliberately allow access to SSL endpoints with bad certificates
openrc_insecure: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
## Create file
openrc_file_dest: "{{ ansible_env.HOME }}/openrc"
openrc_file_owner: "{{ ansible_user_id }}"
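
Review bot: in the openrc_insecure expression the trailing default(false) is applied to the result of the parenthesised or, not to either input, so it provides no fallback when keystone_service_adminuri_insecure or keystone_service_internaluri_insecure is undefined. Put the default on each variable instead, for example keystone_service_adminuri_insecure | default(false) | bool, and the same for the internal flag. The comment above the variable could also state that either flag on its own switches the whole openrc to insecure mode, since the two are combined with or.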


@ -13,3 +13,15 @@ export OS_PASSWORD={{ openrc_os_password }}
export OS_TENANT_NAME={{ openrc_os_tenant_name }}
export OS_AUTH_URL={{ openrc_os_auth_url }}
export OS_NO_CACHE=1
{% if openrc_insecure | bool %}
# Convenience Aliases for Self-Signed Certs
alias cinder='cinder --insecure'
alias glance='glance --insecure'
alias heat='heat --insecure'
alias keystone='keystone --insecure'
alias neutron='neutron --insecure'
alias nova='nova --insecure'
alias openstack='openstack --insecure'
alias swift='swift --insecure'
{% endif %}
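
Review bot: the alias block under {% if openrc_insecure | bool %} turns off certificate verification for every call made through these eight clients, not only calls to Keystone, and the only hint to the user is the comment "Convenience Aliases for Self-Signed Certs". For a self-signed deployment, exporting OS_CACERT with the path to the signing certificate would keep verification on; if the aliases stay, the comment should say plainly that TLS verification is disabled. Aliases are also expanded only in interactive shells by default, so a script that sources this file will not pick up --insecure and will behave differently from the user's terminal.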