From b035c3d0fc506a9a1bf5c475b05c6bf558a41bb1 Mon Sep 17 00:00:00 2001
From: Kourosh Vivan
Date: Thu, 2 Aug 2018 15:07:01 +0200
Subject: [PATCH] Deployment host can provide shibboleth SP key-pair

If you don't want to generate shibboleth SP key-pair on first playbook run
You can provide sp-cert.pem and sp-key.pem in /etc/openstack_deploy/keystone/

Change-Id: I6fb099cee10ef76f2cd6d20a03ffe53f45a1f85d
Signed-off-by: Kourosh Vivan
---
 defaults/main.yml | 8 ++++++++
 tasks/keystone_federation_sp_setup.yml | 17 ++++++++++++++++-
 vars/source_install.yml | 3 +++
 3 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 63a64153..8fa84b42 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -450,6 +450,14 @@ keystone_role_project_group: keystone_all
 # template engine and copied to the target host.
 # keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"
+#: Tunable file-based overrides
+# The contents of these files, if they exist, are read from the
+# specified path on the deployment host, interpreted by the
+# template engine and copied to the target host. If they do
+# not exist then they will be generated on first playbook run.
+shibboleth_cert_user_file_path: "/etc/openstack_deploy/keystone/sp-cert.pem"
+shibboleth_key_user_file_path: "/etc/openstack_deploy/keystone/sp-key.pem"
+
 #: Tunable var-based overrides
 # The contents of these are templated over the default files.
 keystone_keystone_conf_overrides: {}
diff --git a/tasks/keystone_federation_sp_setup.yml b/tasks/keystone_federation_sp_setup.yml
index 04e8e1f0..6065b660 100644
--- a/tasks/keystone_federation_sp_setup.yml
+++ b/tasks/keystone_federation_sp_setup.yml
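Review bot: The comment block added above `shibboleth_cert_user_file_path` states that the files are "interpreted by the template engine", which is carried over from the `keystone_sso_callback_file_path` comment just above it but does not describe what this patch does: the vars hunk reads the files with a `pipe` lookup and the copy task writes that string as-is, and PEM material should not pass through Jinja in any case. Suggest rewording the two middle lines to `# specified path on the deployment host and copied verbatim to the` / `# first keystone host. If they do not exist then a key-pair will be` so the documented behaviour matches the implementation. Because `sp-key.pem` is a private key, the comment could also say that the file is read as-is and that its permissions on the deployment host are the deployer's responsibility, since the role neither checks nor tightens them.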
@@ -26,11 +26,26 @@
   notify:
     - Restart Shibd
+- name: Copy Shibboleth SP key-pair (if provided)
+  copy:
+    content: "{{ item.content }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode|default('0640') }}"
+  when:
+    - inventory_hostname == groups['keystone_all'][0]
+    - item.content != ''
+  with_items:
+    - { content: "{{ shibboleth_cert_user_content }}", dest: "/etc/shibboleth/sp-cert.pem" }
+    - { content: "{{ shibboleth_key_user_content }}", dest: "/etc/shibboleth/sp-key.pem" }
+  notify:
+    - Manage LB
+    - Restart web server
+    - Restart Shibd
+
 - name: Generate the Shibboleth SP key-pair
   command: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
   args:
     creates: "/etc/shibboleth/sp-cert.pem"
-  changed_when: false
   when: inventory_hostname == groups['keystone_all'][0]
   notify:
     - Manage LB
diff --git a/vars/source_install.yml b/vars/source_install.yml
index c9e6d6aa..fe5d4450 100644
--- a/vars/source_install.yml
+++ b/vars/source_install.yml
@@ -38,3 +38,6 @@ keystone_package_list: |-
 _keystone_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
 keystone_uwsgi_bin: "{{ _keystone_bin }}"
+# These vars find a file on the deployment node, if it exists - otherwise the result is empty.
+shibboleth_cert_user_content: "{{ lookup('pipe', 'cat ' ~ shibboleth_cert_user_file_path ~ ' 2>/dev/null || true') }}"
+shibboleth_key_user_content: "{{ lookup('pipe', 'cat ' ~ shibboleth_key_user_file_path ~ ' 2>/dev/null || true') }}"
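Review bot: The new `Copy Shibboleth SP key-pair (if provided)` task has no `no_log: true`, so the private key held in `shibboleth_key_user_content` is printed as part of the loop item in verbose or failed task output and in full under `--diff`/check mode, which puts it into CI logs and callback stores; add `no_log: true` alongside `when:`. The per-item test `item.content != ''` lets a deployer who supplies only `sp-cert.pem` get that one file copied, after which the next task's `creates: "/etc/shibboleth/sp-cert.pem"` skips `shib-keygen` and shibd is left with a certificate and no key; replacing it with `- shibboleth_cert_user_content != ''` and `- shibboleth_key_user_content != ''` makes the override all-or-nothing. The `copy` sets no `owner`/`group`, so the files are written with the connecting user's ownership at 0640, whereas `shib-keygen` (the path taken when the files are absent) typically creates them for the shibd service account — set `owner`/`group` to the account `shib-keygen` uses (its name is not visible in this patch), or shibd may be unable to read the key, and consider an explicit `mode: '0600'` on the `sp-key.pem` item rather than the shared 0640 default. The `Generate the Shibboleth SP key-pair` task's `notify` list continues past the end of the hunk.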
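Review bot: `lookup('pipe', 'cat ' ~ shibboleth_key_user_file_path ~ ' 2>/dev/null || true')` builds a shell command by concatenation and then discards every failure, so a key file that exists on the deployment host but is unreadable (wrong owner or permissions) is indistinguishable from an absent one: the variable comes back empty and the role silently generates a fresh key-pair, the very outcome the patch exists to avoid. Prefer a non-shell lookup — `lookup('file', shibboleth_key_user_file_path, errors='ignore')` where the role's minimum Ansible supports the `errors` argument, or `first_found` with `skip: true` — and if `pipe` is kept, pass the path through `| quote` so a path containing spaces or shell metacharacters cannot break or alter the command. These definitions live in `vars/source_install.yml`; if the role has a parallel vars file for the distro install method, `shibboleth_cert_user_content`/`shibboleth_key_user_content` would be undefined there and the copy task in `tasks/keystone_federation_sp_setup.yml` would fail on that path, so `defaults/main.yml` next to the `*_file_path` vars looks like the better home. Note also that the `pipe` lookup strips trailing whitespace from the command output, so the PEM written to the target will lack its final newline — harmless to OpenSSL-based parsers but worth a comment for anyone diffing the files.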