Merge "Rename keystone_ssl to keystone_backend_ssl"

2023-04-20 18:46:50 +00:00 · 2023-04-20 18:46:50 +00:00 · 2378e452ad
commit 2378e452ad
parent 674c8a5434 6661a9dab7
7 changed files with 16 additions and 10 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -228,8 +228,9 @@ keystone_default_uwsgi_overrides:
  uwsgi:
    socket: "127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}"

-# set keystone_ssl to true to enable SSL configuration on the keystone containers
-keystone_ssl: "{{ openstack_backend_service_https | default(False) }}"
+# Define if communication between haproxy and service backends should be
+# encrypted with TLS.
+keystone_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"

 # The local address used for the keystone node
 keystone_node_address: "{{ management_address | default('127.0.0.1') }}"
@ -274,7 +275,7 @@ keystone_pki_certificates:
    cn: "{{ ansible_facts['hostname'] }}"
    san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address }}"
    signed_by: "{{ keystone_pki_intermediate_cert_name }}"
-    condition: "{{ keystone_ssl }}"
+    condition: "{{ keystone_backend_ssl }}"

 # Set to the value of keystone_idp_authority_name to regenerate the IDP CA
 keystone_pki_regen_ca: ''
@ -292,13 +293,13 @@ keystone_pki_install_certificates:
    owner: "{{ keystone_system_user_name }}"
    group: "{{ keystone_system_group_name }}"
    mode: "0644"
-    condition: "{{ keystone_ssl }}"
+    condition: "{{ keystone_backend_ssl }}"
  - src: "{{ keystone_user_ssl_key | default(keystone_pki_keys_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
    dest: "{{ keystone_ssl_key }}"
    owner: "{{ keystone_system_user_name }}"
    group: "{{ keystone_system_group_name }}"
    mode: "0600"
-    condition: "{{ keystone_ssl }}"
+    condition: "{{ keystone_backend_ssl }}"
  - src: "{{ keystone_user_ssl_ca_cert | default(keystone_pki_intermediate_cert_path) }}"
    dest: "{{ keystone_ssl_ca_cert }}"
    owner: "{{ keystone_system_user_name }}"
--- a/releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml
+++ b/releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml
@ -0,0 +1,5 @@
+---
+upgrade:
+  - |
+    Variable ``keystone_ssl`` was deprecated in favor of
+    ``keystone_backend_ssl``.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -168,7 +168,7 @@
    pki_certificates: "{{ keystone_pki_certificates }}"
    pki_install_certificates: "{{ keystone_pki_install_certificates }}"
  when:
-    - (keystone_ssl | bool) or (keystone_idp['certfile'] is defined)
+    - (keystone_backend_ssl | bool) or (keystone_idp['certfile'] is defined)
  tags:
    - keystone-config

--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -26,7 +26,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
    RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
    {% endif %}

-    {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
+    {% if keystone_backend_ssl | bool and keystone_service_internaluri_proto == "https" -%}
    SSLEngine on
    SSLCertificateFile    {{ keystone_ssl_cert }}
    SSLCertificateKeyFile {{ keystone_ssl_key }}
--- a/templates/shibboleth2.xml.j2
+++ b/templates/shibboleth2.xml.j2
@ -36,7 +36,7 @@
                  timeout="3600"
                  relayState="ss:mc"
                  checkAddress="false"
-                  handlerSSL="{% if keystone_ssl | bool %}true{% else %}false{% endif %}"
+                  handlerSSL="{% if keystone_backend_ssl | bool %}true{% else %}false{% endif %}"
                  {% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}>

            <!-- Triggers a login request directly to the IdP. -->
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -82,7 +82,7 @@ keystone_apache_configs:

 keystone_apache_modules:
  - name: "ssl"
-    state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
+    state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
  - name: "shib"
    state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
  - name: "auth_openidc"
--- a/vars/ubuntu-18.04.yml
+++ b/vars/ubuntu-18.04.yml
@ -82,7 +82,7 @@ keystone_apache_configs:

 keystone_apache_modules:
  - name: "ssl"
-    state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
+    state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
  - name: "shib2"
    state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
  - name: "auth_openidc"