Deployment host can provide shibboleth SP key-pair

If you don't want to generate shibboleth SP key-pair on first playbook run You can provide sp-cert.pem and sp-key.pem in /etc/openstack_deploy/keystone/ Change-Id: I6fb099cee10ef76f2cd6d20a03ffe53f45a1f85d Signed-off-by: Kourosh Vivan <kourosh.vivan@osones.com>
2018-08-02 15:07:01 +02:00 · 2018-08-02 15:07:01 +02:00 · b035c3d0fc
commit b035c3d0fc
parent 5132d6a839
3 changed files with 27 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -450,6 +450,14 @@ keystone_role_project_group: keystone_all
 #                  template engine and copied to the target host.
 # keystone_sso_callback_file_path: "/etc/openstack_deploy/keystone/sso_callback_template.html"

+#: Tunable file-based overrides
+# The contents of these files, if they exist, are read from the
+# specified path on the deployment host, interpreted by the
+# template engine and copied to the target host. If they do
+# not exist then they will be generated on first playbook run.
+shibboleth_cert_user_file_path: "/etc/openstack_deploy/keystone/sp-cert.pem"
+shibboleth_key_user_file_path: "/etc/openstack_deploy/keystone/sp-key.pem"
+
 #: Tunable var-based overrides
 # The contents of these are templated over the default files.
 keystone_keystone_conf_overrides: {}
--- a/tasks/keystone_federation_sp_setup.yml
+++ b/tasks/keystone_federation_sp_setup.yml
@ -26,11 +26,26 @@
  notify:
    - Restart Shibd

+- name: Copy Shibboleth SP key-pair (if provided)
+  copy:
+    content: "{{ item.content }}"
+    dest: "{{ item.dest }}"
+    mode: "{{ item.mode|default('0640') }}"
+  when:
+    - inventory_hostname == groups['keystone_all'][0]
+    - item.content != ''
+  with_items:
+    - { content: "{{ shibboleth_cert_user_content }}", dest: "/etc/shibboleth/sp-cert.pem" }
+    - { content: "{{ shibboleth_key_user_content }}", dest: "/etc/shibboleth/sp-key.pem" }
+  notify:
+    - Manage LB
+    - Restart web server
+    - Restart Shibd
+
 - name: Generate the Shibboleth SP key-pair
  command: "shib-keygen -h {{ external_lb_vip_address }} -y {{ keystone_sp.cert_duration_years }}"
  args:
    creates: "/etc/shibboleth/sp-cert.pem"
-  changed_when: false
  when: inventory_hostname == groups['keystone_all'][0]
  notify:
    - Manage LB
--- a/vars/source_install.yml
+++ b/vars/source_install.yml
@ -38,3 +38,6 @@ keystone_package_list: |-

 _keystone_bin: "/openstack/venvs/keystone-{{ keystone_venv_tag }}/bin"
 keystone_uwsgi_bin: "{{ _keystone_bin }}"
+# These vars find a file on the deployment node, if it exists - otherwise the result is empty.
+shibboleth_cert_user_content: "{{ lookup('pipe', 'cat ' ~ shibboleth_cert_user_file_path ~ ' 2>/dev/null || true') }}"
+shibboleth_key_user_content: "{{ lookup('pipe', 'cat ' ~  shibboleth_key_user_file_path ~ ' 2>/dev/null || true') }}"