From d163d9173050a53eb52f3889e8a1cdcb3ce1bfdd Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Mon, 15 Jul 2024 14:34:01 +0200 Subject: [PATCH] Combine Ubuntu/Debian vars together The only difference in Ubuntu/Debian vars were defenition of `_keystone_sp_apache_mod_auth_openidc_gte_2_4_11`. Though, all currently supported distros are shipped with Apache >= 2.4.11. Ie: * Debian: 2.4.61 [1] * CentOS 9 Stream: 2.4.57 [2] [1] https://packages.debian.org/search?suite=bullseye&keywords=apache2 [2] https://rpmfind.net/linux/rpm2html/search.php?query=httpd(x86-64) Change-Id: I916607130e6bf36580a7527d832c876ccd538eb9 --- templates/keystone-httpd.conf.j2 | 2 +- vars/debian.yml | 3 + vars/redhat.yml | 3 + vars/ubuntu-18.04.yml | 102 ----------------------------- vars/ubuntu-22.04.yml | 106 ------------------------------- 5 files changed, 7 insertions(+), 209 deletions(-) delete mode 100644 vars/ubuntu-18.04.yml delete mode 100644 vars/ubuntu-22.04.yml diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2 index 0bbbacc3..6421514a 100644 --- a/templates/keystone-httpd.conf.j2 +++ b/templates/keystone-httpd.conf.j2 @@ -47,7 +47,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }} OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }} OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }} OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }} - {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined -%} + {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined and _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 -%} OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }} {% endif -%} {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%} diff --git a/vars/debian.yml b/vars/debian.yml index ba1a7e89..a0f96ab0 100644 --- a/vars/debian.yml +++ b/vars/debian.yml @@ -52,6 +52,9 @@ keystone_idp_distro_packages: - ssl-cert - xmlsec1 +# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured +_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: True + keystone_sp_apache_mod_packages: - name: libapache2-mod-shib state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" diff --git a/vars/redhat.yml b/vars/redhat.yml index 2c590102..277306a3 100644 --- a/vars/redhat.yml +++ b/vars/redhat.yml @@ -45,6 +45,9 @@ keystone_apache_distro_packages: keystone_idp_distro_packages: - xmlsec1 +# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured +_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: True + keystone_sp_apache_mod_packages: - name: shibboleth state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" diff --git a/vars/ubuntu-18.04.yml b/vars/ubuntu-18.04.yml deleted file mode 100644 index 5ce9e407..00000000 --- a/vars/ubuntu-18.04.yml +++ /dev/null @@ -1,102 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -cache_timeout: 600 - -keystone_distro_packages: - - git - - openssh-server - - rsync - - cron - - libpython3-dev - -keystone_devel_distro_packages: - - docutils-common - - libffi-dev - - libjs-sphinxdoc - - libjs-underscore - - libldap2-dev - - libsasl2-dev - - libsystemd-dev - - libssl-dev - - libxslt1.1 - - libxslt1-dev - - libxml2-dev - - pkg-config - -keystone_service_distro_packages: - - python3-keystone - - python3-systemd - - uwsgi - - uwsgi-plugin-python3 - -keystone_apache_distro_packages: - - apache2 - - apache2-utils - - libapache2-mod-proxy-uwsgi - -keystone_idp_distro_packages: - - ssl-cert - - xmlsec1 - -keystone_sp_apache_mod_packages: - - name: libapache2-mod-shib2 - state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" - - name: libapache2-mod-auth-openidc - state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}" - -keystone_developer_mode_distro_packages: - - build-essential - -keystone_oslomsg_amqp1_distro_packages: - - libsasl2-modules - - sasl2-bin - -keystone_apache_default_sites: - - "/etc/apache2/sites-enabled/000-default.conf" - -keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf" -keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf" -keystone_apache_conf: "/etc/apache2/apache2.conf" -keystone_apache_default_log_folder: "/var/log/apache2" -keystone_apache_default_log_owner: "root" -keystone_apache_default_log_grp: "adm" -keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf" - -keystone_apache_configs: - - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" } - - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" } - - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" } - -keystone_apache_modules: - - name: "ssl" - state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}" - - name: "shib2" - state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" - - name: "auth_openidc" - state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}" - - name: "proxy_uwsgi" - state: "present" - - name: "headers" - state: "present" -# This can be enabled when Apache2.5+ is available -# - name: "mod_journald" -# state: "present - -keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}" - -keystone_uwsgi_bin: '/usr/bin' - -keystone_sshd: ssh diff --git a/vars/ubuntu-22.04.yml b/vars/ubuntu-22.04.yml deleted file mode 100644 index 3bce800e..00000000 --- a/vars/ubuntu-22.04.yml +++ /dev/null @@ -1,106 +0,0 @@ ---- -# Copyright 2016, Rackspace US, Inc. -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. - -cache_timeout: 600 - -keystone_distro_packages: - - git - - libldap-common - - openssh-server - - rsync - - cron - - libpython3-dev - -keystone_devel_distro_packages: - - docutils-common - - libffi-dev - - libjs-sphinxdoc - - libjs-underscore - - libldap2-dev - - libsasl2-dev - - libsystemd-dev - - libssl-dev - - libxslt1.1 - - libxslt1-dev - - libxml2-dev - - pkg-config - -keystone_service_distro_packages: - - python3-keystone - - python3-systemd - - uwsgi - - uwsgi-plugin-python3 - -keystone_apache_distro_packages: - - apache2 - - apache2-utils - - libapache2-mod-proxy-uwsgi - -keystone_idp_distro_packages: - - ssl-cert - - xmlsec1 - -keystone_sp_apache_mod_packages: - - name: libapache2-mod-shib - state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" - - name: libapache2-mod-auth-openidc - state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}" - -keystone_developer_mode_distro_packages: - - build-essential - -keystone_oslomsg_amqp1_distro_packages: - - libsasl2-modules - - sasl2-bin - -keystone_apache_default_sites: - - "/etc/apache2/sites-enabled/000-default.conf" - -keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf" -keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf" -keystone_apache_conf: "/etc/apache2/apache2.conf" -keystone_apache_default_log_folder: "/var/log/apache2" -keystone_apache_default_log_owner: "root" -keystone_apache_default_log_grp: "adm" -keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf" - -keystone_apache_configs: - - { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" } - - { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" } - - { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" } - -keystone_apache_modules: - - name: "ssl" - state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}" - - name: "shib" - state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" - - name: "auth_openidc" - state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}" - - name: "proxy_uwsgi" - state: "present" - - name: "headers" - state: "present" -# This can be enabled when Apache2.5+ is available -# - name: "mod_journald" -# state: "present - -keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}" - -keystone_uwsgi_bin: '/usr/bin' - -keystone_sshd: ssh - -# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured -_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: True