Combine Ubuntu/Debian vars together

The only difference in Ubuntu/Debian vars were defenition of
`_keystone_sp_apache_mod_auth_openidc_gte_2_4_11`. Though,
all currently supported distros are shipped with Apache >= 2.4.11.

Ie:
* Debian: 2.4.61 [1]
* CentOS 9 Stream: 2.4.57 [2]

[1]  https://packages.debian.org/search?suite=bullseye&keywords=apache2
[2] https://rpmfind.net/linux/rpm2html/search.php?query=httpd(x86-64)

Change-Id: I916607130e6bf36580a7527d832c876ccd538eb9
This commit is contained in:
Dmitriy Rabotyagov 2024-07-15 14:34:01 +02:00
parent bfd4651fe5
commit d163d91730
5 changed files with 7 additions and 209 deletions

View File

@ -47,7 +47,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }} OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }} OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }} OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}
{% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined -%} {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined and _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 -%}
OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }} OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }}
{% endif -%} {% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%} {% if keystone_sp.trusted_idp_list.0.oidc_auth_verify_jwks_uri is defined -%}

View File

@ -52,6 +52,9 @@ keystone_idp_distro_packages:
- ssl-cert - ssl-cert
- xmlsec1 - xmlsec1
# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured
_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: True
keystone_sp_apache_mod_packages: keystone_sp_apache_mod_packages:
- name: libapache2-mod-shib - name: libapache2-mod-shib
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"

View File

@ -45,6 +45,9 @@ keystone_apache_distro_packages:
keystone_idp_distro_packages: keystone_idp_distro_packages:
- xmlsec1 - xmlsec1
# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured
_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: True
keystone_sp_apache_mod_packages: keystone_sp_apache_mod_packages:
- name: shibboleth - name: shibboleth
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"

View File

@ -1,102 +0,0 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
cache_timeout: 600
keystone_distro_packages:
- git
- openssh-server
- rsync
- cron
- libpython3-dev
keystone_devel_distro_packages:
- docutils-common
- libffi-dev
- libjs-sphinxdoc
- libjs-underscore
- libldap2-dev
- libsasl2-dev
- libsystemd-dev
- libssl-dev
- libxslt1.1
- libxslt1-dev
- libxml2-dev
- pkg-config
keystone_service_distro_packages:
- python3-keystone
- python3-systemd
- uwsgi
- uwsgi-plugin-python3
keystone_apache_distro_packages:
- apache2
- apache2-utils
- libapache2-mod-proxy-uwsgi
keystone_idp_distro_packages:
- ssl-cert
- xmlsec1
keystone_sp_apache_mod_packages:
- name: libapache2-mod-shib2
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: libapache2-mod-auth-openidc
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
keystone_developer_mode_distro_packages:
- build-essential
keystone_oslomsg_amqp1_distro_packages:
- libsasl2-modules
- sasl2-bin
keystone_apache_default_sites:
- "/etc/apache2/sites-enabled/000-default.conf"
keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf"
keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf"
keystone_apache_conf: "/etc/apache2/apache2.conf"
keystone_apache_default_log_folder: "/var/log/apache2"
keystone_apache_default_log_owner: "root"
keystone_apache_default_log_grp: "adm"
keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf"
keystone_apache_configs:
- { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
- { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
keystone_apache_modules:
- name: "ssl"
state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
- name: "shib2"
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: "auth_openidc"
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
- name: "proxy_uwsgi"
state: "present"
- name: "headers"
state: "present"
# This can be enabled when Apache2.5+ is available
# - name: "mod_journald"
# state: "present
keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}"
keystone_uwsgi_bin: '/usr/bin'
keystone_sshd: ssh

View File

@ -1,106 +0,0 @@
---
# Copyright 2016, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
cache_timeout: 600
keystone_distro_packages:
- git
- libldap-common
- openssh-server
- rsync
- cron
- libpython3-dev
keystone_devel_distro_packages:
- docutils-common
- libffi-dev
- libjs-sphinxdoc
- libjs-underscore
- libldap2-dev
- libsasl2-dev
- libsystemd-dev
- libssl-dev
- libxslt1.1
- libxslt1-dev
- libxml2-dev
- pkg-config
keystone_service_distro_packages:
- python3-keystone
- python3-systemd
- uwsgi
- uwsgi-plugin-python3
keystone_apache_distro_packages:
- apache2
- apache2-utils
- libapache2-mod-proxy-uwsgi
keystone_idp_distro_packages:
- ssl-cert
- xmlsec1
keystone_sp_apache_mod_packages:
- name: libapache2-mod-shib
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: libapache2-mod-auth-openidc
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
keystone_developer_mode_distro_packages:
- build-essential
keystone_oslomsg_amqp1_distro_packages:
- libsasl2-modules
- sasl2-bin
keystone_apache_default_sites:
- "/etc/apache2/sites-enabled/000-default.conf"
keystone_apache_site_available: "/etc/apache2/sites-available/keystone-httpd.conf"
keystone_apache_site_enabled: "/etc/apache2/sites-enabled/keystone-httpd.conf"
keystone_apache_conf: "/etc/apache2/apache2.conf"
keystone_apache_default_log_folder: "/var/log/apache2"
keystone_apache_default_log_owner: "root"
keystone_apache_default_log_grp: "adm"
keystone_apache_security_conf: "/etc/apache2/conf-available/security.conf"
keystone_apache_configs:
- { src: "keystone-ports.conf.j2", dest: "/etc/apache2/ports.conf" }
- { src: "keystone-httpd.conf.j2", dest: "/etc/apache2/sites-available/keystone-httpd.conf" }
- { src: "keystone-httpd-mpm.conf.j2", dest: "/etc/apache2/mods-available/mpm_{{ keystone_httpd_mpm_backend }}.conf" }
keystone_apache_modules:
- name: "ssl"
state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
- name: "shib"
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: "auth_openidc"
state: "{{ keystone_sp_apache_mod_auth_openidc | ternary('present', 'absent') }}"
- name: "proxy_uwsgi"
state: "present"
- name: "headers"
state: "present"
# This can be enabled when Apache2.5+ is available
# - name: "mod_journald"
# state: "present
keystone_system_service_name: "{{ (keystone_use_uwsgi | bool) | ternary('keystone-wsgi-public', 'apache2') }}"
keystone_uwsgi_bin: '/usr/bin'
keystone_sshd: ssh
# From 2.4.11, mod_auth_openidc ignores X-Forwarded headers unless explicitly configured
_keystone_sp_apache_mod_auth_openidc_gte_2_4_11: True