Fix logic to check for insecure Keystone

The logic to check for insecure Keystone would only validate if
both HAproxy and Keystone SSL is installed.  However, in the case
where SSL happens at either of those (ex. SSL at HAproxy only),
then it would still declare it as insecure (it is not however
as we're hitting the VIP which does SSL termination).

This changes the behaviour so that, if the protocol is HTTPS and
either the Keystone or the HAproxy certificate is defined, the
endpoint is considered secure; otherwise it is considered insecure.

Closes-Bug: #1745479
Co-Authored-By: Logan V <logan2211@gmail.com>
Change-Id: I3683c5d50cab2d321337c71bed565d2e2ab861fc
Mohammed Naser 2018-01-25 15:45:49 -05:00
parent 0863eb7b21
commit 15e2d85f41
1 changed files with 18 additions and 3 deletions


@ -24,16 +24,31 @@ keystone_service_proto: http
keystone_service_region: "{{ service_region }}"
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
keystone_service_adminuri_insecure: |-
{% set _insecure = false %}
{% if keystone_service_adminuri_proto == 'https' %}
{% set _insecure = not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined) %}
{% endif %}
{{ _insecure }}
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
keystone_service_internaluri_insecure: |-
{% set _insecure = false %}
{% if keystone_service_internaluri_proto == 'https' %}
{% set _insecure = not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined) %}
{% endif %}
{{ _insecure }}
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_publicuri_insecure: "{% if keystone_service_publicuri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
keystone_service_publicuri_insecure: |-
{% set _insecure = false %}
{% if keystone_service_publicuri_proto == 'https' %}
{% set _insecure = not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined) %}
{% endif %}
{{ _insecure }}
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_publicurl: "{{ keystone_service_publicuri }}/v3"
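Review bot: The three `*_insecure` templates (adminuri, internaluri, publicuri) infer that the endpoint is verifiable from the mere existence of `keystone_user_ssl_cert` or `haproxy_user_ssl_cert`, and nothing in the file documents what the resulting value means for clients. `is defined` is also true for an empty value and does not say which layer's certificate the VIP actually presents; that mismatch fails closed, but the other branch (https with neither variable set renders `True`, which, judging by the variable name and the commit message, makes consumers skip certificate verification on connections carrying Keystone credentials) deserves an explicit comment. I would add above the first block `# True = clients skip TLS certificate verification (no user-supplied cert on Keystone or HAProxy); define a cert on the TLS-terminating layer to enable verification`. As a style point, the same five-line block is repeated three times and each could be a single expression, e.g. `"{{ keystone_service_adminuri_proto == 'https' and keystone_user_ssl_cert is not defined and haproxy_user_ssl_cert is not defined }}"`, which avoids relying on whitespace trimming to render exactly `True`/`False`.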