Enable all services to use Keystone 'insecurely'

This patch introduces an insecure flag for the Keystone internal
 and admin endpoints:

* keystone_service_adminuri_insecure
* keystone_service_internaluri_insecure

Both values default to false. If you have set up SSL endpoints
for Keystone using an untrusted certificate then you should
set the appropriate flag to true in your user_variables.

This patch is used to enable testing and development with
Keystone SSL endpoints without having to make use of SSL
certificates signed by a trusted, public CA.

The patch introduces a new optional argument (insecure) to the
keystone, glance and neutron Ansible libraries. This is a
boolean value which, when true, enables these libraries to
access Keystone endpoints 'insecurely'. When these libraries
are used in plays, the appropriate value is set automatically
as per the above conditions.

Implements: blueprint keystone-federation
Change-Id: Ia07e7e201f901042dd06a86efe5c6f6725e9ce13
Jesse Pretorius 2015-07-07 21:01:20 +00:00
parent c1c7ffc1c7
commit 4341b79b3a
24 changed files with 126 additions and 15 deletions

@ -144,6 +144,8 @@ keystone_service_adminurl_v3: "{{ keystone_service_adminuri_v3 }}/v3"
keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}" keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}"
keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}" keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
keystone_service_region: "{{ service_region }}" keystone_service_region: "{{ service_region }}"
keystone_service_adminuri_insecure: false
keystone_service_internaluri_insecure: false
## Horizon ## Horizon
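Review bot: The two new defaults, `keystone_service_adminuri_insecure` and `keystone_service_internaluri_insecure`, are added without a comment, and their names alone do not tell a deployer that `true` turns off certificate verification for clients of that Keystone endpoint. A comment above them such as `## Set to true only for test/dev Keystone endpoints with untrusted certificates; this disables TLS certificate verification` would carry the intent stated in the commit message into the file that deployers actually read.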

@ -53,8 +53,16 @@ options:
description: description:
- which version of the glance api to use - which version of the glance api to use
choices: choices:
- 1 (default) - 1
- 2 - 2
default: 1
insecure:
description:
- Explicitly allow client to perform "insecure" TLS
choices:
- false
- true
default: false
author: Hugh Saunders author: Hugh Saunders
""" """
@ -114,7 +122,9 @@ class ManageGlance(object):
def _keystone_authenticate(self): def _keystone_authenticate(self):
"""Authenticate with Keystone.""" """Authenticate with Keystone."""
openrc = self._parse_openrc() openrc = self._parse_openrc()
self.keystone = ksclient.Client(username=openrc['OS_USERNAME'], insecure = self.module.params['insecure']
self.keystone = ksclient.Client(insecure=insecure,
username=openrc['OS_USERNAME'],
password=openrc['OS_PASSWORD'], password=openrc['OS_PASSWORD'],
tenant_name=openrc['OS_TENANT_NAME'], tenant_name=openrc['OS_TENANT_NAME'],
auth_url=openrc['OS_AUTH_URL']) auth_url=openrc['OS_AUTH_URL'])
@ -209,7 +219,9 @@ def main():
image_container_format=dict(required=False), image_container_format=dict(required=False),
image_disk_format=dict(required=False), image_disk_format=dict(required=False),
image_is_public=dict(required=False, choices=BOOLEANS), image_is_public=dict(required=False, choices=BOOLEANS),
api_version=dict(default='1', required=False, choices=['1', '2']) api_version=dict(default='1', required=False, choices=['1', '2']),
insecure=dict(default=False, required=False,
choices=BOOLEANS + ['True', 'False'])
), ),
supports_check_mode=False supports_check_mode=False
) )
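Review bot: The new `insecure` option is declared with `choices=BOOLEANS + ['True', 'False']` but no `type='bool'`, so `self.module.params['insecure']` in `_keystone_authenticate` can be the string `'False'` when a play passes a templated value. A non-empty string is truthy in Python, so if the client tests the value by truthiness, certificate verification ends up disabled even though the flag is false. Declaring it as `insecure=dict(type='bool', default=False, required=False)` makes Ansible coerce the value before it reaches `ksclient.Client`. The keystone and neutron library sections of this commit add the same argument spec and need the same change. How the client treats a string is not visible here, so it is worth confirming with a run where the flag is false.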

@ -121,6 +121,13 @@ options:
'ensure_endpoint', 'ensure_role', 'ensure_user', 'ensure_endpoint', 'ensure_role', 'ensure_user',
'ensure_user_role', 'ensure_tenant'] 'ensure_user_role', 'ensure_tenant']
required: true required: true
insecure:
description:
- Explicitly allow client to perform "insecure" TLS
choices:
- false
- true
default: false
requirements: [ python-keystoneclient ] requirements: [ python-keystoneclient ]
author: Kevin Carter author: Kevin Carter
""" """
@ -357,7 +364,8 @@ class ManageKeystone(object):
'login_user', 'login_user',
'login_password', 'login_password',
'login_tenant_name', 'login_tenant_name',
'token' 'token',
'insecure'
] ]
variables_dict = self._get_vars(variables, required=required_vars) variables_dict = self._get_vars(variables, required=required_vars)
@ -366,6 +374,7 @@ class ManageKeystone(object):
login_password = variables_dict.pop('login_password') login_password = variables_dict.pop('login_password')
login_tenant_name = variables_dict.pop('login_tenant_name') login_tenant_name = variables_dict.pop('login_tenant_name')
token = variables_dict.pop('token') token = variables_dict.pop('token')
insecure = variables_dict.pop('insecure')
if token is None: if token is None:
if login_tenant_name is None: if login_tenant_name is None:
@ -386,9 +395,14 @@ class ManageKeystone(object):
) )
if token: if token:
self.keystone = client.Client(endpoint=endpoint, token=token) self.keystone = client.Client(
insecure=insecure,
endpoint=endpoint,
token=token
)
else: else:
self.keystone = client.Client( self.keystone = client.Client(
insecure=insecure,
auth_url=endpoint, auth_url=endpoint,
username=login_user, username=login_user,
password=login_password, password=login_password,
@ -797,6 +811,11 @@ def main():
required=True, required=True,
choices=COMMAND_MAP.keys() choices=COMMAND_MAP.keys()
), ),
insecure=dict(
default=False,
required=False,
choices=BOOLEANS + ['True', 'False']
),
return_code=dict( return_code=dict(
type='str', type='str',
default='0' default='0'
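Review bot: The option description `Explicitly allow client to perform "insecure" TLS` in the DOCUMENTATION block does not say what is switched off, which matters for a flag that weakens transport security. Suggested wording: `- Skip verification of the Keystone server certificate. Intended for test and development endpoints that use an untrusted certificate.` The glance and neutron library sections carry the same description text and would benefit from the same wording.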

@ -58,9 +58,16 @@ options:
router_external: router_external:
description: description:
- Specify router:external' when creating network - Specify router:external' when creating network
external_gateway_info external_gateway_info:
description: description:
- Specify external_gateway_info when creating router - Specify external_gateway_info when creating router
insecure:
description:
- Explicitly allow client to perform "insecure" TLS
choices:
- false
- true
default: false
author: Hugh Saunders author: Hugh Saunders
""" """
@ -247,7 +254,9 @@ class ManageNeutron(object):
def _keystone_authenticate(self): def _keystone_authenticate(self):
"""Authenticate with Keystone.""" """Authenticate with Keystone."""
openrc = self._parse_openrc() openrc = self._parse_openrc()
self.keystone = ksclient.Client(username=openrc['OS_USERNAME'], insecure = self.module.params['insecure']
self.keystone = ksclient.Client(insecure=insecure,
username=openrc['OS_USERNAME'],
password=openrc['OS_PASSWORD'], password=openrc['OS_PASSWORD'],
tenant_name=openrc['OS_TENANT_NAME'], tenant_name=openrc['OS_TENANT_NAME'],
auth_url=openrc['OS_AUTH_URL']) auth_url=openrc['OS_AUTH_URL'])
@ -396,7 +405,9 @@ def main():
router_external=dict(required=False), router_external=dict(required=False),
router_name=dict(required=False), router_name=dict(required=False),
external_gateway_info=dict(required=False), external_gateway_info=dict(required=False),
tenant_id=dict(required=False) tenant_id=dict(required=False),
insecure=dict(default=False, required=False,
choices=BOOLEANS + ['True', 'False'])
), ),
supports_check_mode=False supports_check_mode=False
) )

@ -23,6 +23,9 @@ openrc_os_username: admin
openrc_os_tenant_name: admin openrc_os_tenant_name: admin
openrc_os_auth_url: "http://127.0.0.1:5000" openrc_os_auth_url: "http://127.0.0.1:5000"
## Deliberately allow access to SSL endpoints with bad certificates
openrc_insecure: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
## Create file ## Create file
openrc_file_dest: "{{ ansible_env.HOME }}/openrc" openrc_file_dest: "{{ ansible_env.HOME }}/openrc"
openrc_file_owner: "{{ ansible_user_id }}" openrc_file_owner: "{{ ansible_user_id }}"
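Review bot: In `openrc_insecure` the `default(false)` filter is applied to the result of the `or` expression, so it does not cover either input variable being undefined, which is presumably what it was meant for. With strict undefined handling the expression would likely fail before the filter runs. Applying the default per variable keeps the fallback on the verifying side: `{{ (keystone_service_adminuri_insecure | default(false) | bool) or (keystone_service_internaluri_insecure | default(false) | bool) }}`. Note also that either flag being true enables `--insecure` for every client aliased in the openrc template, whichever endpoint that client talks to.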

@ -13,3 +13,15 @@ export OS_PASSWORD={{ openrc_os_password }}
export OS_TENANT_NAME={{ openrc_os_tenant_name }} export OS_TENANT_NAME={{ openrc_os_tenant_name }}
export OS_AUTH_URL={{ openrc_os_auth_url }} export OS_AUTH_URL={{ openrc_os_auth_url }}
export OS_NO_CACHE=1 export OS_NO_CACHE=1
{% if openrc_insecure | bool %}
# Convenience Aliases for Self-Signed Certs
alias cinder='cinder --insecure'
alias glance='glance --insecure'
alias heat='heat --insecure'
alias keystone='keystone --insecure'
alias neutron='neutron --insecure'
alias nova='nova --insecure'
alias openstack='openstack --insecure'
alias swift='swift --insecure'
{% endif %}
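Review bot: The aliases add `--insecure` to every invocation of eight clients, so certificate verification is off for all endpoints those clients reach, not only the Keystone internal and admin endpoints that the flags describe. Shell aliases are also not expanded in non-interactive shells by default, so scripts that source this file will behave differently from an operator's interactive session. Where the certificate is issued by a private CA, exporting `OS_CACERT` with the path to that CA bundle would keep verification on. At minimum the comment should state the effect, for example `# Certificate verification is DISABLED for these clients (test/dev only)`.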

@ -22,6 +22,7 @@
service_name: "{{ service_name }}" service_name: "{{ service_name }}"
service_type: "{{ service_type }}" service_type: "{{ service_type }}"
description: "{{ service_description }}" description: "{{ service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -40,6 +41,7 @@
user_name: "{{ service_user_name }}" user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}" tenant_name: "{{ service_tenant_name }}"
password: "{{ service_password }}" password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -58,6 +60,7 @@
user_name: "{{ service_user_name }}" user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}" tenant_name: "{{ service_tenant_name }}"
role_name: "{{ role_name }}" role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ service_publicurl }}" publicurl: "{{ service_publicurl }}"
adminurl: "{{ service_internalurl }}" adminurl: "{{ service_internalurl }}"
internalurl: "{{ service_adminurl }}" internalurl: "{{ service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5

@ -111,6 +111,7 @@ profiler_enabled = {{ cinder_profiler_enabled }}
trace_sqlalchemy = {{ cinder_profiler_trace_sqlalchemy }} trace_sqlalchemy = {{ cinder_profiler_trace_sqlalchemy }}
[keystone_authtoken] [keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ cinder_keystone_auth_plugin }} auth_plugin = {{ cinder_keystone_auth_plugin }}
signing_dir = /var/cache/cinder signing_dir = /var/cache/cinder
auth_url = {{ keystone_service_adminuri }} auth_url = {{ keystone_service_adminuri }}
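Review bot: `insecure` in `[keystone_authtoken]` is driven by `keystone_service_internaluri_insecure`, but the `auth_url` below it points at `keystone_service_adminuri`, so the flag that matches the endpoint being contacted appears to be `keystone_service_adminuri_insecure`. With only the admin flag set, the middleware would still verify and fail. With only the internal flag set, verification of the admin endpoint is dropped without anyone asking for that. If the section talks to both endpoints, `insecure = {{ (keystone_service_internaluri_insecure | bool) or (keystone_service_adminuri_insecure | bool) }}` states that explicitly. The glance-api, glance-registry, heat, neutron, nova and swift template sections in this commit add the same line next to an admin-URI setting.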

@ -22,6 +22,7 @@
service_name: "{{ glance_service_name }}" service_name: "{{ glance_service_name }}"
service_type: "{{ glance_service_type }}" service_type: "{{ glance_service_type }}"
description: "{{ glance_service_description }}" description: "{{ glance_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -40,6 +41,7 @@
user_name: "{{ glance_service_user_name }}" user_name: "{{ glance_service_user_name }}"
tenant_name: "{{ glance_service_project_name }}" tenant_name: "{{ glance_service_project_name }}"
password: "{{ glance_service_password }}" password: "{{ glance_service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -58,6 +60,7 @@
user_name: "{{ glance_service_user_name }}" user_name: "{{ glance_service_user_name }}"
tenant_name: "{{ glance_service_project_name }}" tenant_name: "{{ glance_service_project_name }}"
role_name: "{{ glance_role_name }}" role_name: "{{ glance_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ glance_service_publicurl }}" publicurl: "{{ glance_service_publicurl }}"
adminurl: "{{ glance_service_internalurl }}" adminurl: "{{ glance_service_internalurl }}"
internalurl: "{{ glance_service_adminurl }}" internalurl: "{{ glance_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5

@ -51,6 +51,7 @@ task_executor = {{ glance_task_executor }}
connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8 connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8
[keystone_authtoken] [keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ glance_keystone_auth_plugin }} auth_plugin = {{ glance_keystone_auth_plugin }}
signing_dir = {{ glance_system_user_home }}/cache/api signing_dir = {{ glance_system_user_home }}/cache/api
auth_url = {{ keystone_service_adminuri }} auth_url = {{ keystone_service_adminuri }}

@ -21,6 +21,7 @@ limit_param_default = 25
connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8 connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8
[keystone_authtoken] [keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ glance_keystone_auth_plugin }} auth_plugin = {{ glance_keystone_auth_plugin }}
signing_dir = {{ glance_system_user_home }}/cache/registry/ signing_dir = {{ glance_system_user_home }}/cache/registry/
auth_url = {{ keystone_service_adminuri }} auth_url = {{ keystone_service_adminuri }}

@ -22,6 +22,7 @@
service_name: "{{ service_name }}" service_name: "{{ service_name }}"
service_type: "{{ service_type }}" service_type: "{{ service_type }}"
description: "{{ service_description }}" description: "{{ service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -40,6 +41,7 @@
user_name: "{{ service_user_name }}" user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}" tenant_name: "{{ service_tenant_name }}"
password: "{{ service_password }}" password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -58,6 +60,7 @@
user_name: "{{ service_user_name }}" user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}" tenant_name: "{{ service_tenant_name }}"
role_name: "{{ role_name }}" role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ service_publicurl }}" publicurl: "{{ service_publicurl }}"
internalurl: "{{ service_internalurl }}" internalurl: "{{ service_internalurl }}"
adminurl: "{{ service_adminurl }}" adminurl: "{{ service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5

@ -63,6 +63,7 @@ trace_sqlalchemy = {{ heat_profiler_trace_sqlalchemy }}
[keystone_authtoken] [keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
signing_dir = /var/cache/heat signing_dir = /var/cache/heat
identity_uri = {{ keystone_service_adminuri }} identity_uri = {{ keystone_service_adminuri }}
auth_uri = {{ keystone_service_internalurl }} auth_uri = {{ keystone_service_internalurl }}

@ -197,11 +197,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
# ("saml2", _("Security Assertion Markup Language"))) # ("saml2", _("Security Assertion Markup Language")))
# Disable SSL certificate checks (useful for self-signed certificates): # Disable SSL certificate checks (useful for self-signed certificates):
{% if horizon_self_signed == true %} OPENSTACK_SSL_NO_VERIFY = {{ keystone_service_internaluri_insecure | bool }}
OPENSTACK_SSL_NO_VERIFY = True
{% else %}
OPENSTACK_SSL_NO_VERIFY = False
{% endif %}
{% if horizon_cacert_pem is defined %} {% if horizon_cacert_pem is defined %}
# The CA certificate to use to verify SSL connections # The CA certificate to use to verify SSL connections
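Review bot: `OPENSTACK_SSL_NO_VERIFY` no longer reads `horizon_self_signed`, so a deployment that set that variable silently gets a different verification setting after this change. The setting is now tied to `keystone_service_internaluri_insecure`, yet it likely governs Horizon's calls to every service API rather than Keystone alone, so enabling the Keystone flag widens what goes unverified. The comment above the line could say so, for example `# Follows keystone_service_internaluri_insecure; disables certificate checks for Horizon's API clients (test/dev only)`. Whether `horizon_self_signed` is still used elsewhere is not visible in this section, so an upgrade note for deployers would help. The `horizon_cacert_pem` block that follows is the route that keeps verification on with a private CA.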

@ -50,6 +50,7 @@
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
tenant_name: "{{ keystone_service_tenant_name }}" tenant_name: "{{ keystone_service_tenant_name }}"
description: "{{ keystone_service_description }}" description: "{{ keystone_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -66,6 +67,7 @@
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
tenant_name: "{{ keystone_admin_tenant_name }}" tenant_name: "{{ keystone_admin_tenant_name }}"
description: "{{ keystone_admin_description }}" description: "{{ keystone_admin_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -83,6 +85,7 @@
user_name: "{{ keystone_admin_user_name }}" user_name: "{{ keystone_admin_user_name }}"
tenant_name: "{{ keystone_admin_tenant_name }}" tenant_name: "{{ keystone_admin_tenant_name }}"
password: "{{ keystone_auth_admin_password }}" password: "{{ keystone_auth_admin_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -98,6 +101,7 @@
token: "{{ keystone_auth_admin_token }}" token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
role_name: "{{ keystone_role_name }}" role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -115,6 +119,7 @@
user_name: "{{ keystone_admin_user_name }}" user_name: "{{ keystone_admin_user_name }}"
tenant_name: "{{ keystone_admin_tenant_name }}" tenant_name: "{{ keystone_admin_tenant_name }}"
role_name: "{{ keystone_role_name }}" role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -132,6 +137,7 @@
service_name: "{{ keystone_service_name }}" service_name: "{{ keystone_service_name }}"
service_type: "{{ keystone_service_type }}" service_type: "{{ keystone_service_type }}"
description: "{{ keystone_service_description }}" description: "{{ keystone_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -150,6 +156,7 @@
user_name: "{{ keystone_service_user_name }}" user_name: "{{ keystone_service_user_name }}"
tenant_name: "{{ keystone_service_tenant_name }}" tenant_name: "{{ keystone_service_tenant_name }}"
password: "{{ keystone_service_password }}" password: "{{ keystone_service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -168,6 +175,7 @@
user_name: "{{ keystone_service_user_name }}" user_name: "{{ keystone_service_user_name }}"
tenant_name: "{{ keystone_service_tenant_name }}" tenant_name: "{{ keystone_service_tenant_name }}"
role_name: "{{ keystone_role_name }}" role_name: "{{ keystone_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -189,6 +197,7 @@
publicurl: "{{ keystone_service_publicurl }}" publicurl: "{{ keystone_service_publicurl }}"
adminurl: "{{ keystone_service_adminurl }}" adminurl: "{{ keystone_service_adminurl }}"
internalurl: "{{ keystone_service_internalurl }}" internalurl: "{{ keystone_service_internalurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5

@ -36,7 +36,7 @@
# These are used in the Neutron HA Cron job script, and processed in the template. # These are used in the Neutron HA Cron job script, and processed in the template.
- name: Creating Job Facts - name: Creating Job Facts
set_fact: set_fact:
do_job: ". /root/openrc && /opt/neutron-ha-tool.py --l3-agent-migrate" do_job: ". /root/openrc && /opt/neutron-ha-tool.py {% if keystone_service_internaluri_insecure | bool %}--insecure {% endif %}--l3-agent-migrate"
sleep_time: "{{ hashed_name.int_value }}" sleep_time: "{{ hashed_name.int_value }}"
tags: tags:
- neutron-ha-tool - neutron-ha-tool

@ -22,6 +22,7 @@
service_name: "{{ service_name }}" service_name: "{{ service_name }}"
service_type: "{{ service_type }}" service_type: "{{ service_type }}"
description: "{{ service_description }}" description: "{{ service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -40,6 +41,7 @@
user_name: "{{ service_user_name }}" user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}" tenant_name: "{{ service_tenant_name }}"
password: "{{ service_password }}" password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -58,6 +60,7 @@
user_name: "{{ service_user_name }}" user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}" tenant_name: "{{ service_tenant_name }}"
role_name: "{{ role_name }}" role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ service_publicurl }}" publicurl: "{{ service_publicurl }}"
adminurl: "{{ service_internalurl }}" adminurl: "{{ service_internalurl }}"
internalurl: "{{ service_adminurl }}" internalurl: "{{ service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5

@ -94,6 +94,7 @@ root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
[keystone_authtoken] [keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ neutron_keystone_auth_plugin }} auth_plugin = {{ neutron_keystone_auth_plugin }}
signing_dir = /var/cache/neutron signing_dir = /var/cache/neutron
auth_url = {{ keystone_service_adminuri }} auth_url = {{ keystone_service_adminuri }}

@ -22,6 +22,7 @@
service_name: "{{ service_name }}" service_name: "{{ service_name }}"
service_type: "{{ service_type }}" service_type: "{{ service_type }}"
description: "{{ service_description }}" description: "{{ service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -40,6 +41,7 @@
user_name: "{{ service_user_name }}" user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}" tenant_name: "{{ service_tenant_name }}"
password: "{{ service_password }}" password: "{{ service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -58,6 +60,7 @@
user_name: "{{ service_user_name }}" user_name: "{{ service_user_name }}"
tenant_name: "{{ service_tenant_name }}" tenant_name: "{{ service_tenant_name }}"
role_name: "{{ role_name }}" role_name: "{{ role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -79,6 +82,7 @@
publicurl: "{{ service_publicurl }}" publicurl: "{{ service_publicurl }}"
adminurl: "{{ service_internalurl }}" adminurl: "{{ service_internalurl }}"
internalurl: "{{ service_adminurl }}" internalurl: "{{ service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5

@ -157,6 +157,7 @@ enabled = false
[keystone_authtoken] [keystone_authtoken]
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ nova_keystone_auth_plugin }} auth_plugin = {{ nova_keystone_auth_plugin }}
signing_dir = {{ nova_system_home_folder }}/cache/api signing_dir = {{ nova_system_home_folder }}/cache/api
auth_url = {{ keystone_service_adminuri }} auth_url = {{ keystone_service_adminuri }}

@ -22,6 +22,7 @@
service_name: "{{ swift_service_name }}" service_name: "{{ swift_service_name }}"
service_type: "{{ swift_service_type }}" service_type: "{{ swift_service_type }}"
description: "{{ swift_service_description }}" description: "{{ swift_service_description }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -40,6 +41,7 @@
user_name: "{{ swift_service_user_name }}" user_name: "{{ swift_service_user_name }}"
tenant_name: "{{ swift_service_project_name }}" tenant_name: "{{ swift_service_project_name }}"
password: "{{ swift_service_password }}" password: "{{ swift_service_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -58,6 +60,7 @@
user_name: "{{ swift_service_user_name }}" user_name: "{{ swift_service_user_name }}"
tenant_name: "{{ swift_service_project_name }}" tenant_name: "{{ swift_service_project_name }}"
role_name: "{{ swift_service_role_name }}" role_name: "{{ swift_service_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -73,6 +76,7 @@
token: "{{ keystone_auth_admin_token }}" token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
role_name: "{{ swift_operator_role }}" role_name: "{{ swift_operator_role }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -90,6 +94,7 @@
user_name: "{{ swift_dispersion_user }}" user_name: "{{ swift_dispersion_user }}"
tenant_name: "{{ swift_service_project_name }}" tenant_name: "{{ swift_service_project_name }}"
password: "{{ swift_dispersion_password }}" password: "{{ swift_dispersion_password }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -107,6 +112,7 @@
user_name: "{{ swift_dispersion_user }}" user_name: "{{ swift_dispersion_user }}"
tenant_name: "{{ swift_service_project_name }}" tenant_name: "{{ swift_service_project_name }}"
role_name: "{{ swift_operator_role }}" role_name: "{{ swift_operator_role }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -128,6 +134,7 @@
publicurl: "{{ swift_service_publicurl }}" publicurl: "{{ swift_service_publicurl }}"
adminurl: "{{ swift_service_internalurl }}" adminurl: "{{ swift_service_internalurl }}"
internalurl: "{{ swift_service_adminurl }}" internalurl: "{{ swift_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5

@ -46,6 +46,7 @@ user_test_tester3 = testing3
{% elif swift_authtoken_active %} {% elif swift_authtoken_active %}
[filter:authtoken] [filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory paste.filter_factory = keystonemiddleware.auth_token:filter_factory
insecure = {{ keystone_service_internaluri_insecure | bool }}
auth_plugin = {{ swift_keystone_auth_plugin }} auth_plugin = {{ swift_keystone_auth_plugin }}
auth_url = {{ keystone_service_adminuri }} auth_url = {{ keystone_service_adminuri }}
auth_uri = {{ keystone_service_internaluri }} auth_uri = {{ keystone_service_internaluri }}

@ -22,6 +22,7 @@
image_container_format: bare image_container_format: bare
image_disk_format: qcow2 image_disk_format: qcow2
image_is_public: True image_is_public: True
insecure: "{{ keystone_service_internaluri_insecure }}"
tags: tags:
- tempest-setup - tempest-setup
- tempest-config - tempest-config
@ -40,6 +41,7 @@
tenant_name: "{{ item }}" tenant_name: "{{ item }}"
description: "{{ item }} Tenant" description: "{{ item }} Tenant"
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -59,6 +61,7 @@
password: "{{ item }}" password: "{{ item }}"
description: "{{ item }} User" description: "{{ item }} User"
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -77,6 +80,7 @@
user_name: "{{ item }}" user_name: "{{ item }}"
role_name: heat_stack_owner role_name: heat_stack_owner
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -93,6 +97,7 @@
token: "{{ keystone_auth_admin_token }}" token: "{{ keystone_auth_admin_token }}"
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
role_name: "reseller_admin" role_name: "reseller_admin"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -106,6 +111,7 @@
token: "{{ keystone_auth_admin_token }}" token: "{{ keystone_auth_admin_token }}"
role_name: remote_image role_name: remote_image
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -119,6 +125,7 @@
token: "{{ keystone_auth_admin_token }}" token: "{{ keystone_auth_admin_token }}"
tenant_name: demo tenant_name: demo
endpoint: "{{ keystone_service_adminurl }}" endpoint: "{{ keystone_service_adminurl }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
register: add_service register: add_service
until: add_service|success until: add_service|success
retries: 5 retries: 5
@ -140,6 +147,7 @@
openrc_path: /root/openrc openrc_path: /root/openrc
net_name: private net_name: private
tenant_id: "{{ keystone_demo_tenant_id }}" tenant_id: "{{ keystone_demo_tenant_id }}"
insecure: "{{ keystone_service_internaluri_insecure }}"
tags: tags:
- tempest-setup - tempest-setup
- tempest-config - tempest-config
@ -159,6 +167,7 @@
provider_network_type: flat provider_network_type: flat
provider_physical_network: flat provider_physical_network: flat
router_external: true router_external: true
insecure: "{{ keystone_service_internaluri_insecure }}"
tags: tags:
- tempest-setup - tempest-setup
- tempest-config - tempest-config
@ -178,6 +187,7 @@
subnet_name: private-subnet subnet_name: private-subnet
cidr: "{{ tempest_private_subnet_cidr }}" cidr: "{{ tempest_private_subnet_cidr }}"
tenant_id: "{{ keystone_demo_tenant_id }}" tenant_id: "{{ keystone_demo_tenant_id }}"
insecure: "{{ keystone_service_internaluri_insecure }}"
tags: tags:
- tempest-setup - tempest-setup
@ -188,6 +198,7 @@
net_name: public net_name: public
subnet_name: public-subnet subnet_name: public-subnet
cidr: "{{ tempest_public_subnet_cidr }}" cidr: "{{ tempest_public_subnet_cidr }}"
insecure: "{{ keystone_service_internaluri_insecure }}"
tags: tags:
- tempest-setup - tempest-setup
@ -198,6 +209,7 @@
router_name: router router_name: router
external_gateway_info: public external_gateway_info: public
tenant_id: "{{ keystone_demo_tenant_id }}" tenant_id: "{{ keystone_demo_tenant_id }}"
insecure: "{{ keystone_service_internaluri_insecure }}"
tags: tags:
- tempest-setup - tempest-setup
@ -207,6 +219,7 @@
openrc_path: /root/openrc openrc_path: /root/openrc
router_name: router router_name: router
subnet_name: private-subnet subnet_name: private-subnet
insecure: "{{ keystone_service_internaluri_insecure }}"
tags: tags:
- tempest-setup - tempest-setup

@ -112,7 +112,7 @@ alt_password = alt_demo
alt_username = alt_demo alt_username = alt_demo
auth_version = v2 auth_version = v2
catalog_type = identity catalog_type = identity
disable_ssl_certificate_validation = false disable_ssl_certificate_validation = {{ keystone_service_internaluri_insecure | bool }}
endpoint_type = internalURL endpoint_type = internalURL
password = demo password = demo
tenant_name = demo tenant_name = demo