From 6e5b0094d52bb5972e3b5d805afc5302f8696d2f Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Thu, 17 Jun 2021 12:48:05 +0300
Subject: [PATCH] Don't set keystone URI as unsecure

Once PKI items are merged, we should have all self-signed SSLs to be trusted, so no need in setting insecure even if no user cert is provided.

Additionally cover all endpoints with SSL certificates for AIO deployments in order to do CI testing of how properly CA is configured and distributed across containers.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/796940
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/797129
Depends-On: https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/797600
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_openrc/+/797818
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/797892
Change-Id: I0646b2c6d9e9e4e61f105abeb971726fa8f14274
---
 inventory/group_vars/all/keystone.yml | 18 +++---------------
 .../templates/user_variables.aio.yml.j2 | 4 ++++
 2 files changed, 7 insertions(+), 15 deletions(-)

diff --git a/inventory/group_vars/all/keystone.yml b/inventory/group_vars/all/keystone.yml
index 309499d2e0..f82f1022a7 100644
--- a/inventory/group_vars/all/keystone.yml
+++ b/inventory/group_vars/all/keystone.yml
@@ -24,31 +24,19 @@ keystone_service_proto: http
 keystone_service_region: "{{ service_region }}"
 keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
-keystone_service_adminuri_insecure: >-
- {{
- (keystone_service_adminuri_proto == 'https') and
- (not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined))
- }}
+keystone_service_adminuri_insecure: False
 keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
 keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
 keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
-keystone_service_internaluri_insecure: >-
- {{
- (keystone_service_internaluri_proto == 'https') and
- (not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined))
- }}
+keystone_service_internaluri_insecure: False
 keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
 keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
-keystone_service_publicuri_insecure: >-
- {{
- (keystone_service_publicuri_proto == 'https') and
- (not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined))
- }}
+keystone_service_publicuri_insecure: False
 keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_publicurl: "{{ keystone_service_publicuri }}/v3"
diff --git a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2 b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
index 1c4d405133..6616a418fd 100644
--- a/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
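Review bot: Hard-coding the three `keystone_service_*_insecure: False` values silently drops the previous automatic fallback for deployments whose VIP certificate is not in the hosts' trust store, and nothing in the file tells a deployer why verification now fails hard after an upgrade; add a comment above the first of them, e.g. `# TLS verification is always enforced: a self-signed or private-CA certificate on the VIP must be distributed to the hosts' trust store (PKI roles), not bypassed here.` Since these are plain group_vars they can presumably still be overridden from user_variables as an explicit opt-out, which the comment could mention so nobody reintroduces a conditional here. The three definitions are now identical literals, so a single shared default (something like `openstack_service_uri_insecure: False`) that each of them references would keep the policy in one place. The blank lines between the stanzas were lost when this hunk was collapsed, so this note is based on the keys alone.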
+++ b/tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
@@ -264,6 +264,10 @@ openstack_user_kernel_options:
 openstack_hosts_package_state: latest
+openstack_service_adminuri_proto: https
+openstack_service_internaluri_proto: https
+haproxy_ssl_all_vips: true
+
 {% if 'octavia' in bootstrap_host_scenarios_expanded %}
 # Enable Octavia V2 API/standalone
 octavia_v2: True
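Review bot: With certificate verification now enforced on the keystone URIs, serving the internal VIP over TLS via `haproxy_ssl_all_vips: true` only works if the certificate presented there is issued by the CA the PKI changes distribute and carries `internal_lb_vip_address` in its SANs, and the three new lines give no hint of that dependency; a comment such as `# Serve admin/internal endpoints over TLS too so CI exercises CA distribution; the VIP cert must cover internal_lb_vip_address` would save the next person a confusing handshake failure. Only the admin and internal protocols are set here, so unless `openstack_service_publicuri_proto` already defaults to https elsewhere the public endpoint is left out of the "all endpoints" coverage the commit message describes. `true` on the new line also differs from the `True` used for `octavia_v2` a few lines below; pick one boolean spelling for the file. The `{% if %}` block that follows the insertion continues outside the hunk.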