Change keystone admin/internal insecure flags

Fix the logic introduced in commit
I921031c676776884cb121a7914fcd9c505345e67 and document the case
where a deployer provides certs from a non-globally-valid CA.

Change-Id: Ie0c2cac7ffd190c76acb9b4e650199dcdf724c4c
Jean-Philippe Evrard
2016-04-21 19:59:19 +01:00
parent 6cb2ba7976
commit 8387b680f7
2 changed files with 7 additions and 2 deletions


@@ -21,6 +21,11 @@ provide their own certificates by using the following Ansible variables in
keystone_user_ssl_key: # Path to private key
keystone_user_ssl_ca_cert: # Path to CA certificate
.. note:: If the deployer is providing certificate, key, and ca file for a
CA without chain of trust (or an invalid/self-generated ca), the variables
`keystone_service_internaluri_insecure` and
`keystone_service_adminuri_insecure` should be set to True.
Refer to `Securing services with SSL certificates`_ for more information on
these configuration options and how deployers can provide their own
certificates and keys to use with Keystone.


@@ -199,8 +199,8 @@ keystone_service_region: "{{ service_region }}"
keystone_rabbitmq_userid: keystone
keystone_rabbitmq_vhost: /keystone
keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_ssl_cert is not defined or haproxy_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_ssl_cert is not defined or haproxy_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
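Review bot: Both new defaults for `keystone_service_internaluri_insecure` and `keystone_service_adminuri_insecure` turn certificate verification off whenever the protocol is https and either `keystone_user_ssl_cert` or `haproxy_user_ssl_cert` is undefined, and nothing on these lines tells a deployer that. Because the test is `or`, supplying only one of the two certificates still leaves verification disabled, and because it is `is not defined`, a variable that is defined but empty would presumably count as supplied; both are worth stating. I would add a comment above the pair, e.g. `# TLS verification is skipped (insecure=true) unless BOTH keystone_user_ssl_cert and haproxy_user_ssl_cert are set; override to false once clients trust the CA.` For a private CA, distributing the CA certificate to the clients is preferable to setting the flags to True, since the insecure setting leaves the internal and admin endpoints unauthenticated to their callers.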