From 8387b680f7724b80ff9cf4b4577e6a7afbd15322 Mon Sep 17 00:00:00 2001 From: Jean-Philippe Evrard Date: Thu, 21 Apr 2016 19:59:19 +0100 Subject: [PATCH] Change keystone admin/internal insecure flags Fixing the logic introduced in commit I921031c676776884cb121a7914fcd9c505345e67 and documenting the case where a deployer provides certs from a CA that is not globally valid. Change-Id: Ie0c2cac7ffd190c76acb9b4e650199dcdf724c4c --- doc/source/install-guide/configure-keystone.rst | 5 +++++ playbooks/inventory/group_vars/hosts.yml | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/source/install-guide/configure-keystone.rst b/doc/source/install-guide/configure-keystone.rst index b6b7c76dd6..58c5bd7f09 100644 --- a/doc/source/install-guide/configure-keystone.rst +++ b/doc/source/install-guide/configure-keystone.rst @@ -21,6 +21,11 @@ provide their own certificates by using the following Ansible variables in keystone_user_ssl_key: # Path to private key keystone_user_ssl_ca_cert: # Path to CA certificate +.. note:: If the deployer is providing certificate, key, and ca file for a + CA without chain of trust (or an invalid/self-generated ca), the variables + `keystone_service_internaluri_insecure` and + `keystone_service_adminuri_insecure` should be set to True. + Refer to `Securing services with SSL certificates`_ for more information on these configuration options and how deployers can provide their own certificates and keys to use with Keystone. diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml index 56a489b23b..6287e0dce4 100644 --- a/playbooks/inventory/group_vars/hosts.yml +++ b/playbooks/inventory/group_vars/hosts.yml
@@ -199,8 +199,8 @@ keystone_service_region: "{{ service_region }}"
 keystone_rabbitmq_userid: keystone
 keystone_rabbitmq_vhost: /keystone
-keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_ssl_cert is not defined or haproxy_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
-keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_ssl_cert is not defined or haproxy_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
+keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
+keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
 keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"