From 4341b79b3a0040a9da937f695dd865e421c8b0e3 Mon Sep 17 00:00:00 2001 
From: Jesse Pretorius Date: Tue, 7 Jul 2015 21:01:20 +0000 Subject: [PATCH] Enable all services to use Keystone 'insecurely' This patch introduces an insecure flag for the Keystone internal and admin endpoints: * keystone_service_adminuri_insecure * keystone_service_internaluri_insecure Both values default to false. If you have setup SSL endpoints for Keystone using an untrusted certificate then you should set the appropriate flag to true in your user_variables. This patch is used to enable testing and development with Keystone SSL endpoints without having to make use of SSL certificates signed by a trusted, public CA. The patch introduces a new optional argument (insecure) to the keystone, glance and neutron Ansible libraries. This is a boolean value which, when true, enables these libraries to access Keystone endpoints 'insecurely'. When these libraries are used in plays, the appropriate value is set automatically as per the above conditions. Implements: blueprint keystone-federation Change-Id: Ia07e7e201f901042dd06a86efe5c6f6725e9ce13 --- etc/openstack_deploy/user_group_vars.yml | 2 ++ playbooks/library/glance | 18 ++++++++++++--- playbooks/library/keystone | 23 +++++++++++++++++-- playbooks/library/neutron | 17 +++++++++++--- .../roles/openstack_openrc/defaults/main.yml | 3 +++ .../roles/openstack_openrc/templates/openrc | 12 ++++++++++ .../os_cinder/tasks/cinder_service_add.yml | 4 ++++ .../roles/os_cinder/templates/cinder.conf.j2 | 1 + .../os_glance/tasks/glance_service_setup.yml | 4 ++++ .../os_glance/templates/glance-api.conf.j2 | 1 + .../templates/glance-registry.conf.j2 | 1 + .../roles/os_heat/tasks/heat_service_add.yml | 4 ++++ .../roles/os_heat/templates/heat.conf.j2 | 1 + .../templates/horizon_local_settings.py.j2 | 6 +---- .../tasks/keystone_service_setup.yml | 9 ++++++++ .../roles/os_neutron/tasks/neutron_l3_ha.yml | 2 +- .../os_neutron/tasks/neutron_service_add.yml | 4 ++++ .../os_neutron/templates/neutron.conf.j2 | 1 + 
.../roles/os_nova/tasks/nova_service_add.yml | 4 ++++ .../roles/os_nova/templates/nova.conf.j2 | 1 + .../os_swift/tasks/swift_service_setup.yml | 7 ++++++ .../os_swift/templates/proxy-server.conf.j2 | 1 + .../os_tempest/tasks/tempest_resources.yml | 13 +++++++++++ .../os_tempest/templates/tempest.conf.j2 | 2 +- 24 files changed, 126 insertions(+), 15 deletions(-) diff --git a/etc/openstack_deploy/user_group_vars.yml b/etc/openstack_deploy/user_group_vars.yml index 4f3f4fb76c..8836c4ed1f 100644 --- a/etc/openstack_deploy/user_group_vars.yml +++ b/etc/openstack_deploy/user_group_vars.yml @@ -144,6 +144,8 @@ keystone_service_adminurl_v3: "{{ keystone_service_adminuri_v3 }}/v3" keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}" keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}" keystone_service_region: "{{ service_region }}" +keystone_service_adminuri_insecure: false +keystone_service_internaluri_insecure: false ## Horizon diff --git a/playbooks/library/glance b/playbooks/library/glance index d042e64583..ac9508b2ec 100644 --- a/playbooks/library/glance +++ b/playbooks/library/glance @@ -53,8 +53,16 @@ options: description: - which version of the glance api to use choices: - - 1 (default) + - 1 - 2 + default: 1 + insecure: + description: + - Explicitly allow client to perform "insecure" TLS + choices: + - false + - true + default: false author: Hugh Saunders """ 
@@ -114,7 +122,9 @@ class ManageGlance(object): def _keystone_authenticate(self): """Authenticate with Keystone.""" openrc = self._parse_openrc() - self.keystone = ksclient.Client(username=openrc['OS_USERNAME'], + insecure = self.module.params['insecure'] + self.keystone = ksclient.Client(insecure=insecure, + username=openrc['OS_USERNAME'], password=openrc['OS_PASSWORD'], tenant_name=openrc['OS_TENANT_NAME'], auth_url=openrc['OS_AUTH_URL']) @@ -209,7 +219,9 @@ def main(): image_container_format=dict(required=False), image_disk_format=dict(required=False), image_is_public=dict(required=False, choices=BOOLEANS), - api_version=dict(default='1', required=False, choices=['1', '2']) + api_version=dict(default='1', required=False, choices=['1', '2']), + insecure=dict(default=False, required=False, + choices=BOOLEANS + ['True', 'False']) ), supports_check_mode=False ) diff --git a/playbooks/library/keystone b/playbooks/library/keystone index 5bf442916c..1760b508ad 100644 --- a/playbooks/library/keystone +++ b/playbooks/library/keystone @@ -121,6 +121,13 @@ options: 'ensure_endpoint', 'ensure_role', 'ensure_user', 'ensure_user_role', 'ensure_tenant'] required: true + insecure: + description: + - Explicitly allow client to perform "insecure" TLS + choices: + - false + - true + default: false requirements: [ python-keystoneclient ] author: Kevin Carter """ @@ -357,7 +364,8 @@ class ManageKeystone(object): 'login_user', 'login_password', 'login_tenant_name', - 'token' + 'token', + 'insecure' ] variables_dict = self._get_vars(variables, required=required_vars) @@ -366,6 +374,7 @@ class ManageKeystone(object): login_password = variables_dict.pop('login_password') login_tenant_name = variables_dict.pop('login_tenant_name') token = variables_dict.pop('token') + insecure = variables_dict.pop('insecure') if token is None: if login_tenant_name is None: 
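Review bot: In `_keystone_authenticate` the value is passed straight from `self.module.params['insecure']` into `ksclient.Client(insecure=insecure, ...)` without coercion, while the `main()` argument_spec in this file declares `insecure=dict(default=False, required=False, choices=BOOLEANS + ['True', 'False'])` with no `type='bool'`; the playbooks in this patch supply the option as a Jinja-rendered string (`"{{ keystone_service_adminuri_insecure }}"` renders to `"False"`), and keystoneclient treats the argument as a truth value, so a non-empty `"False"` would disable certificate verification even when the deployer left the flag off. Declare the option as a boolean, `insecure=dict(default=False, required=False, type='bool')`, or coerce at the call site with `insecure = self.module.boolean(self.module.params['insecure'])`. The same pattern is in the neutron library's `_keystone_authenticate` and `main()` hunks and in the keystone library's `main()` and `_authenticate` hunks, the latter unless `_get_vars`, which lies outside the hunk, already normalizes the value. If the glance/neutron clients built elsewhere in these classes also reach TLS endpoints, they presumably need the same flag, which this patch wires only into the Keystone client.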
@@ -386,9 +395,14 @@ class ManageKeystone(object): ) if token: - self.keystone = client.Client(endpoint=endpoint, token=token) + self.keystone = client.Client( + insecure=insecure, + endpoint=endpoint, + token=token + ) else: self.keystone = client.Client( + insecure=insecure, auth_url=endpoint, username=login_user, password=login_password, @@ -797,6 +811,11 @@ def main(): required=True, choices=COMMAND_MAP.keys() ), + insecure=dict( + default=False, + required=False, + choices=BOOLEANS + ['True', 'False'] + ), return_code=dict( type='str', default='0' diff --git a/playbooks/library/neutron b/playbooks/library/neutron index c60d5e58c5..9bd7fb752b 100644 --- a/playbooks/library/neutron +++ b/playbooks/library/neutron @@ -58,9 +58,16 @@ options: router_external: description: - Specify router:external' when creating network - external_gateway_info + external_gateway_info: description: - Specify external_gateway_info when creating router + insecure: + description: + - Explicitly allow client to perform "insecure" TLS + choices: + - false + - true + default: false author: Hugh Saunders """ @@ -247,7 +254,9 @@ class ManageNeutron(object): def _keystone_authenticate(self): """Authenticate with Keystone.""" openrc = self._parse_openrc() - self.keystone = ksclient.Client(username=openrc['OS_USERNAME'], + insecure = self.module.params['insecure'] + self.keystone = ksclient.Client(insecure=insecure, + username=openrc['OS_USERNAME'], password=openrc['OS_PASSWORD'], tenant_name=openrc['OS_TENANT_NAME'], auth_url=openrc['OS_AUTH_URL']) @@ -396,7 +405,9 @@ def main(): router_external=dict(required=False), router_name=dict(required=False), external_gateway_info=dict(required=False), - tenant_id=dict(required=False) + tenant_id=dict(required=False), + insecure=dict(default=False, required=False, + choices=BOOLEANS + ['True', 'False']) ), supports_check_mode=False ) 
diff --git a/playbooks/roles/openstack_openrc/defaults/main.yml b/playbooks/roles/openstack_openrc/defaults/main.yml index fda31de191..12982aa629 100644 --- a/playbooks/roles/openstack_openrc/defaults/main.yml +++ b/playbooks/roles/openstack_openrc/defaults/main.yml @@ -23,6 +23,9 @@ openrc_os_username: admin openrc_os_tenant_name: admin openrc_os_auth_url: "http://127.0.0.1:5000" +## Deliberately allow access to SSL endpoints with bad certificates +openrc_insecure: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}" + ## Create file openrc_file_dest: "{{ ansible_env.HOME }}/openrc" openrc_file_owner: "{{ ansible_user_id }}" diff --git a/playbooks/roles/openstack_openrc/templates/openrc b/playbooks/roles/openstack_openrc/templates/openrc index 1d43b554ee..749aa5fbb9 100644 --- a/playbooks/roles/openstack_openrc/templates/openrc +++ b/playbooks/roles/openstack_openrc/templates/openrc @@ -13,3 +13,15 @@ export OS_PASSWORD={{ openrc_os_password }} export OS_TENANT_NAME={{ openrc_os_tenant_name }} export OS_AUTH_URL={{ openrc_os_auth_url }} export OS_NO_CACHE=1 + +{% if openrc_insecure | bool %} +# Convenience Aliases for Self-Signed Certs +alias cinder='cinder --insecure' +alias glance='glance --insecure' +alias heat='heat --insecure' +alias keystone='keystone --insecure' +alias neutron='neutron --insecure' +alias nova='nova --insecure' +alias openstack='openstack --insecure' +alias swift='swift --insecure' +{% endif %} diff --git a/playbooks/roles/os_cinder/tasks/cinder_service_add.yml b/playbooks/roles/os_cinder/tasks/cinder_service_add.yml index 8e6fc495d9..5d727a85af 100644 --- a/playbooks/roles/os_cinder/tasks/cinder_service_add.yml +++ b/playbooks/roles/os_cinder/tasks/cinder_service_add.yml 
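Review bot: `openrc_insecure` ORs the admin and internal flags, so marking only the admin endpoint as untrusted switches off verification for every CLI alias in the generated openrc, including sessions that never touch the admin endpoint; the default `openrc_os_auth_url` shown in context points at port 5000, conventionally not the admin port, so keying this on the flag that matches the endpoint openrc actually targets would limit the exposure to the endpoint with the bad certificate. The trailing `| default(false)` never takes effect, because `default` only substitutes for an undefined value and the OR of two `| bool` results is always a boolean; if the intent is to tolerate undefined flags, the default belongs on each variable, e.g. `keystone_service_adminuri_insecure | default(false) | bool`. The alias block in the openrc template hunk inherits the same over-broad scope.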
@@ -22,6 +22,7 @@ service_name: "{{ service_name }}" service_type: "{{ service_type }}" description: "{{ service_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -40,6 +41,7 @@ user_name: "{{ service_user_name }}" tenant_name: "{{ service_tenant_name }}" password: "{{ service_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -58,6 +60,7 @@ user_name: "{{ service_user_name }}" tenant_name: "{{ service_tenant_name }}" role_name: "{{ role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -79,6 +82,7 @@ publicurl: "{{ service_publicurl }}" adminurl: "{{ service_internalurl }}" internalurl: "{{ service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 diff --git a/playbooks/roles/os_cinder/templates/cinder.conf.j2 b/playbooks/roles/os_cinder/templates/cinder.conf.j2 index 7b4060decf..89c50a15ab 100644 --- a/playbooks/roles/os_cinder/templates/cinder.conf.j2 +++ b/playbooks/roles/os_cinder/templates/cinder.conf.j2 @@ -111,6 +111,7 @@ profiler_enabled = {{ cinder_profiler_enabled }} trace_sqlalchemy = {{ cinder_profiler_trace_sqlalchemy }} [keystone_authtoken] +insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ cinder_keystone_auth_plugin }} signing_dir = /var/cache/cinder auth_url = {{ keystone_service_adminuri }} diff --git a/playbooks/roles/os_glance/tasks/glance_service_setup.yml b/playbooks/roles/os_glance/tasks/glance_service_setup.yml index e0ed4f105d..c7c10077f1 100644 --- a/playbooks/roles/os_glance/tasks/glance_service_setup.yml +++ b/playbooks/roles/os_glance/tasks/glance_service_setup.yml 
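Review bot: In the `[keystone_authtoken]` section the new `insecure` line is driven by `keystone_service_internaluri_insecure`, but the endpoint the middleware itself connects to for token validation is `auth_url = {{ keystone_service_adminuri }}` a few lines below, so the flag is keyed on the wrong endpoint: an untrusted admin certificate with a trusted internal one will fail token validation, and the opposite case disables verification toward an endpoint that would validate fine. If keystonemiddleware behaves as I recall, it uses `auth_url`/`identity_uri` for its own requests and only advertises `auth_uri` to clients, in which case `insecure = {{ keystone_service_adminuri_insecure | bool }}` is the right line here, unless the two URIs are guaranteed to share a certificate, which this patch's separate flags suggest they are not. The same mismatch is in glance-api.conf.j2, glance-registry.conf.j2, heat.conf.j2 (where `identity_uri` is the admin URI), neutron.conf.j2, nova.conf.j2 and proxy-server.conf.j2.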
@@ -22,6 +22,7 @@ service_name: "{{ glance_service_name }}" service_type: "{{ glance_service_type }}" description: "{{ glance_service_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -40,6 +41,7 @@ user_name: "{{ glance_service_user_name }}" tenant_name: "{{ glance_service_project_name }}" password: "{{ glance_service_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -58,6 +60,7 @@ user_name: "{{ glance_service_user_name }}" tenant_name: "{{ glance_service_project_name }}" role_name: "{{ glance_role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -79,6 +82,7 @@ publicurl: "{{ glance_service_publicurl }}" adminurl: "{{ glance_service_internalurl }}" internalurl: "{{ glance_service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 diff --git a/playbooks/roles/os_glance/templates/glance-api.conf.j2 b/playbooks/roles/os_glance/templates/glance-api.conf.j2 index b86127c85b..57c85d2542 100644 --- a/playbooks/roles/os_glance/templates/glance-api.conf.j2 +++ b/playbooks/roles/os_glance/templates/glance-api.conf.j2 @@ -51,6 +51,7 @@ task_executor = {{ glance_task_executor }} connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8 [keystone_authtoken] +insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ glance_keystone_auth_plugin }} signing_dir = {{ glance_system_user_home }}/cache/api auth_url = {{ keystone_service_adminuri }} diff --git a/playbooks/roles/os_glance/templates/glance-registry.conf.j2 b/playbooks/roles/os_glance/templates/glance-registry.conf.j2 index 66ce65cbe5..2abf2df9c0 100644 
--- a/playbooks/roles/os_glance/templates/glance-registry.conf.j2 +++ b/playbooks/roles/os_glance/templates/glance-registry.conf.j2 @@ -21,6 +21,7 @@ limit_param_default = 25 connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8 [keystone_authtoken] +insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ glance_keystone_auth_plugin }} signing_dir = {{ glance_system_user_home }}/cache/registry/ auth_url = {{ keystone_service_adminuri }} diff --git a/playbooks/roles/os_heat/tasks/heat_service_add.yml b/playbooks/roles/os_heat/tasks/heat_service_add.yml index 49c5660723..86613695c5 100644 --- a/playbooks/roles/os_heat/tasks/heat_service_add.yml +++ b/playbooks/roles/os_heat/tasks/heat_service_add.yml @@ -22,6 +22,7 @@ service_name: "{{ service_name }}" service_type: "{{ service_type }}" description: "{{ service_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -40,6 +41,7 @@ user_name: "{{ service_user_name }}" tenant_name: "{{ service_tenant_name }}" password: "{{ service_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -58,6 +60,7 @@ user_name: "{{ service_user_name }}" tenant_name: "{{ service_tenant_name }}" role_name: "{{ role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -79,6 +82,7 @@ publicurl: "{{ service_publicurl }}" internalurl: "{{ service_internalurl }}" adminurl: "{{ service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 diff --git a/playbooks/roles/os_heat/templates/heat.conf.j2 b/playbooks/roles/os_heat/templates/heat.conf.j2 index 7d63e3d918..2d35c56a5e 100644 
--- a/playbooks/roles/os_heat/templates/heat.conf.j2 +++ b/playbooks/roles/os_heat/templates/heat.conf.j2 @@ -63,6 +63,7 @@ trace_sqlalchemy = {{ heat_profiler_trace_sqlalchemy }} [keystone_authtoken] +insecure = {{ keystone_service_internaluri_insecure | bool }} signing_dir = /var/cache/heat identity_uri = {{ keystone_service_adminuri }} auth_uri = {{ keystone_service_internalurl }} diff --git a/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 b/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 index 99a4947e10..eb57f4df87 100644 --- a/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 +++ b/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 @@ -197,11 +197,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_" # ("saml2", _("Security Assertion Markup Language"))) # Disable SSL certificate checks (useful for self-signed certificates): -{% if horizon_self_signed == true %} -OPENSTACK_SSL_NO_VERIFY = True -{% else %} -OPENSTACK_SSL_NO_VERIFY = False -{% endif %} +OPENSTACK_SSL_NO_VERIFY = {{ keystone_service_internaluri_insecure | bool }} {% if horizon_cacert_pem is defined %} # The CA certificate to use to verify SSL connections diff --git a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml index 771971ce55..616837f703 100644 --- a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml +++ b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml @@ -50,6 +50,7 @@ endpoint: "{{ keystone_service_adminurl }}" tenant_name: "{{ keystone_service_tenant_name }}" description: "{{ keystone_service_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 
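Review bot: Replacing the `horizon_self_signed` conditional with `OPENSTACK_SSL_NO_VERIFY = {{ keystone_service_internaluri_insecure | bool }}` changes what the setting means: verification is now disabled for every service Horizon talks to whenever the Keystone internal endpoint is untrusted, and any `horizon_self_signed: true` a deployer already has in their variables is silently ignored. If `horizon_self_signed` is still declared in the role defaults (not part of this diff), it should either be removed, with the change called out in the commit message, or folded in, e.g. `OPENSTACK_SSL_NO_VERIFY = {{ (horizon_self_signed | default(false) | bool) or (keystone_service_internaluri_insecure | bool) }}`.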
@@ -66,6 +67,7 @@ endpoint: "{{ keystone_service_adminurl }}" tenant_name: "{{ keystone_admin_tenant_name }}" description: "{{ keystone_admin_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -83,6 +85,7 @@ user_name: "{{ keystone_admin_user_name }}" tenant_name: "{{ keystone_admin_tenant_name }}" password: "{{ keystone_auth_admin_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -98,6 +101,7 @@ token: "{{ keystone_auth_admin_token }}" endpoint: "{{ keystone_service_adminurl }}" role_name: "{{ keystone_role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -115,6 +119,7 @@ user_name: "{{ keystone_admin_user_name }}" tenant_name: "{{ keystone_admin_tenant_name }}" role_name: "{{ keystone_role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -132,6 +137,7 @@ service_name: "{{ keystone_service_name }}" service_type: "{{ keystone_service_type }}" description: "{{ keystone_service_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -150,6 +156,7 @@ user_name: "{{ keystone_service_user_name }}" tenant_name: "{{ keystone_service_tenant_name }}" password: "{{ keystone_service_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -168,6 +175,7 @@ user_name: "{{ keystone_service_user_name }}" tenant_name: "{{ keystone_service_tenant_name }}" role_name: "{{ keystone_role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 
@@ -189,6 +197,7 @@ publicurl: "{{ keystone_service_publicurl }}" adminurl: "{{ keystone_service_adminurl }}" internalurl: "{{ keystone_service_internalurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 diff --git a/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml b/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml index 3bbd546787..28c4e12070 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml @@ -36,7 +36,7 @@ # These are used in the Neutron HA Cron job script, and processed in the template. - name: Creating Job Facts set_fact: - do_job: ". /root/openrc && /opt/neutron-ha-tool.py --l3-agent-migrate" + do_job: ". /root/openrc && /opt/neutron-ha-tool.py {% if keystone_service_internaluri_insecure | bool %}--insecure {% endif %}--l3-agent-migrate" sleep_time: "{{ hashed_name.int_value }}" tags: - neutron-ha-tool diff --git a/playbooks/roles/os_neutron/tasks/neutron_service_add.yml b/playbooks/roles/os_neutron/tasks/neutron_service_add.yml index 55e0b6cb4c..ccdfa9a4a4 100644 --- a/playbooks/roles/os_neutron/tasks/neutron_service_add.yml +++ b/playbooks/roles/os_neutron/tasks/neutron_service_add.yml @@ -22,6 +22,7 @@ service_name: "{{ service_name }}" service_type: "{{ service_type }}" description: "{{ service_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -40,6 +41,7 @@ user_name: "{{ service_user_name }}" tenant_name: "{{ service_tenant_name }}" password: "{{ service_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -58,6 +60,7 @@ user_name: "{{ service_user_name }}" tenant_name: "{{ service_tenant_name }}" role_name: "{{ role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 
@@ -79,6 +82,7 @@ publicurl: "{{ service_publicurl }}" adminurl: "{{ service_internalurl }}" internalurl: "{{ service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 diff --git a/playbooks/roles/os_neutron/templates/neutron.conf.j2 b/playbooks/roles/os_neutron/templates/neutron.conf.j2 index 82b4943891..af03743bbf 100644 --- a/playbooks/roles/os_neutron/templates/neutron.conf.j2 +++ b/playbooks/roles/os_neutron/templates/neutron.conf.j2 @@ -94,6 +94,7 @@ root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf [keystone_authtoken] +insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ neutron_keystone_auth_plugin }} signing_dir = /var/cache/neutron auth_url = {{ keystone_service_adminuri }} diff --git a/playbooks/roles/os_nova/tasks/nova_service_add.yml b/playbooks/roles/os_nova/tasks/nova_service_add.yml index 20c4523991..60bfa48d80 100644 --- a/playbooks/roles/os_nova/tasks/nova_service_add.yml +++ b/playbooks/roles/os_nova/tasks/nova_service_add.yml @@ -22,6 +22,7 @@ service_name: "{{ service_name }}" service_type: "{{ service_type }}" description: "{{ service_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -40,6 +41,7 @@ user_name: "{{ service_user_name }}" tenant_name: "{{ service_tenant_name }}" password: "{{ service_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -58,6 +60,7 @@ user_name: "{{ service_user_name }}" tenant_name: "{{ service_tenant_name }}" role_name: "{{ role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 
@@ -79,6 +82,7 @@ publicurl: "{{ service_publicurl }}" adminurl: "{{ service_internalurl }}" internalurl: "{{ service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 diff --git a/playbooks/roles/os_nova/templates/nova.conf.j2 b/playbooks/roles/os_nova/templates/nova.conf.j2 index 3fb8be1bb5..2f8db64635 100644 --- a/playbooks/roles/os_nova/templates/nova.conf.j2 +++ b/playbooks/roles/os_nova/templates/nova.conf.j2 @@ -157,6 +157,7 @@ enabled = false [keystone_authtoken] +insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ nova_keystone_auth_plugin }} signing_dir = {{ nova_system_home_folder }}/cache/api auth_url = {{ keystone_service_adminuri }} diff --git a/playbooks/roles/os_swift/tasks/swift_service_setup.yml b/playbooks/roles/os_swift/tasks/swift_service_setup.yml index 08ef02ce66..a90fed52bd 100644 --- a/playbooks/roles/os_swift/tasks/swift_service_setup.yml +++ b/playbooks/roles/os_swift/tasks/swift_service_setup.yml @@ -22,6 +22,7 @@ service_name: "{{ swift_service_name }}" service_type: "{{ swift_service_type }}" description: "{{ swift_service_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -40,6 +41,7 @@ user_name: "{{ swift_service_user_name }}" tenant_name: "{{ swift_service_project_name }}" password: "{{ swift_service_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -58,6 +60,7 @@ user_name: "{{ swift_service_user_name }}" tenant_name: "{{ swift_service_project_name }}" role_name: "{{ swift_service_role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 
@@ -73,6 +76,7 @@ token: "{{ keystone_auth_admin_token }}" endpoint: "{{ keystone_service_adminurl }}" role_name: "{{ swift_operator_role }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -90,6 +94,7 @@ user_name: "{{ swift_dispersion_user }}" tenant_name: "{{ swift_service_project_name }}" password: "{{ swift_dispersion_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -107,6 +112,7 @@ user_name: "{{ swift_dispersion_user }}" tenant_name: "{{ swift_service_project_name }}" role_name: "{{ swift_operator_role }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -128,6 +134,7 @@ publicurl: "{{ swift_service_publicurl }}" adminurl: "{{ swift_service_internalurl }}" internalurl: "{{ swift_service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 diff --git a/playbooks/roles/os_swift/templates/proxy-server.conf.j2 b/playbooks/roles/os_swift/templates/proxy-server.conf.j2 index af34dc3f65..96071602ff 100644 --- a/playbooks/roles/os_swift/templates/proxy-server.conf.j2 +++ b/playbooks/roles/os_swift/templates/proxy-server.conf.j2 @@ -46,6 +46,7 @@ user_test_tester3 = testing3 {% elif swift_authtoken_active %} [filter:authtoken] paste.filter_factory = keystonemiddleware.auth_token:filter_factory +insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ swift_keystone_auth_plugin }} auth_url = {{ keystone_service_adminuri }} auth_uri = {{ keystone_service_internaluri }} diff --git a/playbooks/roles/os_tempest/tasks/tempest_resources.yml b/playbooks/roles/os_tempest/tasks/tempest_resources.yml index 26c41cdb50..a02782d02f 100644 --- a/playbooks/roles/os_tempest/tasks/tempest_resources.yml +++ b/playbooks/roles/os_tempest/tasks/tempest_resources.yml 
@@ -22,6 +22,7 @@ image_container_format: bare image_disk_format: qcow2 image_is_public: True + insecure: "{{ keystone_service_internaluri_insecure }}" tags: - tempest-setup - tempest-config @@ -40,6 +41,7 @@ tenant_name: "{{ item }}" description: "{{ item }} Tenant" endpoint: "{{ keystone_service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -59,6 +61,7 @@ password: "{{ item }}" description: "{{ item }} User" endpoint: "{{ keystone_service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -77,6 +80,7 @@ user_name: "{{ item }}" role_name: heat_stack_owner endpoint: "{{ keystone_service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -93,6 +97,7 @@ token: "{{ keystone_auth_admin_token }}" endpoint: "{{ keystone_service_adminurl }}" role_name: "reseller_admin" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -106,6 +111,7 @@ token: "{{ keystone_auth_admin_token }}" role_name: remote_image endpoint: "{{ keystone_service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -119,6 +125,7 @@ token: "{{ keystone_auth_admin_token }}" tenant_name: demo endpoint: "{{ keystone_service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -140,6 +147,7 @@ openrc_path: /root/openrc net_name: private tenant_id: "{{ keystone_demo_tenant_id }}" + insecure: "{{ keystone_service_internaluri_insecure }}" tags: - tempest-setup - tempest-config 
@@ -159,6 +167,7 @@ provider_network_type: flat provider_physical_network: flat router_external: true + insecure: "{{ keystone_service_internaluri_insecure }}" tags: - tempest-setup - tempest-config @@ -178,6 +187,7 @@ subnet_name: private-subnet cidr: "{{ tempest_private_subnet_cidr }}" tenant_id: "{{ keystone_demo_tenant_id }}" + insecure: "{{ keystone_service_internaluri_insecure }}" tags: - tempest-setup @@ -188,6 +198,7 @@ net_name: public subnet_name: public-subnet cidr: "{{ tempest_public_subnet_cidr }}" + insecure: "{{ keystone_service_internaluri_insecure }}" tags: - tempest-setup @@ -198,6 +209,7 @@ router_name: router external_gateway_info: public tenant_id: "{{ keystone_demo_tenant_id }}" + insecure: "{{ keystone_service_internaluri_insecure }}" tags: - tempest-setup @@ -207,6 +219,7 @@ openrc_path: /root/openrc router_name: router subnet_name: private-subnet + insecure: "{{ keystone_service_internaluri_insecure }}" tags: - tempest-setup diff --git a/playbooks/roles/os_tempest/templates/tempest.conf.j2 b/playbooks/roles/os_tempest/templates/tempest.conf.j2 index 28b59332af..6f38724ee1 100644 --- a/playbooks/roles/os_tempest/templates/tempest.conf.j2 +++ b/playbooks/roles/os_tempest/templates/tempest.conf.j2 @@ -112,7 +112,7 @@ alt_password = alt_demo alt_username = alt_demo auth_version = v2 catalog_type = identity -disable_ssl_certificate_validation = false +disable_ssl_certificate_validation = {{ keystone_service_internaluri_insecure | bool }} endpoint_type = internalURL password = demo tenant_name = demo