openstack/openstack-ansible
Code Issues Proposed changes
Files
master
openstack-ansible/inventory/group_vars/all/ssl.yml
T
Damian Dabrowski 5f72ff2fa9 Do not define openstack_pki_san in integrated repo 
Explicit definition of `openstack_pki_san` in integrated repository is
reduntant because all service roles using PKI role already have a
`default()` filter applied that matches the value of `openstack_pki_san`
in integrated repo.

Example:

```
placement_pki_san: "{{ openstack_pki_san | default({'dns': [ansible_facts['hostname']], 'ip': [management_address]}) }}"
```

It's not necessary to define `openstack_pki_san` in integrated repo.
This patch removes it. However, it still can be used by the users to
override cert SAN globally for all openstack services.

Change-Id: Ia00c9c8a22218bc3ad2b37fc824eaa40430f5fe2
Signed-off-by: Damian Dabrowski <damian.dabrowski@cleura.com>
2025-12-17 16:04:21 +00:00

68 lines
2.5 KiB
YAML
Raw Permalink Blame History

---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
## SSL
# These do not need to be configured unless you're creating certificates for
# services running behind Apache (currently, Horizon and Keystone).
ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES256:ECDH+AES128:!aNULL:!SHA1:!AESCCM') }}"
ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
#variables used in OSA roles which call the PKI role
openstack_pki_dir: "{{ openstack_config_dir }}/pki"
openstack_pki_service_intermediate_cert_name: "ExampleCorpIntermediate"
openstack_pki_service_intermediate_cert_path: "{{ openstack_pki_dir ~ '/roots/' ~ openstack_pki_service_intermediate_cert_name ~ '/certs/' ~ openstack_pki_service_intermediate_cert_name ~ '.crt' }}"
# regenerate the CA or intermediate CA
openstack_pki_regen_ca: ''
#example self-signed certificate authority
openstack_pki_authorities:
- name: "ExampleCorpRoot"
provider: selfsigned
basic_constraints: "CA:TRUE"
cn: "Example Corp Root CA"
email_address: "pki@example.com"
country_name: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
ttl: "3650d"
- name: "ExampleCorpIntermediate"
provider: ownca
basic_constraints: "CA:TRUE,pathlen:0"
cn: "Example Corp Openstack Infrastructure Intermediate CA"
email_address: "pki@example.com"
country_name: "GB"
state_or_province_name: "England"
organization_name: "Example Corporation"
organizational_unit_name: "IT Security"
key_usage:
- digitalSignature
- cRLSign
- keyCertSign
ttl: "3650d"
signed_by: "ExampleCorpRoot"
#install the root CA certificate on all hosts and containers
openstack_pki_install_ca:
- name: "ExampleCorpRoot"
View Git Blame Copy Permalink