4b35b3e929
This patch adds the option to provide an SSL certificate for the Keystone service (either self-signed or user provided) and to configure the endpoints and Keystone service appropriately. * A new boolean variable called 'keystone_ssl' enables/disables the configuration of SSL for the Keystone service. * The server key/certificate (and optionally a CA cert) are distributed to all keystone containers and used for the setup of SSL endpoints if the appropriate protocol is set. * The internal/public and the admin endpoints can be set to be served via http or https seperately via the 'keystone_service_*_proto' variables. * The logic to determine the appropriate load balancing configuration based on the Keystone endpoint protocol has been implemented in the haproxy vars. * Two new variables have been implemented for a user-provided server key and certificate: - keystone_user_ssl_cert: <path to cert on deployment host> - keystone_user_ssl_key: <path to cert on deployment host> If either of these is not defined, but a Keystone endpoint has been configured for SSL, then the missing cert/key will be self generated on the first Keystone container and distributed to the other containers. * A new variable has been implemented for a user-provided CA certificate: - keystone_user_ssl_ca_cert: <path to cert on deployment host> * A new variable called 'keystone_ssl_self_signed_subject' has been implemented to allow the user to override the certificate properties, such as the CN and subjectAltName. Upgrade notes: * The SSL-based client authentication configuration in Apache has been removed as it appears to be unused. * The minimum Ansible version for the os_keystone and haproxy_server roles have been increased to v1.9.0 as it's the minimum version that supports ternary filters. * The boolean 'keystone_ssl_enabled' has been renamed to 'keystone_ssl'. This maintains a pattern set in the haproxy role for enablement of ssl offloading in the load balancer. * The Apache configuration appropriately implements the 'SSLCACertificateFile' instead of the 'SSLCACertificatePath' directive in order to ensure that the appropriate signing certificate is provided to the browser. * The 'keystone_self_signed_regen' variable has been renamed to 'keystone_ssl_self_signed_regen'. * The default names for the deployed keys/certificates have been changed: - /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem - /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key DocImpact Partial-Bug: #1466827 Implements: blueprint keystone-federation Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>
36 lines
1.2 KiB
YAML
36 lines
1.2 KiB
YAML
---
|
|
# Copyright 2014, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
- name: Distribute self signed cert and key
|
|
memcached:
|
|
name: "{{ item.name }}"
|
|
file_path: "{{ item.src }}"
|
|
state: "retrieve"
|
|
file_mode: "{{ item.file_mode }}"
|
|
dir_mode: "{{ item.dir_mode }}"
|
|
server: "{{ memcached_servers }}"
|
|
encrypt_string: "{{ memcached_encryption_key }}"
|
|
with_items:
|
|
- { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert", file_mode: "0644", dir_mode: "0755" }
|
|
- { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key", file_mode: "0640", dir_mode: "0750" }
|
|
register: memcache_keys
|
|
until: memcache_keys|success
|
|
retries: 5
|
|
delay: 2
|
|
notify: Restart Apache
|
|
tags:
|
|
- keystone-config
|
|
- keystone-ssl
|