b2e13a5128
OSA_CONFIG_DIR environemntal variable allows to manage several deployments from same deploy host. That is handy feature which was broken for several roles and usecases. It should be respected and handled properly. Change-Id: Ie6210a71f7b9890b74d9006de86050c822002c69
68 lines
2.6 KiB
YAML
68 lines
2.6 KiB
YAML
---
|
|
# Copyright 2017, Rackspace US, Inc.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
## SSL
|
|
# These do not need to be configured unless you're creating certificates for
|
|
# services running behind Apache (currently, Horizon and Keystone).
|
|
ssl_protocol: "ALL -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
|
|
# Cipher suite string from https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
|
|
ssl_cipher_suite_tls12: "{{ ssl_cipher_suite | default('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS') }}"
|
|
ssl_cipher_suite_tls13: "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
|
|
|
|
#variables used in OSA roles which call the PKI role
|
|
openstack_pki_dir: "{{ openstack_config_dir }}/pki"
|
|
openstack_pki_service_intermediate_cert_name: "ExampleCorpIntermediate"
|
|
|
|
openstack_pki_service_intermediate_cert_path: "{{ openstack_pki_dir ~ '/roots/' ~ openstack_pki_service_intermediate_cert_name ~ '/certs/' ~ openstack_pki_service_intermediate_cert_name ~ '.crt' }}"
|
|
|
|
# regenerate the CA or intermediate CA
|
|
openstack_pki_regen_ca: ''
|
|
|
|
#example self-signed certificate authority
|
|
openstack_pki_authorities:
|
|
- name: "ExampleCorpRoot"
|
|
provider: selfsigned
|
|
basic_constraints: "CA:TRUE"
|
|
cn: "Example Corp Root CA"
|
|
email_address: "pki@example.com"
|
|
country_name: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
- name: "ExampleCorpIntermediate"
|
|
provider: ownca
|
|
basic_constraints: "CA:TRUE,pathlen:0"
|
|
cn: "Example Corp Openstack Infrastructure Intermediate CA"
|
|
email_address: "pki@example.com"
|
|
country_name: "GB"
|
|
state_or_province_name: "England"
|
|
organization_name: "Example Corporation"
|
|
organizational_unit_name: "IT Security"
|
|
key_usage:
|
|
- digitalSignature
|
|
- cRLSign
|
|
- keyCertSign
|
|
not_after: "+3650d"
|
|
signed_by: "ExampleCorpRoot"
|
|
|
|
#install the root CA certificate on all hosts and containers
|
|
openstack_pki_install_ca:
|
|
- name: "ExampleCorpRoot"
|