Mohammed Naser 15e2d85f41 Fix logic to check for insecure Keystone
The logic to check for insecure Keystone would only validate if
both HAproxy and Keystone SSL is installed.  However, in the case
where SSL happens at either of those (ex. SSL at HAproxy only),
then it would still declare it as insecure (it is not however
as we're hitting the VIP which does SSL termination).

This changes the behaviour so that, if the protocol is HTTPS and
either the Keystone or HAproxy certificate is defined, the endpoint
is considered secure; otherwise it is insecure.

Closes-Bug: #1745479
Co-Authored-By: Logan V <logan2211@gmail.com>
Change-Id: I3683c5d50cab2d321337c71bed565d2e2ab861fc
2018-01-25 16:39:36 -05:00


---
# Copyright 2017, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
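# OpenRC and various OpenStack roles require the vars below so they are scoped
# to 'all' hosts.
#
# NOTE(review): keystone_service_proto defaults to plain http. Unless it, or one
# of the openstack_service_*uri_proto overrides, is set to https, every URI
# built below addresses Keystone without transport encryption.
keystone_admin_user_name: admin
keystone_admin_tenant_name: admin
keystone_admin_port: 35357
keystone_service_port: 5000
keystone_service_proto: http
keystone_service_region: "{{ service_region }}"

# How the three *_insecure values below are derived (same logic for each):
#   - protocol is not https -> False. There is no TLS session to verify, so
#     False here does not mean the channel is protected.
#   - protocol is https and keystone_user_ssl_cert or haproxy_user_ssl_cert is
#     defined -> False.
#   - protocol is https and neither variable is defined -> True.
# The value is presumably read by client roles as a "skip TLS certificate
# verification" switch -- confirm against the consumers. If so, the True case
# leaves those clients unable to detect an impersonated endpoint; defining a
# certificate the client hosts can validate is what turns verification back on.
# NOTE(review): 'is defined' is also satisfied by an empty value, and the test
# does not check that the certificate matches the VIP of the endpoint concerned.
# The template body must stay indented under its key: it is a block scalar, and
# YAML comments placed inside it would become part of the rendered value.

# Admin endpoint, reached through the internal load balancer VIP.
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_insecure: |-
  {% set _insecure = false %}
  {% if keystone_service_adminuri_proto == 'https' %}
  {% set _insecure = not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined) %}
  {% endif %}
  {{ _insecure }}
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"

# Internal endpoint, reached through the internal load balancer VIP.
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_insecure: |-
  {% set _insecure = false %}
  {% if keystone_service_internaluri_proto == 'https' %}
  {% set _insecure = not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined) %}
  {% endif %}
  {{ _insecure }}
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"

# Public endpoint, reached through the external load balancer VIP.
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_publicuri_insecure: |-
  {% set _insecure = false %}
  {% if keystone_service_publicuri_proto == 'https' %}
  {% set _insecure = not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined) %}
  {% endif %}
  {{ _insecure }}
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_publicurl: "{{ keystone_service_publicuri }}/v3"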