114 lines
4.4 KiB
Django/Jinja
114 lines
4.4 KiB
Django/Jinja
{% set keystone_log_dir = '/var/log/kolla/keystone' %}
|
|
{% set binary_path = '/var/lib/kolla/venv/bin' %}
|
|
{% if keystone_enable_tls_backend | bool %}
|
|
{% if kolla_base_distro in ['centos', 'rocky'] %}
|
|
LoadModule ssl_module /usr/lib64/httpd/modules/mod_ssl.so
|
|
{% else %}
|
|
LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
|
{% endif %}
|
|
{% endif %}
|
|
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}
|
|
|
|
ServerSignature Off
|
|
ServerTokens Prod
|
|
TraceEnable off
|
|
TimeOut {{ kolla_httpd_timeout }}
|
|
KeepAliveTimeout {{ kolla_httpd_keep_alive }}
|
|
|
|
ErrorLog "{{ keystone_log_dir }}/apache-error.log"
|
|
<IfModule log_config_module>
|
|
CustomLog "{{ keystone_log_dir }}/apache-access.log" common
|
|
</IfModule>
|
|
|
|
{% if keystone_logging_debug | bool %}
|
|
LogLevel info
|
|
{% endif %}
|
|
|
|
<Directory "{{ binary_path }}">
|
|
<FilesMatch "^keystone-wsgi-(public|admin)$">
|
|
AllowOverride None
|
|
Options None
|
|
Require all granted
|
|
</FilesMatch>
|
|
</Directory>
|
|
|
|
|
|
<VirtualHost *:{{ keystone_public_listen_port }}>
|
|
{# NOTE(darmach): with external tls enabled OIDC redirection fails, as TLS terminated on haproxy keystone is not aware that redirection should use https. -#}
|
|
{# With missing ServerName Keystone Apache uses fqdn, with http. Adding ServerName pointing to keystone_public_url corrects this. -#}
|
|
{% if kolla_enable_tls_external | bool %}
|
|
ServerName {{ keystone_public_url }}
|
|
{% endif %}
|
|
WSGIDaemonProcess keystone-public processes={{ keystone_api_workers }} threads=1 user=keystone group=keystone display-name=keystone-public
|
|
WSGIProcessGroup keystone-public
|
|
WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public
|
|
WSGIApplicationGroup %{GLOBAL}
|
|
WSGIPassAuthorization On
|
|
<IfVersion >= 2.4>
|
|
ErrorLogFormat "%{cu}t %M"
|
|
</IfVersion>
|
|
ErrorLog "{{ keystone_log_dir }}/keystone-apache-public-error.log"
|
|
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
|
|
CustomLog "{{ keystone_log_dir }}/keystone-apache-public-access.log" logformat
|
|
|
|
{% if keystone_enable_tls_backend | bool %}
|
|
SSLEngine on
|
|
SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
|
|
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
|
|
{% endif -%}
|
|
|
|
{% if keystone_enable_federation_openid | bool %}
|
|
OIDCClaimPrefix "OIDC-"
|
|
OIDCClaimDelimiter ";"
|
|
OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
|
|
OIDCScope "{{ keystone_federation_oidc_scopes }}"
|
|
OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
|
|
{% if keystone_federation_oidc_jwks_uri | length > 0 %}
|
|
OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }}
|
|
{% endif %}
|
|
{% if keystone_federation_openid_certificate_key_ids | length > 0 %}
|
|
OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }}
|
|
{% endif %}
|
|
OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }}
|
|
OIDCRedirectURI {{ keystone_public_url }}/redirect_uri
|
|
{% if enable_memcached | bool and keystone_oidc_enable_memcached | bool %}
|
|
OIDCCacheType memcache
|
|
OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}"
|
|
{% endif %}
|
|
|
|
<Location ~ "/redirect_uri">
|
|
Require valid-user
|
|
AuthType openid-connect
|
|
</Location>
|
|
|
|
{# WebSSO authentication endpoint -#}
|
|
<Location /v3/auth/OS-FEDERATION/websso/openid>
|
|
Require valid-user
|
|
AuthType openid-connect
|
|
</Location>
|
|
|
|
{% for idp in keystone_identity_providers %}
|
|
{% if idp.protocol == 'openid' %}
|
|
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/websso>
|
|
OIDCDiscoverURL {{ keystone_public_url }}/redirect_uri?iss={{ idp.identifier | urlencode }}
|
|
Require valid-user
|
|
AuthType openid-connect
|
|
</LocationMatch>
|
|
{% endif %}
|
|
{% endfor %}
|
|
|
|
{# CLI / API authentication endpoint -#}
|
|
{% for idp in keystone_identity_providers %}
|
|
{% if idp.protocol == 'openid' -%}
|
|
<LocationMatch /v3/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/auth>
|
|
Require valid-user
|
|
{# Note(jasonanderson): `auth-openidc` is a special auth type that can -#}
|
|
{# additionally handle verifying bearer tokens -#}
|
|
AuthType auth-openidc
|
|
</LocationMatch>
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
</VirtualHost>
|
|
|