Add extra headers for Keystone

This patch allows deployers to add arbitrary headers to Keystone
responses. This can be handy for CORS or for passing certain
headers through nginx to the requester.

Closes-Bug: 1695827
Change-Id: I8f838ecce118cb36081b98f483ddef465ddbae3f

defaults/main.yml

@@ -488,3 +488,17 @@ keystone_required_secrets:
   - keystone_service_password
 
 keystone_uwsgi_init_overrides: {}
+
+## Extra HTTP headers for Keystone
+# Add any additional headers here that Keystone should return.
+#
+# Example:
+#
+#   keystone_extra_headers:
+#     - parameter: "Access-Control-Expose-Headers"
+#       value: "X-Subject-Token"
+#     - parameter: "Access-Control-Allow-Headers"
+#       value: "Content-Type, X-Auth-Token"
+#     - parameter: "Access-Control-Allow-Origin"
+#       value: "*"
+keystone_extra_headers: []

releasenotes/notes/extra-headers-e54a672d3a78dd89.yaml

@@ -0,0 +1,15 @@
+---
+features:
+  - |
+    Extra headers can be added to Keystone responses by adding items to
+    ``keystone_extra_headers``. Example:
+
+    .. code-block:: yaml
+
+        keystone_extra_headers:
+          - parameter: "Access-Control-Expose-Headers"
+            value: "X-Subject-Token"
+          - parameter: "Access-Control-Allow-Headers"
+            value: "Content-Type, X-Auth-Token"
+          - parameter: "Access-Control-Allow-Origin"
+            value: "*"

templates/keystone_nginx.conf.j2

@@ -30,5 +30,8 @@ server {
         include     uwsgi_params;
         uwsgi_pass  127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }};
         uwsgi_param SCRIPT_NAME '';
+{% for header in keystone_extra_headers %}
+        add_header "{{ header['parameter'] }}" "{{ header['value'] }}";
+{% endfor %}
     }
 }