Enable SSL termination for all services

This change makes it so that all services are expecting SSL termination
at the load balancer by default. This is more indicative of how a real
world deployment will be setup and is being added such that we can test
a more production like deployment system by default.

The AIO will now terminate SSL in HAProxy using a self-signed cert.

Change-Id: I09a7b9f0f180a79b4f46bb51322f96b1b2715f5b
Re-Implementation-Of: https://review.openstack.org/#/c/277199/9
Signed-off-by: Kevin Carter <kevin.carter@rackspace.com>

defaults/main.yml

@@ -108,9 +108,6 @@ keystone_admin_user_name: admin
 keystone_admin_tenant_name: admin
 keystone_admin_description: Admin Tenant
 
-## Secure Proxy SSL Information
-#keystone_secure_proxy_ssl_header: X-Forwarded-For
-
 ## Service Type and Data
 keystone_service_setup: true
 keystone_service_region: RegionOne
@@ -171,6 +168,10 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 #keystone_user_ssl_key: <path to cert on ansible deployment host>
 #keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
 
+# External SSL forwarding proto
+keystone_ssl_external: true
+keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
+
 ## Caching
 # If set this will enable dog pile cache for keystone.
 # keystone_cache_backend_argument: url:127.0.0.1:11211

templates/keystone.conf.j2

@@ -11,7 +11,7 @@ admin_endpoint = {{ keystone_service_adminuri }}
 fatal_deprecations = {{ keystone_fatal_deprecations }}
 member_role_name = {{ keystone_default_role_name }}
 
-{% if keystone_ssl | bool and keystone_secure_proxy_ssl_header is defined %}
+{% if keystone_external_ssl | bool %}
 secure_proxy_ssl_header = {{ keystone_secure_proxy_ssl_header }}
 {% endif %}