From 1c4e8aa7bbe27d238828ec6c9881b0ac13618896 Mon Sep 17 00:00:00 2001
From: Travis Truman <travis_truman@cable.comcast.com>
Date: Fri, 4 Mar 2016 16:48:32 -0500
Subject: [PATCH] Role should default to no external SSL termination

This decouples the role more completely from the AIO
build default configuration in
Id87fab39c929e0860abbc3755ad386aa6893b151
which enables SSL termination at the HAProxy LB.

Change-Id: I076d20edd45a7b35e9db52e1fb65005971c06348
---
 defaults/main.yml | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 38a10c46..23592703 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -113,15 +113,19 @@ keystone_service_setup: true
 keystone_service_region: RegionOne
 keystone_service_name: keystone
 keystone_service_port: 5000
-keystone_service_proto: http
-keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
-keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
-keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
 keystone_service_type: identity
 keystone_service_description: "Keystone Identity Service"
 keystone_service_user_name: keystone
 keystone_service_tenant_name: service
 
+keystone_service_proto: http
+keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
+keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
+keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
+
+keystone_service_internaluri_insecure: false
+keystone_service_adminuri_insecure: false
+
 keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
@@ -138,8 +142,6 @@ keystone_service_publicurl: "{{ keystone_service_publicurl_v3 }}"
 keystone_service_internalurl: "{{ keystone_service_internalurl_v3 }}"
 keystone_service_adminurl: "{{ keystone_service_adminurl_v3 }}"
 
-keystone_service_internaluri_insecure: false
-keystone_service_adminuri_insecure: false
 
 ## Set this value to override the "public_endpoint" keystone.conf variable
 #keystone_public_endpoint: "{{ keystone_service_publicuri }}"
@@ -168,8 +170,11 @@ keystone_ssl_self_signed_subject: "/C=US/ST=Texas/L=San Antonio/O=IT/CN={{ inter
 #keystone_user_ssl_key: <path to cert on ansible deployment host>
 #keystone_user_ssl_ca_cert: <path to cert on ansible deployment host>
 
+
+# Set to true when terminating SSL/TLS at a load balancer
+keystone_external_ssl: false
+
 # External SSL forwarding proto
-keystone_ssl_external: true
 keystone_secure_proxy_ssl_header: HTTP_X_FORWARDED_PROTO
 
 ## Caching