Rename keystone_ssl to keystone_backend_ssl
To standardize variable names across roles, this change renames `keystone_ssl` to `keystone_backend_ssl`. All other roles use `<service>_backend_ssl` format. It also better describes what it does. With `keystone_ssl` it's unclear whether it is about frontend or backend. Backward compatibility will not be implemented because securing haproxy traffic to its backends with TLS is currently not supported by OSA so it is hard to leverage `keystone_ssl` variable anyway. Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
This commit is contained in:
parent
931695475c
commit
6661a9dab7
@ -240,8 +240,9 @@ keystone_default_uwsgi_overrides:
|
|||||||
uwsgi:
|
uwsgi:
|
||||||
socket: "127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}"
|
socket: "127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}"
|
||||||
|
|
||||||
# set keystone_ssl to true to enable SSL configuration on the keystone containers
|
# Define if communication between haproxy and service backends should be
|
||||||
keystone_ssl: "{{ openstack_backend_service_https | default(False) }}"
|
# encrypted with TLS.
|
||||||
|
keystone_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
|
||||||
|
|
||||||
# The local address used for the keystone node
|
# The local address used for the keystone node
|
||||||
keystone_node_address: "{{ management_address | default('127.0.0.1') }}"
|
keystone_node_address: "{{ management_address | default('127.0.0.1') }}"
|
||||||
@ -286,7 +287,7 @@ keystone_pki_certificates:
|
|||||||
cn: "{{ ansible_facts['hostname'] }}"
|
cn: "{{ ansible_facts['hostname'] }}"
|
||||||
san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address }}"
|
san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address }}"
|
||||||
signed_by: "{{ keystone_pki_intermediate_cert_name }}"
|
signed_by: "{{ keystone_pki_intermediate_cert_name }}"
|
||||||
condition: "{{ keystone_ssl }}"
|
condition: "{{ keystone_backend_ssl }}"
|
||||||
|
|
||||||
# Set to the value of keystone_idp_authority_name to regenerate the IDP CA
|
# Set to the value of keystone_idp_authority_name to regenerate the IDP CA
|
||||||
keystone_pki_regen_ca: ''
|
keystone_pki_regen_ca: ''
|
||||||
@ -304,13 +305,13 @@ keystone_pki_install_certificates:
|
|||||||
owner: "{{ keystone_system_user_name }}"
|
owner: "{{ keystone_system_user_name }}"
|
||||||
group: "{{ keystone_system_group_name }}"
|
group: "{{ keystone_system_group_name }}"
|
||||||
mode: "0644"
|
mode: "0644"
|
||||||
condition: "{{ keystone_ssl }}"
|
condition: "{{ keystone_backend_ssl }}"
|
||||||
- src: "{{ keystone_user_ssl_key | default(keystone_pki_keys_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
|
- src: "{{ keystone_user_ssl_key | default(keystone_pki_keys_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
|
||||||
dest: "{{ keystone_ssl_key }}"
|
dest: "{{ keystone_ssl_key }}"
|
||||||
owner: "{{ keystone_system_user_name }}"
|
owner: "{{ keystone_system_user_name }}"
|
||||||
group: "{{ keystone_system_group_name }}"
|
group: "{{ keystone_system_group_name }}"
|
||||||
mode: "0600"
|
mode: "0600"
|
||||||
condition: "{{ keystone_ssl }}"
|
condition: "{{ keystone_backend_ssl }}"
|
||||||
- src: "{{ keystone_user_ssl_ca_cert | default(keystone_pki_intermediate_cert_path) }}"
|
- src: "{{ keystone_user_ssl_ca_cert | default(keystone_pki_intermediate_cert_path) }}"
|
||||||
dest: "{{ keystone_ssl_ca_cert }}"
|
dest: "{{ keystone_ssl_ca_cert }}"
|
||||||
owner: "{{ keystone_system_user_name }}"
|
owner: "{{ keystone_system_user_name }}"
|
||||||
|
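Review bot: The default source for the flag changes as well as its name: `keystone_ssl` read `openstack_backend_service_https` while `keystone_backend_ssl` reads `openstack_service_backend_ssl`, and neither the commit message nor the release note mentions that second rename. A deployment that set `openstack_backend_service_https: true` in user variables would after this change silently evaluate the flag to `False`, so the `condition:` entries further down this file stop installing the certificate and key and the vhost is left serving plaintext. If the old group variable was ever honoured by other roles, the release note should name both renames, e.g. `Variable ``openstack_backend_service_https`` is likewise replaced by ``openstack_service_backend_ssl``.` The comment above `keystone_backend_ssl` could also make the source explicit: `# Defaults to openstack_service_backend_ssl; openstack_backend_service_https is no longer read.`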
5
releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml
Normal file
5
releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
Variable ``keystone_ssl`` was deprecated in favor of
|
||||||
|
``keystone_backend_ssl``.
|
@ -168,7 +168,7 @@
|
|||||||
pki_certificates: "{{ keystone_pki_certificates }}"
|
pki_certificates: "{{ keystone_pki_certificates }}"
|
||||||
pki_install_certificates: "{{ keystone_pki_install_certificates }}"
|
pki_install_certificates: "{{ keystone_pki_install_certificates }}"
|
||||||
when:
|
when:
|
||||||
- (keystone_ssl | bool) or (keystone_idp['certfile'] is defined)
|
- (keystone_backend_ssl | bool) or (keystone_idp['certfile'] is defined)
|
||||||
tags:
|
tags:
|
||||||
- keystone-config
|
- keystone-config
|
||||||
|
|
||||||
|
@ -26,7 +26,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
|
|||||||
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
|
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%}
|
{% if keystone_backend_ssl | bool and keystone_service_internaluri_proto == "https" -%}
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
SSLCertificateFile {{ keystone_ssl_cert }}
|
SSLCertificateFile {{ keystone_ssl_cert }}
|
||||||
SSLCertificateKeyFile {{ keystone_ssl_key }}
|
SSLCertificateKeyFile {{ keystone_ssl_key }}
|
||||||
|
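Review bot: `SSLEngine on` is still gated on `keystone_backend_ssl | bool and keystone_service_internaluri_proto == "https"`, so the renamed flag on its own does not give an encrypted backend: with `keystone_backend_ssl: true` and an `http` internal URI the defaults hunk installs the certificate and key (its conditions test `keystone_backend_ssl` alone) while this vhost keeps serving plaintext. The new name and its comment ("communication between haproxy and service backends should be encrypted with TLS") promise more than this condition delivers, so the coupling should be stated where the flag is defined, e.g. `# Apache only enables SSLEngine when keystone_service_internaluri_proto is also "https".` The enclosing `{% if %}` block continues outside the hunk.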
@ -36,7 +36,7 @@
|
|||||||
timeout="3600"
|
timeout="3600"
|
||||||
relayState="ss:mc"
|
relayState="ss:mc"
|
||||||
checkAddress="false"
|
checkAddress="false"
|
||||||
handlerSSL="{% if keystone_ssl | bool %}true{% else %}false{% endif %}"
|
handlerSSL="{% if keystone_backend_ssl | bool %}true{% else %}false{% endif %}"
|
||||||
{% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}>
|
{% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}>
|
||||||
|
|
||||||
<!-- Triggers a login request directly to the IdP. -->
|
<!-- Triggers a login request directly to the IdP. -->
|
||||||
|
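Review bot: `handlerSSL` now tracks `keystone_backend_ssl` alone, whereas the Apache vhost template in this commit enables `SSLEngine` only when `keystone_backend_ssl | bool and keystone_service_internaluri_proto == "https"`. In the case where the flag is true but the internal URI is `http`, Apache would serve plain HTTP while the SP, if `handlerSSL` has its documented meaning of requiring TLS for handler requests, would refuse them. The two templates should share one condition, e.g. `handlerSSL="{% if keystone_backend_ssl | bool and keystone_service_internaluri_proto == "https" %}true{% else %}false{% endif %}"`. The element these attributes belong to opens before the hunk.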
@ -82,7 +82,7 @@ keystone_apache_configs:
|
|||||||
|
|
||||||
keystone_apache_modules:
|
keystone_apache_modules:
|
||||||
- name: "ssl"
|
- name: "ssl"
|
||||||
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
|
||||||
- name: "shib"
|
- name: "shib"
|
||||||
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
|
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
|
||||||
- name: "auth_openidc"
|
- name: "auth_openidc"
|
||||||
|
@ -82,7 +82,7 @@ keystone_apache_configs:
|
|||||||
|
|
||||||
keystone_apache_modules:
|
keystone_apache_modules:
|
||||||
- name: "ssl"
|
- name: "ssl"
|
||||||
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}"
|
state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
|
||||||
- name: "shib2"
|
- name: "shib2"
|
||||||
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
|
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
|
||||||
- name: "auth_openidc"
|
- name: "auth_openidc"
|
||||||
|