Rename keystone_ssl to keystone_backend_ssl

To standardize variable names across roles, this change renames
`keystone_ssl` to `keystone_backend_ssl`.
All other roles use `<service>_backend_ssl` format.
It also better describes what it does. With `keystone_ssl` it's unclear
whether it is about frontend or backend.

Backward compatibility will not be implemented because securing haproxy
traffic to its backends with TLS is currently not supported by OSA so
it is hard to leverage `keystone_ssl` variable anyway.

Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000
This commit is contained in:
Damian Dabrowski 2023-03-31 00:05:40 +02:00 committed by Damian Dąbrowski
parent 931695475c
commit 6661a9dab7
7 changed files with 16 additions and 10 deletions


@ -240,8 +240,9 @@ keystone_default_uwsgi_overrides:
uwsgi: uwsgi:
socket: "127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}" socket: "127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}"
# set keystone_ssl to true to enable SSL configuration on the keystone containers # Define if communication between haproxy and service backends should be
keystone_ssl: "{{ openstack_backend_service_https | default(False) }}" # encrypted with TLS.
keystone_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}"
# The local address used for the keystone node # The local address used for the keystone node
keystone_node_address: "{{ management_address | default('127.0.0.1') }}" keystone_node_address: "{{ management_address | default('127.0.0.1') }}"
@ -286,7 +287,7 @@ keystone_pki_certificates:
cn: "{{ ansible_facts['hostname'] }}" cn: "{{ ansible_facts['hostname'] }}"
san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address }}" san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address }}"
signed_by: "{{ keystone_pki_intermediate_cert_name }}" signed_by: "{{ keystone_pki_intermediate_cert_name }}"
condition: "{{ keystone_ssl }}" condition: "{{ keystone_backend_ssl }}"
# Set to the value of keystone_idp_authority_name to regenerate the IDP CA # Set to the value of keystone_idp_authority_name to regenerate the IDP CA
keystone_pki_regen_ca: '' keystone_pki_regen_ca: ''
@ -304,13 +305,13 @@ keystone_pki_install_certificates:
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}" group: "{{ keystone_system_group_name }}"
mode: "0644" mode: "0644"
condition: "{{ keystone_ssl }}" condition: "{{ keystone_backend_ssl }}"
- src: "{{ keystone_user_ssl_key | default(keystone_pki_keys_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '.key.pem') }}" - src: "{{ keystone_user_ssl_key | default(keystone_pki_keys_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '.key.pem') }}"
dest: "{{ keystone_ssl_key }}" dest: "{{ keystone_ssl_key }}"
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
group: "{{ keystone_system_group_name }}" group: "{{ keystone_system_group_name }}"
mode: "0600" mode: "0600"
condition: "{{ keystone_ssl }}" condition: "{{ keystone_backend_ssl }}"
- src: "{{ keystone_user_ssl_ca_cert | default(keystone_pki_intermediate_cert_path) }}" - src: "{{ keystone_user_ssl_ca_cert | default(keystone_pki_intermediate_cert_path) }}"
dest: "{{ keystone_ssl_ca_cert }}" dest: "{{ keystone_ssl_ca_cert }}"
owner: "{{ keystone_system_user_name }}" owner: "{{ keystone_system_user_name }}"
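Review bot: The fallback variable in the new default also changes, from `openstack_backend_service_https` to `openstack_service_backend_ssl` (the `keystone_backend_ssl:` line), while the commit message describes the change only as a rename of `keystone_ssl`. A deployment that still sets the old group variable, or `keystone_ssl` itself, will now evaluate `keystone_backend_ssl` to `False`, so the certificate installation entries conditioned on it and the `SSLEngine on` branch in the Apache template silently switch off. If the fallback rename is intentional it should be stated in the commit message and release note, and a defensive comment next to the variable would help readers of this file, e.g. `# Note: openstack_backend_service_https is no longer consulted; set openstack_service_backend_ssl instead.`. The release note says the old variable is "deprecated", which reads as if it still worked; given the description states no backward compatibility is kept, "removed" would be more accurate.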


@ -0,0 +1,5 @@
---
upgrade:
- |
Variable ``keystone_ssl`` was deprecated in favor of
``keystone_backend_ssl``.


@ -168,7 +168,7 @@
pki_certificates: "{{ keystone_pki_certificates }}" pki_certificates: "{{ keystone_pki_certificates }}"
pki_install_certificates: "{{ keystone_pki_install_certificates }}" pki_install_certificates: "{{ keystone_pki_install_certificates }}"
when: when:
- (keystone_ssl | bool) or (keystone_idp['certfile'] is defined) - (keystone_backend_ssl | bool) or (keystone_idp['certfile'] is defined)
tags: tags:
- keystone-config - keystone-config


@ -26,7 +26,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http" RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
{% endif %} {% endif %}
{% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%} {% if keystone_backend_ssl | bool and keystone_service_internaluri_proto == "https" -%}
SSLEngine on SSLEngine on
SSLCertificateFile {{ keystone_ssl_cert }} SSLCertificateFile {{ keystone_ssl_cert }}
SSLCertificateKeyFile {{ keystone_ssl_key }} SSLCertificateKeyFile {{ keystone_ssl_key }}


@ -36,7 +36,7 @@
timeout="3600" timeout="3600"
relayState="ss:mc" relayState="ss:mc"
checkAddress="false" checkAddress="false"
handlerSSL="{% if keystone_ssl | bool %}true{% else %}false{% endif %}" handlerSSL="{% if keystone_backend_ssl | bool %}true{% else %}false{% endif %}"
{% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}> {% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}>
<!-- Triggers a login request directly to the IdP. --> <!-- Triggers a login request directly to the IdP. -->


@ -82,7 +82,7 @@ keystone_apache_configs:
keystone_apache_modules: keystone_apache_modules:
- name: "ssl" - name: "ssl"
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}" state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
- name: "shib" - name: "shib"
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: "auth_openidc" - name: "auth_openidc"


@ -82,7 +82,7 @@ keystone_apache_configs:
keystone_apache_modules: keystone_apache_modules:
- name: "ssl" - name: "ssl"
state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}" state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}"
- name: "shib2" - name: "shib2"
state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}"
- name: "auth_openidc" - name: "auth_openidc"