diff --git a/etc/openstack_deploy/user_group_vars.yml b/etc/openstack_deploy/user_group_vars.yml
index 4f3f4fb76c..8836c4ed1f 100644
--- a/etc/openstack_deploy/user_group_vars.yml
+++ b/etc/openstack_deploy/user_group_vars.yml
@@ -144,6 +144,8 @@ keystone_service_adminurl_v3: "{{ keystone_service_adminuri_v3 }}/v3"
 keystone_cache_backend_argument: "url:{% for host in groups['memcached'] %}{{ hostvars[host]['container_address'] }}{% if not loop.last %},{% endif %}{% endfor %}:{{ memcached_port }}"
 keystone_memcached_servers: "{% for host in groups['keystone_all'] %}{{ hostvars[host]['container_address'] }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}"
 keystone_service_region: "{{ service_region }}"
+keystone_service_adminuri_insecure: false
+keystone_service_internaluri_insecure: false
 ## Horizon
diff --git a/playbooks/library/glance b/playbooks/library/glance
index d042e64583..ac9508b2ec 100644
--- a/playbooks/library/glance
+++ b/playbooks/library/glance
@@ -53,8 +53,16 @@ options:
 description:
 - which version of the glance api to use
 choices:
- - 1 (default)
+ - 1
 - 2
+ default: 1
+ insecure:
+ description:
+ - Explicitly allow client to perform "insecure" TLS
+ choices:
+ - false
+ - true
+ default: false
 author: Hugh Saunders
 """
@@ -114,7 +122,9 @@ class ManageGlance(object):
 def _keystone_authenticate(self):
 """Authenticate with Keystone."""
 openrc = self._parse_openrc()
- self.keystone = ksclient.Client(username=openrc['OS_USERNAME'],
+ insecure = self.module.params['insecure']
+ self.keystone = ksclient.Client(insecure=insecure,
+ username=openrc['OS_USERNAME'],
 password=openrc['OS_PASSWORD'],
 tenant_name=openrc['OS_TENANT_NAME'],
 auth_url=openrc['OS_AUTH_URL'])
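Review bot: `keystone_service_adminuri_insecure` and `keystone_service_internaluri_insecure` are added to user_group_vars.yml without a comment, although across this change they switch off TLS certificate verification in the library modules, the `keystone_authtoken` sections, Horizon, tempest and the openrc aliases. A line such as `## Set to true only for self-signed certificates; disables TLS certificate verification towards Keystone` above them would tell an operator what is given up. The defaults of `false` keep verification on, which is the right starting point.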
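Review bot: The option text `Explicitly allow client to perform "insecure" TLS` in the glance module's `options:` docstring does not say what is relaxed; `Skip TLS certificate verification when authenticating to Keystone` would be precise. In the hunk that follows, the value is passed only to `ksclient.Client`, so the description should not suggest that it also covers the connection to the Glance API unless code outside these hunks does that. The same wording is added to the docstrings in `playbooks/library/keystone` and `playbooks/library/neutron`.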
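Review bot: In `_keystone_authenticate` of `playbooks/library/glance`, `insecure` is read raw from `self.module.params`, and the `main()` hunk declares it with `choices=BOOLEANS + ['True', 'False']` and no `type='bool'`, so a string such as `'False'` or `'no'` can reach `ksclient.Client(insecure=...)`. If the client only tests truthiness (not visible here), any non-empty string would turn certificate verification off even when the operator asked for it to stay on. Declaring the option as `insecure=dict(default=False, required=False, type='bool')` hands the client a real boolean. The same declaration and pass-through are added in `playbooks/library/keystone` and `playbooks/library/neutron`, and the task files supply the value as a quoted Jinja expression, which is presumably how a string arrives. The body of `_keystone_authenticate` may continue outside the hunk.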
@@ -209,7 +219,9 @@ def main():
 image_container_format=dict(required=False),
 image_disk_format=dict(required=False),
 image_is_public=dict(required=False, choices=BOOLEANS),
- api_version=dict(default='1', required=False, choices=['1', '2'])
+ api_version=dict(default='1', required=False, choices=['1', '2']),
+ insecure=dict(default=False, required=False,
+ choices=BOOLEANS + ['True', 'False'])
 ),
 supports_check_mode=False
 )
diff --git a/playbooks/library/keystone b/playbooks/library/keystone
index 5bf442916c..1760b508ad 100644
--- a/playbooks/library/keystone
+++ b/playbooks/library/keystone
@@ -121,6 +121,13 @@ options:
 'ensure_endpoint', 'ensure_role', 'ensure_user', 'ensure_user_role', 'ensure_tenant']
 required: true
+ insecure:
+ description:
+ - Explicitly allow client to perform "insecure" TLS
+ choices:
+ - false
+ - true
+ default: false
 requirements: [ python-keystoneclient ]
 author: Kevin Carter
 """
@@ -357,7 +364,8 @@ class ManageKeystone(object):
 'login_user',
 'login_password',
 'login_tenant_name',
- 'token'
+ 'token',
+ 'insecure'
 ]
 variables_dict = self._get_vars(variables, required=required_vars)
@@ -366,6 +374,7 @@ class ManageKeystone(object):
 login_password = variables_dict.pop('login_password')
 login_tenant_name = variables_dict.pop('login_tenant_name')
 token = variables_dict.pop('token')
+ insecure = variables_dict.pop('insecure')
 if token is None:
 if login_tenant_name is None:
@@ -386,9 +395,14 @@ class ManageKeystone(object):
 )
 if token:
- self.keystone = client.Client(endpoint=endpoint, token=token)
+ self.keystone = client.Client(
+ insecure=insecure,
+ endpoint=endpoint,
+ token=token
+ )
 else:
 self.keystone = client.Client(
+ insecure=insecure,
 auth_url=endpoint,
 username=login_user,
 password=login_password,
@@ -797,6 +811,11 @@ def main():
 required=True,
 choices=COMMAND_MAP.keys()
 ),
+ insecure=dict(
+ default=False,
+ required=False,
+ choices=BOOLEANS + ['True', 'False']
+ ),
 return_code=dict(
 type='str',
 default='0'
diff --git a/playbooks/library/neutron b/playbooks/library/neutron
index c60d5e58c5..9bd7fb752b 100644
--- a/playbooks/library/neutron
+++ b/playbooks/library/neutron
@@ -58,9 +58,16 @@ options:
 router_external:
 description:
 - Specify router:external' when creating network
- external_gateway_info
+ external_gateway_info:
 description:
 - Specify external_gateway_info when creating router
+ insecure:
+ description:
+ - Explicitly allow client to perform "insecure" TLS
+ choices:
+ - false
+ - true
+ default: false
 author: Hugh Saunders
 """
@@ -247,7 +254,9 @@ class ManageNeutron(object):
 def _keystone_authenticate(self):
 """Authenticate with Keystone."""
 openrc = self._parse_openrc()
- self.keystone = ksclient.Client(username=openrc['OS_USERNAME'],
+ insecure = self.module.params['insecure']
+ self.keystone = ksclient.Client(insecure=insecure,
+ username=openrc['OS_USERNAME'],
 password=openrc['OS_PASSWORD'],
 tenant_name=openrc['OS_TENANT_NAME'],
 auth_url=openrc['OS_AUTH_URL'])
@@ -396,7 +405,9 @@ def main():
 router_external=dict(required=False),
 router_name=dict(required=False),
 external_gateway_info=dict(required=False),
- tenant_id=dict(required=False)
+ tenant_id=dict(required=False),
+ insecure=dict(default=False, required=False,
+ choices=BOOLEANS + ['True', 'False'])
 ),
 supports_check_mode=False
 )
diff --git a/playbooks/roles/openstack_openrc/defaults/main.yml b/playbooks/roles/openstack_openrc/defaults/main.yml
index fda31de191..12982aa629 100644
--- a/playbooks/roles/openstack_openrc/defaults/main.yml
+++ b/playbooks/roles/openstack_openrc/defaults/main.yml
@@ -23,6 +23,9 @@ openrc_os_username: admin
 openrc_os_tenant_name: admin
 openrc_os_auth_url: "http://127.0.0.1:5000"
+## Deliberately allow access to SSL endpoints with bad certificates
+openrc_insecure: "{{ (keystone_service_adminuri_insecure | bool or keystone_service_internaluri_insecure | bool) | default(false) }}"
+
 ## Create file
 openrc_file_dest: "{{ ansible_env.HOME }}/openrc"
 openrc_file_owner: "{{ ansible_user_id }}"
diff --git a/playbooks/roles/openstack_openrc/templates/openrc b/playbooks/roles/openstack_openrc/templates/openrc
index 1d43b554ee..749aa5fbb9 100644
--- a/playbooks/roles/openstack_openrc/templates/openrc
+++ b/playbooks/roles/openstack_openrc/templates/openrc
@@ -13,3 +13,15 @@ export OS_PASSWORD={{ openrc_os_password }}
 export OS_TENANT_NAME={{ openrc_os_tenant_name }}
 export OS_AUTH_URL={{ openrc_os_auth_url }}
 export OS_NO_CACHE=1
+
+{% if openrc_insecure | bool %}
+# Convenience Aliases for Self-Signed Certs
+alias cinder='cinder --insecure'
+alias glance='glance --insecure'
+alias heat='heat --insecure'
+alias keystone='keystone --insecure'
+alias neutron='neutron --insecure'
+alias nova='nova --insecure'
+alias openstack='openstack --insecure'
+alias swift='swift --insecure'
+{% endif %}
diff --git a/playbooks/roles/os_cinder/tasks/cinder_service_add.yml b/playbooks/roles/os_cinder/tasks/cinder_service_add.yml
index 8e6fc495d9..5d727a85af 100644
--- a/playbooks/roles/os_cinder/tasks/cinder_service_add.yml
+++ b/playbooks/roles/os_cinder/tasks/cinder_service_add.yml
@@ -22,6 +22,7 @@
 service_name: "{{ service_name }}"
 service_type: "{{ service_type }}"
 description: "{{ service_description }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
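Review bot: In `openrc_insecure` (openstack_openrc/defaults/main.yml), `| default(false)` is applied to the result of the `or` expression, which is always defined, so it never takes effect. An undefined `keystone_service_adminuri_insecure` or `keystone_service_internaluri_insecure` would still fail inside `| bool`, assuming undefined variables are treated as errors in this setup. Putting the default on each input fixes that and keeps verification on when neither variable is set: `openrc_insecure: "{{ (keystone_service_adminuri_insecure | default(false) | bool) or (keystone_service_internaluri_insecure | default(false) | bool) }}"`.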
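Review bot: The aliases added to the openrc template under `{% if openrc_insecure | bool %}` make every interactive call of `cinder`, `glance`, `heat`, `keystone`, `neutron`, `nova`, `openstack` and `swift` skip certificate verification, whichever endpoint it talks to, and the same file exports `OS_PASSWORD`. Because `openrc_insecure` becomes true when either the admin or the internal flag is set, one self-signed endpoint relaxes all of them. Exporting the signing CA through `OS_CACERT` would let the clients keep verifying in a self-signed deployment. If the aliases stay, the comment above them should state the effect, for example `# WARNING: these aliases disable TLS certificate verification for every CLI call`.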
@@ -40,6 +41,7 @@
 user_name: "{{ service_user_name }}"
 tenant_name: "{{ service_tenant_name }}"
 password: "{{ service_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -58,6 +60,7 @@
 user_name: "{{ service_user_name }}"
 tenant_name: "{{ service_tenant_name }}"
 role_name: "{{ role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -79,6 +82,7 @@
 publicurl: "{{ service_publicurl }}"
 adminurl: "{{ service_internalurl }}"
 internalurl: "{{ service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
diff --git a/playbooks/roles/os_cinder/templates/cinder.conf.j2 b/playbooks/roles/os_cinder/templates/cinder.conf.j2
index 7b4060decf..89c50a15ab 100644
--- a/playbooks/roles/os_cinder/templates/cinder.conf.j2
+++ b/playbooks/roles/os_cinder/templates/cinder.conf.j2
@@ -111,6 +111,7 @@ profiler_enabled = {{ cinder_profiler_enabled }}
 trace_sqlalchemy = {{ cinder_profiler_trace_sqlalchemy }}
 [keystone_authtoken]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_plugin = {{ cinder_keystone_auth_plugin }}
 signing_dir = /var/cache/cinder
 auth_url = {{ keystone_service_adminuri }}
diff --git a/playbooks/roles/os_glance/tasks/glance_service_setup.yml b/playbooks/roles/os_glance/tasks/glance_service_setup.yml
index e0ed4f105d..c7c10077f1 100644
--- a/playbooks/roles/os_glance/tasks/glance_service_setup.yml
+++ b/playbooks/roles/os_glance/tasks/glance_service_setup.yml
@@ -22,6 +22,7 @@
 service_name: "{{ glance_service_name }}"
 service_type: "{{ glance_service_type }}"
 description: "{{ glance_service_description }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
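Review bot: In the `[keystone_authtoken]` section of cinder.conf.j2, `insecure` is driven by `keystone_service_internaluri_insecure` while `auth_url` in the same section points at `keystone_service_adminuri`, so the flag that relaxes verification is not the one named after the endpoint configured there. An operator who sets only `keystone_service_adminuri_insecure` would not get this setting, and one who sets only the internal flag also relaxes verification for the admin URI connection. Either key the setting to both flags or add a template comment stating which connections it covers, for example `# applies to every Keystone connection made by auth_token`. The same pairing appears in the glance-api, glance-registry, heat (as `identity_uri`), neutron, nova and swift proxy-server templates.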
@@ -40,6 +41,7 @@
 user_name: "{{ glance_service_user_name }}"
 tenant_name: "{{ glance_service_project_name }}"
 password: "{{ glance_service_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -58,6 +60,7 @@
 user_name: "{{ glance_service_user_name }}"
 tenant_name: "{{ glance_service_project_name }}"
 role_name: "{{ glance_role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -79,6 +82,7 @@
 publicurl: "{{ glance_service_publicurl }}"
 adminurl: "{{ glance_service_internalurl }}"
 internalurl: "{{ glance_service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
diff --git a/playbooks/roles/os_glance/templates/glance-api.conf.j2 b/playbooks/roles/os_glance/templates/glance-api.conf.j2
index b86127c85b..57c85d2542 100644
--- a/playbooks/roles/os_glance/templates/glance-api.conf.j2
+++ b/playbooks/roles/os_glance/templates/glance-api.conf.j2
@@ -51,6 +51,7 @@ task_executor = {{ glance_task_executor }}
 connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8
 [keystone_authtoken]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_plugin = {{ glance_keystone_auth_plugin }}
 signing_dir = {{ glance_system_user_home }}/cache/api
 auth_url = {{ keystone_service_adminuri }}
diff --git a/playbooks/roles/os_glance/templates/glance-registry.conf.j2 b/playbooks/roles/os_glance/templates/glance-registry.conf.j2
index 66ce65cbe5..2abf2df9c0 100644
--- a/playbooks/roles/os_glance/templates/glance-registry.conf.j2
+++ b/playbooks/roles/os_glance/templates/glance-registry.conf.j2
@@ -21,6 +21,7 @@ limit_param_default = 25
 connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8
 [keystone_authtoken]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_plugin = {{ glance_keystone_auth_plugin }}
 signing_dir = {{ glance_system_user_home }}/cache/registry/
 auth_url = {{ keystone_service_adminuri }}
diff --git a/playbooks/roles/os_heat/tasks/heat_service_add.yml b/playbooks/roles/os_heat/tasks/heat_service_add.yml
index 49c5660723..86613695c5 100644
--- a/playbooks/roles/os_heat/tasks/heat_service_add.yml
+++ b/playbooks/roles/os_heat/tasks/heat_service_add.yml
@@ -22,6 +22,7 @@
 service_name: "{{ service_name }}"
 service_type: "{{ service_type }}"
 description: "{{ service_description }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -40,6 +41,7 @@
 user_name: "{{ service_user_name }}"
 tenant_name: "{{ service_tenant_name }}"
 password: "{{ service_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -58,6 +60,7 @@
 user_name: "{{ service_user_name }}"
 tenant_name: "{{ service_tenant_name }}"
 role_name: "{{ role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -79,6 +82,7 @@
 publicurl: "{{ service_publicurl }}"
 internalurl: "{{ service_internalurl }}"
 adminurl: "{{ service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
diff --git a/playbooks/roles/os_heat/templates/heat.conf.j2 b/playbooks/roles/os_heat/templates/heat.conf.j2
index 7d63e3d918..2d35c56a5e 100644
--- a/playbooks/roles/os_heat/templates/heat.conf.j2
+++ b/playbooks/roles/os_heat/templates/heat.conf.j2
@@ -63,6 +63,7 @@ trace_sqlalchemy = {{ heat_profiler_trace_sqlalchemy }}
 [keystone_authtoken]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
 signing_dir = /var/cache/heat
 identity_uri = {{ keystone_service_adminuri }}
 auth_uri = {{ keystone_service_internalurl }}
diff --git a/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2 b/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2
index 99a4947e10..eb57f4df87 100644
--- a/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2
+++ b/playbooks/roles/os_horizon/templates/horizon_local_settings.py.j2
@@ -197,11 +197,7 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
 # ("saml2", _("Security Assertion Markup Language")))
 # Disable SSL certificate checks (useful for self-signed certificates):
-{% if horizon_self_signed == true %}
-OPENSTACK_SSL_NO_VERIFY = True
-{% else %}
-OPENSTACK_SSL_NO_VERIFY = False
-{% endif %}
+OPENSTACK_SSL_NO_VERIFY = {{ keystone_service_internaluri_insecure | bool }}
 {% if horizon_cacert_pem is defined %}
 # The CA certificate to use to verify SSL connections
diff --git a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml
index 771971ce55..616837f703 100644
--- a/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml
+++ b/playbooks/roles/os_keystone/tasks/keystone_service_setup.yml
@@ -50,6 +50,7 @@
 endpoint: "{{ keystone_service_adminurl }}"
 tenant_name: "{{ keystone_service_tenant_name }}"
 description: "{{ keystone_service_description }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -66,6 +67,7 @@
 endpoint: "{{ keystone_service_adminurl }}"
 tenant_name: "{{ keystone_admin_tenant_name }}"
 description: "{{ keystone_admin_description }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
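Review bot: In horizon_local_settings.py.j2, `OPENSTACK_SSL_NO_VERIFY` is now tied to `keystone_service_internaluri_insecure`, and the `horizon_self_signed` variable it replaces is dropped without a fallback or a note. A deployment that still sets `horizon_self_signed: true` will render `False` here; that fails closed, but nothing tells the operator why Horizon stopped connecting. The setting presumably governs Horizon's backend API connections in general rather than Keystone alone (to be confirmed against the Horizon release in use), so the comment above it could say `# Controlled by keystone_service_internaluri_insecure; affects Horizon's API client connections`. The `horizon_cacert_pem` block that follows is the way to keep verification on with a private CA.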
@@ -83,6 +85,7 @@
 user_name: "{{ keystone_admin_user_name }}"
 tenant_name: "{{ keystone_admin_tenant_name }}"
 password: "{{ keystone_auth_admin_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -98,6 +101,7 @@
 token: "{{ keystone_auth_admin_token }}"
 endpoint: "{{ keystone_service_adminurl }}"
 role_name: "{{ keystone_role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -115,6 +119,7 @@
 user_name: "{{ keystone_admin_user_name }}"
 tenant_name: "{{ keystone_admin_tenant_name }}"
 role_name: "{{ keystone_role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -132,6 +137,7 @@
 service_name: "{{ keystone_service_name }}"
 service_type: "{{ keystone_service_type }}"
 description: "{{ keystone_service_description }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -150,6 +156,7 @@
 user_name: "{{ keystone_service_user_name }}"
 tenant_name: "{{ keystone_service_tenant_name }}"
 password: "{{ keystone_service_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -168,6 +175,7 @@
 user_name: "{{ keystone_service_user_name }}"
 tenant_name: "{{ keystone_service_tenant_name }}"
 role_name: "{{ keystone_role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -189,6 +197,7 @@
 publicurl: "{{ keystone_service_publicurl }}"
 adminurl: "{{ keystone_service_adminurl }}"
 internalurl: "{{ keystone_service_internalurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
diff --git a/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml b/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml
index 3bbd546787..28c4e12070 100644
--- a/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml
+++ b/playbooks/roles/os_neutron/tasks/neutron_l3_ha.yml
@@ -36,7 +36,7 @@
 # These are used in the Neutron HA Cron job script, and processed in the template.
 - name: Creating Job Facts
 set_fact:
- do_job: ". /root/openrc && /opt/neutron-ha-tool.py --l3-agent-migrate"
+ do_job: ". /root/openrc && /opt/neutron-ha-tool.py {% if keystone_service_internaluri_insecure | bool %}--insecure {% endif %}--l3-agent-migrate"
 sleep_time: "{{ hashed_name.int_value }}"
 tags:
 - neutron-ha-tool
diff --git a/playbooks/roles/os_neutron/tasks/neutron_service_add.yml b/playbooks/roles/os_neutron/tasks/neutron_service_add.yml
index 55e0b6cb4c..ccdfa9a4a4 100644
--- a/playbooks/roles/os_neutron/tasks/neutron_service_add.yml
+++ b/playbooks/roles/os_neutron/tasks/neutron_service_add.yml
@@ -22,6 +22,7 @@
 service_name: "{{ service_name }}"
 service_type: "{{ service_type }}"
 description: "{{ service_description }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -40,6 +41,7 @@
 user_name: "{{ service_user_name }}"
 tenant_name: "{{ service_tenant_name }}"
 password: "{{ service_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -58,6 +60,7 @@
 user_name: "{{ service_user_name }}"
 tenant_name: "{{ service_tenant_name }}"
 role_name: "{{ role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -79,6 +82,7 @@
 publicurl: "{{ service_publicurl }}"
 adminurl: "{{ service_internalurl }}"
 internalurl: "{{ service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
diff --git a/playbooks/roles/os_neutron/templates/neutron.conf.j2 b/playbooks/roles/os_neutron/templates/neutron.conf.j2
index 82b4943891..af03743bbf 100644
--- a/playbooks/roles/os_neutron/templates/neutron.conf.j2
+++ b/playbooks/roles/os_neutron/templates/neutron.conf.j2
@@ -94,6 +94,7 @@ root_helper = sudo /usr/local/bin/neutron-rootwrap /etc/neutron/rootwrap.conf
 [keystone_authtoken]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_plugin = {{ neutron_keystone_auth_plugin }}
 signing_dir = /var/cache/neutron
 auth_url = {{ keystone_service_adminuri }}
diff --git a/playbooks/roles/os_nova/tasks/nova_service_add.yml b/playbooks/roles/os_nova/tasks/nova_service_add.yml
index 20c4523991..60bfa48d80 100644
--- a/playbooks/roles/os_nova/tasks/nova_service_add.yml
+++ b/playbooks/roles/os_nova/tasks/nova_service_add.yml
@@ -22,6 +22,7 @@
 service_name: "{{ service_name }}"
 service_type: "{{ service_type }}"
 description: "{{ service_description }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -40,6 +41,7 @@
 user_name: "{{ service_user_name }}"
 tenant_name: "{{ service_tenant_name }}"
 password: "{{ service_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -58,6 +60,7 @@
 user_name: "{{ service_user_name }}"
 tenant_name: "{{ service_tenant_name }}"
 role_name: "{{ role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -79,6 +82,7 @@
 publicurl: "{{ service_publicurl }}"
 adminurl: "{{ service_internalurl }}"
 internalurl: "{{ service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
diff --git a/playbooks/roles/os_nova/templates/nova.conf.j2 b/playbooks/roles/os_nova/templates/nova.conf.j2
index 3fb8be1bb5..2f8db64635 100644
--- a/playbooks/roles/os_nova/templates/nova.conf.j2
+++ b/playbooks/roles/os_nova/templates/nova.conf.j2
@@ -157,6 +157,7 @@ enabled = false
 [keystone_authtoken]
+insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_plugin = {{ nova_keystone_auth_plugin }}
 signing_dir = {{ nova_system_home_folder }}/cache/api
 auth_url = {{ keystone_service_adminuri }}
diff --git a/playbooks/roles/os_swift/tasks/swift_service_setup.yml b/playbooks/roles/os_swift/tasks/swift_service_setup.yml
index 08ef02ce66..a90fed52bd 100644
--- a/playbooks/roles/os_swift/tasks/swift_service_setup.yml
+++ b/playbooks/roles/os_swift/tasks/swift_service_setup.yml
@@ -22,6 +22,7 @@
 service_name: "{{ swift_service_name }}"
 service_type: "{{ swift_service_type }}"
 description: "{{ swift_service_description }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -40,6 +41,7 @@
 user_name: "{{ swift_service_user_name }}"
 tenant_name: "{{ swift_service_project_name }}"
 password: "{{ swift_service_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -58,6 +60,7 @@
 user_name: "{{ swift_service_user_name }}"
 tenant_name: "{{ swift_service_project_name }}"
 role_name: "{{ swift_service_role_name }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -73,6 +76,7 @@
 token: "{{ keystone_auth_admin_token }}"
 endpoint: "{{ keystone_service_adminurl }}"
 role_name: "{{ swift_operator_role }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -90,6 +94,7 @@
 user_name: "{{ swift_dispersion_user }}"
 tenant_name: "{{ swift_service_project_name }}"
 password: "{{ swift_dispersion_password }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -107,6 +112,7 @@
 user_name: "{{ swift_dispersion_user }}"
 tenant_name: "{{ swift_service_project_name }}"
 role_name: "{{ swift_operator_role }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -128,6 +134,7 @@
 publicurl: "{{ swift_service_publicurl }}"
 adminurl: "{{ swift_service_internalurl }}"
 internalurl: "{{ swift_service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
diff --git a/playbooks/roles/os_swift/templates/proxy-server.conf.j2 b/playbooks/roles/os_swift/templates/proxy-server.conf.j2
index af34dc3f65..96071602ff 100644
--- a/playbooks/roles/os_swift/templates/proxy-server.conf.j2
+++ b/playbooks/roles/os_swift/templates/proxy-server.conf.j2
@@ -46,6 +46,7 @@ user_test_tester3 = testing3
 {% elif swift_authtoken_active %}
 [filter:authtoken]
 paste.filter_factory = keystonemiddleware.auth_token:filter_factory
+insecure = {{ keystone_service_internaluri_insecure | bool }}
 auth_plugin = {{ swift_keystone_auth_plugin }}
 auth_url = {{ keystone_service_adminuri }}
 auth_uri = {{ keystone_service_internaluri }}
diff --git a/playbooks/roles/os_tempest/tasks/tempest_resources.yml b/playbooks/roles/os_tempest/tasks/tempest_resources.yml
index 26c41cdb50..a02782d02f 100644
--- a/playbooks/roles/os_tempest/tasks/tempest_resources.yml
+++ b/playbooks/roles/os_tempest/tasks/tempest_resources.yml
@@ -22,6 +22,7 @@
 image_container_format: bare
 image_disk_format: qcow2
 image_is_public: True
+ insecure: "{{ keystone_service_internaluri_insecure }}"
 tags:
 - tempest-setup
 - tempest-config
@@ -40,6 +41,7 @@
 tenant_name: "{{ item }}"
 description: "{{ item }} Tenant"
 endpoint: "{{ keystone_service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -59,6 +61,7 @@
 password: "{{ item }}"
 description: "{{ item }} User"
 endpoint: "{{ keystone_service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -77,6 +80,7 @@
 user_name: "{{ item }}"
 role_name: heat_stack_owner
 endpoint: "{{ keystone_service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -93,6 +97,7 @@
 token: "{{ keystone_auth_admin_token }}"
 endpoint: "{{ keystone_service_adminurl }}"
 role_name: "reseller_admin"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -106,6 +111,7 @@
 token: "{{ keystone_auth_admin_token }}"
 role_name: remote_image
 endpoint: "{{ keystone_service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -119,6 +125,7 @@
 token: "{{ keystone_auth_admin_token }}"
 tenant_name: demo
 endpoint: "{{ keystone_service_adminurl }}"
+ insecure: "{{ keystone_service_adminuri_insecure }}"
 register: add_service
 until: add_service|success
 retries: 5
@@ -140,6 +147,7 @@
 openrc_path: /root/openrc
 net_name: private
 tenant_id: "{{ keystone_demo_tenant_id }}"
+ insecure: "{{ keystone_service_internaluri_insecure }}"
 tags:
 - tempest-setup
 - tempest-config
@@ -159,6 +167,7 @@
 provider_network_type: flat
 provider_physical_network: flat
 router_external: true
+ insecure: "{{ keystone_service_internaluri_insecure }}"
 tags:
 - tempest-setup
 - tempest-config
@@ -178,6 +187,7 @@
 subnet_name: private-subnet
 cidr: "{{ tempest_private_subnet_cidr }}"
 tenant_id: "{{ keystone_demo_tenant_id }}"
+ insecure: "{{ keystone_service_internaluri_insecure }}"
 tags:
 - tempest-setup
@@ -188,6 +198,7 @@
 net_name: public
 subnet_name: public-subnet
 cidr: "{{ tempest_public_subnet_cidr }}"
+ insecure: "{{ keystone_service_internaluri_insecure }}"
 tags:
 - tempest-setup
@@ -198,6 +209,7 @@
 router_name: router
 external_gateway_info: public
 tenant_id: "{{ keystone_demo_tenant_id }}"
+ insecure: "{{ keystone_service_internaluri_insecure }}"
 tags:
 - tempest-setup
@@ -207,6 +219,7 @@
 openrc_path: /root/openrc
 router_name: router
 subnet_name: private-subnet
+ insecure: "{{ keystone_service_internaluri_insecure }}"
 tags:
 - tempest-setup
diff --git a/playbooks/roles/os_tempest/templates/tempest.conf.j2 b/playbooks/roles/os_tempest/templates/tempest.conf.j2
index 28b59332af..6f38724ee1 100644
--- a/playbooks/roles/os_tempest/templates/tempest.conf.j2
+++ b/playbooks/roles/os_tempest/templates/tempest.conf.j2
@@ -112,7 +112,7 @@ alt_password = alt_demo
 alt_username = alt_demo
 auth_version = v2
 catalog_type = identity
-disable_ssl_certificate_validation = false
+disable_ssl_certificate_validation = {{ keystone_service_internaluri_insecure | bool }}
 endpoint_type = internalURL
 password = demo
 tenant_name = demo