openstack/openstack-ansible
Code Issues Proposed changes

Don't set keystone URI as unsecure

Browse Source 
Once PKI items are merged, we should have all self-signed SSLs
to be trusted, so no need in setting insecure even if no user cert
is provided.

Additionally cover all endpoints with SSL certificates for AIO
deployments in order to do CI testing of how properly CA
is configured and distributed across containers.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-haproxy_server/+/796940
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_hosts/+/797129
Depends-On: https://review.opendev.org/c/openstack/ansible-role-uwsgi/+/797600
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-openstack_openrc/+/797818
Depends-On: https://review.opendev.org/c/openstack/openstack-ansible/+/797892
Change-Id: I0646b2c6d9e9e4e61f105abeb971726fa8f14274
This commit is contained in:
Dmitriy Rabotyagov 2021-06-17 12:48:05 +03:00
parent 112e0cd19a
commit 6e5b0094d5
2 changed files with 7 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
inventory/group_vars/all/keystone.yml
View File

@ -24,31 +24,19 @@ keystone_service_proto: http
keystone_service_region: "{{ service_region }}"
keystone_service_adminuri_proto: "{{ openstack_service_adminuri_proto | default(keystone_service_proto) }}"
keystone_service_adminuri_insecure: >-
{{
(keystone_service_adminuri_proto == 'https') and
(not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined))
}}
keystone_service_adminuri_insecure: False
keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
keystone_service_adminurl: "{{ keystone_service_adminuri }}/v3"
keystone_service_internaluri_proto: "{{ openstack_service_internaluri_proto | default(keystone_service_proto) }}"
keystone_service_internaluri_insecure: >-
{{
(keystone_service_internaluri_proto == 'https') and
(not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined))
}}
keystone_service_internaluri_insecure: False
keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_internalurl: "{{ keystone_service_internaluri }}/v3"
keystone_service_publicuri_proto: "{{ openstack_service_publicuri_proto | default(keystone_service_proto) }}"
keystone_service_publicuri_insecure: >-
{{
(keystone_service_publicuri_proto == 'https') and
(not (keystone_user_ssl_cert is defined or haproxy_user_ssl_cert is defined))
}}
keystone_service_publicuri_insecure: False
keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
keystone_service_publicurl: "{{ keystone_service_publicuri }}/v3"

4
tests/roles/bootstrap-host/templates/user_variables.aio.yml.j2
View File

@ -264,6 +264,10 @@ openstack_user_kernel_options:
openstack_hosts_package_state: latest
openstack_service_adminuri_proto: https
openstack_service_internaluri_proto: https
haproxy_ssl_all_vips: true
{% if 'octavia' in bootstrap_host_scenarios_expanded %}
# Enable Octavia V2 API/standalone
octavia_v2: True