This patch adds the option to provide an SSL certificate for the
Keystone service (either self-signed or user provided) and to
configure the endpoints and Keystone service appropriately.
* A new boolean variable called 'keystone_ssl' enables/disables
the configuration of SSL for the Keystone service.
* The server key/certificate (and optionally a CA cert) are
distributed to all keystone containers and used for the setup
of SSL endpoints if the appropriate protocol is set.
* The internal/public and the admin endpoints can be set to be
served via http or https separately via the
'keystone_service_*_proto' variables.
* The logic to determine the appropriate load balancing
configuration based on the Keystone endpoint protocol has
been implemented in the haproxy vars.
* Two new variables have been implemented for a user-provided
server key and certificate:
- keystone_user_ssl_cert: <path to cert on deployment host>
- keystone_user_ssl_key: <path to cert on deployment host>
If either of these is not defined, but a Keystone endpoint
has been configured for SSL, then the missing cert/key
will be self generated on the first Keystone container and
distributed to the other containers.
* A new variable has been implemented for a user-provided CA
certificate:
- keystone_user_ssl_ca_cert: <path to cert on deployment host>
* A new variable called 'keystone_ssl_self_signed_subject' has
been implemented to allow the user to override the certificate
properties, such as the CN and subjectAltName.
Upgrade notes:
* The SSL-based client authentication configuration in Apache
has been removed as it appears to be unused.
* The minimum Ansible version for the os_keystone and
haproxy_server roles has been increased to v1.9.0 as it's
the minimum version that supports ternary filters.
* The boolean 'keystone_ssl_enabled' has been renamed to
'keystone_ssl'. This maintains a pattern set in the haproxy
role for enablement of ssl offloading in the load balancer.
* The Apache configuration appropriately implements the
'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
directive in order to ensure that the appropriate signing
certificate is provided to the browser.
* The 'keystone_self_signed_regen' variable has been renamed
to 'keystone_ssl_self_signed_regen'.
* The default names for the deployed keys/certificates have been
changed:
- /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem
- /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key
DocImpact
Partial-Bug: #1466827
Implements: blueprint keystone-federation
Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee
Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>