Use ansible facts for distributing SSL certs/keys

The os_keystone role previously relied on a memcached deployment to transfer
SSL certificates and keys to all keystone nodes. Many of the openstack-ansible
repositories have refactored this behavior out in place of registering the
certificates and keys as ansible facts and using ansible's copy module to
transfer them to each node in the deployment.

This breaks the dependency of requiring memcached in order to deploy keystone
with SSL.

Change-Id: I8db39a2a4a54aa9814c1b05988f05bfcae94f222

tasks/keystone_ssl_key_create.yml

@@ -34,3 +34,16 @@
   tags:
     - keystone-configs
     - keystone-ssl
+
+- name: Ensure keystone user owns the self-signed key and certificate
+  file:
+    path: "{{ item }}"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    mode: "0640"
+  with_items:
+    - "{{ keystone_ssl_key }}"
+    - "{{ keystone_ssl_cert }}"
+  notify: Restart Apache
+  tags:
+    - keystone-ssl

tasks/keystone_ssl_key_distribute.yml

@@ -13,23 +13,33 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Distribute self signed cert and key
-  memcached:
-    name: "{{ item.name }}"
-    file_path: "{{ item.src }}"
-    state: "retrieve"
-    file_mode: "{{ item.file_mode }}"
-    dir_mode: "{{ item.dir_mode }}"
-    server: "{{ memcached_servers }}"
-    encrypt_string: "{{ memcached_encryption_key }}"
-  with_items:
-    - { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert", file_mode: "0644", dir_mode: "0755" }
-    - { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key", file_mode: "0640", dir_mode: "0750" }
-  register: memcache_keys
-  until: memcache_keys|success
-  retries: 5
-  delay: 2
-  notify: Restart Apache
+- name: Distribute self signed ssl key
+  copy:
+    dest: "{{ keystone_ssl_key }}"
+    content: "{{ hostvars[groups['keystone_all'][0]]['keystone_ssl_key_fact'] | b64decode }}"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    mode: "0640"
+  tags:
+    - keystone-ssl
+
+- name: Distribute self signed ssl cert
+  copy:
+    dest: "{{ keystone_ssl_cert }}"
+    content: "{{ hostvars[groups['keystone_all'][0]]['keystone_ssl_cert_fact'] | b64decode }}"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+    mode: "0640"
+  tags:
+    - keystone-ssl
+
+- name: Ensure keystone user owns the self-signed key and certificate
+  file:
+    path: "{{ item }}"
+    owner: "{{ keystone_system_user_name }}"
+    group: "{{ keystone_system_group_name }}"
+  with_items:
+    - "{{ keystone_ssl_key }}"
+    - "{{ keystone_ssl_cert }}"
   tags:
-    - keystone-config
     - keystone-ssl

tasks/keystone_ssl_key_store.yml

@@ -13,19 +13,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-- name: Store self signed cert and key
-  memcached:
-    name: "{{ item.name }}"
-    file_path: "{{ item.src }}"
-    state: "present"
-    server: "{{ memcached_servers }}"
-    encrypt_string: "{{ memcached_encryption_key }}"
-  with_items:
-    - { src: "{{ keystone_ssl_cert }}", name: "keystone_ssl_cert" }
-    - { src: "{{ keystone_ssl_key }}", name: "keystone_ssl_key" }
-  register: memcache_keys
-  until: memcache_keys|success
-  retries: 5
-  delay: 2
+- name: Store ssl cert
+  slurp:
+    src: "{{ keystone_ssl_cert }}"
+  register: _keystone_ssl_cert
+  changed_when: false
+  tags:
+    - keystone-ssl
+
+- name: Store ssl key
+  slurp:
+    src: "{{ keystone_ssl_key }}"
+  register: _keystone_ssl_key
+  changed_when: false
+  tags:
+    - keystone-ssl
+
+- name: Register a fact for the cert and key
+  set_fact:
+    keystone_ssl_cert_fact: "{{ _keystone_ssl_cert.content }}"
+    keystone_ssl_key_fact: "{{ _keystone_ssl_key.content }}"
   tags:
     - keystone-ssl

tests/test-keystone-functional.yml

@@ -51,5 +51,22 @@
       with_items:
         - "admin"
         - "service"
+    - name: Get SSL cert location and permissions
+      stat:
+        path: "/etc/ssl/certs/keystone.pem"
+      register: keystone_ssl_cert_stats
+    - name: Check SSL cert location and permissions
+      fail:
+        msg: "Keystone SSL cert permissions don't match 0640"
+      when: keystone_ssl_cert_stats.stat.mode != "0640"
+    - name: Get SSL key location and permissions
+      stat:
+        path: "/etc/ssl/private/keystone.key"
+      register: keystone_ssl_key_stats
+    - name: Check SSL key location and permissions
+      fail:
+        msg: "Keystone SSL key permissions don't match 0640"
+      when: keystone_ssl_key_stats.stat.mode != "0640"
+
   vars_files:
     - test-vars.yml

tests/test-vars.yml

@@ -28,6 +28,7 @@ keystone_rabbitmq_password: "secrete"
 keystone_rabbitmq_port: 5671
 keystone_rabbitmq_servers: 10.100.100.2
 keystone_rabbitmq_use_ssl: true
+keystone_ssl: true
 keystone_rabbitmq_userid: keystone
 keystone_rabbitmq_vhost: /keystone
 keystone_requirements_git_install_branch: master