This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.
This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.
A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f
This removes warnings in Ansible 2.4+.
The patch also removes "static:" from the playbooks since that
argument is no longer used by Ansible.
Change-Id: I6e5fcbccd4239db73de20e640a3423d1a2333bbe
Ansible 2.1.1 introduces a regression in the way conditional
includes are handled which results in every task in the
included file being evaluated even if the condition for the
include is not met. This extends the run time significantly
for a deployment.
This patch forces all conditional includes to be dynamic.
Change-Id: Ia4c26126a7c1fc2728252eacf71870b7bfb5b6a5
Related-Bug: https://github.com/ansible/ansible/issues/17687
The numerous tags within the role have been condensed
to two tags: keystone-install and keystone-config
These tags have been chosen as they are namespaced
and cover the two major functions of the role.
Documentation has been updated to inform how each tag
influences the function of the role.
Change-Id: Iea4bff944ce0a35a4b1bc044171472ea44eda323
This patch adds the option to provide an SSL certificate for the
Keystone service (either self-signed or user provided) and to
configure the endpoints and Keystone service appropriately.
* A new boolean variable called 'keystone_ssl' enables/disables
the configuration of SSL for the Keystone service.
* The server key/certificate (and optionally a CA cert) are
distributed to all keystone containers and used for the setup
of SSL endpoints if the appropriate protocol is set.
* The internal/public and the admin endpoints can be set to be
served via http or https seperately via the
'keystone_service_*_proto' variables.
* The logic to determine the appropriate load balancing
configuration based on the Keystone endpoint protocol has
been implemented in the haproxy vars.
* Two new variables have been implemented for a user-provided
server key and certificate:
- keystone_user_ssl_cert: <path to cert on deployment host>
- keystone_user_ssl_key: <path to cert on deployment host>
If either of these is not defined, but a Keystone endpoint
has been configured for SSL, then the missing cert/key
will be self generated on the first Keystone container and
distributed to the other containers.
* A new variable has been implemented for a user-provided CA
certificate:
- keystone_user_ssl_ca_cert: <path to cert on deployment host>
* A new variable called 'keystone_ssl_self_signed_subject' has
been implemented to allow the user to override the certificate
properties, such as the CN and subjectAltName.
Upgrade notes:
* The SSL-based client authentication configuration in Apache
has been removed as it appears to be unused.
* The minimum Ansible version for the os_keystone and
haproxy_server roles have been increased to v1.9.0 as it's
the minimum version that supports ternary filters.
* The boolean 'keystone_ssl_enabled' has been renamed to
'keystone_ssl'. This maintains a pattern set in the haproxy
role for enablement of ssl offloading in the load balancer.
* The Apache configuration appropriately implements the
'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
directive in order to ensure that the appropriate signing
certificate is provided to the browser.
* The 'keystone_self_signed_regen' variable has been renamed
to 'keystone_ssl_self_signed_regen'.
* The default names for the deployed keys/certificates have been
changed:
- /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem
- /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key
DocImpact
Partial-Bug: #1466827
Implements: blueprint keystone-federation
Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee
Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>
Jonathan Rosser