This is now common functionality in an ansible role, rather than
being implemented directly in openstack-ansible service roles.
This patch creates the apache server certificate and key using the
pki role when keystone_ssl is true.
A CA certificate and key are generated and installed when keystone
is configured to be an IDP, triggered by keystone_idp.certfile being
defined.
Depends-On: https://review.opendev.org/c/openstack/ansible-role-pki/+/830794
Change-Id: Ie70aecc93b8acb7c1bbad02e98254b7c50c4c86f

The numerous tags within the role have been condensed
to two tags: keystone-install and keystone-config
These tags have been chosen as they are namespaced
and cover the two major functions of the role.
Documentation has been updated to inform how each tag
influences the function of the role.
Change-Id: Iea4bff944ce0a35a4b1bc044171472ea44eda323

The os_keystone role previously relied on a memcached deployment to transfer
SSL certificates and keys to all keystone nodes. Many of the openstack-ansible
repositories have refactored this behavior out in place of registering the
certificates and keys as ansible facts and using ansible's copy module to
transfer them to each node in the deployment.
This breaks the dependency of requiring memcached in order to deploy keystone
with SSL.
Change-Id: I8db39a2a4a54aa9814c1b05988f05bfcae94f222

This patch adds the option to provide an SSL certificate for the
Keystone service (either self-signed or user provided) and to
configure the endpoints and Keystone service appropriately.
* A new boolean variable called 'keystone_ssl' enables/disables
the configuration of SSL for the Keystone service.
* The server key/certificate (and optionally a CA cert) are
distributed to all keystone containers and used for the setup
of SSL endpoints if the appropriate protocol is set.
* The internal/public and the admin endpoints can be set to be
served via http or https separately via the
'keystone_service_*_proto' variables.
* The logic to determine the appropriate load balancing
configuration based on the Keystone endpoint protocol has
been implemented in the haproxy vars.
* Two new variables have been implemented for a user-provided
server key and certificate:
- keystone_user_ssl_cert: <path to cert on deployment host>
- keystone_user_ssl_key: <path to cert on deployment host>
If either of these is not defined, but a Keystone endpoint
has been configured for SSL, then the missing cert/key
will be self-generated on the first Keystone container and
distributed to the other containers.
* A new variable has been implemented for a user-provided CA
certificate:
- keystone_user_ssl_ca_cert: <path to cert on deployment host>
* A new variable called 'keystone_ssl_self_signed_subject' has
been implemented to allow the user to override the certificate
properties, such as the CN and subjectAltName.
Upgrade notes:
* The SSL-based client authentication configuration in Apache
has been removed as it appears to be unused.
* The minimum Ansible version for the os_keystone and
haproxy_server roles has been increased to v1.9.0 as it's
the minimum version that supports ternary filters.
* The boolean 'keystone_ssl_enabled' has been renamed to
'keystone_ssl'. This maintains a pattern set in the haproxy
role for enablement of ssl offloading in the load balancer.
* The Apache configuration appropriately implements the
'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
directive in order to ensure that the appropriate signing
certificate is provided to the browser.
* The 'keystone_self_signed_regen' variable has been renamed
to 'keystone_ssl_self_signed_regen'.
* The default names for the deployed keys/certificates have been
changed:
- /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem
- /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key
DocImpact
Partial-Bug: #1466827
Implements: blueprint keystone-federation
Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee
Co-Authored-By: Miguel Grinberg <miguelgrinberg50@gmail.com>
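As an added example that is not part of these commits or the os_keystone role, the shell pre-flight check below is what a deployer can run on the files to be named by keystone_user_ssl_cert, keystone_user_ssl_key and keystone_user_ssl_ca_cert before setting keystone_ssl: it confirms the key belongs to the certificate, that the certificate chains to the CA which SSLCACertificateFile will hand to clients, and that the endpoint hostname is covered by the SAN (or CN). The function names, the keystone.example.test hostname and the generated test material are assumptions constructed for the example.

```sh
#!/bin/sh
# Added pre-flight check for user-provided Keystone TLS material: before setting
# keystone_user_ssl_cert / keystone_user_ssl_key / keystone_user_ssl_ca_cert,
# confirm the three files belong together and cover the endpoint hostname.
# Example code, not part of the os_keystone role. Requires the openssl CLI.

# keystone_ssl_preflight CERT KEY CA HOST
# Returns 0 when consistent; 1 = key/cert mismatch, 2 = cert does not chain to
# CA, 3 = HOST is not covered by the cert's SAN (or CN fallback).
keystone_ssl_preflight() {
    cert=$1 key=$2 ca=$3 host=$4
    # The key must belong to the cert: compare the public key derived from each.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match cert"; return 1; }
    # The cert must chain to the CA that SSLCACertificateFile hands to clients.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "cert is not signed by the given CA"; return 2; }
    # The name clients connect with must be in the cert (SAN, else CN).
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match' \
        || { echo "cert does not cover $host"; return 3; }
    return 0
}

# make_sample_material: prints a temp dir holding a constructed test CA and a
# leaf cert for keystone.example.test (every value here is made up).
make_sample_material() {
    dir=$(mktemp -d)
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = placeholder' \
        '[ca_ext]' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' \
        '[leaf_ext]' 'subjectAltName = DNS:keystone.example.test' > "$dir/x.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/x.cnf" \
        -extensions ca_ext -subj '/CN=Constructed Keystone Test CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/x.cnf" \
        -subj '/CN=keystone.example.test' \
        -keyout "$dir/keystone.key" -out "$dir/keystone.csr" 2>/dev/null
    openssl x509 -req -in "$dir/keystone.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -extfile "$dir/x.cnf" -extensions leaf_ext \
        -out "$dir/keystone.pem" 2>/dev/null
    echo "$dir"
}

# Stand-alone demo: check the constructed material against its own hostname.
demo_dir=$(make_sample_material)
keystone_ssl_preflight "$demo_dir/keystone.pem" "$demo_dir/keystone.key" \
    "$demo_dir/ca.pem" keystone.example.test && echo "preflight passed"
```

Point the three arguments at the real files and the real endpoint hostname to run the same checks before a deployment; a non-zero exit names the first inconsistency found.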