Make SSL settings configurable for Keystone

Currently, one cannot enable SSL for Keystone service endpoint since
the recipes do not allow configuring the SSL specific parameters. To
address this issue, this commit defines some new node attributes for
specifying SSL key, certificate and CA certificate paths. Also, this
commit exposes few other node attributes giving users more flexibility
in their SSL deployment options.

Closes-Bug #1441385

Change-Id: I2ee71f4f11e0cba619418bd5c356ec490c3be6e4

README.md

@@ -275,6 +275,12 @@ Please refer to the Common cookbook for more attributes.
 * `openstack['identity']['pipeline']['public_api']` - Pipeline of identity public api
 * `openstack['identity']['pipeline']['admin_api']` - Pipeline of identity admin api
 * `openstack['identity']['pipeline']['api_v3']` - Pipeline of identity V3 api
+* `openstack['identity']['ssl']['enabled']` - Enable HTTPS Keystone API endpoint. Default is false
+* `openstack['identity']['ssl']['cert_required']` - When SSL is enabled this flag is used to require client certificate. Default is false.
+* `openstack['identity']['ssl']['basedir']` - Path to Keystone SSL directory
+* `openstack['identity']['ssl']['certfile']`- Cert file location
+* `openstack['identity']['ssl']['keyfile']` - Key file location
+* `openstack['identity']['ssl']['ca_certs']` - Path to CA certificate file
 
 Most `openstack['identity']['ldap']` attributes map directly to the corresponding config options in keystone.conf's `[ldap]` backend.  They are primarily used when configuring `openstack['identity']['identity']['backend']` and/or `openstack["identity"]["assignment"]["backend"]` as `ldap` (both default to `sql`).
 
@@ -283,7 +289,6 @@ The `openstack['identity']['ldap']['use_tls']` option should not be used in conj
 If `openstack['identity']['ldap']['tls_cacertfile']` is set, `openstack['identity']['ldap']['tls_cacertdir']` will be ignored.  Set `openstack['identity']['ldap']['tls_cacertfile']` to `nil` if `openstack['identity']['ldap']['tls_cacertdir']` is desired.
 Values of `openstack['identity']['ldap']['tls_req_cert']` correspond to the standard options permitted by the TLS_REQCERT TLS option (`never` performs no validation of certs, `allow` performs some basic name checks but no thorough CA validation, `demand` requires the certificate chain to be valid for the connection to succeed).
 
-
 The following attributes are defined in attributes/default.rb of the common cookbook, but are documented here due to their relevance:
 
 * `openstack['endpoints']['identity-bind']['host']` - The IP address to bind the identity services to
@@ -294,7 +299,8 @@ The following attributes are defined in attributes/default.rb of the common cook
 
 If the value of the 'bind_interface' attribute is non-nil, then the identity service will be bound to the first IP address on that interface.  If the value of the 'bind_interface' attribute is nil, then the identity service will be bound to the IP address specified in the host attribute.
 
-
+### SSL enabling
+To enable SSL on Keystone, a key and certficate must be created and installed on server running Keystone. The location of these files can be provided with the node attributes described above. Also, note that `openstack['endpoints']['identity-bind']['scheme']`, from openstack common cookbook, must be set to 'https' in order to enable SSL.
 
 ### Token flushing
 When managing tokens with an SQL backend the token database may grow unboundedly as new tokens are issued and expired

attributes/default.rb

@@ -128,6 +128,20 @@ default['openstack']['identity']['users'] = {
   }
 }
 
+# SSL Options
+# Specify whether to enable SSL for Keystone API endpoint
+default['openstack']['identity']['ssl']['enabled'] = false
+# Specify server whether to enforce client certificate requirement
+default['openstack']['identity']['ssl']['cert_required'] = false
+# SSL certificate, keyfile and CA certficate file locations
+default['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
+# Path of the cert file for SSL.
+default['openstack']['identity']['ssl']['certfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslcert.pem"
+# Path of the keyfile for SSL.
+default['openstack']['identity']['ssl']['keyfile'] = "#{node['openstack']['identity']['ssl']['basedir']}/private/sslkey.pem"
+# Path of the CA cert file for SSL.
+default['openstack']['identity']['ssl']['ca_certs'] = "#{node['openstack']['identity']['ssl']['basedir']}/certs/sslca.pem"
+
 # Security Assertion Markup Language (SAML)
 
 # Default TTL, in seconds, for any generated SAML assertion

spec/server_spec.rb

@@ -377,6 +377,51 @@ describe 'openstack-identity::server' do
         end
       end
 
+      describe '[eventlet_server_ssl] section' do
+        opts = {
+            enable: 'True',
+            certfile: '/etc/keystone/ssl/certs/sslcert.pem',
+            keyfile: '/etc/keystone/ssl/private/sslkey.pem',
+            ca_certs: '/etc/keystone/ssl/certs/sslca.pem',
+            cert_required: 'false'
+        }
+        describe 'with ssl enabled' do
+          before do
+            node.set['openstack']['identity']['ssl']['enabled'] = true
+            node.set['openstack']['identity']['ssl']['basedir'] = '/etc/keystone/ssl'
+          end
+          describe 'with client cert not required' do
+            it 'configures ssl options without client certificate' do
+              opts.each do |key, val|
+                r = line_regexp("#{key} = #{val}")
+                expect(chef_run).to render_config_file(path).with_section_content('eventlet_server_ssl', r)
+              end
+            end
+          end
+          describe 'with client cert required' do
+            before do
+              node.set['openstack']['identity']['ssl']['cert_required'] = true
+              opts['cert_required'.to_sym] = 'true'
+            end
+            it 'configures ssl options with client certificate' do
+              opts.each do |key, val|
+                r = line_regexp("#{key} = #{val}")
+                expect(chef_run).to render_config_file(path).with_section_content('eventlet_server_ssl', r)
+              end
+            end
+          end
+        end
+
+        describe 'without ssl disabled' do
+          before { node.set['openstack']['identity']['ssl']['enabled'] = false }
+          it 'does not configure ssl options' do
+            opts.each do |key, val|
+              expect(chef_run).not_to render_config_file(path).with_section_content('eventlet_server_ssl', /^#{key} = /)
+            end
+          end
+        end
+      end
+
       describe '[saml] section' do
         describe 'saml attributes' do
           saml_default_attrs = %w(assertion_expiration_time=3600

templates/default/keystone.conf.erb

@@ -240,13 +240,20 @@ admin_bind_host = <%= @admin_bind_address %>
 #admin_port = 35357
 admin_port = <%= @admin_port %>
 
+<% if node['openstack']['identity']['ssl']['enabled'] %>
 [eventlet_server_ssl]
 
 #
 # From keystone
 #
-# (boolean value)
-#return_all_endpoints_if_no_filter=true
+
+enable = True
+certfile = <%= node['openstack']['identity']['ssl']['certfile'] %>
+keyfile = <%= node['openstack']['identity']['ssl']['keyfile'] %>
+ca_certs = <%= node['openstack']['identity']['ssl']['ca_certs'] %>
+# Require client certificate. (boolean value)
+cert_required = <%= node['openstack']['identity']['ssl']['cert_required'] %>
+<% end %>
 
 [federation]