From 6661a9dab73b35c4b72bc4c0b4c6c3097ae0dc68 Mon Sep 17 00:00:00 2001 From: Damian Dabrowski Date: Fri, 31 Mar 2023 00:05:40 +0200 Subject: [PATCH] Rename keystone_ssl to keystone_backend_ssl To standarize variable name across roles, this change renames `keystone_ssl` to `keystone_backend_ssl`. All other roles use `_backend_ssl` format. It also better describes what it does. With `keystone_ssl` it's unclear whether it is about frontend or backend. Backward compatibility will not be implemented because securing haproxy traffic to its backends with TLS is currently not supported by OSA so it is hard to leverage `keystone_ssl` variable anyway. Change-Id: Ibf8607a4cf62ab518a09d64b1054ff7fbc580000 --- defaults/main.yml | 11 ++++++----- releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml | 5 +++++ tasks/main.yml | 2 +- templates/keystone-httpd.conf.j2 | 2 +- templates/shibboleth2.xml.j2 | 2 +- vars/debian.yml | 2 +- vars/ubuntu-18.04.yml | 2 +- 7 files changed, 16 insertions(+), 10 deletions(-) create mode 100644 releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml diff --git a/defaults/main.yml b/defaults/main.yml index 2c4f7e63..f07d1c96 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -240,8 +240,9 @@ keystone_default_uwsgi_overrides: uwsgi: socket: "127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}" -# set keystone_ssl to true to enable SSL configuration on the keystone containers -keystone_ssl: "{{ openstack_backend_service_https | default(False) }}" +# Define if communication between haproxy and service backends should be +# encrypted with TLS. +keystone_backend_ssl: "{{ openstack_service_backend_ssl | default(False) }}" # The local address used for the keystone node keystone_node_address: "{{ management_address | default('127.0.0.1') }}" 
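Review bot: The new default on the `+keystone_backend_ssl:` line reads `openstack_service_backend_ssl` where the removed line read `openstack_backend_service_https`, and nothing left in the patch (this hunk or the `when:` hunk in tasks/main.yml) still consumes `keystone_ssl`, so an inventory that sets either old variable now resolves to `False` without any message and the keystone vhost, the apache `ssl` module and the Shibboleth `handlerSSL` flag are all deployed without TLS. The release note added in this patch says `keystone_ssl` was "deprecated", which reads as if it still works, while the commit message states that no compatibility is provided; the two should agree. If compatibility is genuinely unwanted, failing loudly is safer than a silent downgrade: a short `ansible.builtin.fail` task in tasks/main.yml guarded by `when: keystone_ssl is defined or openstack_backend_service_https is defined` would surface the rename at deploy time. Otherwise a one-line fallback keeps existing settings effective: `keystone_backend_ssl: "{{ openstack_service_backend_ssl | default(keystone_ssl | default(False)) }}"`.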
@@ -286,7 +287,7 @@ keystone_pki_certificates: cn: "{{ ansible_facts['hostname'] }}" san: "{{ 'DNS:' ~ ansible_facts['hostname'] ~ ',IP:' ~ keystone_node_address }}" signed_by: "{{ keystone_pki_intermediate_cert_name }}" - condition: "{{ keystone_ssl }}" + condition: "{{ keystone_backend_ssl }}" # Set to the value of keystone_idp_authority_name to regenerate the IDP CA keystone_pki_regen_ca: '' @@ -304,13 +305,13 @@ keystone_pki_install_certificates: owner: "{{ keystone_system_user_name }}" group: "{{ keystone_system_group_name }}" mode: "0644" - condition: "{{ keystone_ssl }}" + condition: "{{ keystone_backend_ssl }}" - src: "{{ keystone_user_ssl_key | default(keystone_pki_keys_path ~ 'keystone_' ~ ansible_facts['hostname'] ~ '.key.pem') }}" dest: "{{ keystone_ssl_key }}" owner: "{{ keystone_system_user_name }}" group: "{{ keystone_system_group_name }}" mode: "0600" - condition: "{{ keystone_ssl }}" + condition: "{{ keystone_backend_ssl }}" - src: "{{ keystone_user_ssl_ca_cert | default(keystone_pki_intermediate_cert_path) }}" dest: "{{ keystone_ssl_ca_cert }}" owner: "{{ keystone_system_user_name }}" diff --git a/releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml b/releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml new file mode 100644 index 00000000..af3167eb --- /dev/null +++ b/releasenotes/notes/keystone_ssl-4dc7676a36831f85.yaml @@ -0,0 +1,5 @@ +--- +upgrade: + - | + Variable ``keystone_ssl`` was deprecated in favor of + ``keystone_backend_ssl``. diff --git a/tasks/main.yml b/tasks/main.yml index 7416f60b..a3307cd6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -168,7 +168,7 @@ pki_certificates: "{{ keystone_pki_certificates }}" pki_install_certificates: "{{ keystone_pki_install_certificates }}" when: - - (keystone_ssl | bool) or (keystone_idp['certfile'] is defined) + - (keystone_backend_ssl | bool) or (keystone_idp['certfile'] is defined) tags: - keystone-config 
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2 index ba014c72..6fd29da7 100644 --- a/templates/keystone-httpd.conf.j2 +++ b/templates/keystone-httpd.conf.j2 @@ -26,7 +26,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }} RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http" {% endif %} - {% if keystone_ssl | bool and keystone_service_internaluri_proto == "https" -%} + {% if keystone_backend_ssl | bool and keystone_service_internaluri_proto == "https" -%} SSLEngine on SSLCertificateFile {{ keystone_ssl_cert }} SSLCertificateKeyFile {{ keystone_ssl_key }} diff --git a/templates/shibboleth2.xml.j2 b/templates/shibboleth2.xml.j2 index 27d2d847..ac604ab6 100644 --- a/templates/shibboleth2.xml.j2 +++ b/templates/shibboleth2.xml.j2 @@ -36,7 +36,7 @@ timeout="3600" relayState="ss:mc" checkAddress="false" - handlerSSL="{% if keystone_ssl | bool %}true{% else %}false{% endif %}" + handlerSSL="{% if keystone_backend_ssl | bool %}true{% else %}false{% endif %}" {% if keystone_service_publicuri_proto == "https" %}cookieProps="; path=/; secure"{% endif %}> diff --git a/vars/debian.yml b/vars/debian.yml index 3408cd7e..443498e0 100644 --- a/vars/debian.yml +++ b/vars/debian.yml @@ -82,7 +82,7 @@ keystone_apache_configs: keystone_apache_modules: - name: "ssl" - state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}" + state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}" - name: "shib" state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" - name: "auth_openidc" diff --git a/vars/ubuntu-18.04.yml b/vars/ubuntu-18.04.yml index 81f5adc4..5ce9e407 100644 --- a/vars/ubuntu-18.04.yml +++ b/vars/ubuntu-18.04.yml 
@@ -82,7 +82,7 @@ keystone_apache_configs: keystone_apache_modules: - name: "ssl" - state: "{{ (keystone_ssl | bool) | ternary('present', 'absent') }}" + state: "{{ (keystone_backend_ssl | bool) | ternary('present', 'absent') }}" - name: "shib2" state: "{{ keystone_sp_apache_mod_shib | ternary('present', 'absent') }}" - name: "auth_openidc"