Horizon user provided ssl certs don't work

Bug #1475578 reported by Jesse Pretorius
Affects            Status        Importance  Assigned to      Milestone
OpenStack-Ansible  Fix Released  Medium      Jesse Pretorius
Kilo               Fix Released  Medium      Jesse Pretorius
Trunk              Fix Released  Medium      Jesse Pretorius

Bug Description

The ability for a deployer to provide their own SSL certificate and key does not work for horizon. The play errors out as it refers to variables that don't exist.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (master)

Fix proposed to branch: master
Review: https://review.openstack.org/202977

Changed in openstack-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/202977
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=3a14a988b921627fccfd930ae292381d3338a294
Submitter: Jenkins
Branch: master

commit 3a14a988b921627fccfd930ae292381d3338a294
Author: Jesse Pretorius <email address hidden>
Date: Fri Jul 17 11:38:00 2015 +0100

    Fix Horizon SSL certificate management and distribution

    This patch revises the SSL certificate management and
    distribution with something that is more consistent with how
    it's done everywhere else in the project. It also repairs the
    current user provided certificate distribution which was broken.

    * The server key/certificate (and optionally a CA cert) are
      distributed to all horizon containers.

    * Two new variables have been implemented for a user-provided
      server key and certificate:
      - horizon_user_ssl_cert: <path to cert on deployment host>
      - horizon_user_ssl_key: <path to cert on deployment host>
      If either of these is not defined, then the missing cert/key
      will be self generated on the first Horizon container and
      distributed to the other containers.

    * A new variable has been implemented for a user-provided CA
      certificate:
      - horizon_user_ssl_ca_cert: <path to cert on deployment host>

    * A new variable called 'horizon_ssl_self_signed_subject' has
      been implemented to allow the user to override the self-signed
      certificate properties, such as the CN and subjectAltName.

    Upgrade notes:

    * The Apache configuration appropriately implements the
      'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
      directive in order to ensure that the appropriate signing
      certificate is provided to the browser.

    * The variable 'horizon_self_signed' (which defaulted to true)
      has been removed. The decision of whether to generate a
      self-signed certificate has been made based on whether a
      user provided key/cert pair has been provided.

    * The 'horizon_self_signed_regen' variable has been renamed
      to 'horizon_ssl_self_signed_regen'.

    * The default names for the deployed keys/certificates have been
      changed:
      - /etc/ssl/certs/apache.cert > /etc/ssl/certs/horizon.pem
      - /etc/ssl/private/apache.key > /etc/ssl/private/horizon.key

    DocImpact
    UpgradeImpact
    Closes-Bug: #1475578

    Change-Id: I7089abbd81ce422b21ce65488e8bc32053ba32ca

Changed in openstack-ansible:
status: In Progress → Fix Committed
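The check a deployer would want to run before setting the variables named in this commit, added here as an example and not code from openstack-ansible or from the patch: it mirrors the commit's rule for when a self-signed certificate is generated, then performs an in-memory TLS handshake in which the client trusts only horizon_user_ssl_ca_cert, so a key that does not match the certificate, a CA that did not sign it, or a CN/subjectAltName that does not cover the Horizon hostname is caught before the play runs. The variables dict and the hostname argument are assumptions.

```python
import ssl

# Added example: pre-deployment check for the variables named in the fix.
# Assumes the deployer's settings are available as a plain dict (constructed
# by the caller, e.g. loaded from user_variables.yml).


def select_cert_source(variables):
    """Mirror the commit's rule: self-signed generation only covers a missing
    half of the user-provided pair; a half-defined pair is flagged."""
    cert = variables.get("horizon_user_ssl_cert")
    key = variables.get("horizon_user_ssl_key")
    if cert and key:
        return "user-provided"
    if cert or key:
        return "incomplete-pair"  # a generated half will not match the supplied one
    return "self-signed"


def user_cert_trusted_by(cert_path, key_path, ca_path, hostname):
    """In-memory TLS handshake: the server side loads the pair as Apache would,
    the client side trusts only ca_path (what SSLCACertificateFile hands to the
    browser) and checks hostname against the CN/subjectAltName. Returns (ok, why)."""
    try:
        srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        srv.load_cert_chain(cert_path, key_path)  # raises if key does not match cert
        cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname
        cli.load_verify_locations(cafile=ca_path)
    except (OSError, ssl.SSLError) as exc:
        return False, f"load error: {exc}"
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cli.wrap_bio(c_in, c_out, server_hostname=hostname)
    server = srv.wrap_bio(s_in, s_out, server_side=True)
    # Each side: [SSLObject, its outgoing BIO, the peer's incoming BIO, done flag]
    sides = [[client, c_out, s_in, False], [server, s_out, c_in, False]]
    try:
        for _ in range(10):  # each pass moves one flight of handshake records
            for side in sides:
                if not side[3]:
                    try:
                        side[0].do_handshake()
                        side[3] = True
                    except ssl.SSLWantReadError:
                        pass  # needs the peer's next flight first
                side[2].write(side[1].read())
            if sides[0][3] and sides[1][3]:
                return True, "chain verified and hostname matched"
    except ssl.SSLError as exc:  # e.g. SSLCertVerificationError raised on the client side
        return False, f"handshake rejected: {exc}"
    return False, "handshake did not complete"
```

Run it with the real paths from the deployment host and the FQDN browsers will use; a False result with its reason is the same failure a browser would report after the play distributes the files.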
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/204251

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/204251
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=c694e11c9e1c1b8fa5a373d26c9106bf0bf8c11b
Submitter: Jenkins
Branch: kilo

commit c694e11c9e1c1b8fa5a373d26c9106bf0bf8c11b
Author: Jesse Pretorius <email address hidden>
Date: Fri Jul 17 11:38:00 2015 +0100

    Fix Horizon SSL certificate management and distribution

    This patch revises the SSL certificate management and
    distribution with something that is more consistent with how
    it's done everywhere else in the project. It also repairs the
    current user provided certificate distribution which was broken.

    * The server key/certificate (and optionally a CA cert) are
      distributed to all horizon containers.

    * Two new variables have been implemented for a user-provided
      server key and certificate:
      - horizon_user_ssl_cert: <path to cert on deployment host>
      - horizon_user_ssl_key: <path to cert on deployment host>
      If either of these is not defined, then the missing cert/key
      will be self generated on the first Horizon container and
      distributed to the other containers.

    * A new variable has been implemented for a user-provided CA
      certificate:
      - horizon_user_ssl_ca_cert: <path to cert on deployment host>

    * A new variable called 'horizon_ssl_self_signed_subject' has
      been implemented to allow the user to override the self-signed
      certificate properties, such as the CN and subjectAltName.

    Upgrade notes:

    * The Apache configuration appropriately implements the
      'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
      directive in order to ensure that the appropriate signing
      certificate is provided to the browser.

    * The variable 'horizon_self_signed' (which defaulted to true)
      has been removed. The decision of whether to generate a
      self-signed certificate has been made based on whether a
      user provided key/cert pair has been provided.

    * The 'horizon_self_signed_regen' variable has been renamed
      to 'horizon_ssl_self_signed_regen'.

    * The default names for the deployed keys/certificates have been
      changed:
      - /etc/ssl/certs/apache.cert > /etc/ssl/certs/horizon.pem
      - /etc/ssl/private/apache.key > /etc/ssl/private/horizon.key

    DocImpact
    UpgradeImpact
    Closes-Bug: #1475578

    Change-Id: I7089abbd81ce422b21ce65488e8bc32053ba32ca
    (cherry picked from commit 3a14a988b921627fccfd930ae292381d3338a294)

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.11

This issue was fixed in the openstack/openstack-ansible 11.2.11 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.12

This issue was fixed in the openstack/openstack-ansible 11.2.12 release.

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.
