keystone_ssl_enabled does not enable mod_ssl

Bug #1466827 reported by Jesse Pretorius
Affects           | Status       | Importance | Assigned to | Milestone
OpenStack-Ansible | Fix Released | Medium     | git-harry   |
  Kilo            | Fix Released | Medium     | git-harry   |
  Trunk           | Fix Released | Medium     | git-harry   |

Bug Description

If keystone_ssl_enabled is set to true, the keystone role does not enable mod_ssl, resulting in the apache restart failing.

Also note that there is no ssl certificate generation (like there is in the horizon play) - this should probably be fixed for testing purposes.

Tags: in-kilo
description: updated
Changed in openstack-ansible:
status: New → In Progress
Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/195227
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=12ec305d09a5dd4689b01d26d3ab417b7259d528
Submitter: Jenkins
Branch: kilo

commit 12ec305d09a5dd4689b01d26d3ab417b7259d528
Author: git-harry <email address hidden>
Date: Tue Jun 23 14:15:24 2015 +0100

    Fix errors when enabling SSL for apache

    keystone_ssl_enabled is used to determine whether or not to configure
    apache to use SSL. Currently when this variable is set to true the
    apache SSL module is not enabled.

    This commit adds a task to enable/disable the SSL module based on the
    variable keystone_ssl_enabled.

    The keystone-httpd.conf template causes a formatting error. This commit
    fixes the error so that additional whitespace is no longer added before
    SSLEngine.

    Change-Id: I1415e5822684af12e1a1dd8a306e708e8931fa38
    Closes-bug: #1466827
    (cherry picked from commit 042771fd0713885ba26193c7a0708fccf187a744)
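
A task that keeps the state of Apache's SSL module in step with keystone_ssl_enabled, in the shape the commit message above describes. This is an added example, not the project's own task; the play layout, the handler, the template path and the use of the apache2_module module are assumptions.

```yaml
# Added example (not code from os-ansible-deployment): enable or disable
# mod_ssl from the same variable that drives the SSL vhost configuration, so
# a restart can no longer fail with "Invalid command 'SSLEngine'" because the
# module providing the directive was never loaded.
# Assumes Debian/Ubuntu apache2 and Ansible >= 1.9 (the ternary filter).
# keystone_ssl_enabled is the kilo-era name; the master commit renamed it
# to keystone_ssl.
- hosts: keystone_all
  vars:
    keystone_ssl_enabled: true
  tasks:
    - name: Ensure apache mod_ssl state matches keystone_ssl_enabled
      apache2_module:
        name: ssl
        state: "{{ keystone_ssl_enabled | bool | ternary('present', 'absent') }}"
      notify: Restart apache

    # The vhost template is deployed after the module task, so by the time the
    # handler restarts Apache the SSLEngine directive is parseable.
    - name: Deploy the keystone apache vhost (assumed path)
      template:
        src: keystone-httpd.conf.j2
        dest: /etc/apache2/sites-available/keystone-httpd.conf
        owner: root
        group: root
        mode: "0644"
      notify: Restart apache

  handlers:
    # Fail early on a broken config rather than leaving Apache down.
    - name: Restart apache
      command: apache2ctl configtest
      notify: Restart apache service

    - name: Restart apache service
      service:
        name: apache2
        state: restarted
```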

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/194474
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=4b35b3e929cbc728b903bf19d8d169e376920832
Submitter: Jenkins
Branch: master

commit 4b35b3e929cbc728b903bf19d8d169e376920832
Author: Jesse Pretorius <email address hidden>
Date: Tue Jul 7 12:59:45 2015 +0100

    Keystone SSL cert/key distribution and configuration

    This patch adds the option to provide an SSL certificate for the
    Keystone service (either self-signed or user provided) and to
    configure the endpoints and Keystone service appropriately.

    * A new boolean variable called 'keystone_ssl' enables/disables
      the configuration of SSL for the Keystone service.

    * The server key/certificate (and optionally a CA cert) are
      distributed to all keystone containers and used for the setup
      of SSL endpoints if the appropriate protocol is set.

    * The internal/public and the admin endpoints can be set to be
      served via http or https separately via the
      'keystone_service_*_proto' variables.

    * The logic to determine the appropriate load balancing
      configuration based on the Keystone endpoint protocol has
      been implemented in the haproxy vars.

    * Two new variables have been implemented for a user-provided
      server key and certificate:
      - keystone_user_ssl_cert: <path to cert on deployment host>
      - keystone_user_ssl_key: <path to cert on deployment host>
      If either of these is not defined, but a Keystone endpoint
      has been configured for SSL, then the missing cert/key
      will be self generated on the first Keystone container and
      distributed to the other containers.

    * A new variable has been implemented for a user-provided CA
      certificate:
      - keystone_user_ssl_ca_cert: <path to cert on deployment host>

    * A new variable called 'keystone_ssl_self_signed_subject' has
      been implemented to allow the user to override the certificate
      properties, such as the CN and subjectAltName.

    Upgrade notes:

    * The SSL-based client authentication configuration in Apache
      has been removed as it appears to be unused.

    * The minimum Ansible version for the os_keystone and
      haproxy_server roles have been increased to v1.9.0 as it's
      the minimum version that supports ternary filters.

    * The boolean 'keystone_ssl_enabled' has been renamed to
      'keystone_ssl'. This maintains a pattern set in the haproxy
      role for enablement of ssl offloading in the load balancer.

    * The Apache configuration appropriately implements the
      'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
      directive in order to ensure that the appropriate signing
      certificate is provided to the browser.

    * The 'keystone_self_signed_regen' variable has been renamed
      to 'keystone_ssl_self_signed_regen'.

    * The default names for the deployed keys/certificates have been
      changed:
      - /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem
      - /etc/ssl/private/apache.key > /etc/ssl/private/k...

OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/214575

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/214575
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=caa9733788468886c6ac50cd2fde00a4f8a58321
Submitter: Jenkins
Branch: kilo

commit caa9733788468886c6ac50cd2fde00a4f8a58321
Author: Jesse Pretorius <email address hidden>
Date: Tue Jul 7 12:59:45 2015 +0100

    Keystone SSL cert/key distribution and configuration

    This patch adds the option to provide an SSL certificate for the
    Keystone service (either self-signed or user provided) and to
    configure the endpoints and Keystone service appropriately.

    * A new boolean variable called 'keystone_ssl' enables/disables
      the configuration of SSL for the Keystone service.

    * The server key/certificate (and optionally a CA cert) are
      distributed to all keystone containers and used for the setup
      of SSL endpoints if the appropriate protocol is set.

    * The internal/public and the admin endpoints can be set to be
      served via http or https separately via the
      'keystone_service_*_proto' variables.

    * The logic to determine the appropriate load balancing
      configuration based on the Keystone endpoint protocol has
      been implemented in the haproxy vars.

    * Two new variables have been implemented for a user-provided
      server key and certificate:
      - keystone_user_ssl_cert: <path to cert on deployment host>
      - keystone_user_ssl_key: <path to cert on deployment host>
      If either of these is not defined, but a Keystone endpoint
      has been configured for SSL, then the missing cert/key
      will be self generated on the first Keystone container and
      distributed to the other containers.

    * A new variable has been implemented for a user-provided CA
      certificate:
      - keystone_user_ssl_ca_cert: <path to cert on deployment host>

    * A new variable called 'keystone_ssl_self_signed_subject' has
      been implemented to allow the user to override the certificate
      properties, such as the CN and subjectAltName.

    Upgrade notes:

    * The SSL-based client authentication configuration in Apache
      has been removed as it appears to be unused.

    * The minimum Ansible version for the os_keystone and
      haproxy_server roles have been increased to v1.9.0 as it's
      the minimum version that supports ternary filters.

    * The boolean 'keystone_ssl_enabled' has been renamed to
      'keystone_ssl'. This maintains a pattern set in the haproxy
      role for enablement of ssl offloading in the load balancer.

    * The Apache configuration appropriately implements the
      'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
      directive in order to ensure that the appropriate signing
      certificate is provided to the browser.

    * The 'keystone_self_signed_regen' variable has been renamed
      to 'keystone_ssl_self_signed_regen'.

    * The default names for the deployed keys/certificates have been
      changed:
      - /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem
      - /etc/ssl/private/apache.key > /etc/ssl/private/key...
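
An added vhost template illustrating the master and kilo commit messages above: the SSLEngine block guarded by the endpoint protocol, the keystone.pem default, SSLCACertificateFile instead of SSLCACertificatePath, and block tags kept at column 0 so no extra whitespace lands before SSLEngine (the formatting error the first commit fixed). It is not the project's keystone-httpd.conf template; apart from keystone_ssl, keystone_user_ssl_ca_cert and the keystone_service_*_proto pattern, every variable name and path is an assumption.

```jinja
{# Added example, not the project's own template.
   Assumed names: keystone_service_publicuri_proto follows the
   keystone_service_*_proto pattern; keystone_service_port,
   keystone_ssl_key_path and keystone_ssl_ca_cert_path are hypothetical
   variables for values the bug page does not name. #}
Listen {{ keystone_service_port }}
<VirtualHost *:{{ keystone_service_port }}>
    WSGIDaemonProcess keystone-public processes=2 threads=10 user=keystone
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
{# Block tags stay at column 0. Ansible renders with trim_blocks on, so an
   indented "{% if %}" keeps its indentation and glues it onto the next
   line, producing the stray whitespace before SSLEngine. #}
{% if keystone_ssl | bool and keystone_service_publicuri_proto == 'https' %}
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/keystone.pem
    SSLCertificateKeyFile {{ keystone_ssl_key_path }}
{% if keystone_user_ssl_ca_cert is defined %}
{# One file rather than a hashed directory, as the master commit chose. #}
    SSLCACertificateFile  {{ keystone_ssl_ca_cert_path }}
{% endif %}
    SSLProtocol all -SSLv2 -SSLv3
{% endif %}
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
```

The admin endpoint vhost is the same block with the admin port and the corresponding keystone_service_*_proto variable, which is what lets the two endpoints be served over http or https independently.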


tags: added: in-kilo
Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.
