Comment 5 for bug 1466827

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/214575
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=caa9733788468886c6ac50cd2fde00a4f8a58321
Submitter: Jenkins
Branch: kilo

commit caa9733788468886c6ac50cd2fde00a4f8a58321
Author: Jesse Pretorius <email address hidden>
Date: Tue Jul 7 12:59:45 2015 +0100

    Keystone SSL cert/key distribution and configuration

    This patch adds the option to provide an SSL certificate for the
    Keystone service (either self-signed or user provided) and to
    configure the endpoints and Keystone service appropriately.

    * A new boolean variable called 'keystone_ssl' enables/disables
      the configuration of SSL for the Keystone service.

    * The server key/certificate (and optionally a CA cert) are
      distributed to all keystone containers and used for the setup
      of SSL endpoints if the appropriate protocol is set.

    * The internal/public and the admin endpoints can be set to be
      served via http or https separately via the
      'keystone_service_*_proto' variables.

    * The logic to determine the appropriate load balancing
      configuration based on the Keystone endpoint protocol has
      been implemented in the haproxy vars.

    * Two new variables have been implemented for a user-provided
      server key and certificate:
      - keystone_user_ssl_cert: <path to cert on deployment host>
      - keystone_user_ssl_key: <path to cert on deployment host>
      If either of these is not defined, but a Keystone endpoint
      has been configured for SSL, then the missing cert/key
      will be self generated on the first Keystone container and
      distributed to the other containers.

    * A new variable has been implemented for a user-provided CA
      certificate:
      - keystone_user_ssl_ca_cert: <path to cert on deployment host>

    * A new variable called 'keystone_ssl_self_signed_subject' has
      been implemented to allow the user to override the certificate
      properties, such as the CN and subjectAltName.

    Upgrade notes:

    * The SSL-based client authentication configuration in Apache
      has been removed as it appears to be unused.

    * The minimum Ansible version for the os_keystone and
      haproxy_server roles has been increased to v1.9.0 as it's
      the minimum version that supports ternary filters.

    * The boolean 'keystone_ssl_enabled' has been renamed to
      'keystone_ssl'. This maintains a pattern set in the haproxy
      role for enablement of ssl offloading in the load balancer.

    * The Apache configuration appropriately implements the
      'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
      directive in order to ensure that the appropriate signing
      certificate is provided to the browser.

    * The 'keystone_self_signed_regen' variable has been renamed
      to 'keystone_ssl_self_signed_regen'.

    * The default names for the deployed keys/certificates have been
      changed:
      - /etc/ssl/certs/apache.cert > /etc/ssl/certs/keystone.pem
      - /etc/ssl/private/apache.key > /etc/ssl/private/keystone.key

    DocImpact
    Partial-Bug: #1466827
    Implements: blueprint keystone-federation
    Change-Id: I4c5ea7b6bfc3d7d7230a7440fa501241826c9dee
    Co-Authored-By: Miguel Grinberg <email address hidden>
    (cherry picked from commit 4b35b3e929cbc728b903bf19d8d169e376920832)
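As an added example that is not part of this commit or of the os-ansible-deployment role: a POSIX shell check a deployer can run over the files before pointing keystone_user_ssl_cert, keystone_user_ssl_key and (optionally) keystone_user_ssl_ca_cert at them, verifying that the key really belongs to the certificate, that the certificate chains to the single CA file Apache will be handed via SSLCACertificateFile, and that a subjectAltName is present. The host name and the temporary key/certificate material are constructed for the demo.

```shell
#!/bin/sh
# Pre-deployment check for user-provided Keystone SSL material.
# Usage: check_keystone_ssl_material CERT KEY [CA_CERT]
# Returns 0 when the key matches the certificate and, if a CA file is
# given, the certificate verifies against it; a non-zero code otherwise.
check_keystone_ssl_material() {
    cert="$1"; key="$2"; ca="${3:-}"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cert or key unreadable" >&2; return 2; }
    # The public key inside the certificate must equal the one derived
    # from the private key; a mismatch makes Apache refuse to start.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 4; }
    # Apache is given a single CA file, so the chain must verify against it.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
            || { echo "certificate does not chain to CA" >&2; return 5; }
    fi
    # Show what clients will see: modern clients ignore the CN and
    # require a subjectAltName matching the endpoint host name.
    openssl x509 -in "$cert" -noout -subject
    openssl x509 -in "$cert" -noout -text | grep -A1 'Subject Alternative Name' \
        || echo "warning: no subjectAltName present"
    return 0
}

# Constructed demo material (hypothetical host name) in a temporary directory.
make_demo_material() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/keystone.key" -out "$dir/keystone.pem" \
        -subj "/CN=keystone.example.test" \
        -addext "subjectAltName=DNS:keystone.example.test" >/dev/null 2>&1
    # An unrelated key, used only to exercise the mismatch path.
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
    echo "$dir"
}
```

Run the demo with `d=$(make_demo_material); check_keystone_ssl_material "$d/keystone.pem" "$d/keystone.key" "$d/keystone.pem"`; the self-signed certificate is its own CA, so passing it as the third argument mirrors the keystone_user_ssl_ca_cert case.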