Fix Horizon SSL certificate management and distribution

This patch revises the SSL certificate management and
distribution with something that is more consistent with how
it's done everywhere else in the project. It also repairs the
current user provided certificate distribution which was broken.

* The server key/certificate (and optionally a CA cert) are
  distributed to all horizon containers.
* Two new variables have been implemented for a user-provided
  server key and certificate:
  - horizon_user_ssl_cert: <path to cert on deployment host>
  - horizon_user_ssl_key: <path to cert on deployment host>
  If either of these is not defined, then the missing cert/key
  will be self generated on the first Horizon container and
  distributed to the other containers.
* A new variable has been implemented for a user-provided CA
  certificate:
  - horizon_user_ssl_ca_cert: <path to cert on deployment host>
* A new variable called 'horizon_ssl_self_signed_subject' has
  been implemented to allow the user to override the self-signed
  certificate properties, such as the CN and subjectAltName.

Upgrade notes:

* The Apache configuration appropriately implements the
  'SSLCACertificateFile' instead of the 'SSLCACertificatePath'
  directive in order to ensure that the appropriate signing
  certificate is provided to the browser.
* The variable 'horizon_self_signed' (which defaulted to true)
  has been removed. The decision of whether to generate a
  self-signed certificate has been made based on whether a
  user provided key/cert pair has been provided.
* The 'horizon_self_signed_regen' variable has been renamed
  to 'horizon_ssl_self_signed_regen'.
* The default names for the deployed keys/certificates have been
  changed:
  - /etc/ssl/certs/apache.cert > /etc/ssl/certs/horizon.pem
  - /etc/ssl/private/apache.key > /etc/ssl/private/horizon.key

Reviewed: https://review.openstack.org/202977
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=3a14a988b921627fccfd930ae292381d3338a294
Submitter: Jenkins
Branch: master
commit 3a14a988b921627fccfd930ae292381d3338a294
Author: Jesse Pretorius <email address hidden>
Date: Fri Jul 17 11:38:00 2015 +0100
DocImpact
UpgradeImpact
Closes-Bug: #1475578
Change-Id: I7089abbd81ce422b21ce65488e8bc32053ba32ca
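
The upgrade notes above, expressed as a pre-upgrade check over a deployer's variable overrides. This is an added example, not code from the commit or the project; the function name `audit_overrides`, the flat `name: value` file layout and the sample values are assumptions.

```python
import re

# Names and paths below are taken from the commit message's upgrade notes.
REMOVED = {"horizon_self_signed"}
RENAMED = {"horizon_self_signed_regen": "horizon_ssl_self_signed_regen"}
MOVED_PATHS = {
    "/etc/ssl/certs/apache.cert": "/etc/ssl/certs/horizon.pem",
    "/etc/ssl/private/apache.key": "/etc/ssl/private/horizon.key",
}
USER_PAIR = ("horizon_user_ssl_cert", "horizon_user_ssl_key")
KEY_RE = re.compile(r"^([A-Za-z_]\w*)\s*:\s*(\S.*)?$")  # top-level keys only

# Constructed sample; "other_service_cert" and the .crt path are hypothetical.
SAMPLE = """\
horizon_self_signed: true
horizon_self_signed_regen: false
horizon_user_ssl_cert: /root/certs/horizon.crt
other_service_cert: /etc/ssl/certs/apache.cert
"""


def audit_overrides(text):
    """Return sorted (line_no, code, detail) findings; line 0 = whole file."""
    # Assumption: overrides are flat, top-level 'name: value' YAML lines.
    findings, defined = [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # skip blank lines and whole-line comments
        for old, new in MOVED_PATHS.items():
            if old in raw:
                findings.append((no, "old-path", f"{old} is now {new}"))
        m = KEY_RE.match(raw)
        if not m:
            continue
        name = m.group(1)
        if m.group(2):  # a key with an empty value does not count as set
            defined.add(name)
        if name in REMOVED:
            findings.append((no, "removed", f"{name} no longer exists"))
        elif name in RENAMED:
            findings.append((no, "renamed", f"{name} -> {RENAMED[name]}"))
    have = [v for v in USER_PAIR if v in defined]
    if len(have) == 1:  # per the commit message, the missing half is self generated
        missing = USER_PAIR[1 - USER_PAIR.index(have[0])]
        findings.append((0, "half-pair", f"{have[0]} set, {missing} unset"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit_overrides(SAMPLE), sep="\n")
```

A "half-pair" finding means only one of the user-provided key and certificate is defined, so the other will be self generated on the first Horizon container.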