Keystone SSL cert/key distribution and configuration
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack-Ansible | Confirmed | Low | Major Hayden | |
Bug Description
https:/
commit caa973378846888
Author: Jesse Pretorius <email address hidden>
Date: Tue Jul 7 12:59:45 2015 +0100
Keystone SSL cert/key distribution and configuration
This patch adds the option to provide an SSL certificate for the
Keystone service (either self-signed or user provided) and to
configure the endpoints and Keystone service appropriately.
* A new boolean variable called 'keystone_ssl' enables/disables
the configuration of SSL for the Keystone service.
* The server key/certificate (and optionally a CA cert) are
distributed to all keystone containers and used for the setup
of SSL endpoints if the appropriate protocol is set.
* The internal/public and the admin endpoints can be set to be
served via http or https separately via the
'
* The logic to determine the appropriate load balancing
configuration based on the Keystone endpoint protocol has
been implemented in the haproxy vars.
* Two new variables have been implemented for a user-provided
server key and certificate:
- keystone_
- keystone_
If either of these is not defined, but a Keystone endpoint
has been configured for SSL, then the missing cert/key
will be self generated on the first Keystone container and
distributed to the other containers.
* A new variable has been implemented for a user-provided CA
certificate:
- keystone_
* A new variable called 'keystone_
been implemented to allow the user to override the certificate
properties, such as the CN and subjectAltName.
Upgrade notes:
* The SSL-based client authentication configuration in Apache
has been removed as it appears to be unused.
* The minimum Ansible version for the os_keystone and
haproxy_
the minimum version that supports ternary filters.
* The boolean 'keystone_
'
role for enablement of ssl offloading in the load balancer.
* The Apache configuration appropriately implements the
'
directive in order to ensure that the appropriate signing
certificate is provided to the browser.
* The 'keystone_
to 'keystone_
* The default names for the deployed keys/certificates have been
changed:
- /etc/ssl/
- /etc/ssl/
DocImpact
Partial-Bug: #1466827
Implements: blueprint keystone-federation
Change-Id: I4c5ea7b6bfc3d7
Co-Authored-By: Miguel Grinberg <email address hidden>
(cherry picked from commit 4b35b3e929cbc72
Changed in openstack-ansible:
- assignee: nobody → RPC Documentation (rpcdocs)
- importance: Undecided → Low
- status: New → Confirmed

Changed in openstack-ansible:
- assignee: RPC Documentation (rpcdocs) → Major Hayden (rackerhacker)