From 67bc29d86a380181f888661743e3e50874cfb7b3 Mon Sep 17 00:00:00 2001 From: Jesse Pretorius Date: Tue, 7 Jul 2015 21:01:20 +0000 Subject: [PATCH] Enable all services to use Keystone 'insecurely' This patch introduces an insecure flag for the Keystone internal and admin endpoints: * keystone_service_adminuri_insecure * keystone_service_internaluri_insecure Both values default to false. If you have setup SSL endpoints for Keystone using an untrusted certificate then you should set the appropriate flag to true in your user_variables. This patch is used to enable testing and development with Keystone SSL endpoints without having to make use of SSL certificates signed by a trusted, public CA. The patch introduces a new optional argument (insecure) to the keystone, glance and neutron Ansible libraries. This is a boolean value which, when true, enables these libraries to access Keystone endpoints 'insecurely'. When these libraries are used in plays, the appropriate value is set automatically as per the above conditions. Implements: blueprint keystone-federation Change-Id: Ia07e7e201f901042dd06a86efe5c6f6725e9ce13 --- tasks/glance_service_setup.yml | 4 ++++ templates/glance-api.conf.j2 | 1 + templates/glance-registry.conf.j2 | 1 + 3 files changed, 6 insertions(+) diff --git a/tasks/glance_service_setup.yml b/tasks/glance_service_setup.yml index e0ed4f10..c7c10077 100644 --- a/tasks/glance_service_setup.yml +++ b/tasks/glance_service_setup.yml @@ -22,6 +22,7 @@ service_name: "{{ glance_service_name }}" service_type: "{{ glance_service_type }}" description: "{{ glance_service_description }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -40,6 +41,7 @@ user_name: "{{ glance_service_user_name }}" tenant_name: "{{ glance_service_project_name }}" password: "{{ glance_service_password }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -58,6 +60,7 @@ user_name: "{{ glance_service_user_name }}" tenant_name: "{{ glance_service_project_name }}" role_name: "{{ glance_role_name }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 @@ -79,6 +82,7 @@ publicurl: "{{ glance_service_publicurl }}" adminurl: "{{ glance_service_internalurl }}" internalurl: "{{ glance_service_adminurl }}" + insecure: "{{ keystone_service_adminuri_insecure }}" register: add_service until: add_service|success retries: 5 diff --git a/templates/glance-api.conf.j2 b/templates/glance-api.conf.j2 index b86127c8..57c85d25 100644 --- a/templates/glance-api.conf.j2 +++ b/templates/glance-api.conf.j2 @@ -51,6 +51,7 @@ task_executor = {{ glance_task_executor }} connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8 [keystone_authtoken] +insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ glance_keystone_auth_plugin }} signing_dir = {{ glance_system_user_home }}/cache/api auth_url = {{ keystone_service_adminuri }} diff --git a/templates/glance-registry.conf.j2 b/templates/glance-registry.conf.j2 index 66ce65cb..2abf2df9 100644 --- a/templates/glance-registry.conf.j2 +++ b/templates/glance-registry.conf.j2 @@ -21,6 +21,7 @@ limit_param_default = 25 connection = mysql://{{ glance_galera_user }}:{{ glance_container_mysql_password }}@{{ glance_galera_address }}/{{ glance_galera_database }}?charset=utf8 [keystone_authtoken] +insecure = {{ keystone_service_internaluri_insecure | bool }} auth_plugin = {{ glance_keystone_auth_plugin }} signing_dir = {{ glance_system_user_home }}/cache/registry/ auth_url = {{ keystone_service_adminuri }}