Changes for federated login on merlin. Not yet working....

Add ssl keystone endpoints Add ssl keystone endpoints use fqdn for keystone everywhere. Iadded certs for horizon. Also increased yield of nuke.yml
2018-08-16 16:27:45 +02:00
parent 89910a1dba
commit 87514a5705
20 changed files with 542 additions and 20 deletions
--- a/roles/keystone/tasks/main.yml
+++ b/roles/keystone/tasks/main.yml
@ -15,9 +15,21 @@
    - /srv/keystone
    - /srv/keystone/fernet-keys
    - /srv/keystone/root
+    - /srv/keystone/certs
+    - /srv/keystone/shibboleth
+
+- name: install ssl files
+  template:
+    src: templates/certs/{{ item }}
+    dest: /srv/keystone/certs/{{ item }}
+    mode: 400
+  with_items:
+    - merlin.hpc.rug.nl.key
+    - merlin.hpc.rug.nl.crt
+    - DigiCertCA.crt

 - set_fact:
-    docker_image: registry.webhosting.rug.nl/hpc/openstack-keystone:latest
+    docker_image: registry.webhosting.rug.nl/hpc/openstack-keystone-merlin:latest

 - name: pull docker image
  docker_image:
@ -57,7 +69,7 @@
             /usr/bin/docker run --rm
             --add-host=mariadb:{{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}
             -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys
-             -e "KEYSTONE_HOST={{ listen_ip | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
+             -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
             {{ docker_image }} keystone-manage {{ item }}
  with_items:
      - db_sync
@ -65,9 +77,9 @@
      - credential_setup --keystone-user keystone --keystone-group keystone
      - >
          bootstrap --bootstrap-password {{ secrets['OS_PASSWORD'] }}
-                    --bootstrap-admin-url http://{{ listen_ip | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}:35357/v3/
-                    --bootstrap-internal-url http://{{ listen_ip | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}:35357/v3/
-                    --bootstrap-public-url http://{{ listen_ip | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}:5000/v3/
+                    --bootstrap-admin-url https://{{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}:35357/v3/
+                    --bootstrap-internal-url https://{{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}:35357/v3/
+                    --bootstrap-public-url https://{{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}:5000/v3/
                    --bootstrap-region-id RegionOne
  # sometimes the initial connect fails.
  # Retry until it succeeds.
@ -86,8 +98,8 @@
             --add-host=mariadb:{{ listen_ip | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}
             -v /srv/keystone/fernet-keys:/etc/keystone/fernet-keys
             -v /srv/keystone/root:/root
-             -e "KEYSTONE_HOST={{ listen_ip | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
-             -e "OS_AUTH_URL=http://${KEYSTONE_HOST}:35357/v3"
+             -e "KEYSTONE_HOST={{ keystone_external_fqdn | default(hostvars[groups['keystone'][0]]['ansible_default_ipv4']['address']) }}"
+             -e "OS_AUTH_URL=https://${KEYSTONE_HOST}:35357/v3"
             -e "OS_PASSWORD={{ secrets['OS_PASSWORD'] }}"
             {{ docker_image }} bash /etc/bootstrap.sh
  register: result