Change keystone admin/internal insecure flags

Fixing logic introduced in commit I921031c676776884cb121a7914fcd9c505345e67 and documented the case where a deployer provides certs from a non globally valid CA. Change-Id: Ie0c2cac7ffd190c76acb9b4e650199dcdf724c4c
openstack · Apr 22, 2016 · 8387b68 · 8387b68
1 parent 6cb2ba7
commit 8387b68
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/doc/source/install-guide/configure-keystone.rst b/doc/source/install-guide/configure-keystone.rst
@@ -21,6 +21,11 @@ provide their own certificates by using the following Ansible variables in
     keystone_user_ssl_key:           # Path to private key
     keystone_user_ssl_ca_cert:       # Path to CA certificate
 
+.. note:: If the deployer is providing certificate, key, and ca file for a
+   CA without chain of trust (or an invalid/self-generated ca), the variables
+   `keystone_service_internaluri_insecure` and
+   `keystone_service_adminuri_insecure` should be set to True.
+
 Refer to `Securing services with SSL certificates`_ for more information on
 these configuration options and how deployers can provide their own
 certificates and keys to use with Keystone.

diff --git a/playbooks/inventory/group_vars/hosts.yml b/playbooks/inventory/group_vars/hosts.yml
@@ -199,8 +199,8 @@ keystone_service_region: "{{ service_region }}"
 keystone_rabbitmq_userid: keystone
 keystone_rabbitmq_vhost: /keystone
 
-keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_ssl_cert is not defined or haproxy_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
-keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_ssl_cert is not defined or haproxy_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
+keystone_service_internaluri_insecure: "{% if keystone_service_internaluri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
+keystone_service_adminuri_insecure: "{% if keystone_service_adminuri_proto == 'https' and (keystone_user_ssl_cert is not defined or haproxy_user_ssl_cert is not defined) | bool %}true{% else %}false{% endif %}"
 
 keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"