Playbook #4
/home/zuul/src/opendev.org/openstack/openstack-ansible/playbooks/setup-openstack.yml
Execution
Date 08 Dec 2025 13:57:07 +0000
Duration 00:24:46.17
Controller aio1.openstack.local
User root
Versions
Ansible 2.18.6
ara 1.7.4 / 1.7.4
Python 3.12.11
Summary
12 Hosts
1505 Tasks
1497 Results
32 Plays
487 Files
0 Records
check:False tags:all

File: /home/zuul/src/opendev.org/openstack/openstack-ansible-os_keystone/tasks/keystone_apache.yml

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
---
# Copyright 2014, Rackspace US, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

- name: Clean-up old vhost files
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop: "{{ keystone_deprecated_apache_configs }}"

- name: Including HTTPD role
  ansible.builtin.import_role:
    name: httpd
  vars:
    httpd_pki_dir: "{{ keystone_pki_dir }}"
    httpd_pki_setup_host: "{{ keystone_pki_setup_host }}"
    httpd_ssl_protocol: "{{ keystone_ssl_protocol }}"
    httpd_ssl_cipher_suite_tls12: "{{ keystone_ssl_cipher_suite_tls12 }}"
    httpd_ssl_cipher_suite_tls13: "{{ keystone_ssl_cipher_suite_tls13 }}"
    httpd_pki_regen_cert: "{{ keystone_pki_regen_cert }}"
    httpd_extra_packages: "{{ keystone_sp_apache_mod_packages | selectattr('state', 'eq', 'present') | map(attribute='name') }}"
    httpd_extra_modules: "{{ keystone_apache_modules }}"
    httpd_vhosts:
      - name: openstack_keystone
        address: "{{ keystone_web_server_bind_address }}"
        port: "{{ keystone_service_port }}"
        log_level: "{{  keystone_apache_log_level }}"
        log_format: "{{ keystone_apache_custom_log_format }}"
        server_name: "{{ ansible_facts['hostname'] }}"
        headers:
          - 'Header set X-Content-Type-Options "nosniff"'
          - 'Header set X-XSS-Protection "1; mode=block"'
          - >-
            Header set Content-Security-Policy "default-src 'self' https: wss:;"
          - >-
            {% set scp_script_src = "script-src 'sha256-oBahlBFQem+nMs1JwgcBB03Hy8nRh5e8qEGTOcxmAuM=';" -%}
            {{ (keystone_sp != {}) | ternary('Header set Content-Security-Policy "' ~ scp_script_src ~ '"', '') }}
          - "Header set X-Frame-Options {{ keystone_x_frame_options | default('DENY') }}"
        options: |-
          {% set options = _keystone_httpd_base_options %}
          {% if keystone_sp_apache_mod_auth_openidc %}
          {%   set _ = options.extend(_keystone_httpd_openidc_options) %}
          {% endif %}
          {% if keystone_sp_apache_mod_shib %}
          {%   set _ = options.extend(_keystone_httpd_shib_options) %}
          {% endif %}
          {% set _ = options.append('ProxyPass / uwsgi://127.0.0.1:' ~ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] ~ '/') %}
          {{ options }}
        locations: |-
          {% set locations = [] %}
          {% if keystone_sp_apache_mod_auth_openidc %}
          {%   set _ = locations.extend(_keystone_httpd_openidc_locations) %}
          {% endif %}
          {% if keystone_sp_apache_mod_shib %}
          {%   set _ = locations.extend(_keystone_httpd_shib_locations) %}
          {% endif %}
          {{ locations }}
        directories: "{{ (keystone_sp != {}) | ternary(_keystone_httpd_sp_directories, []) }}"
        ssl: "{{ keystone_backend_ssl | ternary(_keystone_httpd_vhost_ssl, false) }}"
  tags:
    - horizon-install
    - horizon-config
    - httpd