diff --git a/defaults/main.yml b/defaults/main.yml
index ac118388..302c2278 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -365,9 +365,6 @@ keystone_ssl_cipher_suite_tls13: >-
 # keystone_user_ssl_key:
 # keystone_user_ssl_ca_cert:
-# Set to true when terminating SSL/TLS at a load balancer
-keystone_external_ssl: "{{ (haproxy_ssl | default(True)) | bool }}"
-
 # External SSL forwarding proto
 keystone_secure_proxy_ssl_header: X-Forwarded-Proto
diff --git a/releasenotes/notes/keystone_external_ssl-removal-5d972299f98dcc32.yaml b/releasenotes/notes/keystone_external_ssl-removal-5d972299f98dcc32.yaml
new file mode 100644
index 00000000..521d9635
--- /dev/null
+++ b/releasenotes/notes/keystone_external_ssl-removal-5d972299f98dcc32.yaml
@@ -0,0 +1,8 @@
+---
+deprecations:
+ - |
+ The variable ``keystone_external_ssl`` was deprecated and is no longer used.
+ You still can control if communication between HAProxy and Keystone should
+ be covered with TLS through ``keystone_backend_ssl`` or
+ ``haproxy_ssl``/``haproxy_ssl_all_vips`` for communication between clients
+ and HAProxy on frontend.
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 918eb511..0bbbacc3 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -20,12 +20,6 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
 {% endif -%}
 Header set X-Frame-Options "{{ keystone_x_frame_options | default ('DENY') }}"
- {% if (keystone_external_ssl | bool) %}
- RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"
- {% else %}
- RequestHeader set {{ keystone_secure_proxy_ssl_header }} "http"
- {% endif %}
-
 {% if keystone_backend_ssl | bool -%}
 SSLEngine on
 SSLCertificateFile {{ keystone_ssl_cert }}
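Review bot: Removing the `RequestHeader set {{ keystone_secure_proxy_ssl_header }} "https"/"http"` lines in templates/keystone-httpd.conf.j2 means Apache no longer overwrites the forwarded-proto header, so whatever value arrives at keystone's listener is the one keystone's proxy-header handling will trust; this diff does not show the HAProxy side setting or overriding that header, so that should be confirmed before merging. If any path reaches the keystone backend without passing through HAProxy, a caller-supplied header would now be accepted as-is, which presumably affects the scheme keystone uses in the URLs it generates. The defaults/main.yml hunk keeps `keystone_secure_proxy_ssl_header` while the only use visible in this diff is deleted; if nothing else reads it, either drop it or document the new expectation above it, e.g. `# Header keystone trusts for the original request scheme; the proxy in front of keystone must set it`. The release note could also tell operators who had set `keystone_external_ssl: false` what replaces that behaviour, since the deprecation text only names the backend and HAProxy TLS toggles.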