This change adds Federation support via OpenIDC. This is the first part
of the needed support to enable federated identity in Sunbeam. The following
items have been addressed in this PR:

Keystone:
* Implemented the oauth requirer relation which enables the oidc integration.
* The implementation supports relations to multiple oauth providers.
* Added a new template that generates the proper OIDC configuration parameters.
* The receive-ca-cert relation has been implemented. This relation is needed
for situations in which we want to relate keystone to Canonical Identity
Platform, or some other IDP that has its own certificate authority deployed
in another model.
* Certificates uploaded to keystone via the add-ca-cert action and certificates
that come in via receive-ca-cert are now added to the system certificate store
in the keystone container. This was needed due to the fact that apache2 needs
to trust the remote IDP in order to fetch the jwks URL and validate bearer tokens.
We also need to continue trusting other IDPs that use certificates signed by
CAs already present in the system CA store.
* Added a new require trusted-dashboard relation that integrates a dashboard
with keystone.

Horizon:
* Added a new provides trusted-dashboard relation. This will integrate horizon
as a trusted dashboard for federated identity.
* Enable SSL settings in horizon's local_settings.py. This includes enabling the
SECURE_PROXY_SSL_HEADER option that looks for HTTP_X_FORWARDED_PROTO to determine
whether or not horizon is being accessed over TLS.
* Make sure the public and internal URLs are set in CSRF_TRUSTED_ORIGINS. Otherwise
a CSRF token validation error may appear during login, regardless of the authentication
method used (keystone credentials or federated identity).
Change-Id: I3b579e9e936e73cd83c06575b13b95339c6fa257
Signed-off-by: Gabriel Adrian Samfira <gsamfira@cloudbasesolutions.com>
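The two Django settings the Horizon part of this change touches, shown as an added example that is not code from this change or from the Sunbeam charms: a small model of how SECURE_PROXY_SSL_HEADER decides the request scheme, and a helper that derives CSRF_TRUSTED_ORIGINS entries from endpoint URLs. The function names and the sample URLs are assumptions for illustration.

```python
"""Added example, not Sunbeam or Django code. Models the two local_settings.py
settings discussed above; function names and sample URLs are illustrative."""
from urllib.parse import urlsplit

# Same shape as the Django setting: (WSGI header name, value meaning "TLS").
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")


def is_secure_request(environ: dict) -> bool:
    """Modelled on Django's HttpRequest.scheme when SECURE_PROXY_SSL_HEADER
    is set: if the proxy header is present it decides the scheme (first
    value of a comma-separated list wins); otherwise fall back to the WSGI
    scheme. This only stays safe when the reverse proxy in front of horizon
    always overwrites X-Forwarded-Proto, so clients cannot supply it."""
    header, secure_value = SECURE_PROXY_SSL_HEADER
    header_value = environ.get(header)
    if header_value is not None:
        first, *_ = header_value.split(",", 1)
        return first.strip() == secure_value
    return environ.get("wsgi.url_scheme") == "https"


def csrf_trusted_origins(urls) -> list:
    """Turn endpoint URLs (e.g. keystone's public and internal horizon URLs)
    into the scheme://host[:port] origins Django expects in
    CSRF_TRUSTED_ORIGINS. Paths are dropped, duplicates removed, order kept.
    Raises ValueError for anything that is not an absolute URL."""
    origins = []
    for url in urls:
        parts = urlsplit(url)
        if not parts.scheme or not parts.netloc:
            raise ValueError("not an absolute URL: %r" % (url,))
        origin = "%s://%s" % (parts.scheme, parts.netloc)
        if origin not in origins:
            origins.append(origin)
    return origins


def origin_is_trusted(origin_header: str, trusted: list) -> bool:
    """Exact-match check of a request's Origin header against the trusted
    list; this is the comparison that fails with a CSRF error when the
    public/internal URLs are missing from CSRF_TRUSTED_ORIGINS."""
    return origin_header in trusted


if __name__ == "__main__":
    # Constructed sample values, standing in for a deployment's endpoints.
    trusted = csrf_trusted_origins(
        ["https://horizon.example.test/", "http://10.20.21.5:80/auth/login/"])
    print(trusted)
    print(is_secure_request({"HTTP_X_FORWARDED_PROTO": "https"}))
```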