Allow setting up ldap backend TLS certs
diff --git a/keystone/files/keystone.domain.conf b/keystone/files/keystone.domain.conf
index d87b6d9..9d4a571 100644
--- a/keystone/files/keystone.domain.conf
+++ b/keystone/files/keystone.domain.conf
@@ -32,12 +32,26 @@
group_allow_update = false
group_allow_delete = false
-{%- if domain.ldap.get("tls", {}).get("enabled", False) %}
+{%- if domain.ldap.tls is defined %}
+
+{%- if domain.ldap.tls.get("enabled", False) %}
use_tls = true
-{%- if domain.ldap.tls.cacertfile is defined %}
-tls_cacertfile = /etc/ipa/ca.crt
{%- endif %}
+
+{%- if domain.ldap.tls.cacertdir is defined %}
+tls_cacertdir = {{ domain.ldap.tls.cacertdir }}
{%- endif %}
+
+{%- if domain.ldap.tls.cacert is defined %}
+tls_cacertfile = /etc/keystone/domains/{{ domain_name }}.pem
+{%- elif domain.ldap.tls.cacertfile is defined %}
+tls_cacertfile = {{ domain.ldap.tls.cacertfile }}
+{%- endif %}
+
+{%- if domain.ldap.tls.req_cert is defined %}
+tls_req_cert = {{ domain.ldap.tls.req_cert }}
+{%- endif %}
+
{%- endif %}
[identity]
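Review bot: The new `tls_req_cert` line passes the pillar value straight through, so a pillar of `allow` or `never` silently disables verification of the LDAP server's certificate even though `use_tls = true` is set; since the rendered config gives no hint of this, a template comment above `tls_req_cert` would help, e.g. `{#- tls_req_cert: demand (Keystone default) verifies the server cert; allow/never skip verification and should only be used for debugging #}`. The meaning of `cacertfile` also changes: before this hunk its presence selected the fixed path `/etc/ipa/ca.crt`, while now its value is written as the path, so any pillar that set it as a flag (e.g. `cacertfile: true`) would presumably render `tls_cacertfile = True` after this change — worth calling out in the commit message or handling with a `{%- elif domain.ldap.tls.cacertfile is sameas true %}` branch that keeps the old path. Note that `tls_cacertdir`, `tls_cacertfile` and `tls_req_cert` are emitted even when `enabled` is false, which is harmless but slightly misleading when reading the rendered file.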
diff --git a/keystone/server.sls b/keystone/server.sls
index 6173ec6..d87c9c2 100644
--- a/keystone/server.sls
+++ b/keystone/server.sls
@@ -74,6 +74,17 @@
- defaults:
domain_name: {{ domain_name }}
+{%- if domain.ldap.tls.cacert is defined %}
+keystone_domain_{{ domain_name }}_cacert:
+ file.managed:
+ - name: /etc/keystone/domains/{{ domain_name }}.pem
+ - contents_pillar: keystone:server:domain:{{ domain_name }}:tls:cacert
+ - require:
+ - file: /etc/keystone/domains
+ - watch_in:
+ - service: keystone_service
+{%- endif %}
+
keystone_domain_{{ domain_name }}:
cmd.run:
- name: source /root/keystonercv3 && openstack domain create --description "{{ domain.description }}" {{ domain_name }}
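Review bot: The `contents_pillar` path `keystone:server:domain:{{ domain_name }}:tls:cacert` does not match the condition guarding the state, which reads `domain.ldap.tls.cacert`; if `domain` is the `keystone:server:domain:<name>` mapping (as the `domain.description` usage below suggests), the pillar key should be `keystone:server:domain:{{ domain_name }}:ldap:tls:cacert`, otherwise `file.managed` fails with a missing-pillar error for every domain that sets `cacert`. The guard itself is also less defensive than the one in keystone.domain.conf: `domain.ldap.tls.cacert is defined` dereferences `ldap` and `tls` unconditionally, so for a domain pillar with no `ldap` or `tls` key the render may raise rather than skip; `{%- if domain.get("ldap", {}).get("tls", {}).get("cacert") is defined %}` avoids that. Consider also pinning `- mode: 644` and `- user: root` on the PEM so the CA bundle stays world-readable for the keystone process regardless of umask.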