Implement SSL configuration for Tendrl [blocked]

[mbukatov]

tendrl-ansible is expected to handle deployment of ssl as described in Tendrl/api#264

• explore the default cert approach
• allow admin to provide their own ssl certificate
• implement reconfiguration, or disabling ssl setup
• implement the grafana related setup (see Issues section below)
• documentation update

Questions about related changes

Unification related to non ssl setup:

• In tendrl-ssl.conf we setup ip address of apache virtual host, but in non ssl setup we just seem to listed on all interfaces. Would it make sense to unify this and set the ip address there as well?
  • actually @dahorak suggests to not specify ip address for ssl setup: work in progress: ssl configuration for Tendrl [blocked] #46 (comment)
  • but using * alone breaks the setup (tendrl ui is not reachable)
  • we can consider specifying ip address for non ssl setup, but that would make such setup more complicated

Questions to figure out:

• Should I validate that lookup('dig', httpd_server_name) == httpd_ip_address ? Probably not.
  • Moreover if @dahorak 's suggestion to drop ip address in virtual hosts is used, this check would not be needed
• Is reconfiguration (eg. turning ssl on and off) required? Yes.
• Shipping the default config as an ansible template would may be easier wrt ansible, but it would hide the configuration away from both developers and admin/users of tendrl, moreover it would make manual tweaks harder. For these reason, we will keep the sample ssl config in tendrl-api-httpd package.

Issues blocking merging of this feature

• grafana web works over ssl as well, reported as Grafana Dashboards are not using SSL when SSL is configured for Tendrl api#303
• IP address is not present in url of redirect requests: Sample SSL configuration redirects to ip address api#302
• In tendrl-ssl.conf we specify ServerName as fqdn, but in non ssl setup, we just leave this with default tendrl value, see: What should we do with ServerName value in /etc/httpd/conf.d/tendrl.conf? api#217 This should be unified.
• tendrl web - grafana authentication

[mbukatov]

@dahorak fyi

[mbukatov]

Partial https setup is drafted in https://github.com/Tendrl/documentation/wiki/Enabling-Https-on-tendrl-server, but note the known limitations, which includes missing authentication between grafana and tendrl web. Until all remaining gaps are addressed, it doesn't make sense to include any ssl setup into tendrl-ansible.

See also: https://github.com/Tendrl/documentation/wiki/SSL-Configuration-for-Tendrl