Use path-mounted keystone when running in httpd

When running in httpd, keystone accepts requests on /identity and
/identity_v2_admin.

The path endpoints should be preferred over the ports so keystone
is configured to point applications to the path endpoints by
setting admin_endpoint and public_endpoint.

Change-Id: I34569b9e03c3f36748c92d803349e22a7ee1a633

files/apache-keystone.template

@@ -44,8 +44,8 @@ Alias /identity %KEYSTONE_BIN%/keystone-wsgi-public
     WSGIPassAuthorization On
 </Location>
 
-Alias /identity_admin %KEYSTONE_BIN%/keystone-wsgi-admin
+Alias /identity_v2_admin %KEYSTONE_BIN%/keystone-wsgi-admin
-<Location /identity_admin>
+<Location /identity_v2_admin>
     SetHandler wsgi-script
     Options +ExecCGI
 

lib/keystone

@@ -122,8 +122,14 @@ if is_ssl_enabled_service "key" || is_service_enabled tls-proxy; then
 fi
 
 # complete URIs
-KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
+if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
-KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
+    # If running in Apache, use path access rather than port.
+    KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}/identity_v2_admin
+    KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}/identity
+else
+    KEYSTONE_AUTH_URI=${KEYSTONE_AUTH_PROTOCOL}://${KEYSTONE_AUTH_HOST}:${KEYSTONE_AUTH_PORT}
+    KEYSTONE_SERVICE_URI=${KEYSTONE_SERVICE_PROTOCOL}://${KEYSTONE_SERVICE_HOST}:${KEYSTONE_SERVICE_PORT}
+fi
 
 # V3 URIs
 KEYSTONE_AUTH_URI_V3=$KEYSTONE_AUTH_URI/v3
@@ -259,7 +265,15 @@ function configure_keystone {
         # Set the service ports for a proxy to take the originals
         service_port=$KEYSTONE_SERVICE_PORT_INT
         auth_port=$KEYSTONE_AUTH_PORT_INT
+    fi
 
+    # Override the endpoints advertised by keystone (the public_endpoint and
+    # admin_endpoint) so that clients use the correct endpoint. By default, the
+    # keystone server uses the public_port and admin_port which isn't going to
+    # work when you want to use a different port (in the case of proxy), or you
+    # don't want the port (in the case of putting keystone on a path in
+    # apache).
+    if is_service_enabled tls-proxy || [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
         iniset $KEYSTONE_CONF DEFAULT public_endpoint $KEYSTONE_SERVICE_URI
         iniset $KEYSTONE_CONF DEFAULT admin_endpoint $KEYSTONE_AUTH_URI
     fi
@@ -582,7 +596,14 @@ function start_keystone {
     # Check that the keystone service is running. Even if the tls tunnel
     # should be enabled, make sure the internal port is checked using
     # unencryted traffic at this point.
-    if ! wait_for_service $SERVICE_TIMEOUT $auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/; then
+    # If running in Apache, use the path rather than port.
+
+    local service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST:$service_port/v$IDENTITY_API_VERSION/
+    if [ "$KEYSTONE_DEPLOY" == "mod_wsgi" ]; then
+        service_uri=$auth_protocol://$KEYSTONE_SERVICE_HOST/identity/v$IDENTITY_API_VERSION/
+    fi
+
+    if ! wait_for_service $SERVICE_TIMEOUT $service_uri; then
         die $LINENO "keystone did not start"
     fi
 
@@ -625,8 +646,8 @@ function bootstrap_keystone {
         --bootstrap-service-name keystone \
         --bootstrap-region-id "$REGION_NAME" \
         --bootstrap-admin-url "$KEYSTONE_AUTH_URI" \
-        --bootstrap-public-url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT" \
+        --bootstrap-public-url "$KEYSTONE_SERVICE_URI" \
-        --bootstrap-internal-url "$KEYSTONE_SERVICE_PROTOCOL://$KEYSTONE_SERVICE_HOST:$KEYSTONE_SERVICE_PORT"
+        --bootstrap-internal-url "$KEYSTONE_SERVICE_URI"
 }
 
 # Restore xtrace