From ee32736c1575500e374acdfb6067fd8d0950fdd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= <radoslaw.piliszek@gmail.com>
Date: Sat, 28 May 2022 18:39:04 +0200
Subject: [PATCH] Make Keystone admin endpoint creation optional

The admin endpoint is still registered during upgrade so that the upgrade
can complete: registering it allows the previous admin endpoint entry to be
rewritten to the new one (same port as the public/internal endpoints).

Change-Id: I1c16892bab67f281d539843f1f0fa658df1c4874
Depends-On: https://review.opendev.org/c/openstack/kolla/+/854837
---
 ansible/roles/keystone/defaults/main.yml            | 13 +++++++++----
 ansible/roles/keystone/tasks/register.yml           |  2 +-
 ansible/roles/keystone/tasks/upgrade.yml            | 11 +++++++++++
 ...ne-admin-endpoint-optional-8eb8c9a18085d64e.yaml |  9 +++++++++
 4 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml

diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index c07c0b1fc0..f612c48e7c 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -195,14 +195,19 @@ keystone_enabled_notification_topics: "{{ keystone_notification_topics | selecta
 ####################
 # Keystone
 ####################
+keystone_service_endpoints:
+  - {'interface': 'internal', 'url': '{{ keystone_internal_url }}'}
+  - {'interface': 'public', 'url': '{{ keystone_public_url }}'}
+
+# TODO(yoctozepto): Remove admin_endpoint leftovers in Antelope (2023.1).
+keystone_service_admin_endpoint: {'interface': 'admin', 'url': '{{ keystone_internal_url }}'}
+keystone_create_admin_endpoint: false
+
 keystone_ks_services:
   - name: "keystone"
     type: "identity"
     description: "Openstack Identity Service"
-    endpoints:
-      - {'interface': 'admin', 'url': '{{ keystone_internal_url }}'}
-      - {'interface': 'internal', 'url': '{{ keystone_internal_url }}'}
-      - {'interface': 'public', 'url': '{{ keystone_public_url }}'}
+    endpoints: "{{ keystone_service_endpoints + ([keystone_service_admin_endpoint] if kolla_action == 'upgrade' or keystone_create_admin_endpoint | bool else []) }}"
 
 ####################
 # TLS
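Review bot: The new default `keystone_create_admin_endpoint: false` does not remove an `admin` endpoint that an earlier deployment already registered; the list built on the `endpoints:` line appears to drive only what `service-ks-register` creates or updates (that role is not in this patch), and the release note tells operators to delete the leftover by hand. A comment on the variable should state that, otherwise an operator reading the default will assume the catalog entry is gone: `# Setting this to false does not remove an already-registered admin endpoint; delete it manually after the upgrade completes.`. The `kolla_action == 'upgrade'` term in the endpoints expression also deserves a why-comment here, since the reason (the entry must be rewritten to the new port during upgrade) is only stated in upgrade.yml and the commit message, e.g. `# On upgrade the admin endpoint is always passed so its URL/port is rewritten, regardless of the flag.`.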
diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml
index 1afb3fce71..90b0457795 100644
--- a/ansible/roles/keystone/tasks/register.yml
+++ b/ansible/roles/keystone/tasks/register.yml
@@ -4,7 +4,7 @@
   command: >
     docker exec keystone kolla_keystone_bootstrap
     {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }}
-    admin {{ keystone_internal_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
+    admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}
   register: keystone_bootstrap
   changed_when: (keystone_bootstrap.stdout | from_json).changed
   failed_when: (keystone_bootstrap.stdout | from_json).failed
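Review bot: The positional argument list on the new `admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}` line is now coupled to the companion kolla change that drops the admin URL from `kolla_keystone_bootstrap`; run against an image built before that change, every argument after the role shifts by one and the only signal is whatever the `failed_when`/`changed_when` JSON parse reports. Add a comment above `command:` pinning the contract, e.g. `# Argument order must match kolla_keystone_bootstrap after kolla change 854837 (admin URL argument removed).`. The task's `name` and any `no_log` setting start outside the hunk; since `{{ openstack_auth.password }}` is still passed as a command-line argument, confirm the task sets `no_log: true` so the password does not reach the Ansible log.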
diff --git a/ansible/roles/keystone/tasks/upgrade.yml b/ansible/roles/keystone/tasks/upgrade.yml
index 7a1df217d6..af68e54600 100644
--- a/ansible/roles/keystone/tasks/upgrade.yml
+++ b/ansible/roles/keystone/tasks/upgrade.yml
@@ -47,3 +47,14 @@
   when:
     - inventory_hostname == groups['keystone'][-1]
     - not use_preconfigured_databases | bool
+
+# TODO(yoctozepto): Remove after Zed (in AA).
+# This is needed to update the admin endpoint as the port has
+# changed in the same release (Zed), i.e., the admin endpoint uses the
+# same port as the other ones (public, internal).
+- import_role:
+    name: service-ks-register
+  vars:
+    service_ks_register_auth: "{{ openstack_keystone_auth }}"
+    service_ks_register_services: "{{ keystone_ks_services }}"
+  run_once: True
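Review bot: `run_once: True` should be `run_once: true`; Ansible and yamllint's `truthy` rule expect lowercase booleans, and the rest of this patch (`keystone_create_admin_endpoint: false`) already uses them. The removal target in the new comment ("Remove after Zed (in AA)") also disagrees with the one in defaults/main.yml ("Remove ... in Antelope (2023.1)"); name the release the same way in both places so the two TODOs are found together. Finally, this import only rewrites the admin endpoint because `keystone_ks_services` is evaluated lazily with `kolla_action == 'upgrade'` true, so a one-line comment such as `# keystone_ks_services includes the admin endpoint whenever kolla_action == 'upgrade'.` would save the next reader from wondering why the admin endpoint is registered here despite the new default.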
diff --git a/releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml b/releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml
new file mode 100644
index 0000000000..15833be612
--- /dev/null
+++ b/releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+  - |
+    The Keystone's admin endpoint is no longer created by default. Operators
+    of existing deployments may wish to remove it after the upgrade
+    completes. Operators having external services relying on the availability
+    of the Keystone's admin endpoint may set ``keystone_create_admin_endpoint``
+    to ``true`` to keep creating the admin endpoint but such support will
+    be removed after Zed.