Do not use a different port for Keystone admin endpoint
Docs and reno included. Change-Id: I5099b08953789b280c915a6b7a22bdd4e3404076
parent
118ca739e3
commit
42c2520144
@ -351,6 +351,8 @@ kafka_port: "9092"
|
||||
|
||||
keystone_public_port: "5000"
|
||||
keystone_public_listen_port: "{{ keystone_public_port }}"
|
||||
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
|
||||
# TODO(yoctozepto): Remove after Zed.
|
||||
keystone_admin_port: "35357"
|
||||
keystone_admin_listen_port: "{{ keystone_admin_port }}"
|
||||
keystone_ssh_port: "8023"
|
||||
@ -844,7 +846,7 @@ kibana_log_prefix: "flog"
|
||||
keystone_internal_fqdn: "{{ kolla_internal_fqdn }}"
|
||||
keystone_external_fqdn: "{{ kolla_external_fqdn }}"
|
||||
|
||||
keystone_admin_url: "{{ admin_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_admin_port }}"
|
||||
keystone_admin_url: "{{ admin_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
|
||||
keystone_internal_url: "{{ internal_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
|
||||
keystone_public_url: "{{ public_protocol }}://{{ keystone_external_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
|
||||
|
||||
|
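Review bot: `keystone_admin_url` now ends in `keystone_public_port`, but the NOTE on the retained `keystone_admin_port` and `keystone_admin_listen_port` variables in the first hunk does not say that they no longer feed any endpoint URL. An operator who overrides `keystone_admin_port`, or who filters access with a rule written for that port, gets no hint that admin-interface traffic now arrives on the public port of the internal FQDN. I would add a comment above the URL such as `# NOTE: the admin endpoint deliberately shares keystone_public_port; keystone_admin_port is only bound during upgrade.` Any port-based filtering that was written for the admin port should be reviewed alongside this change.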
@ -5,7 +5,7 @@ transport_url = {{ rpc_transport_url }}
|
||||
host = {{ api_interface_address }}
|
||||
port = {{ blazar_api_port }}
|
||||
os_auth_host = {{ keystone_internal_fqdn }}
|
||||
os_auth_port = {{ keystone_admin_port }}
|
||||
os_auth_port = {{ keystone_public_port }}
|
||||
os_auth_protocol = {{ admin_protocol }}
|
||||
os_auth_version = v3
|
||||
os_admin_username = {{ blazar_keystone_user }}
|
||||
|
@ -25,8 +25,10 @@ keystone_services:
|
||||
port: "{{ keystone_public_port }}"
|
||||
listen_port: "{{ keystone_public_listen_port }}"
|
||||
backend_http_extra: "{{ ['balance source'] if enable_keystone_federation | bool else [] }}"
|
||||
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
|
||||
# TODO(yoctozepto): Remove after Zed.
|
||||
keystone_admin:
|
||||
enabled: "{{ enable_keystone }}"
|
||||
enabled: "{{ enable_keystone and kolla_action == 'upgrade' }}"
|
||||
mode: "http"
|
||||
external: false
|
||||
tls_backend: "{{ keystone_enable_tls_backend }}"
|
||||
|
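Review bot: The new `enabled` expression on `keystone_admin` uses a plain Jinja `and` without casting `enable_keystone`, so a non-empty string value such as "no" would be truthy and the result would follow `kolla_action == 'upgrade'` alone. Other conditions on this page cast first (`enable_keystone | bool` in the load balancer prechecks, `enable_keystone_federation | bool` a few lines above). I would write `enabled: "{{ enable_keystone | bool and kolla_action == 'upgrade' }}"` so the admin service entry cannot be switched on during an upgrade of a deployment where Keystone is disabled. Whether `enable_keystone` can reach this point as a string depends on definitions outside the hunk.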
@ -13,17 +13,6 @@
|
||||
- keystone_ssh
|
||||
register: container_facts
|
||||
|
||||
- name: Checking free port for Keystone Admin
|
||||
wait_for:
|
||||
host: "{{ api_interface_address }}"
|
||||
port: "{{ keystone_admin_listen_port }}"
|
||||
connect_timeout: 1
|
||||
timeout: 1
|
||||
state: stopped
|
||||
when:
|
||||
- container_facts['keystone'] is not defined
|
||||
- inventory_hostname in groups['keystone']
|
||||
|
||||
- name: Checking free port for Keystone Public
|
||||
wait_for:
|
||||
host: "{{ api_interface_address }}"
|
||||
|
@ -8,7 +8,11 @@ LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
||||
{% endif %}
|
||||
{% endif %}
|
||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}
|
||||
{% if kolla_action == 'upgrade' %}
|
||||
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
|
||||
# TODO(yoctozepto): Remove after Zed.
|
||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }}
|
||||
{% endif %}
|
||||
|
||||
ServerSignature Off
|
||||
ServerTokens Prod
|
||||
@ -104,6 +108,9 @@ LogLevel info
|
||||
{% endif %}
|
||||
</VirtualHost>
|
||||
|
||||
{% if kolla_action == 'upgrade' %}
|
||||
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
|
||||
# TODO(yoctozepto): Remove after Zed.
|
||||
<VirtualHost *:{{ keystone_admin_listen_port }}>
|
||||
WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-admin
|
||||
WSGIProcessGroup keystone-admin
|
||||
@ -123,3 +130,4 @@ LogLevel info
|
||||
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
|
||||
{% endif %}
|
||||
</VirtualHost>
|
||||
{% endif %}
|
||||
|
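Review bot: The admin `Listen` and `<VirtualHost>` are rendered whenever `kolla_action == 'upgrade'`, so after an upgrade the admin port stays bound until another action renders the template again; the NOTE lines in the first and second hunks do not say that. I would extend the comment to something like `# NOTE(yoctozepto): Kept only for upgrade compatibility; this listener stays until 'kolla-ansible deploy --tags keystone' re-renders the file.` That makes a listener found on the admin port after the upgrade recognisable as expected but temporary, rather than as configuration drift. The `<VirtualHost>` body runs between the second and third hunks and is only partly visible here.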
@ -404,19 +404,6 @@
|
||||
- haproxy_stat.find('ironic_inspector') == -1
|
||||
- haproxy_vip_prechecks
|
||||
|
||||
- name: Checking free port for Keystone Admin HAProxy
|
||||
wait_for:
|
||||
host: "{{ kolla_internal_vip_address }}"
|
||||
port: "{{ keystone_admin_port }}"
|
||||
connect_timeout: 1
|
||||
timeout: 1
|
||||
state: stopped
|
||||
when:
|
||||
- enable_keystone | bool
|
||||
- inventory_hostname in groups['loadbalancer']
|
||||
- haproxy_stat.find('keystone_admin') == -1
|
||||
- haproxy_vip_prechecks
|
||||
|
||||
- name: Checking free port for Keystone Internal HAProxy
|
||||
wait_for:
|
||||
host: "{{ kolla_internal_vip_address }}"
|
||||
|
@ -23,7 +23,7 @@ cafile = {{ openstack_cacert }}
|
||||
project_name = service
|
||||
password = {{ venus_keystone_password }}
|
||||
username = {{ venus_keystone_user }}
|
||||
auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
|
||||
auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = {{ default_user_domain_id }}
|
||||
auth_type = password
|
||||
|
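Review bot: The new `auth_url` builds the address from `kolla_internal_fqdn` without the `put_address_in_context('url')` filter that `keystone_internal_url` applies in the group variables, so an IPv6 literal would presumably end up unbracketed in front of the port. Since `keystone_internal_fqdn` is defined as `kolla_internal_fqdn` and the protocol and port already match, `auth_url = {{ keystone_internal_url }}` gives the same endpoint. It also removes one more hand-built Keystone URL that has to be found the next time a port changes.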
@ -69,7 +69,7 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
|
||||
|
||||
kolla_internal_fqdn_r1: 10.10.10.254
|
||||
|
||||
keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}"
|
||||
keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
||||
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
||||
|
||||
openstack_auth:
|
||||
|
@ -189,6 +189,23 @@ After this command is complete, the containers will have been recreated from
|
||||
the new images and all database schema upgrades and similar actions performed
|
||||
for you.
|
||||
|
||||
Cleanup the Keystone admin port (Zed only)
|
||||
------------------------------------------
|
||||
|
||||
The Keystone admin port is no longer used in Zed. The admin interface points
|
||||
to the common port. However, during upgrade, the port is preserved for
|
||||
intermediate compatibility. To clean up the port, it is necessary to run
|
||||
the ``deploy`` action for Keystone. Additionally, the generated
|
||||
``admin-openrc.sh`` file may need regeneration as it used the admin
|
||||
port:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
kolla-ansible deploy --tags keystone
|
||||
kolla-ansible post-deploy
|
||||
|
||||
After these commands are complete, there are no leftovers of the admin port.
|
||||
|
||||
Tips and Tricks
|
||||
~~~~~~~~~~~~~~~
|
||||
|
||||
|
@ -0,0 +1,8 @@
|
||||
---
|
||||
upgrade:
|
||||
- |
|
||||
Keystone's admin interface no longer points to a separate port.
|
||||
On upgrade, the port is preserved to maintain the intermediate
|
||||
compatibility. Users are advised to run the deploy and post-deploy
|
||||
commands afterwards to ensure port's cleanup.
|
||||
For more information, please refer to the docs.
|
@ -13,6 +13,11 @@ function upgrade {
|
||||
kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks
|
||||
kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade
|
||||
kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade
|
||||
|
||||
# NOTE(yoctozepto): These actions remove the leftovers of the admin port.
|
||||
# TODO(yoctozepto): Remove after Zed.
|
||||
kolla-ansible -i ${RAW_INVENTORY} -vvv deploy --tags keystone &> /tmp/logs/ansible/upgrade-deploy
|
||||
kolla-ansible -i ${RAW_INVENTORY} -vvv post-deploy &> /tmp/logs/ansible/upgrade-post-deploy
|
||||
}
|
||||
|
||||
|
||||
|
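Review bot: The two added commands run the cleanup, but nothing in `upgrade` checks that the admin port is actually closed afterwards, so a regression that leaves the listener in place would still pass. A check after the `post-deploy` line that fails when something still listens on the admin port, for example `! ss -ltn | grep -q ':35357 '`, would turn the documented cleanup into a tested guarantee. The function starts outside the hunk, so whether a failure of these commands already aborts the run (for instance through `set -o errexit`) is not visible here.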