Do not use a different port for Keystone admin endpoint
Docs and reno included. Change-Id: I5099b08953789b280c915a6b7a22bdd4e3404076
parent
118ca739e3
commit
42c2520144
@ -351,6 +351,8 @@ kafka_port: "9092"
|
|||||||
|
|
||||||
keystone_public_port: "5000"
|
keystone_public_port: "5000"
|
||||||
keystone_public_listen_port: "{{ keystone_public_port }}"
|
keystone_public_listen_port: "{{ keystone_public_port }}"
|
||||||
|
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
|
||||||
|
# TODO(yoctozepto): Remove after Zed.
|
||||||
keystone_admin_port: "35357"
|
keystone_admin_port: "35357"
|
||||||
keystone_admin_listen_port: "{{ keystone_admin_port }}"
|
keystone_admin_listen_port: "{{ keystone_admin_port }}"
|
||||||
keystone_ssh_port: "8023"
|
keystone_ssh_port: "8023"
|
||||||
@ -844,7 +846,7 @@ kibana_log_prefix: "flog"
|
|||||||
keystone_internal_fqdn: "{{ kolla_internal_fqdn }}"
|
keystone_internal_fqdn: "{{ kolla_internal_fqdn }}"
|
||||||
keystone_external_fqdn: "{{ kolla_external_fqdn }}"
|
keystone_external_fqdn: "{{ kolla_external_fqdn }}"
|
||||||
|
|
||||||
keystone_admin_url: "{{ admin_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_admin_port }}"
|
keystone_admin_url: "{{ admin_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
|
||||||
keystone_internal_url: "{{ internal_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
|
keystone_internal_url: "{{ internal_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
|
||||||
keystone_public_url: "{{ public_protocol }}://{{ keystone_external_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
|
keystone_public_url: "{{ public_protocol }}://{{ keystone_external_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
|
||||||
|
|
||||||
|
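Review bot: `keystone_admin_url` on the new side still takes its scheme from `admin_protocol` while its port is now `keystone_public_port`, the same port that `keystone_internal_url` reaches with `internal_protocol`. If a deployment overrides the two protocol variables to different values (their definitions are outside this hunk), the admin URL would address the shared listener with the wrong scheme, and a mismatch towards plain HTTP would carry Keystone credentials unencrypted. The same pairing appears in the blazar hunk (`os_auth_port = {{ keystone_public_port }}` next to `os_auth_protocol = {{ admin_protocol }}`) and in the multi-region doc example. A comment above the line, such as `# admin_protocol must equal internal_protocol: both URLs now share keystone_public_port`, or a precheck comparing the two, would make the constraint visible.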
@ -5,7 +5,7 @@ transport_url = {{ rpc_transport_url }}
|
|||||||
host = {{ api_interface_address }}
|
host = {{ api_interface_address }}
|
||||||
port = {{ blazar_api_port }}
|
port = {{ blazar_api_port }}
|
||||||
os_auth_host = {{ keystone_internal_fqdn }}
|
os_auth_host = {{ keystone_internal_fqdn }}
|
||||||
os_auth_port = {{ keystone_admin_port }}
|
os_auth_port = {{ keystone_public_port }}
|
||||||
os_auth_protocol = {{ admin_protocol }}
|
os_auth_protocol = {{ admin_protocol }}
|
||||||
os_auth_version = v3
|
os_auth_version = v3
|
||||||
os_admin_username = {{ blazar_keystone_user }}
|
os_admin_username = {{ blazar_keystone_user }}
|
||||||
|
@ -25,8 +25,10 @@ keystone_services:
|
|||||||
port: "{{ keystone_public_port }}"
|
port: "{{ keystone_public_port }}"
|
||||||
listen_port: "{{ keystone_public_listen_port }}"
|
listen_port: "{{ keystone_public_listen_port }}"
|
||||||
backend_http_extra: "{{ ['balance source'] if enable_keystone_federation | bool else [] }}"
|
backend_http_extra: "{{ ['balance source'] if enable_keystone_federation | bool else [] }}"
|
||||||
|
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
|
||||||
|
# TODO(yoctozepto): Remove after Zed.
|
||||||
keystone_admin:
|
keystone_admin:
|
||||||
enabled: "{{ enable_keystone }}"
|
enabled: "{{ enable_keystone and kolla_action == 'upgrade' }}"
|
||||||
mode: "http"
|
mode: "http"
|
||||||
external: false
|
external: false
|
||||||
tls_backend: "{{ keystone_enable_tls_backend }}"
|
tls_backend: "{{ keystone_enable_tls_backend }}"
|
||||||
|
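Review bot: The new `enabled` expression for `keystone_admin` applies `and` to `enable_keystone` without the `| bool` filter. The HAProxy precheck removed elsewhere in this commit tests `enable_keystone | bool`, which suggests the variable can be a string such as "no"; a non-empty string is truthy in Jinja2, so during an upgrade the expression would evaluate to true and the admin frontend would be kept even with Keystone disabled. I would write `enabled: "{{ enable_keystone | bool and kolla_action == 'upgrade' }}"`. The `keystone_services` mapping starts and continues outside the hunk.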
@ -13,17 +13,6 @@
|
|||||||
- keystone_ssh
|
- keystone_ssh
|
||||||
register: container_facts
|
register: container_facts
|
||||||
|
|
||||||
- name: Checking free port for Keystone Admin
|
|
||||||
wait_for:
|
|
||||||
host: "{{ api_interface_address }}"
|
|
||||||
port: "{{ keystone_admin_listen_port }}"
|
|
||||||
connect_timeout: 1
|
|
||||||
timeout: 1
|
|
||||||
state: stopped
|
|
||||||
when:
|
|
||||||
- container_facts['keystone'] is not defined
|
|
||||||
- inventory_hostname in groups['keystone']
|
|
||||||
|
|
||||||
- name: Checking free port for Keystone Public
|
- name: Checking free port for Keystone Public
|
||||||
wait_for:
|
wait_for:
|
||||||
host: "{{ api_interface_address }}"
|
host: "{{ api_interface_address }}"
|
||||||
|
@ -8,7 +8,11 @@ LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}
|
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}
|
||||||
|
{% if kolla_action == 'upgrade' %}
|
||||||
|
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
|
||||||
|
# TODO(yoctozepto): Remove after Zed.
|
||||||
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }}
|
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
ServerSignature Off
|
ServerSignature Off
|
||||||
ServerTokens Prod
|
ServerTokens Prod
|
||||||
@ -104,6 +108,9 @@ LogLevel info
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
||||||
|
{% if kolla_action == 'upgrade' %}
|
||||||
|
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
|
||||||
|
# TODO(yoctozepto): Remove after Zed.
|
||||||
<VirtualHost *:{{ keystone_admin_listen_port }}>
|
<VirtualHost *:{{ keystone_admin_listen_port }}>
|
||||||
WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-admin
|
WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-admin
|
||||||
WSGIProcessGroup keystone-admin
|
WSGIProcessGroup keystone-admin
|
||||||
@ -123,3 +130,4 @@ LogLevel info
|
|||||||
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
|
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
{% endif %}
|
||||||
|
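Review bot: The `{% if kolla_action == 'upgrade' %}` guard around the admin `Listen` and `<VirtualHost>` ties the listener to the action name, not to the release transition, so it appears that any later `upgrade` run renders the admin listener on `keystone_admin_listen_port` again until `deploy` is run. The two-line NOTE does not say this; I would extend it with something like `# Rendered on every 'upgrade' run; run 'deploy --tags keystone' afterwards to close this listener.` The NOTE on the `keystone_admin` HAProxy entry in the role defaults could carry the same sentence.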
@ -404,19 +404,6 @@
|
|||||||
- haproxy_stat.find('ironic_inspector') == -1
|
- haproxy_stat.find('ironic_inspector') == -1
|
||||||
- haproxy_vip_prechecks
|
- haproxy_vip_prechecks
|
||||||
|
|
||||||
- name: Checking free port for Keystone Admin HAProxy
|
|
||||||
wait_for:
|
|
||||||
host: "{{ kolla_internal_vip_address }}"
|
|
||||||
port: "{{ keystone_admin_port }}"
|
|
||||||
connect_timeout: 1
|
|
||||||
timeout: 1
|
|
||||||
state: stopped
|
|
||||||
when:
|
|
||||||
- enable_keystone | bool
|
|
||||||
- inventory_hostname in groups['loadbalancer']
|
|
||||||
- haproxy_stat.find('keystone_admin') == -1
|
|
||||||
- haproxy_vip_prechecks
|
|
||||||
|
|
||||||
- name: Checking free port for Keystone Internal HAProxy
|
- name: Checking free port for Keystone Internal HAProxy
|
||||||
wait_for:
|
wait_for:
|
||||||
host: "{{ kolla_internal_vip_address }}"
|
host: "{{ kolla_internal_vip_address }}"
|
||||||
|
@ -23,7 +23,7 @@ cafile = {{ openstack_cacert }}
|
|||||||
project_name = service
|
project_name = service
|
||||||
password = {{ venus_keystone_password }}
|
password = {{ venus_keystone_password }}
|
||||||
username = {{ venus_keystone_user }}
|
username = {{ venus_keystone_user }}
|
||||||
auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
|
auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
|
||||||
project_domain_id = {{ default_project_domain_id }}
|
project_domain_id = {{ default_project_domain_id }}
|
||||||
user_domain_id = {{ default_user_domain_id }}
|
user_domain_id = {{ default_user_domain_id }}
|
||||||
auth_type = password
|
auth_type = password
|
||||||
|
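Review bot: The new `auth_url` line is still assembled by hand from `kolla_internal_fqdn` and omits the `put_address_in_context('url')` filter that the group_vars hunk applies when building `keystone_internal_url`, so an IPv6 literal address would yield a malformed URL here. With the port now `keystone_public_port`, the line has the same scheme, host and port as `keystone_internal_url` (that hunk defines `keystone_internal_fqdn` as `{{ kolla_internal_fqdn }}`), so it can be reduced to `auth_url = {{ keystone_internal_url }}`. The surrounding config section starts and ends outside the hunk.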
@ -69,7 +69,7 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
|
|||||||
|
|
||||||
kolla_internal_fqdn_r1: 10.10.10.254
|
kolla_internal_fqdn_r1: 10.10.10.254
|
||||||
|
|
||||||
keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}"
|
keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
||||||
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
||||||
|
|
||||||
openstack_auth:
|
openstack_auth:
|
||||||
|
@ -189,6 +189,23 @@ After this command is complete, the containers will have been recreated from
|
|||||||
the new images and all database schema upgrades and similar actions performed
|
the new images and all database schema upgrades and similar actions performed
|
||||||
for you.
|
for you.
|
||||||
|
|
||||||
|
Cleanup the Keystone admin port (Zed only)
|
||||||
|
------------------------------------------
|
||||||
|
|
||||||
|
The Keystone admin port is no longer used in Zed. The admin interface points
|
||||||
|
to the common port. However, during upgrade, the port is preserved for
|
||||||
|
intermediate compatibility. To clean up the port, it is necessary to run
|
||||||
|
the ``deploy`` action for Keystone. Additionally, the generated
|
||||||
|
``admin-openrc.sh`` file may need regeneration as it used the admin
|
||||||
|
port:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
kolla-ansible deploy --tags keystone
|
||||||
|
kolla-ansible post-deploy
|
||||||
|
|
||||||
|
After these commands are complete, there are no leftovers of the admin port.
|
||||||
|
|
||||||
Tips and Tricks
|
Tips and Tricks
|
||||||
~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
@ -0,0 +1,8 @@
|
|||||||
|
---
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
Keystone's admin interface no longer points to a separate port.
|
||||||
|
On upgrade, the port is preserved to maintain the intermediate
|
||||||
|
compatibility. Users are advised to run the deploy and post-deploy
|
||||||
|
commands afterwards to ensure port's cleanup.
|
||||||
|
For more information, please refer to the docs.
|
@ -13,6 +13,11 @@ function upgrade {
|
|||||||
kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks
|
kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks
|
||||||
kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade
|
kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade
|
||||||
kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade
|
kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade
|
||||||
|
|
||||||
|
# NOTE(yoctozepto): These actions remove the leftovers of the admin port.
|
||||||
|
# TODO(yoctozepto): Remove after Zed.
|
||||||
|
kolla-ansible -i ${RAW_INVENTORY} -vvv deploy --tags keystone &> /tmp/logs/ansible/upgrade-deploy
|
||||||
|
kolla-ansible -i ${RAW_INVENTORY} -vvv post-deploy &> /tmp/logs/ansible/upgrade-post-deploy
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
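Review bot: The added `deploy --tags keystone` and `post-deploy` calls are commented as removing the admin-port leftovers, but nothing after them verifies that the listener is actually gone, so a regression that leaves the port open would still pass this job. A check after the two calls that a connection to the admin port is refused would pin the behaviour the commit promises, for example `! nc -z <api-address> 35357` (the address is a placeholder; 35357 is the default shown in the group_vars hunk). The `upgrade` function begins outside the hunk.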