Do not use a different port for Keystone admin endpoint

Docs and reno included.

Change-Id: I5099b08953789b280c915a6b7a22bdd4e3404076
This commit is contained in:
Radosław Piliszek 2022-05-06 15:30:52 +02:00
parent 118ca739e3
commit 42c2520144
11 changed files with 47 additions and 29 deletions

View File

@ -351,6 +351,8 @@ kafka_port: "9092"
keystone_public_port: "5000" keystone_public_port: "5000"
keystone_public_listen_port: "{{ keystone_public_port }}" keystone_public_listen_port: "{{ keystone_public_port }}"
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
# TODO(yoctozepto): Remove after Zed.
keystone_admin_port: "35357" keystone_admin_port: "35357"
keystone_admin_listen_port: "{{ keystone_admin_port }}" keystone_admin_listen_port: "{{ keystone_admin_port }}"
keystone_ssh_port: "8023" keystone_ssh_port: "8023"
@ -844,7 +846,7 @@ kibana_log_prefix: "flog"
keystone_internal_fqdn: "{{ kolla_internal_fqdn }}" keystone_internal_fqdn: "{{ kolla_internal_fqdn }}"
keystone_external_fqdn: "{{ kolla_external_fqdn }}" keystone_external_fqdn: "{{ kolla_external_fqdn }}"
keystone_admin_url: "{{ admin_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_admin_port }}" keystone_admin_url: "{{ admin_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
keystone_internal_url: "{{ internal_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}" keystone_internal_url: "{{ internal_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
keystone_public_url: "{{ public_protocol }}://{{ keystone_external_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}" keystone_public_url: "{{ public_protocol }}://{{ keystone_external_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"

View File

@ -5,7 +5,7 @@ transport_url = {{ rpc_transport_url }}
host = {{ api_interface_address }} host = {{ api_interface_address }}
port = {{ blazar_api_port }} port = {{ blazar_api_port }}
os_auth_host = {{ keystone_internal_fqdn }} os_auth_host = {{ keystone_internal_fqdn }}
os_auth_port = {{ keystone_admin_port }} os_auth_port = {{ keystone_public_port }}
os_auth_protocol = {{ admin_protocol }} os_auth_protocol = {{ admin_protocol }}
os_auth_version = v3 os_auth_version = v3
os_admin_username = {{ blazar_keystone_user }} os_admin_username = {{ blazar_keystone_user }}

View File

@ -25,8 +25,10 @@ keystone_services:
port: "{{ keystone_public_port }}" port: "{{ keystone_public_port }}"
listen_port: "{{ keystone_public_listen_port }}" listen_port: "{{ keystone_public_listen_port }}"
backend_http_extra: "{{ ['balance source'] if enable_keystone_federation | bool else [] }}" backend_http_extra: "{{ ['balance source'] if enable_keystone_federation | bool else [] }}"
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
# TODO(yoctozepto): Remove after Zed.
keystone_admin: keystone_admin:
enabled: "{{ enable_keystone }}" enabled: "{{ enable_keystone and kolla_action == 'upgrade' }}"
mode: "http" mode: "http"
external: false external: false
tls_backend: "{{ keystone_enable_tls_backend }}" tls_backend: "{{ keystone_enable_tls_backend }}"

View File

@ -13,17 +13,6 @@
- keystone_ssh - keystone_ssh
register: container_facts register: container_facts
- name: Checking free port for Keystone Admin
wait_for:
host: "{{ api_interface_address }}"
port: "{{ keystone_admin_listen_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- container_facts['keystone'] is not defined
- inventory_hostname in groups['keystone']
- name: Checking free port for Keystone Public - name: Checking free port for Keystone Public
wait_for: wait_for:
host: "{{ api_interface_address }}" host: "{{ api_interface_address }}"

View File

@ -8,7 +8,11 @@ LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
{% endif %} {% endif %}
{% endif %} {% endif %}
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }} Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}
{% if kolla_action == 'upgrade' %}
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
# TODO(yoctozepto): Remove after Zed.
Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }} Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }}
{% endif %}
ServerSignature Off ServerSignature Off
ServerTokens Prod ServerTokens Prod
@ -104,6 +108,9 @@ LogLevel info
{% endif %} {% endif %}
</VirtualHost> </VirtualHost>
{% if kolla_action == 'upgrade' %}
# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
# TODO(yoctozepto): Remove after Zed.
<VirtualHost *:{{ keystone_admin_listen_port }}> <VirtualHost *:{{ keystone_admin_listen_port }}>
WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-admin WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-admin
WSGIProcessGroup keystone-admin WSGIProcessGroup keystone-admin
@ -123,3 +130,4 @@ LogLevel info
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
{% endif %} {% endif %}
</VirtualHost> </VirtualHost>
{% endif %}

View File

@ -404,19 +404,6 @@
- haproxy_stat.find('ironic_inspector') == -1 - haproxy_stat.find('ironic_inspector') == -1
- haproxy_vip_prechecks - haproxy_vip_prechecks
- name: Checking free port for Keystone Admin HAProxy
wait_for:
host: "{{ kolla_internal_vip_address }}"
port: "{{ keystone_admin_port }}"
connect_timeout: 1
timeout: 1
state: stopped
when:
- enable_keystone | bool
- inventory_hostname in groups['loadbalancer']
- haproxy_stat.find('keystone_admin') == -1
- haproxy_vip_prechecks
- name: Checking free port for Keystone Internal HAProxy - name: Checking free port for Keystone Internal HAProxy
wait_for: wait_for:
host: "{{ kolla_internal_vip_address }}" host: "{{ kolla_internal_vip_address }}"

View File

@ -23,7 +23,7 @@ cafile = {{ openstack_cacert }}
project_name = service project_name = service
password = {{ venus_keystone_password }} password = {{ venus_keystone_password }}
username = {{ venus_keystone_user }} username = {{ venus_keystone_user }}
auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }} auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
project_domain_id = {{ default_project_domain_id }} project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }} user_domain_id = {{ default_user_domain_id }}
auth_type = password auth_type = password

View File

@ -69,7 +69,7 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
kolla_internal_fqdn_r1: 10.10.10.254 kolla_internal_fqdn_r1: 10.10.10.254
keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}" keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}" keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
openstack_auth: openstack_auth:

View File

@ -189,6 +189,23 @@ After this command is complete, the containers will have been recreated from
the new images and all database schema upgrades and similar actions performed the new images and all database schema upgrades and similar actions performed
for you. for you.
Cleanup the Keystone admin port (Zed only)
------------------------------------------
The Keystone admin port is no longer used in Zed. The admin interface points
to the common port. However, during upgrade, the port is preserved for
intermediate compatibility. To clean up the port, it is necessary to run
the ``deploy`` action for Keystone. Additionally, the generated
``admin-openrc.sh`` file may need regeneration as it used the admin
port:
.. code-block:: console
kolla-ansible deploy --tags keystone
kolla-ansible post-deploy
After these commands are complete, there are no leftovers of the admin port.
Tips and Tricks Tips and Tricks
~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~

View File

@ -0,0 +1,8 @@
---
upgrade:
- |
Keystone's admin interface no longer points to a separate port.
On upgrade, the port is preserved to maintain the intermediate
compatibility. Users are advised to run the deploy and post-deploy
commands afterwards to ensure port's cleanup.
For more information, please refer to the docs.

View File

@ -13,6 +13,11 @@ function upgrade {
kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks
kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade
kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade
# NOTE(yoctozepto): These actions remove the leftovers of the admin port.
# TODO(yoctozepto): Remove after Zed.
kolla-ansible -i ${RAW_INVENTORY} -vvv deploy --tags keystone &> /tmp/logs/ansible/upgrade-deploy
kolla-ansible -i ${RAW_INVENTORY} -vvv post-deploy &> /tmp/logs/ansible/upgrade-post-deploy
} }