Further Keystone-related cleanups
Per comments on [1]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/843727 Change-Id: I60162b54bc06e158534d29311d4474b34750c64d
This commit is contained in:
parent
92f8e93bb3
commit
72b63dfee7
@ -40,7 +40,7 @@ policy_file = {{ aodh_policy_file }}
|
||||
{% endif %}
|
||||
|
||||
[service_credentials]
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
region_name = {{ openstack_region_name }}
|
||||
password = {{ aodh_keystone_password }}
|
||||
username = {{ aodh_keystone_user }}
|
||||
|
@ -7,7 +7,6 @@ port = {{ blazar_api_port }}
|
||||
os_auth_host = {{ keystone_internal_fqdn }}
|
||||
os_auth_port = {{ keystone_public_port }}
|
||||
os_auth_protocol = {{ internal_protocol }}
|
||||
os_auth_version = v3
|
||||
os_admin_username = {{ blazar_keystone_user }}
|
||||
os_admin_password = {{ blazar_keystone_password }}
|
||||
os_admin_project_name = service
|
||||
@ -21,8 +20,8 @@ plugins = virtual.instance.plugin,physical.host.plugin
|
||||
|
||||
[keystone_authtoken]
|
||||
service_type = reservation
|
||||
www_authenticate_uri = {{ keystone_internal_url }}/v3
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
www_authenticate_uri = {{ keystone_internal_url }}
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
auth_type = password
|
||||
project_domain_id = default
|
||||
user_domain_id = default
|
||||
|
@ -10,7 +10,7 @@ hypervisor_inspector = vsphere
|
||||
{% endif %}
|
||||
|
||||
[service_credentials]
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
region_name = {{ openstack_region_name }}
|
||||
password = {{ ceilometer_keystone_password }}
|
||||
username = {{ ceilometer_keystone_user }}
|
||||
|
@ -8,7 +8,7 @@ export OS_PROJECT_NAME={{ keystone_admin_project }}
|
||||
export OS_TENANT_NAME={{ keystone_admin_project }}
|
||||
export OS_USERNAME={{ keystone_admin_user }}
|
||||
export OS_PASSWORD={{ keystone_admin_password }}
|
||||
export OS_AUTH_URL={{ keystone_internal_url }}/v3
|
||||
export OS_AUTH_URL={{ keystone_internal_url }}
|
||||
export OS_INTERFACE=internal
|
||||
export OS_ENDPOINT_TYPE=internalURL
|
||||
{% if enable_manila | bool %}
|
||||
|
@ -14,7 +14,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
|
||||
|
||||
os_username = {{ openstack_auth.username }}
|
||||
os_password = {{ openstack_auth.password }}
|
||||
os_auth_url = {{ openstack_auth.auth_url }}/v3
|
||||
os_auth_url = {{ openstack_auth.auth_url }}
|
||||
os_project_name = {{ keystone_admin_project }}
|
||||
os_project_domain_name = {{ openstack_auth.domain_name }}
|
||||
# TODO: transition to system scoped token when freezer supports that
|
||||
|
@ -1,6 +1,6 @@
|
||||
[swift]
|
||||
auth_version = 3
|
||||
auth_address = {{ openstack_auth.auth_url }}/v3
|
||||
auth_address = {{ openstack_auth.auth_url }}
|
||||
user = service:{{ glance_keystone_user }}
|
||||
key = {{ glance_keystone_password }}
|
||||
project_domain_id = default
|
||||
|
@ -45,7 +45,7 @@ url = mysql+pymysql://{{ gnocchi_database_user }}:{{ gnocchi_database_password }
|
||||
|
||||
[keystone_authtoken]
|
||||
service_type = metric
|
||||
www_authenticate_uri = {{ keystone_internal_url }}/v3
|
||||
www_authenticate_uri = {{ keystone_internal_url }}
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
project_name = service
|
||||
user_domain_id = {{ default_user_domain_id }}
|
||||
@ -83,7 +83,7 @@ ceph_keyring = /etc/ceph/{{ ceph_gnocchi_keyring }}
|
||||
ceph_conffile = /etc/ceph/ceph.conf
|
||||
{% elif gnocchi_backend_storage == 'swift' %}
|
||||
driver = swift
|
||||
swift_authurl = {{ keystone_internal_url }}/v3
|
||||
swift_authurl = {{ keystone_internal_url }}
|
||||
swift_auth_version = 3
|
||||
swift_user = service:{{ swift_keystone_user }}
|
||||
swift_key = {{ swift_keystone_password }}
|
||||
|
@ -61,7 +61,7 @@ username = {{ heat_keystone_user }}
|
||||
password = {{ heat_keystone_password }}
|
||||
|
||||
[ec2authtoken]
|
||||
auth_uri = {{ keystone_internal_url }}/v3
|
||||
auth_uri = {{ keystone_internal_url }}
|
||||
|
||||
[oslo_messaging_notifications]
|
||||
transport_url = {{ notify_transport_url }}
|
||||
|
@ -122,7 +122,7 @@ horizon_extra_volumes: "{{ default_extra_volumes }}"
|
||||
# OpenStack
|
||||
####################
|
||||
horizon_logging_debug: "{{ openstack_logging_debug }}"
|
||||
horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}/v3"
|
||||
horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}"
|
||||
|
||||
|
||||
####################
|
||||
|
@ -224,7 +224,7 @@ WEBSSO_ENABLED = True
|
||||
# Do not remove the mandatory credentials mechanism.
|
||||
# Note: The last two tuples are sample mapping keys to a identity provider
|
||||
# and federation protocol combination (WEBSSO_IDP_MAPPING).
|
||||
WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}/v3"
|
||||
WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}"
|
||||
WEBSSO_CHOICES = (
|
||||
("credentials", _("Keystone Credentials")),
|
||||
{% for idp in keystone_identity_providers %}
|
||||
@ -856,7 +856,7 @@ REST_API_REQUIRED_SETTINGS = [
|
||||
|
||||
{% if enable_murano | bool and enable_barbican | bool %}
|
||||
KEY_MANAGER = {
|
||||
'auth_url': '{{ keystone_internal_url }}/v3',
|
||||
'auth_url': '{{ keystone_internal_url }}',
|
||||
'username': '{{ murano_keystone_user }}',
|
||||
'user_domain_name': '{{ default_project_domain_name }}',
|
||||
'password': '{{ murano_keystone_password }}',
|
||||
|
@ -65,7 +65,7 @@ endpoint_type = internalURL
|
||||
ca_file = {{ openstack_cacert }}
|
||||
|
||||
[keystone_auth]
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
user_domain_name = {{ default_user_domain_name }}
|
||||
project_domain_name = {{ default_project_domain_name }}
|
||||
project_name = service
|
||||
@ -76,8 +76,7 @@ cafile = {{ openstack_cacert }}
|
||||
|
||||
[keystone_authtoken]
|
||||
service_type = container-infra
|
||||
auth_version = v3
|
||||
www_authenticate_uri = {{ keystone_internal_url }}/v3
|
||||
www_authenticate_uri = {{ keystone_internal_url }}
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
auth_type = password
|
||||
project_domain_name = {{ default_project_domain_name }}
|
||||
|
@ -10,7 +10,7 @@ os_region_name = {{ openstack_region_name }}
|
||||
os_user_domain_name = {{ default_user_domain_id }}
|
||||
os_project_domain_name = {{ default_project_domain_id }}
|
||||
os_privileged_user_tenant = service
|
||||
os_privileged_user_auth_url = {{ keystone_internal_url }}/v3
|
||||
os_privileged_user_auth_url = {{ keystone_internal_url }}
|
||||
os_privileged_user_name = {{ nova_keystone_user }}
|
||||
os_privileged_user_password = {{ nova_keystone_password }}
|
||||
nova_ca_certificates_file = {{ openstack_cacert }}
|
||||
@ -23,7 +23,7 @@ max_retries = -1
|
||||
|
||||
[keystone_authtoken]
|
||||
service_type = instance-ha
|
||||
www_authenticate_uri = {{ keystone_internal_url }}/v3
|
||||
www_authenticate_uri = {{ keystone_internal_url }}
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
auth_type = password
|
||||
project_domain_name = {{ default_project_domain_name }}
|
||||
|
@ -40,8 +40,8 @@ max_retries = -1
|
||||
|
||||
[keystone_authtoken]
|
||||
service_type = workflow
|
||||
www_authenticate_uri = {{ keystone_internal_url }}/v3
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
www_authenticate_uri = {{ keystone_internal_url }}
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
auth_type = password
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
user_domain_id = {{ default_user_domain_id }}
|
||||
|
@ -38,7 +38,7 @@ memcache_secret_key = {{ memcache_secret_key }}
|
||||
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
|
||||
|
||||
[murano_auth]
|
||||
auth_uri = {{ keystone_internal_url }}/v3
|
||||
auth_uri = {{ keystone_internal_url }}
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
auth_type = password
|
||||
project_domain_name = {{ default_project_domain_name }}
|
||||
@ -86,7 +86,7 @@ virtual_host = {{ murano_agent_rabbitmq_vhost }}
|
||||
{% if enable_barbican | bool %}
|
||||
[key_manager]
|
||||
auth_type = keystone_password
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
username = {{ murano_keystone_user }}
|
||||
password = {{ murano_keystone_password }}
|
||||
user_domain_name = {{ default_project_domain_name }}
|
||||
|
@ -84,7 +84,7 @@ proxyclient_address = {{ api_interface_address }}
|
||||
[ironic]
|
||||
username = {{ ironic_keystone_user }}
|
||||
password = {{ ironic_keystone_password }}
|
||||
auth_url = {{ openstack_auth.auth_url }}/v3
|
||||
auth_url = {{ openstack_auth.auth_url }}
|
||||
cafile = {{ openstack_cacert }}
|
||||
auth_type = password
|
||||
project_name = service
|
||||
|
@ -5,6 +5,6 @@ export OS_USER_DOMAIN_NAME=Default
|
||||
export OS_PROJECT_NAME={{ octavia_service_auth_project }}
|
||||
export OS_USERNAME={{ octavia_keystone_user }}
|
||||
export OS_PASSWORD={{ octavia_keystone_password }}
|
||||
export OS_AUTH_URL={{ keystone_internal_url }}/v3
|
||||
export OS_AUTH_URL={{ keystone_internal_url }}
|
||||
export OS_INTERFACE=internal
|
||||
export OS_ENDPOINT_TYPE=internalURL
|
||||
|
@ -11,4 +11,4 @@ clouds:
|
||||
project_domain_name: 'Default'
|
||||
user_domain_name: 'Default'
|
||||
cacert: {{ openstack_cacert }}
|
||||
auth_url: {{ keystone_internal_url }}/v3
|
||||
auth_url: {{ keystone_internal_url }}
|
||||
|
@ -61,5 +61,5 @@ project_name = service
|
||||
user_domain_name = {{ default_user_domain_name }}
|
||||
username = {{ sahara_keystone_user }}
|
||||
password = {{ sahara_keystone_password }}
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
cafile = {{ openstack_cacert }}
|
||||
|
@ -47,7 +47,7 @@ agent:
|
||||
|
||||
### TODO migrate from tenant_name to system_scope when supported in skydive
|
||||
neutron:
|
||||
auth_url: {{ keystone_internal_url }}/v3
|
||||
auth_url: {{ keystone_internal_url }}
|
||||
username: {{ openstack_auth['username'] }}
|
||||
password: {{ openstack_auth['password'] }}
|
||||
tenant_name: {{ skydive_admin_tenant_name }}
|
||||
|
@ -4,7 +4,7 @@
|
||||
auth:
|
||||
keystone:
|
||||
type: keystone
|
||||
auth_url: {{ keystone_internal_url }}/v3
|
||||
auth_url: {{ keystone_internal_url }}
|
||||
region_name: {{ openstack_region_name }}
|
||||
tenant_name: {{ skydive_admin_tenant_name }}
|
||||
domain_name: Default
|
||||
|
@ -99,5 +99,5 @@ use = egg:swift#s3api
|
||||
|
||||
[filter:s3token]
|
||||
use = egg:swift#s3token
|
||||
auth_uri = {{ keystone_internal_url }}/v3
|
||||
auth_uri = {{ keystone_internal_url }}
|
||||
{% endif %}
|
||||
|
@ -35,7 +35,7 @@ network_driver = trove.network.neutron.NeutronDriver
|
||||
control_exchange = trove
|
||||
|
||||
[service_credentials]
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
region_name = {{ openstack_region_name }}
|
||||
project_name = service
|
||||
password = {{ trove_keystone_password }}
|
||||
|
@ -45,7 +45,7 @@ memcache_secret_key = {{ memcache_secret_key }}
|
||||
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
|
||||
|
||||
[service_credentials]
|
||||
auth_url = {{ keystone_internal_url }}/v3
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
region_name = {{ openstack_region_name }}
|
||||
auth_type = password
|
||||
project_domain_id = {{ default_project_domain_id }}
|
||||
|
@ -114,19 +114,18 @@ additional configuration:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone_admin_url: "http://172.28.128.254:35357"
|
||||
keystone_internal_url: "http://172.28.128.254:5000"
|
||||
monasca_openstack_auth:
|
||||
auth_url: "{{ keystone_admin_url }}"
|
||||
auth_url: "{{ keystone_internal_url }}"
|
||||
username: "admin"
|
||||
password: "{{ external_keystone_admin_password }}"
|
||||
project_name: "admin"
|
||||
domain_name: "default"
|
||||
user_domain_name: "default"
|
||||
|
||||
In this example it is assumed that the external Keystone admin and internal
|
||||
URLs are `http://172.28.128.254:35357` and `http://172.28.128.254:5000`
|
||||
respectively, and that the external Keystone admin password is defined by
|
||||
In this example it is assumed that the external Keystone's internal URL is
|
||||
`http://172.28.128.254:5000`, and that the external Keystone's admin password
|
||||
is defined by
|
||||
the variable `external_keystone_admin_password` which you will most likely
|
||||
want to save in `/etc/kolla/passwords.yml`. Note that the Keystone URLs can
|
||||
be obtained from the external OpenStack CLI, for example:
|
||||
@ -134,13 +133,12 @@ be obtained from the external OpenStack CLI, for example:
|
||||
.. code-block:: console
|
||||
|
||||
openstack endpoint list --service identity
|
||||
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
|
||||
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
|
||||
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
|
||||
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
|
||||
| 162365440e6c43d092ad6069f0581a57 | RegionOne | keystone | identity | True | admin | http://172.28.128.254:35357 |
|
||||
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
|
||||
| 6d768ee2ce1c4302a49e9b7ac2af472c | RegionOne | keystone | identity | True | public | http://172.28.128.254:5000 |
|
||||
| e02067a58b1946c7ae53abf0cfd0bf11 | RegionOne | keystone | identity | True | internal | http://172.28.128.254:5000 |
|
||||
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
|
||||
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
|
||||
|
||||
If you are also using Kolla Ansible to manage the external OpenStack
|
||||
installation, the external Keystone admin password will most likely
|
||||
|
@ -9,7 +9,7 @@ with Kolla. A basic multiple region deployment consists of separate
|
||||
OpenStack installations in two or more regions (RegionOne, RegionTwo, ...)
|
||||
with a shared Keystone and Horizon. The rest of this documentation assumes
|
||||
Keystone and Horizon are deployed in RegionOne, and other regions have
|
||||
access to the admin endpoint (for example, ``kolla_internal_fqdn``) of
|
||||
access to the internal endpoint (for example, ``kolla_internal_fqdn``) of
|
||||
RegionOne.
|
||||
It also assumes that the operator knows the name of all OpenStack regions
|
||||
in advance, and considers as many Kolla deployments as there are regions.
|
||||
@ -69,11 +69,10 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
|
||||
|
||||
kolla_internal_fqdn_r1: 10.10.10.254
|
||||
|
||||
keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
||||
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
|
||||
|
||||
openstack_auth:
|
||||
auth_url: "{{ keystone_admin_url }}"
|
||||
auth_url: "{{ keystone_internal_url }}"
|
||||
username: "{{ keystone_admin_user }}"
|
||||
password: "{{ keystone_admin_password }}"
|
||||
user_domain_name: "{{ default_user_domain_name }}"
|
||||
@ -97,7 +96,7 @@ create a ``global.conf`` file with the following content:
|
||||
|
||||
[keystone_authtoken]
|
||||
www_authenticate_uri = {{ keystone_internal_url }}
|
||||
auth_url = {{ keystone_admin_url }}
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
|
||||
The Placement API section inside the nova configuration file also has
|
||||
to be updated to contact RegionOne's Keystone. So create, in the same
|
||||
@ -106,7 +105,7 @@ directory, a ``nova.conf`` file with below content:
|
||||
.. code-block:: ini
|
||||
|
||||
[placement]
|
||||
auth_url = {{ keystone_admin_url }}
|
||||
auth_url = {{ keystone_internal_url }}
|
||||
|
||||
The Heat section inside the configuration file also
|
||||
has to be updated to contact RegionOne's Keystone. So create, in the same
|
||||
|
Loading…
x
Reference in New Issue
Block a user