From ee32736c1575500e374acdfb6067fd8d0950fdd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?= Date: Sat, 28 May 2022 18:39:04 +0200 Subject: [PATCH] Make Keystone admin endpoint creation optional The admin endpoint is kept on upgrade to allow the upgrade to happen (as it allows to rewrite the previous admin endpoint entry to the new one). Change-Id: I1c16892bab67f281d539843f1f0fa658df1c4874 Depends-On: https://review.opendev.org/c/openstack/kolla/+/854837 --- ansible/roles/keystone/defaults/main.yml | 13 +++++++++---- ansible/roles/keystone/tasks/register.yml | 2 +- ansible/roles/keystone/tasks/upgrade.yml | 11 +++++++++++ ...ne-admin-endpoint-optional-8eb8c9a18085d64e.yaml | 9 +++++++++ 4 files changed, 30 insertions(+), 5 deletions(-) create mode 100644 releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml index c07c0b1fc0..f612c48e7c 100644 --- a/ansible/roles/keystone/defaults/main.yml +++ b/ansible/roles/keystone/defaults/main.yml 
@@ -195,14 +195,19 @@ keystone_enabled_notification_topics: "{{ keystone_notification_topics | selecta #################### # Keystone #################### +keystone_service_endpoints: + - {'interface': 'internal', 'url': '{{ keystone_internal_url }}'} + - {'interface': 'public', 'url': '{{ keystone_public_url }}'} + +# TODO(yoctozepto): Remove admin_endpoint leftovers in Antelope (2023.1). +keystone_service_admin_endpoint: {'interface': 'admin', 'url': '{{ keystone_internal_url }}'} +keystone_create_admin_endpoint: false + keystone_ks_services: - name: "keystone" type: "identity" description: "Openstack Identity Service" - endpoints: - - {'interface': 'admin', 'url': '{{ keystone_internal_url }}'} - - {'interface': 'internal', 'url': '{{ keystone_internal_url }}'} - - {'interface': 'public', 'url': '{{ keystone_public_url }}'} + endpoints: "{{ keystone_service_endpoints + ([keystone_service_admin_endpoint] if kolla_action == 'upgrade' or keystone_create_admin_endpoint | bool else []) }}" #################### # TLS diff --git a/ansible/roles/keystone/tasks/register.yml b/ansible/roles/keystone/tasks/register.yml index 1afb3fce71..90b0457795 100644 --- a/ansible/roles/keystone/tasks/register.yml +++ b/ansible/roles/keystone/tasks/register.yml @@ -4,7 +4,7 @@ command: > docker exec keystone kolla_keystone_bootstrap {{ openstack_auth.username }} {{ openstack_auth.password }} {{ keystone_admin_project }} - admin {{ keystone_internal_url }} {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }} + admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }} register: keystone_bootstrap changed_when: (keystone_bootstrap.stdout | from_json).changed failed_when: (keystone_bootstrap.stdout | from_json).failed diff --git a/ansible/roles/keystone/tasks/upgrade.yml b/ansible/roles/keystone/tasks/upgrade.yml index 7a1df217d6..af68e54600 100644 --- a/ansible/roles/keystone/tasks/upgrade.yml +++ b/ansible/roles/keystone/tasks/upgrade.yml 
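Review bot: `keystone_create_admin_endpoint: false` only stops the admin endpoint from being created; nothing in the role deletes an existing one, and the `kolla_action == 'upgrade'` branch of the new `endpoints` expression re-registers it on every upgrade even when the flag is false, so an operator who removed the entry by hand will see it come back on the next upgrade, still pointing `interface=admin` clients at `keystone_internal_url`. That contract is not visible from the variable name, so I would state it above the flag: `# Only controls creation: an existing admin endpoint is never removed by this role, and it is always (re)registered on upgrade so its URL can be rewritten.`. The expression also relies on Jinja's filter `|` binding tighter than `or`; writing `(keystone_create_admin_endpoint | bool)` makes the intended grouping explicit to the next reader. The release note's "may wish to remove it" would then match what the code actually leaves behind.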
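Review bot: The rewritten `admin {{ keystone_internal_url }} {{ keystone_public_url }} {{ item }}` line keeps `{{ openstack_auth.password }}` as a positional argument to `docker exec`, so the Keystone admin password is readable in `ps` output on the host while the bootstrap runs and in Ansible verbose/callback output unless the task sets `no_log`; the task header is above the hunk, so that key may already be there — if it is not, add `no_log: true`, or hand the password to the container through its environment instead of argv. Dropping one URL also makes the tail positional-incompatible with images that predate the Depends-On kolla change: an older `kolla_keystone_bootstrap` expecting `admin_url internal_url public_url region` would presumably take `keystone_public_url` as the internal URL and `{{ item }}` as the public URL, and the failure would surface only through the JSON `failed` field. A one-line comment pinning the new argument order, `# args: username password project role internal_url public_url region`, would make that coupling visible to whoever next touches either side.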
@@ -47,3 +47,14 @@
 when:
 - inventory_hostname == groups['keystone'][-1]
 - not use_preconfigured_databases | bool
+
+# TODO(yoctozepto): Remove after Zed (in AA).
+# This is needed to update the admin endpoint as the port has
+# changed in the same release (Zed), i.e., the admin endpoint uses the
+# same port as the other ones (public, internal).
+- import_role:
+ name: service-ks-register
+ vars:
+ service_ks_register_auth: "{{ openstack_keystone_auth }}"
+ service_ks_register_services: "{{ keystone_ks_services }}"
+ run_once: True
diff --git a/releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml b/releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml
new file mode 100644
index 0000000000..15833be612
--- /dev/null
+++ b/releasenotes/notes/keystone-admin-endpoint-optional-8eb8c9a18085d64e.yaml
@@ -0,0 +1,9 @@
+---
+upgrade:
+ - |
+ The Keystone's admin endpoint is no longer created by default. Operators
+ of existing deployments may wish to remove it after the upgrade
+ completes. Operators having external services relying on the availability
+ of the Keystone's admin endpoint may set ``keystone_create_admin_endpoint``
+ to ``true`` to keep creating the admin endpoint but such support will
+ be removed after Zed.
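Review bot: The new `import_role` has no `when` guard, so every upgrade re-registers the full `keystone_ks_services` list — including the admin endpoint, which the defaults force in whenever `kolla_action == 'upgrade'` — regardless of `keystone_create_admin_endpoint`; the comment explains the port rewrite but not that a previously deleted admin endpoint is recreated, so I would extend it with `# Note: this re-creates the admin endpoint on every upgrade, even when keystone_create_admin_endpoint is false, until this block is removed.`. Whether this runs before or after the upgraded Keystone containers are serving is not visible here; if it runs against the old containers the rewritten URL may not yet be reachable, which is worth confirming. `run_once: True` should be `run_once: true`, matching the lowercase booleans used elsewhere in this change and yamllint's truthy rule. The removal horizon is spelled "after Zed (in AA)" here and "Antelope (2023.1)" in defaults; use one wording so both leftovers are found by the same grep.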