Fixup keystone endpoint handling

Finish the removal of creating an admin endpoint for keystone. This was
started in [0] but some fragments were still remaining.

At the same time the option to create an internal identity endpoint that
is different from the public one is reintroduced.

[0] I01d44e48053cad7aeb92636f4b41649204006c93

Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1

attributes/default.rb

@@ -28,20 +28,17 @@ default['openstack']['identity']['custom_template_banner'] = '
 # Any changes will be overwritten
 '
 
-%w(admin internal public).each do |ep_type|
-  # host for openstack identity endpoint
+%w(internal public).each do |ep_type|
+  # host for openstack internal/public identity endpoint
   default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1'
-  # scheme for openstack identity endpoint
+  # scheme for openstack internal/public identity endpoint
   default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
-  # path for openstack identity endpoint
+  # port for openstack internal/public identity endpoint
+  default['openstack']['endpoints'][ep_type]['identity']['port'] = 5000
+  # path for openstack internal/public identity endpoint
   default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v3'
 end
 
-# port for openstack public identity endpoint
-default['openstack']['endpoints']['public']['identity']['port'] = 5000
-# port for openstack internal identity endpoint
-default['openstack']['endpoints']['internal']['identity']['port'] = 5000
-
 # address for openstack identity service main endpoint to bind to
 default['openstack']['bind_service']['public']['identity']['host'] = '127.0.0.1'
 # port for openstack identity service main endpoint to bind to
@@ -65,19 +62,19 @@ default['openstack']['identity']['pastefile_url'] = nil
 # this value will be used in the templated version of keystone-paste.ini
 # The last item in this pipeline must be public_service or an equivalent
 # application. It cannot be a filter.
-default['openstack']['identity']['pipeline']['public_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service'
+default['openstack']['identity']['pipeline']['public_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service'
 # This specify the pipeline of the keystone admin API,
 # all Identity admin API requests will be processed by the order of the pipeline.
 # this value will be used in the templated version of keystone-paste.ini
 # The last item in this pipeline must be admin_service or an equivalent
 # application. It cannot be a filter.
-default['openstack']['identity']['pipeline']['admin_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service'
+default['openstack']['identity']['pipeline']['admin_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service'
 # This specify the pipeline of the keystone V3 API,
 # all Identity V3 API requests will be processed by the order of the pipeline.
 # this value will be used in the templated version of keystone-paste.ini
 # The last item in this pipeline must be service_v3 or an equivalent
 # application. It cannot be a filter.
-default['openstack']['identity']['pipeline']['api_v3'] = 'healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3'
+default['openstack']['identity']['pipeline']['api_v3'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3'
 
 # region to be used for endpoint registration
 default['openstack']['identity']['region'] = node['openstack']['region']

recipes/openrc.rb

@@ -29,11 +29,10 @@ project_domain_name = node['openstack']['identity']['admin_project_domain']
 ksadmin_user = node['openstack']['identity']['admin_user']
 admin_domain_name = node['openstack']['identity']['admin_domain_name']
 
-# auth_api_version = node['openstack']['api']['auth']['version']
 ksadmin_pass = get_password 'user', ksadmin_user
 
 identity_endpoint = public_endpoint 'identity'
-auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
+auth_url = ::URI.decode identity_endpoint.to_s
 
 directory node['openstack']['openrc']['path'] do
   owner node['openstack']['openrc']['user']

recipes/registration.rb

@@ -31,7 +31,8 @@ class ::Chef::Recipe
 end
 
 identity_endpoint = public_endpoint 'identity'
-auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
+identity_internal_endpoint = internal_endpoint 'identity'
+auth_url = ::URI.decode identity_internal_endpoint.to_s
 
 # define the credentials to use for the initial admin user
 admin_project = node['openstack']['identity']['admin_project']
@@ -45,7 +46,7 @@ connection_params = {
   openstack_username:     admin_user,
   openstack_api_key:      admin_pass,
   openstack_project_name: admin_project,
-  openstack_domain_name:    admin_domain,
+  openstack_domain_id:    admin_domain,
 }
 
 ruby_block 'wait for identity endpoint' do
@@ -64,7 +65,7 @@ ruby_block 'wait for identity endpoint' do
   end
 end
 
-openstack_domain admin_domain do
+openstack_domain 'identity' do
   connection_params connection_params
 end
 
@@ -85,6 +86,10 @@ openstack_role '_member_' do
   connection_params connection_params
 end
 
+node.normal['openstack']['identity']['adminURL'] = identity_internal_endpoint.to_s
+node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
 node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
 
+Chef::Log.info "Keystone AdminURL: #{identity_internal_endpoint}"
+Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
 Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"

recipes/server-apache.rb

@@ -48,8 +48,14 @@ end
 
 platform_options = node['openstack']['identity']['platform']
 
+identity_internal_endpoint = internal_endpoint 'identity'
 identity_endpoint = public_endpoint 'identity'
 
+# define the address where the keystone public endpoint will be reachable
+ie = identity_endpoint
+# define the keystone public endpoint full path
+api_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
+
 # define the credentials to use for the initial admin user
 admin_project = node['openstack']['identity']['admin_project']
 admin_user = node['openstack']['identity']['admin_user']
@@ -136,15 +142,9 @@ node.default['openstack']['identity']['conf_secrets']
 # search for memcache servers using the method from cookbook-openstack-common
 memcache_servers = memcached_servers.join ','
 
-# define the address where the keystone public endpoint will be reachable
-ie = identity_endpoint
-# define the keystone public endpoint full path
-api_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
-
 # If a keystone-paste.ini is specified use it.
-# If platform_family is RHEL and we do not specify keystone-paste.ini,
-# copy in /usr/share/keystone/keystone-dist-paste.ini since
-# /etc/keystone/keystone-paste.ini is not packaged.
+# TODO(jh): Starting with Rocky keystone-paste.ini is no longer being used
+# and this block can be removed
 if node['openstack']['identity']['pastefile_url']
   remote_file '/etc/keystone/keystone-paste.ini' do
     action :create_if_missing
@@ -167,13 +167,14 @@ if node['openstack']['mq']['service_type'] == 'rabbit'
   node.default['openstack']['identity']['conf_secrets']['DEFAULT']['transport_url'] = rabbit_transport_url 'identity'
 end
 
-# set keystone config parameters for admin_token, endpoints and memcache
+# set keystone config parameters for endpoints, memcache
 node.default['openstack']['identity']['conf'].tap do |conf|
   conf['DEFAULT']['public_endpoint'] = api_endpoint
+  conf['DEFAULT']['admin_endpoint'] = api_endpoint
   conf['memcache']['servers'] = memcache_servers if memcache_servers
 end
 
-# merge all config options and secrets to be used in the nova.conf.erb
+# merge all config options and secrets to be used in the keystone.conf.erb
 keystone_conf_options = merge_config_options 'identity'
 
 # create the keystone.conf from attributes
@@ -211,9 +212,10 @@ if node['openstack']['identity']['catalog']['backend'] == 'templated'
   network_public_endpoint = public_endpoint 'network'
   volume_public_endpoint = public_endpoint 'block-storage'
 
-  # populate the templated catlog
+  # populate the templated catalog
   # TODO: (jklare) this should be done in a helper method
   uris = {
+    'identity-admin' => identity_internal_endpoint.to_s.gsub('%25', '%'),
     'identity' => identity_endpoint.to_s.gsub('%25', '%'),
     'image' => image_public_endpoint.to_s.gsub('%25', '%'),
     'compute' => compute_public_endpoint.to_s.gsub('%25', '%'),
@@ -248,9 +250,9 @@ execute 'bootstrap_keystone' do
           --bootstrap-role-name #{admin_role} \\
           --bootstrap-service-name keystone \\
           --bootstrap-region-id #{region} \\
-          --bootstrap-admin-url #{identity_endpoint} \\
+          --bootstrap-admin-url #{identity_internal_endpoint} \\
           --bootstrap-public-url #{identity_endpoint} \\
-          --bootstrap-internal-url #{identity_endpoint}"
+          --bootstrap-internal-url #{identity_internal_endpoint}"
 end
 
 #### Start of Apache specific work

spec/openrc_spec.rb

@@ -63,12 +63,12 @@ describe 'openstack-identity::openrc' do
         node.set['openstack']['identity']['admin_domain_id'] =
           'admin-domain-override'
         node.set['openstack']['endpoints']['public']['identity']['uri'] =
-          'https://public.identity:1234/v3'
+          'https://public.identity:1234/'
         [
           /^export OS_USERNAME=identity_admin$/,
           /^export OS_PROJECT_NAME=admin-project-name-override$/,
           /^export OS_PASSWORD=identity_admin_pass$/,
-          %r{^export OS_AUTH_URL=https://public.identity:1234/v3$},
+          %r{^export OS_AUTH_URL=https://public.identity:1234/$},
         ].each do |line|
           expect(chef_run).to render_file(file.name).with_content(line)
         end

spec/registration_spec.rb

@@ -16,11 +16,12 @@ describe 'openstack-identity::registration' do
       openstack_username: 'admin',
       openstack_api_key: 'admin',
       openstack_project_name: 'admin',
-      openstack_domain_name: 'default',
+      openstack_domain_id: 'default',
     }
     service_user = 'admin'
     role_name = 'admin'
-    domain_name = 'default'
+    admin_domain_name = 'default'
+    domain_name = 'identity'
 
     describe 'keystone bootstrap' do
       context 'default values' do
@@ -40,7 +41,7 @@ describe 'openstack-identity::registration' do
           expect(chef_run).to grant_domain_openstack_user(
             service_user
           ).with(
-            domain_name: domain_name,
+            domain_name: admin_domain_name,
             role_name: role_name,
             connection_params: connection_params
           )

spec/server-apache_spec.rb

@@ -20,6 +20,7 @@ describe 'openstack-identity::server-apache' do
     project_name = 'admin'
     role_name = 'admin'
     password = 'admin'
+    admin_url = 'http://127.0.0.1:5000/v3'
     public_url = 'http://127.0.0.1:5000/v3'
     internal_url = 'http://127.0.0.1:5000/v3'
 
@@ -52,7 +53,7 @@ describe 'openstack-identity::server-apache' do
           --bootstrap-role-name #{role_name} \\
           --bootstrap-service-name #{service_name} \\
           --bootstrap-region-id #{region} \\
-          --bootstrap-admin-url #{public_url} \\
+          --bootstrap-admin-url #{admin_url} \\
           --bootstrap-public-url #{public_url} \\
           --bootstrap-internal-url #{internal_url}")
     end
@@ -277,15 +278,15 @@ describe 'openstack-identity::server-apache' do
       it 'has default api pipeline values' do
         expect(chef_run).to render_config_file(path).with_section_content(
           'pipeline:public_api',
-          /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service$/
+          /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service$/
         )
         expect(chef_run).to render_config_file(path).with_section_content(
           'pipeline:admin_api',
-          /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service$/
+          /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service$/
         )
         expect(chef_run).to render_config_file(path).with_section_content(
           'pipeline:api_v3',
-          /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
+          /^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
         )
       end
       it 'template api pipeline set correct' do

templates/default/default_catalog.templates.erb

@@ -1,29 +1,29 @@
-catalog.<%= node["openstack"]["identity"]["region"] %>.identity.publicURL = <%= @uris["identity"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.identity.adminURL = <%= @uris["identity-admin"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.identity.internalURL = <%= @uris["identity"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.identity.name = Identity Service
+catalog.<%= node['openstack']['identity']['region'] %>.identity.publicURL = <%= @uris['identity'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.identity.adminURL = <%= @uris['identity-admin'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.identity.internalURL = <%= @uris['identity-admin'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.identity.name = Identity Service
 
-catalog.<%= node["openstack"]["identity"]["region"] %>.compute.publicURL = <%= @uris["compute"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.compute.adminURL = <%= @uris["compute"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.compute.internalURL = <%= @uris["compute"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.compute.name = Compute Service
+catalog.<%= node['openstack']['identity']['region'] %>.compute.publicURL = <%= @uris['compute'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.compute.adminURL = <%= @uris['compute'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.compute.internalURL = <%= @uris['compute'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.compute.name = Compute Service
 
-catalog.<%= node["openstack"]["identity"]["region"] %>.volume.publicURL = <%= @uris["volume"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.volume.adminURL = <%= @uris["volume"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.volume.internalURL = <%= @uris["volume"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.volume.name = Volume Service
+catalog.<%= node['openstack']['identity']['region'] %>.volume.publicURL = <%= @uris['volume'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.volume.adminURL = <%= @uris['volume'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.volume.internalURL = <%= @uris['volume'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.volume.name = Volume Service
 
-catalog.<%= node["openstack"]["identity"]["region"] %>.ec2.publicURL = <%= @uris["ec2"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.ec2.adminURL = <%= @uris["ec2"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.ec2.internalURL = <%= @uris["ec2"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.ec2.name = EC2 Service
+catalog.<%= node['openstack']['identity']['region'] %>.ec2.publicURL = <%= @uris['ec2'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.ec2.adminURL = <%= @uris['ec2'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.ec2.internalURL = <%= @uris['ec2'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.ec2.name = EC2 Service
 
-catalog.<%= node["openstack"]["identity"]["region"] %>.image.publicURL = <%= @uris["image"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.image.adminURL = <%= @uris["image"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.image.internalURL = <%= @uris["image"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.image.name = Image Service
+catalog.<%= node['openstack']['identity']['region'] %>.image.publicURL = <%= @uris['image'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.image.adminURL = <%= @uris['image'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.image.internalURL = <%= @uris['image'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.image.name = Image Service
 
-catalog.<%= node["openstack"]["identity"]["region"] %>.network.publicURL = <%= @uris["network"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.network.adminURL = <%= @uris["network"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.network.internalURL = <%= @uris["network"].to_s %>
-catalog.<%= node["openstack"]["identity"]["region"] %>.network.name = Network Service
+catalog.<%= node['openstack']['identity']['region'] %>.network.publicURL = <%= @uris['network'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.network.adminURL = <%= @uris['network'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.network.internalURL = <%= @uris['network'].to_s %>
+catalog.<%= node['openstack']['identity']['region'] %>.network.name = Network Service