From 0fbba8a708f6de8555c48993b09130cbe3cd5742 Mon Sep 17 00:00:00 2001 From: Mohammed Naser Date: Tue, 31 Jul 2018 15:48:33 -0400 Subject: [PATCH] Drop Admin API from Keystone With the removal of Keystone V2, the admin and public APIs serve no difference so we're better off removing those extra services. Change-Id: I2a8743357934ace7aa2accc53b0df7b3865b866f --- defaults/main.yml | 11 +------- handlers/main.yml | 42 ++++++++++++++++++++++++++-- tasks/keystone_install.yml | 9 ++---- tasks/keystone_service_bootstrap.yml | 7 ++--- templates/keystone-httpd.conf.j2 | 40 -------------------------- templates/keystone.conf.j2 | 1 - 6 files changed, 45 insertions(+), 65 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index b7eac775..5c13df77 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -157,7 +157,6 @@ keystone_role_name: admin keystone_default_role_name: _member_ ## Admin info -keystone_admin_port: 35357 keystone_admin_user_name: admin keystone_admin_tenant_name: admin keystone_admin_description: Admin Tenant @@ -182,7 +181,7 @@ keystone_service_adminuri_insecure: false keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}" keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" -keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}" +keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}" ## Set this value to override the "public_endpoint" keystone.conf variable #keystone_public_endpoint: "{{ keystone_service_publicuri }}" 
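Review bot: `keystone_service_adminuri` now points at `keystone_service_port` but still takes its scheme from `keystone_service_adminuri_proto`, so the admin URL can disagree with what the single remaining listener serves. If a deployment set the admin proto to `http` while the service port speaks TLS, clients using the admin endpoint would send their request, token header included, in clear text before the connection fails. Both URIs now use `internal_lb_vip_address` and the same port, so consider `keystone_service_adminuri: "{{ keystone_service_internaluri }}"`, or add a comment that `keystone_service_adminuri_proto` must equal `keystone_service_internaluri_proto`. Any firewall or load-balancer rule that limited the old admin port to a management network no longer separates admin traffic, which deserves a release note.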
@@ -223,7 +222,6 @@ keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_l keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time' keystone_nginx_ports: keystone-wsgi-public: "{{ keystone_service_port }}" - keystone-wsgi-admin: "{{ keystone_admin_port }}" keystone_nginx_extra_conf: - keepalive_timeout 70; @@ -237,9 +235,6 @@ keystone_uwsgi_ports: keystone-wsgi-public: http: 37358 socket: 35358 - keystone-wsgi-admin: - http: 37359 - socket: 5001 keystone_uwsgi_ini_overrides: {} @@ -503,10 +498,6 @@ keystone_services: service_name: "keystone-wsgi-public" init_config_overrides: "{{ keystone_uwsgi_init_overrides }}" execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-public.ini" - keystone-wsgi-admin: - service_name: "keystone-wsgi-admin" - init_config_overrides: "{{ keystone_uwsgi_init_overrides }}" - execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-admin.ini" ## Extra HTTP headers for Keystone # Add any additional headers here that Keystone should return. diff --git a/handlers/main.yml b/handlers/main.yml index 7dc59823..2e71f13e 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -33,7 +33,6 @@ delay: 10 with_items: - "{{ keystone_service_port }}" - - "{{ keystone_admin_port }}" register: _wait_check until: _wait_check is success retries: 5 
@@ -55,6 +54,46 @@ - "venv changed" - "Restart uWSGI" +# NOTE(mnaser): This should be removed in the Stein cycle +- name: Stop and disable keystone-wsgi-admin + shell: | + return_code=0 + if [[ "$(systemctl is-active keystone-wsgi-admin)" == "active" ]]; then + systemctl stop keystone-wsgi-admin + return_code=2 + fi + if [[ "$(systemctl is-enabled keystone-wsgi-admin)" == "enabled" ]]; then + systemctl disable keystone-wsgi-admin + return_code=2 + fi + exit ${return_code} + args: + executable: /bin/bash + register: _remove_admin_service + changed_when: _remove_admin_service.rc == 2 + failed_when: _remove_admin_service.rc not in [0, 2] + listen: "Restart uWSGI" + # This task causes ansible-lint to give a ANSIBLE0014 + # error, which does not make much sense given how the + # environment variable is used in this case. + # TODO(odyssey4me): + # Try to understand the issue ansible-lint is trying + # to highlight and address it. + tags: + - skip_ansible_lint + +# NOTE(mnaser): This should be removed in the Stein cycle +- name: Clean up keystone-wsgi-admin service files + file: + path: "{{ item }}" + state: absent + with_items: + - "/etc/tmpfiles.d/openstack-keystone-wsgi-admin.conf" + - "/etc/systemd/system/keystone-wsgi-admin.service" + - "/etc/uwsgi/keystone-wsgi-admin.ini" + - "/var/www/cgi-bin/keystone/admin" + listen: "Restart uWSGI" + # Note (odyssey4me): # The policy.json file is currently read continually by the services # and is not only read on service start. We therefore cannot template @@ -106,7 +145,6 @@ timeout: 25 delay: 10 with_items: - - "{{ keystone_uwsgi_ports['keystone-wsgi-admin']['socket'] }}" - "{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}" register: _wait_check until: _wait_check is success diff --git a/tasks/keystone_install.yml b/tasks/keystone_install.yml index b17bb17a..15eddc85 100644 --- a/tasks/keystone_install.yml +++ b/tasks/keystone_install.yml 
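Review bot: The two clean-up handlers only run when something notifies `Restart uWSGI`, so on a run where nothing does, the old `keystone-wsgi-admin` unit keeps running and its uWSGI ports stay open. For decommissioning a listener, an unconditional task in the install or upgrade path is safer than a handler. The second handler deletes `/etc/systemd/system/keystone-wsgi-admin.service`, but no daemon reload is visible in this hunk, so systemd may keep the stale unit loaded; a follow-up `systemd` task with `daemon_reload: yes` would close that gap. The comment block above `tags:` appears to have been copied from another task: it refers to an environment variable and this script uses none, so it should state the real reason for `skip_ansible_lint` or be dropped.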
@@ -146,15 +146,10 @@ - name: Create WSGI symlinks file: - src: "{{ item.src }}" - dest: "/var/www/cgi-bin/keystone/{{ item.dest }}" + src: "{{ keystone_bin }}/keystone-wsgi-public" + dest: "/var/www/cgi-bin/keystone/main" state: link force: yes - with_items: - - src: "{{ keystone_bin }}/keystone-wsgi-admin" - dest: admin - - src: "{{ keystone_bin }}/keystone-wsgi-public" - dest: main notify: - Manage LB - Restart web server diff --git a/tasks/keystone_service_bootstrap.yml b/tasks/keystone_service_bootstrap.yml index fdddd7b2..e96fc5f0 100644 --- a/tasks/keystone_service_bootstrap.yml +++ b/tasks/keystone_service_bootstrap.yml @@ -13,14 +13,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -- name: Wait for services to be up +- name: Wait for service to be up uri: - url: "{{ item }}" + url: "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-public']['http'] }}" method: "HEAD" status_code: 300 - with_items: - - "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}" - - "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-public']['http'] }}" register: _wait_check until: _wait_check is success retries: 12 diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2 index 9b563a30..f54afb34 100644 --- a/templates/keystone-httpd.conf.j2 +++ b/templates/keystone-httpd.conf.j2 
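Review bot: The readiness probe on the new `url:` line in `keystone_service_bootstrap.yml` talks plain `http://` to the uWSGI HTTP port on `ansible_host`, bypassing the web server that terminates TLS. That only succeeds if the uWSGI HTTP listener is bound to a non-loopback address, which this hunk does not show; if it is, the Keystone API is reachable unencrypted on that port and access to it should be limited to the management network. A comment above the task would make the assumption explicit, for example `# Probes uWSGI directly without TLS; this port must not be reachable outside the management network`. The task body continues past the end of the hunk.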
@@ -69,44 +69,4 @@ Listen {{ keystone_service_port }} -Listen {{ keystone_admin_port }} - - - = 2.4> - ErrorLogFormat "%{cu}t %M" - - - LogLevel {{ keystone_apache_log_level }} - # NOTE(Cloudnull): Log files can changed to use "mod_journal" when Apache 2.5 is released - ErrorLog {{ keystone_apache_default_log_folder }}/keystone-apache-error.log - CustomLog {{ keystone_apache_default_log_folder }}/ssl_access.log {{ keystone_apache_custom_log_format }} - Options +FollowSymLinks - - - {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%} - SSLEngine on - SSLCertificateFile {{ keystone_ssl_cert }} - SSLCertificateKeyFile {{ keystone_ssl_key }} - {% if keystone_user_ssl_ca_cert is defined -%} - SSLCACertificateFile {{ keystone_ssl_ca_cert }} - {% endif -%} - SSLCompression Off - SSLProtocol {{ keystone_ssl_protocol }} - SSLHonorCipherOrder On - SSLCipherSuite {{ keystone_ssl_cipher_suite }} - SSLOptions +StdEnvVars +ExportCertData - {% endif %} - - - Options Indexes FollowSymLinks MultiViews - AllowOverride All - Order allow,deny - allow from all - - - ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-admin']["socket"] }}/ - - - ProxyPass /identity uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/ -ProxyPass /identity_admin uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['socket'] }}/ diff --git a/templates/keystone.conf.j2 b/templates/keystone.conf.j2 index 320ee480..eec27194 100644 --- a/templates/keystone.conf.j2 +++ b/templates/keystone.conf.j2 @@ -139,7 +139,6 @@ idp_contact_type = {{ keystone_idp.contact_type }} [eventlet_server] admin_bind_host = {{ keystone_bind_address }} -admin_port = {{ keystone_admin_port }} public_port = {{ keystone_service_port }} [credential]