Fixup keystone endpoint handling
Finish removing the creation of an admin endpoint for keystone. This was started in [0], but some fragments remained. At the same time, the option to create an internal identity endpoint that differs from the public one is reintroduced. [0] I01d44e48053cad7aeb92636f4b41649204006c93 Change-Id: Id74966d9f1279f725bc41c08e434230a7845bbc1
parent
41b3463312
commit
e30e2cf418
@ -28,20 +28,17 @@ default['openstack']['identity']['custom_template_banner'] = '
# Any changes will be overwritten
'
%w(admin internal public).each do |ep_type|
# host for openstack identity endpoint
%w(internal public).each do |ep_type|
# host for openstack internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['host'] = '127.0.0.1'
# scheme for openstack identity endpoint
# scheme for openstack internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['scheme'] = 'http'
# path for openstack identity endpoint
# port for openstack internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['port'] = 5000
# path for openstack internal/public identity endpoint
default['openstack']['endpoints'][ep_type]['identity']['path'] = '/v3'
end
# port for openstack public identity endpoint
default['openstack']['endpoints']['public']['identity']['port'] = 5000
# port for openstack internal identity endpoint
default['openstack']['endpoints']['internal']['identity']['port'] = 5000
# address for openstack identity service main endpoint to bind to
default['openstack']['bind_service']['public']['identity']['host'] = '127.0.0.1'
# port for openstack identity service main endpoint to bind to
@ -65,19 +62,19 @@ default['openstack']['identity']['pastefile_url'] = nil
# this value will be used in the templated version of keystone-paste.ini
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
default['openstack']['identity']['pipeline']['public_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service'
default['openstack']['identity']['pipeline']['public_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service'
# This specify the pipeline of the keystone admin API,
# all Identity admin API requests will be processed by the order of the pipeline.
# this value will be used in the templated version of keystone-paste.ini
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
default['openstack']['identity']['pipeline']['admin_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service'
default['openstack']['identity']['pipeline']['admin_api'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service'
# This specify the pipeline of the keystone V3 API,
# all Identity V3 API requests will be processed by the order of the pipeline.
# this value will be used in the templated version of keystone-paste.ini
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
default['openstack']['identity']['pipeline']['api_v3'] = 'healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3'
default['openstack']['identity']['pipeline']['api_v3'] = 'healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3'
# region to be used for endpoint registration
default['openstack']['identity']['region'] = node['openstack']['region']
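Review bot: The second hunk (`@ -65,19 +62,19 @@`) inserts `osprofiler` into all three paste pipelines (`public_api`, `admin_api`, `api_v3`), which is unrelated to the endpoint cleanup the commit message describes and is not mentioned in it. As far as I know the osprofiler middleware stays inert until profiling is explicitly enabled in keystone.conf, but an enabled profiler emits request traces, so operators auditing the pipeline should be able to find where this change came from. Either split it into its own change or add a sentence to the commit message, and consider a comment above the pipeline attributes such as `# osprofiler is a no-op unless profiling is enabled in keystone.conf`.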
@ -29,11 +29,10 @@ project_domain_name = node['openstack']['identity']['admin_project_domain']
ksadmin_user = node['openstack']['identity']['admin_user']
admin_domain_name = node['openstack']['identity']['admin_domain_name']
# auth_api_version = node['openstack']['api']['auth']['version']
ksadmin_pass = get_password 'user', ksadmin_user
identity_endpoint = public_endpoint 'identity'
auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
auth_url = ::URI.decode identity_endpoint.to_s
directory node['openstack']['openrc']['path'] do
owner node['openstack']['openrc']['user']
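Review bot: `auth_url = ::URI.decode identity_endpoint.to_s` relies on `URI.decode`, which has been obsolete since Ruby 2.x and no longer exists in Ruby 3.0, so the recipe raises `NoMethodError` on a newer Chef client; the same call is introduced in recipes/registration.rb (`auth_url = ::URI.decode identity_internal_endpoint.to_s`) in this commit. The server-apache recipe in this same commit normalizes the helper output with `identity_endpoint.to_s.gsub('%25', '%')`; using that form here and in registration.rb, or `URI::DEFAULT_PARSER.unescape`, keeps the three recipes consistent and removes the dependency on the removed method. With the version transform gone, the leftover `# auth_api_version = ...` comment just above is now dead and could be dropped.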
@ -31,7 +31,8 @@ class ::Chef::Recipe
end
identity_endpoint = public_endpoint 'identity'
auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
identity_internal_endpoint = internal_endpoint 'identity'
auth_url = ::URI.decode identity_internal_endpoint.to_s
# define the credentials to use for the initial admin user
admin_project = node['openstack']['identity']['admin_project']
@ -45,7 +46,7 @@ connection_params = {
openstack_username: admin_user,
openstack_api_key: admin_pass,
openstack_project_name: admin_project,
openstack_domain_name: admin_domain,
openstack_domain_id: admin_domain,
}
ruby_block 'wait for identity endpoint' do
@ -64,7 +65,7 @@ ruby_block 'wait for identity endpoint' do
end
end
openstack_domain admin_domain do
openstack_domain 'identity' do
connection_params connection_params
end
@ -85,6 +86,10 @@ openstack_role '_member_' do
connection_params connection_params
end
node.normal['openstack']['identity']['adminURL'] = identity_internal_endpoint.to_s
node.normal['openstack']['identity']['internalURL'] = identity_internal_endpoint.to_s
node.normal['openstack']['identity']['publicURL'] = identity_endpoint.to_s
Chef::Log.info "Keystone AdminURL: #{identity_internal_endpoint}"
Chef::Log.info "Keystone InternalURL: #{identity_internal_endpoint}"
Chef::Log.info "Keystone PublicURL: #{identity_endpoint}"
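Review bot: In the `connection_params` hunk (`@ -45,7 +46,7 @@`), `openstack_domain_name: admin_domain` becomes `openstack_domain_id: admin_domain`, but the value appears to still be the admin domain name (the registration spec pairs `openstack_domain_id: 'default'` with `admin_domain_name = 'default'`). That only authenticates because the built-in `default` domain has an ID equal to its name; for any other configured admin domain the ID is a UUID, so the bootstrap authentication against `auth_url` would fail with a credential error. Keep `openstack_domain_name: admin_domain`, or resolve the domain ID before building the hash, and add a comment stating which one the helper expects. The assignment of `admin_domain` itself is outside the hunk, so this is inferred from the spec.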
@ -48,8 +48,14 @@ end
platform_options = node['openstack']['identity']['platform']
identity_internal_endpoint = internal_endpoint 'identity'
identity_endpoint = public_endpoint 'identity'
# define the address where the keystone public endpoint will be reachable
ie = identity_endpoint
# define the keystone public endpoint full path
api_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
# define the credentials to use for the initial admin user
admin_project = node['openstack']['identity']['admin_project']
admin_user = node['openstack']['identity']['admin_user']
@ -136,15 +142,9 @@ node.default['openstack']['identity']['conf_secrets']
# search for memcache servers using the method from cookbook-openstack-common
memcache_servers = memcached_servers.join ','
# define the address where the keystone public endpoint will be reachable
ie = identity_endpoint
# define the keystone public endpoint full path
api_endpoint = "#{ie.scheme}://#{ie.host}:#{ie.port}/"
# If a keystone-paste.ini is specified use it.
# If platform_family is RHEL and we do not specify keystone-paste.ini,
# copy in /usr/share/keystone/keystone-dist-paste.ini since
# /etc/keystone/keystone-paste.ini is not packaged.
# TODO(jh): Starting with Rocky keystone-paste.ini is no longer being used
# and this block can be removed
if node['openstack']['identity']['pastefile_url']
remote_file '/etc/keystone/keystone-paste.ini' do
action :create_if_missing
@ -167,13 +167,14 @@ if node['openstack']['mq']['service_type'] == 'rabbit'
node.default['openstack']['identity']['conf_secrets']['DEFAULT']['transport_url'] = rabbit_transport_url 'identity'
end
# set keystone config parameters for admin_token, endpoints and memcache
# set keystone config parameters for endpoints, memcache
node.default['openstack']['identity']['conf'].tap do |conf|
conf['DEFAULT']['public_endpoint'] = api_endpoint
conf['DEFAULT']['admin_endpoint'] = api_endpoint
conf['memcache']['servers'] = memcache_servers if memcache_servers
end
# merge all config options and secrets to be used in the nova.conf.erb
# merge all config options and secrets to be used in the keystone.conf.erb
keystone_conf_options = merge_config_options 'identity'
# create the keystone.conf from attributes
@ -211,9 +212,10 @@ if node['openstack']['identity']['catalog']['backend'] == 'templated'
network_public_endpoint = public_endpoint 'network'
volume_public_endpoint = public_endpoint 'block-storage'
# populate the templated catlog
# populate the templated catalog
# TODO: (jklare) this should be done in a helper method
uris = {
'identity-admin' => identity_internal_endpoint.to_s.gsub('%25', '%'),
'identity' => identity_endpoint.to_s.gsub('%25', '%'),
'image' => image_public_endpoint.to_s.gsub('%25', '%'),
'compute' => compute_public_endpoint.to_s.gsub('%25', '%'),
@ -248,9 +250,9 @@ execute 'bootstrap_keystone' do
--bootstrap-role-name #{admin_role} \\
--bootstrap-service-name keystone \\
--bootstrap-region-id #{region} \\
--bootstrap-admin-url #{identity_endpoint} \\
--bootstrap-admin-url #{identity_internal_endpoint} \\
--bootstrap-public-url #{identity_endpoint} \\
--bootstrap-internal-url #{identity_endpoint}"
--bootstrap-internal-url #{identity_internal_endpoint}"
end
#### Start of Apache specific work
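Review bot: In the keystone config hunk (`@ -167,13 +167,14 @@`), `conf['DEFAULT']['admin_endpoint'] = api_endpoint` is still derived from the public endpoint (`ie = identity_endpoint`), while the bootstrap hunk now registers `identity_internal_endpoint` as `--bootstrap-admin-url` and the templated catalog maps `'identity-admin'` to the internal endpoint. Whenever an operator sets a distinct internal endpoint — the option this commit reintroduces — keystone.conf's `admin_endpoint` and the catalog's adminURL will disagree. Building it from the internal endpoint keeps the two in step: `iie = identity_internal_endpoint` and `conf['DEFAULT']['admin_endpoint'] = "#{iie.scheme}://#{iie.host}:#{iie.port}/"`. If I recall correctly `admin_endpoint` is deprecated in current keystone releases, in which case dropping the key with a short comment may be the cleaner fix.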
@ -63,12 +63,12 @@ describe 'openstack-identity::openrc' do
node.set['openstack']['identity']['admin_domain_id'] =
'admin-domain-override'
node.set['openstack']['endpoints']['public']['identity']['uri'] =
'https://public.identity:1234/v3'
'https://public.identity:1234/'
[
/^export OS_USERNAME=identity_admin$/,
/^export OS_PROJECT_NAME=admin-project-name-override$/,
/^export OS_PASSWORD=identity_admin_pass$/,
%r{^export OS_AUTH_URL=https://public.identity:1234/v3$},
%r{^export OS_AUTH_URL=https://public.identity:1234/$},
].each do |line|
expect(chef_run).to render_file(file.name).with_content(line)
end
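Review bot: With the override changed to `'https://public.identity:1234/'` and the expectation to `%r{^export OS_AUTH_URL=https://public.identity:1234/$}`, nothing in this hunk documents that the recipe now emits the endpoint verbatim and no longer appends an API version. Since an operator overriding `uri` must now supply the `/v3` path themselves, a second example that overrides with a versioned URI and asserts it is passed through unchanged would pin that contract. The `describe` block containing these examples starts outside the hunk, so a default-values example may already exist there.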
@ -16,11 +16,12 @@ describe 'openstack-identity::registration' do
openstack_username: 'admin',
openstack_api_key: 'admin',
openstack_project_name: 'admin',
openstack_domain_name: 'default',
openstack_domain_id: 'default',
}
service_user = 'admin'
role_name = 'admin'
domain_name = 'default'
admin_domain_name = 'default'
domain_name = 'identity'
describe 'keystone bootstrap' do
context 'default values' do
@ -40,7 +41,7 @@ describe 'openstack-identity::registration' do
expect(chef_run).to grant_domain_openstack_user(
service_user
).with(
domain_name: domain_name,
domain_name: admin_domain_name,
role_name: role_name,
connection_params: connection_params
)
@ -20,6 +20,7 @@ describe 'openstack-identity::server-apache' do
project_name = 'admin'
role_name = 'admin'
password = 'admin'
admin_url = 'http://127.0.0.1:5000/v3'
public_url = 'http://127.0.0.1:5000/v3'
internal_url = 'http://127.0.0.1:5000/v3'
@ -52,7 +53,7 @@ describe 'openstack-identity::server-apache' do
--bootstrap-role-name #{role_name} \\
--bootstrap-service-name #{service_name} \\
--bootstrap-region-id #{region} \\
--bootstrap-admin-url #{public_url} \\
--bootstrap-admin-url #{admin_url} \\
--bootstrap-public-url #{public_url} \\
--bootstrap-internal-url #{internal_url}")
end
@ -277,15 +278,15 @@ describe 'openstack-identity::server-apache' do
it 'has default api pipeline values' do
expect(chef_run).to render_config_file(path).with_section_content(
'pipeline:public_api',
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service$/
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service$/
)
expect(chef_run).to render_config_file(path).with_section_content(
'pipeline:admin_api',
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service$/
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service$/
)
expect(chef_run).to render_config_file(path).with_section_content(
'pipeline:api_v3',
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
/^pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3$/
)
end
it 'template api pipeline set correct' do
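Review bot: In the first hunk (`@ -20,6 +20,7 @@`) the new `admin_url`, `public_url` and `internal_url` are all `'http://127.0.0.1:5000/v3'`, so the bootstrap assertion `--bootstrap-admin-url #{admin_url}` in the second hunk passes even if the recipe swapped public and internal URLs — exactly the regression this commit is fixing. A context that sets `node.set['openstack']['endpoints']['internal']['identity']['host']` to a distinct value (the openrc spec already uses `node.set` this way) and asserts that only `--bootstrap-admin-url` and `--bootstrap-internal-url` change would make the test discriminating. The `describe` block these examples belong to starts outside the hunk.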
@ -1,29 +1,29 @@
catalog.<%= node["openstack"]["identity"]["region"] %>.identity.publicURL = <%= @uris["identity"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.identity.adminURL = <%= @uris["identity-admin"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.identity.internalURL = <%= @uris["identity"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.identity.name = Identity Service
catalog.<%= node['openstack']['identity']['region'] %>.identity.publicURL = <%= @uris['identity'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.identity.adminURL = <%= @uris['identity-admin'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.identity.internalURL = <%= @uris['identity-admin'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.identity.name = Identity Service
catalog.<%= node["openstack"]["identity"]["region"] %>.compute.publicURL = <%= @uris["compute"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.compute.adminURL = <%= @uris["compute"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.compute.internalURL = <%= @uris["compute"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.compute.name = Compute Service
catalog.<%= node['openstack']['identity']['region'] %>.compute.publicURL = <%= @uris['compute'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.compute.adminURL = <%= @uris['compute'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.compute.internalURL = <%= @uris['compute'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.compute.name = Compute Service
catalog.<%= node["openstack"]["identity"]["region"] %>.volume.publicURL = <%= @uris["volume"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.volume.adminURL = <%= @uris["volume"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.volume.internalURL = <%= @uris["volume"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.volume.name = Volume Service
catalog.<%= node['openstack']['identity']['region'] %>.volume.publicURL = <%= @uris['volume'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.volume.adminURL = <%= @uris['volume'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.volume.internalURL = <%= @uris['volume'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.volume.name = Volume Service
catalog.<%= node["openstack"]["identity"]["region"] %>.ec2.publicURL = <%= @uris["ec2"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.ec2.adminURL = <%= @uris["ec2"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.ec2.internalURL = <%= @uris["ec2"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.ec2.name = EC2 Service
catalog.<%= node['openstack']['identity']['region'] %>.ec2.publicURL = <%= @uris['ec2'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.ec2.adminURL = <%= @uris['ec2'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.ec2.internalURL = <%= @uris['ec2'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.ec2.name = EC2 Service
catalog.<%= node["openstack"]["identity"]["region"] %>.image.publicURL = <%= @uris["image"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.image.adminURL = <%= @uris["image"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.image.internalURL = <%= @uris["image"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.image.name = Image Service
catalog.<%= node['openstack']['identity']['region'] %>.image.publicURL = <%= @uris['image'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.image.adminURL = <%= @uris['image'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.image.internalURL = <%= @uris['image'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.image.name = Image Service
catalog.<%= node["openstack"]["identity"]["region"] %>.network.publicURL = <%= @uris["network"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.network.adminURL = <%= @uris["network"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.network.internalURL = <%= @uris["network"].to_s %>
catalog.<%= node["openstack"]["identity"]["region"] %>.network.name = Network Service
catalog.<%= node['openstack']['identity']['region'] %>.network.publicURL = <%= @uris['network'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.network.adminURL = <%= @uris['network'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.network.internalURL = <%= @uris['network'].to_s %>
catalog.<%= node['openstack']['identity']['region'] %>.network.name = Network Service
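Review bot: `identity.internalURL = <%= @uris['identity-admin'].to_s %>` is the one semantic change in this hunk, and the key name no longer describes its content: the recipe now fills `'identity-admin'` from `identity_internal_endpoint`, so both adminURL and internalURL read an "admin" key that holds the internal endpoint. Renaming the key to `'identity-internal'` in the recipe's `uris` hash and in this template, or at least adding `# 'identity-admin' holds the internal endpoint; keystone has no separate admin API anymore` above the hash in the recipe, would stop the next reader from assuming a third endpoint exists. The rest of the hunk rewrites every line from double to single quotes, which hides this one functional change in a cosmetic diff; splitting the quote cleanup into its own change would make the intent auditable.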