Merge "Drop Admin API from Keystone"

2018-09-14 21:22:26 +00:00 · 2018-09-14 21:22:26 +00:00 · 8ebdbb2bc2
parent 130c1339e7 0fbba8a708
commit 8ebdbb2bc2
6 changed files with 45 additions and 65 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -157,7 +157,6 @@ keystone_role_name: admin
 keystone_default_role_name: _member_

 ## Admin info
-keystone_admin_port: 35357
 keystone_admin_user_name: admin
 keystone_admin_tenant_name: admin
 keystone_admin_description: Admin Tenant
@ -182,7 +181,7 @@ keystone_service_adminuri_insecure: false

 keystone_service_publicuri: "{{ keystone_service_publicuri_proto }}://{{ external_lb_vip_address }}:{{ keystone_service_port }}"
 keystone_service_internaluri: "{{ keystone_service_internaluri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"
-keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_admin_port }}"
+keystone_service_adminuri: "{{ keystone_service_adminuri_proto }}://{{ internal_lb_vip_address }}:{{ keystone_service_port }}"

 ## Set this value to override the "public_endpoint" keystone.conf variable
 #keystone_public_endpoint: "{{ keystone_service_publicuri }}"
@ -223,7 +222,6 @@ keystone_nginx_access_log_format_combined: '$remote_addr - $remote_user [$time_l
 keystone_nginx_access_log_format_extras: '$request_time $upstream_response_time'
 keystone_nginx_ports:
  keystone-wsgi-public: "{{ keystone_service_port }}"
-  keystone-wsgi-admin: "{{ keystone_admin_port }}"
 keystone_nginx_extra_conf:
  - keepalive_timeout   70;

@ -237,9 +235,6 @@ keystone_uwsgi_ports:
  keystone-wsgi-public:
    http: 37358
    socket: 35358
-  keystone-wsgi-admin:
-    http: 37359
-    socket: 5001

 keystone_uwsgi_ini_overrides: {}

@ -503,10 +498,6 @@ keystone_services:
    service_name: "keystone-wsgi-public"
    init_config_overrides: "{{ keystone_uwsgi_init_overrides }}"
    execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-public.ini"
-  keystone-wsgi-admin:
-    service_name: "keystone-wsgi-admin"
-    init_config_overrides: "{{ keystone_uwsgi_init_overrides }}"
-    execstarts: "{{ keystone_uwsgi_bin }}/uwsgi --autoload --ini /etc/uwsgi/keystone-wsgi-admin.ini"

 ## Extra HTTP headers for Keystone
 # Add any additional headers here that Keystone should return.
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -33,7 +33,6 @@
    delay: 10
  with_items:
    - "{{ keystone_service_port }}"
-    - "{{ keystone_admin_port }}"
  register: _wait_check
  until: _wait_check is success
  retries: 5
@ -55,6 +54,46 @@
    - "venv changed"
    - "Restart uWSGI"

+# NOTE(mnaser): This should be removed in the Stein cycle
+- name: Stop and disable keystone-wsgi-admin
+  shell: |
+    return_code=0
+    if [[ "$(systemctl is-active keystone-wsgi-admin)" == "active" ]]; then
+      systemctl stop keystone-wsgi-admin
+      return_code=2
+    fi
+    if [[ "$(systemctl is-enabled keystone-wsgi-admin)" == "enabled" ]]; then
+      systemctl disable keystone-wsgi-admin
+      return_code=2
+    fi
+    exit ${return_code}
+  args:
+    executable: /bin/bash
+  register: _remove_admin_service
+  changed_when: _remove_admin_service.rc == 2
+  failed_when: _remove_admin_service.rc not in [0, 2]
+  listen: "Restart uWSGI"
+  # This task causes ansible-lint to give a ANSIBLE0014
+  # error, which does not make much sense given how the
+  # environment variable is used in this case.
+  # TODO(odyssey4me):
+  # Try to understand the issue ansible-lint is trying
+  # to highlight and address it.
+  tags:
+    - skip_ansible_lint
+
+# NOTE(mnaser): This should be removed in the Stein cycle
+- name: Clean up keystone-wsgi-admin service files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - "/etc/tmpfiles.d/openstack-keystone-wsgi-admin.conf"
+    - "/etc/systemd/system/keystone-wsgi-admin.service"
+    - "/etc/uwsgi/keystone-wsgi-admin.ini"
+    - "/var/www/cgi-bin/keystone/admin"
+  listen: "Restart uWSGI"
+
 # Note (odyssey4me):
 # The policy.json file is currently read continually by the services
 # and is not only read on service start. We therefore cannot template
@ -106,7 +145,6 @@
    timeout: 25
    delay: 10
  with_items:
-    - "{{ keystone_uwsgi_ports['keystone-wsgi-admin']['socket'] }}"
    - "{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}"
  register: _wait_check
  until: _wait_check is success
--- a/tasks/keystone_install.yml
+++ b/tasks/keystone_install.yml
@ -146,15 +146,10 @@

 - name: Create WSGI symlinks
  file:
-    src: "{{ item.src }}"
-    dest: "/var/www/cgi-bin/keystone/{{ item.dest }}"
+    src: "{{ keystone_bin }}/keystone-wsgi-public"
+    dest: "/var/www/cgi-bin/keystone/main"
    state: link
    force: yes
-  with_items:
-    - src: "{{ keystone_bin }}/keystone-wsgi-admin"
-      dest: admin
-    - src: "{{ keystone_bin }}/keystone-wsgi-public"
-      dest: main
  notify:
    - Manage LB
    - Restart web server
--- a/tasks/keystone_service_bootstrap.yml
+++ b/tasks/keystone_service_bootstrap.yml
@ -13,14 +13,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

- name: Wait for services to be up
+- name: Wait for service to be up
  uri:
-    url: "{{ item }}"
+    url: "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-public']['http'] }}"
    method: "HEAD"
    status_code: 300
-  with_items:
-    - "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['http'] }}"
-    - "http://{{ ansible_host }}:{{ keystone_uwsgi_ports['keystone-wsgi-public']['http'] }}"
  register: _wait_check
  until: _wait_check  is success
  retries: 12
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -69,44 +69,4 @@ Listen {{ keystone_service_port }}

 </VirtualHost>

-Listen {{ keystone_admin_port }}
-<VirtualHost *:{{ keystone_admin_port }}>
-
-    <IfVersion >= 2.4>
-      ErrorLogFormat "%{cu}t %M"
-    </IfVersion>
-
-    LogLevel  {{  keystone_apache_log_level }}
-    # NOTE(Cloudnull): Log files can changed to use "mod_journal" when Apache 2.5 is released
-    ErrorLog  {{ keystone_apache_default_log_folder }}/keystone-apache-error.log
-    CustomLog {{ keystone_apache_default_log_folder }}/ssl_access.log {{ keystone_apache_custom_log_format }}
-    Options +FollowSymLinks
-
-
-    {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" -%}
-    SSLEngine on
-    SSLCertificateFile    {{ keystone_ssl_cert }}
-    SSLCertificateKeyFile {{ keystone_ssl_key }}
-    {% if keystone_user_ssl_ca_cert is defined -%}
-    SSLCACertificateFile  {{ keystone_ssl_ca_cert }}
-    {% endif -%}
-    SSLCompression Off
-    SSLProtocol {{ keystone_ssl_protocol }}
-    SSLHonorCipherOrder On
-    SSLCipherSuite {{ keystone_ssl_cipher_suite }}
-    SSLOptions +StdEnvVars +ExportCertData
-    {% endif %}
-
-    <Directory /var/www/cgi-bin/keystone>
-        Options Indexes FollowSymLinks MultiViews
-        AllowOverride All
-        Order allow,deny
-        allow from all
-    </Directory>
-
-    ProxyPass / uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-admin']["socket"] }}/
-
-</VirtualHost>
-
 ProxyPass /identity uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-public']['socket'] }}/
-ProxyPass /identity_admin uwsgi://127.0.0.1:{{ keystone_uwsgi_ports['keystone-wsgi-admin']['socket'] }}/
--- a/templates/keystone.conf.j2
+++ b/templates/keystone.conf.j2
@ -139,7 +139,6 @@ idp_contact_type = {{ keystone_idp.contact_type }}

 [eventlet_server]
 admin_bind_host = {{ keystone_bind_address }}
-admin_port = {{ keystone_admin_port }}
 public_port = {{ keystone_service_port }}

 [credential]