Bypass web server during service setup

When connecting directly to a keystone host during service setup, use
the UWSGI ports instead of going through the web server to avoid any
potential errors with differing URI protocols or SSL certs not including
the hostnames of individual hosts.

mod_wsgi was the default deployment pre-Pike, so that configuration will
still need to be catered for. A release note has been included for those
affected by the bug.

 Conflicts:
	tasks/keystone_service_setup.yml

Change-Id: Ie5b33f9d0210a23badb63cab72c481b027790be3
Closes-Bug: 1699191
(cherry picked from commit cabd7e9cef)
Jimmy McCrory 2017-10-09 10:09:24 -07:00
parent 82306cc2b3
commit a23292b8ab
2 changed files with 48 additions and 7 deletions


@ -0,0 +1,13 @@
---
issues:
- |
If the protocol of either the keystone admin or internal endpoints is
'https' and SSL is being terminated at a load balancer, tasks which verify
that services are responsive and perform the initial service setup through
through the keystone hosts' web server ports may fail.
Set ``keystone_mod_wsgi_enabled`` to ``false`` to deploy Keystone under
Uwsgi and allow the web server to be bypassed during these tasks.
See `Launchpad Bug 1699191 <https://bugs.launchpad.net/openstack-ansible/+bug/1699191>`_
for more details.


@ -20,9 +20,17 @@
method: "HEAD"
status_code: 300
with_items:
- url: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}"
- url: >-
{{ keystone_mod_wsgi_enabled | ternary(
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string,
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string)
}}
validate_certs: "{{ not keystone_service_adminuri_insecure | bool }}"
- url: "{{ keystone_service_internaluri_proto }}://{{ ansible_host }}:{{ keystone_service_port }}"
- url: >-
{{ keystone_mod_wsgi_enabled | ternary(
keystone_service_internaluri_proto + '://' + ansible_host + ':' + keystone_service_port | string,
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string)
}}
validate_certs: "{{ not keystone_service_internaluri_insecure | bool }}"
register: _wait_check
until: _wait_check | success
@ -56,7 +64,11 @@
login_user: "{{ keystone_admin_user_name }}"
login_password: "{{ keystone_auth_admin_password }}"
login_project_name: "{{ keystone_admin_tenant_name }}"
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
endpoint: >-
{{ keystone_mod_wsgi_enabled | ternary(
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
}}
ignore_catalog: True
tenant_name: "{{ keystone_service_tenant_name }}"
description: "{{ keystone_service_description }}"
@ -73,7 +85,11 @@
login_user: "{{ keystone_admin_user_name }}"
login_password: "{{ keystone_auth_admin_password }}"
login_project_name: "{{ keystone_admin_tenant_name }}"
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
endpoint: >-
{{ keystone_mod_wsgi_enabled | ternary(
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
}}
ignore_catalog: True
role_name: "{{ keystone_default_role_name }}"
insecure: "{{ keystone_service_adminuri_insecure }}"
@ -90,7 +106,11 @@
login_user: "{{ keystone_admin_user_name }}"
login_password: "{{ keystone_auth_admin_password }}"
login_project_name: "{{ keystone_admin_tenant_name }}"
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
endpoint: >-
{{ keystone_mod_wsgi_enabled | ternary(
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
}}
ignore_catalog: True
service_name: "{{ keystone_service_name }}"
service_type: "{{ keystone_service_type }}"
@ -108,7 +128,11 @@
login_user: "{{ keystone_admin_user_name }}"
login_password: "{{ keystone_auth_admin_password }}"
login_project_name: "{{ keystone_admin_tenant_name }}"
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
endpoint: >-
{{ keystone_mod_wsgi_enabled | ternary(
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
}}
ignore_catalog: True
user_name: "{{ keystone_service_user_name }}"
tenant_name: "{{ keystone_service_tenant_name }}"
@ -126,7 +150,11 @@
login_user: "{{ keystone_admin_user_name }}"
login_password: "{{ keystone_auth_admin_password }}"
login_project_name: "{{ keystone_admin_tenant_name }}"
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
endpoint: >-
{{ keystone_mod_wsgi_enabled | ternary(
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
}}
ignore_catalog: True
user_name: "{{ keystone_service_user_name }}"
tenant_name: "{{ keystone_service_tenant_name }}"
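Review bot: In the first hunk the internal-endpoint check builds its uWSGI URL from `keystone_uwsgi_ports['keystone-wsgi-admin']['http']`, the same key as the admin check above it, so with `keystone_mod_wsgi_enabled` false the wait loop polls the admin listener twice and never confirms the internal/public service is up; it presumably should read the public listener's entry in `keystone_uwsgi_ports` (confirm the key name in the role defaults). Separately, the five `endpoint:` hunks hard-code `http://` in the uWSGI branch, so the `login_password` shown in the context lines is sent to `ansible_host` without TLS, and the `validate_certs` / `insecure` settings likely have no effect on that path. That is acceptable only if the uWSGI HTTP ports are reachable solely from the host itself or a trusted management network; a comment above each endpoint such as `# uWSGI branch is plain HTTP: admin credentials are unencrypted, keep these ports off untrusted networks`, plus a matching sentence in the release note, would make the trade-off explicit. The tasks start and end outside the hunks, so whether they run on the keystone host or are delegated elsewhere is not visible here.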