Bypass web server during service setup
When connecting directly to a keystone host during service setup, use
the UWSGI ports instead of going through the web server to avoid any
potential errors with differing URI protocols or SSL certs not including
the hostnames of individual hosts.
mod_wsgi was the default deployment pre-Pike so that configuration will
still need to be catered for. A release note has been included for those
affected by the bug.
Conflicts:
tasks/keystone_service_setup.yml
Change-Id: Ie5b33f9d0210a23badb63cab72c481b027790be3
Closes-Bug: 1699191
(cherry picked from commit cabd7e9cef
)
parent
82306cc2b3
commit
a23292b8ab
|
@ -0,0 +1,13 @@
|
|||
---
|
||||
issues:
|
||||
- |
|
||||
If the protocol of either the keystone admin or internal endpoints is
|
||||
'https' and SSL is being terminated at a load balancer, tasks which verify
|
||||
that services are responsive and perform the initial service setup through
|
||||
through the keystone hosts' web server ports may fail.
|
||||
|
||||
Set ``keystone_mod_wsgi_enabled`` to ``false`` to deploy Keystone under
|
||||
Uwsgi and allow the web server to be bypassed during these tasks.
|
||||
|
||||
See `Launchpad Bug 1699191 <https://bugs.launchpad.net/openstack-ansible/+bug/1699191>`_
|
||||
for more details.
|
|
@ -20,9 +20,17 @@
|
|||
method: "HEAD"
|
||||
status_code: 300
|
||||
with_items:
|
||||
- url: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}"
|
||||
- url: >-
|
||||
{{ keystone_mod_wsgi_enabled | ternary(
|
||||
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string,
|
||||
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string)
|
||||
}}
|
||||
validate_certs: "{{ not keystone_service_adminuri_insecure | bool }}"
|
||||
- url: "{{ keystone_service_internaluri_proto }}://{{ ansible_host }}:{{ keystone_service_port }}"
|
||||
- url: >-
|
||||
{{ keystone_mod_wsgi_enabled | ternary(
|
||||
keystone_service_internaluri_proto + '://' + ansible_host + ':' + keystone_service_port | string,
|
||||
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string)
|
||||
}}
|
||||
validate_certs: "{{ not keystone_service_internaluri_insecure | bool }}"
|
||||
register: _wait_check
|
||||
until: _wait_check | success
|
||||
|
@ -56,7 +64,11 @@
|
|||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
|
||||
endpoint: >-
|
||||
{{ keystone_mod_wsgi_enabled | ternary(
|
||||
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
|
||||
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
|
||||
}}
|
||||
ignore_catalog: True
|
||||
tenant_name: "{{ keystone_service_tenant_name }}"
|
||||
description: "{{ keystone_service_description }}"
|
||||
|
@ -73,7 +85,11 @@
|
|||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
|
||||
endpoint: >-
|
||||
{{ keystone_mod_wsgi_enabled | ternary(
|
||||
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
|
||||
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
|
||||
}}
|
||||
ignore_catalog: True
|
||||
role_name: "{{ keystone_default_role_name }}"
|
||||
insecure: "{{ keystone_service_adminuri_insecure }}"
|
||||
|
@ -90,7 +106,11 @@
|
|||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
|
||||
endpoint: >-
|
||||
{{ keystone_mod_wsgi_enabled | ternary(
|
||||
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
|
||||
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
|
||||
}}
|
||||
ignore_catalog: True
|
||||
service_name: "{{ keystone_service_name }}"
|
||||
service_type: "{{ keystone_service_type }}"
|
||||
|
@ -108,7 +128,11 @@
|
|||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
|
||||
endpoint: >-
|
||||
{{ keystone_mod_wsgi_enabled | ternary(
|
||||
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
|
||||
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
|
||||
}}
|
||||
ignore_catalog: True
|
||||
user_name: "{{ keystone_service_user_name }}"
|
||||
tenant_name: "{{ keystone_service_tenant_name }}"
|
||||
|
@ -126,7 +150,11 @@
|
|||
login_user: "{{ keystone_admin_user_name }}"
|
||||
login_password: "{{ keystone_auth_admin_password }}"
|
||||
login_project_name: "{{ keystone_admin_tenant_name }}"
|
||||
endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
|
||||
endpoint: >-
|
||||
{{ keystone_mod_wsgi_enabled | ternary(
|
||||
keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
|
||||
'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
|
||||
}}
|
||||
ignore_catalog: True
|
||||
user_name: "{{ keystone_service_user_name }}"
|
||||
tenant_name: "{{ keystone_service_tenant_name }}"
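Review bot: With `keystone_mod_wsgi_enabled` false, the five `endpoint:` values (hunks at -56, -73, -90, -108 and -126) resolve to `'http://' + ansible_host + ':' + <uwsgi port> + '/v3'`, so the admin `login_password` is sent to the keystone host without TLS, and `insecure:` / `validate_certs:` have nothing to validate on that branch. Where these tasks execute is not visible on this page; if they run from a host other than the keystone node, the uWSGI HTTP ports should be reachable only on the management network, and a comment above each endpoint such as `# uWSGI branch is plain HTTP: admin credentials are not protected by TLS on this hop` would make the trade-off explicit. In the hunk at -20, the second `with_items` entry also indexes `keystone_uwsgi_ports['keystone-wsgi-admin']`, so the check that used to cover `keystone_service_port` now probes the admin application twice; it presumably should use the service-side entry of `keystone_uwsgi_ports` (that key name is not shown here, confirm against the role defaults). The flag is also passed to `ternary` without `| bool`, unlike `keystone_service_adminuri_insecure | bool` in the same task, so a string value such as `"false"` from extra-vars would still select the mod_wsgi branch; `{{ keystone_mod_wsgi_enabled | bool | ternary(` avoids that.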
|
||||
|
|