From 6ceb425f0549b23e07f65b813197a013a3b06708 Mon Sep 17 00:00:00 2001 From: Jimmy McCrory Date: Mon, 9 Oct 2017 10:09:24 -0700 Subject: [PATCH] Bypass web server during service setup When connecting directly to a keystone host during service setup, use the UWSGI ports instead of going through the web server to avoid any potential errors with differing URI protocols or SSL certs not including the hostnames of individual hosts. mod_wsgi was the default deployment pre-Pike so that configuration will still need to be catered for. A release note has been included for those effected by the bug. Conflicts: tasks/keystone_service_setup.yml Change-Id: Ie5b33f9d0210a23badb63cab72c481b027790be3 Closes-Bug: 1699191 (cherry picked from commit cabd7e9cef8c35df08958677892a82551b210c97)
---
 ...one-bypass-webserver-aa1ae9f33c58e9d7.yaml | 13 ++++++
 tasks/keystone_service_setup.yml | 42 +++++++++++++++----
 2 files changed, 48 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/os-keystone-bypass-webserver-aa1ae9f33c58e9d7.yaml
diff --git a/releasenotes/notes/os-keystone-bypass-webserver-aa1ae9f33c58e9d7.yaml b/releasenotes/notes/os-keystone-bypass-webserver-aa1ae9f33c58e9d7.yaml
new file mode 100644
index 00000000..091dbe09
--- /dev/null
+++ b/releasenotes/notes/os-keystone-bypass-webserver-aa1ae9f33c58e9d7.yaml
@@ -0,0 +1,13 @@
+---
+issues:
+ - |
+ If the protocol of either the keystone admin or internal endpoints is
+ 'https' and SSL is being terminated at a load balancer, tasks which verify
+ that services are responsive and perform the initial service setup through
+ through the keystone hosts' web server ports may fail.
+
+ Set ``keystone_mod_wsgi_enabled`` to ``false`` to deploy Keystone under
+ Uwsgi and allow the web server to be bypassed during these tasks.
+
+ See `Launchpad Bug 1699191 `_
+ for more details.
diff --git a/tasks/keystone_service_setup.yml b/tasks/keystone_service_setup.yml
index bec42293..ee020f1e 100644
--- a/tasks/keystone_service_setup.yml
+++ b/tasks/keystone_service_setup.yml
@@ -20,9 +20,17 @@
 method: "HEAD"
 status_code: 300
 with_items:
- - url: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}"
+ - url: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string,
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string)
+ }}
 validate_certs: "{{ not keystone_service_adminuri_insecure | bool }}"
- - url: "{{ keystone_service_internaluri_proto }}://{{ ansible_host }}:{{ keystone_service_port }}"
+ - url: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_internaluri_proto + '://' + ansible_host + ':' + keystone_service_port | string,
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string)
+ }}
 validate_certs: "{{ not keystone_service_internaluri_insecure | bool }}"
 register: _wait_check
 until: _wait_check | success
@@ -55,7 +63,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 tenant_name: "{{ keystone_service_tenant_name }}"
 description: "{{ keystone_service_description }}"
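Review bot: When `keystone_mod_wsgi_enabled` is false, both `with_items` entries in the -20 hunk resolve to the same URL, because the second entry (the former internal-endpoint check) also indexes `keystone_uwsgi_ports['keystone-wsgi-admin']['http']`. The wait therefore never probes the listener that serves the internal/service API, and a later task could run against a service that is not up yet. If the role defines a separate uWSGI entry for that application (its key is not visible in this patch), the second item should reference it; if one port really serves both, say so with a comment such as `# uwsgi: admin and internal checks intentionally share one port`. `validate_certs` is also inert on the `http://` branch. The task's header lies above the hunk.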
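Review bot: The uWSGI branch of `endpoint` in the -55 hunk hard-codes `http://`, so the admin credentials passed in `login_password` travel unencrypted to `ansible_host` unless the module runs on the keystone host itself; where the task executes is outside the hunk and should be confirmed. The same expression is repeated in the hunks at -72, -89, -107 and -125, and in the -72 hunk `insecure:` stops having any effect on this branch. If the call can cross the network, restrict the uWSGI HTTP port to the management interface, and record the trade-off above the key, e.g. `# uwsgi path is plain HTTP: admin password is sent in clear to ansible_host`. Defining the URL once as a variable and reusing it in all five tasks would keep that decision in one place.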
@@ -72,7 +84,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 role_name: "{{ keystone_default_role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
@@ -89,7 +105,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 service_name: "{{ keystone_service_name }}"
 service_type: "{{ keystone_service_type }}"
@@ -107,7 +127,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 user_name: "{{ keystone_service_user_name }}"
 tenant_name: "{{ keystone_service_tenant_name }}"
@@ -125,7 +149,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 user_name: "{{ keystone_service_user_name }}"
 tenant_name: "{{ keystone_service_tenant_name }}"