diff --git a/releasenotes/notes/os-keystone-bypass-webserver-aa1ae9f33c58e9d7.yaml b/releasenotes/notes/os-keystone-bypass-webserver-aa1ae9f33c58e9d7.yaml
new file mode 100644
index 00000000..091dbe09
--- /dev/null
+++ b/releasenotes/notes/os-keystone-bypass-webserver-aa1ae9f33c58e9d7.yaml
@@ -0,0 +1,13 @@
+---
+issues:
+ - |
+ If the protocol of either the keystone admin or internal endpoints is
+ 'https' and SSL is being terminated at a load balancer, tasks which verify
+ that services are responsive and perform the initial service setup through
+ through the keystone hosts' web server ports may fail.
+
+ Set ``keystone_mod_wsgi_enabled`` to ``false`` to deploy Keystone under
+ Uwsgi and allow the web server to be bypassed during these tasks.
+
+ See `Launchpad Bug 1699191 `_
+ for more details.
diff --git a/tasks/keystone_service_setup.yml b/tasks/keystone_service_setup.yml
index d57df7c3..71ee63c8 100644
--- a/tasks/keystone_service_setup.yml
+++ b/tasks/keystone_service_setup.yml
@@ -20,9 +20,17 @@
 method: "HEAD"
 status_code: 300
 with_items:
- - url: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}"
+ - url: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string,
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string)
+ }}
 validate_certs: "{{ not keystone_service_adminuri_insecure | bool }}"
- - url: "{{ keystone_service_internaluri_proto }}://{{ ansible_host }}:{{ keystone_service_port }}"
+ - url: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_internaluri_proto + '://' + ansible_host + ':' + keystone_service_port | string,
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string)
+ }}
 validate_certs: "{{ not keystone_service_internaluri_insecure | bool }}"
 register: _wait_check
 until: _wait_check | success
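Review bot: In the second `with_items` entry of the hunk at -20 the uwsgi branch reads `keystone_uwsgi_ports['keystone-wsgi-admin']['http']`, the same key as the first entry, so with `keystone_mod_wsgi_enabled` false both items render the identical admin URL and the internal/service listener is never probed. If that is a copy-paste slip, the second entry should index the port entry of the service (non-admin) uwsgi application, whose key name is not visible in this diff; if it is intentional, a comment such as `# uwsgi: only the admin app is probed` would say so. The flag is also passed to `ternary` uncoerced here and in every `endpoint` hunk below, so a string value such as 'false' would select the web-server branch; `keystone_mod_wsgi_enabled | bool | ternary(` matches the `| bool` already used on the `validate_certs` lines. The task these items belong to starts above the hunk.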
@@ -56,7 +64,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 tenant_name: "{{ keystone_service_tenant_name }}"
 description: "{{ keystone_service_description }}"
@@ -73,7 +85,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 role_name: "{{ keystone_default_role_name }}"
 insecure: "{{ keystone_service_adminuri_insecure }}"
@@ -90,7 +106,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 service_name: "{{ keystone_service_name }}"
 service_type: "{{ keystone_service_type }}"
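Review bot: The uwsgi branch of `endpoint` in the hunk at -56 is hard-coded to `http://`, so with `keystone_mod_wsgi_enabled` false this task, and the four that follow with the same expression (hunks at -73, -90, -108 and -126), send `login_password` (the Keystone admin password) to `ansible_host` without TLS. Whether that traffic leaves the host depends on where the task is delegated, which is outside the hunk. The bypass also presupposes that the uwsgi HTTP port is reachable on `ansible_host`, so anything the front web server enforces is not applied on that port. I would record this next to the first use, e.g. `# uwsgi branch: plain HTTP straight to uwsgi; admin credentials are unencrypted, keep this port bound/firewalled to the management network`, and state the same constraint in the release note.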
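Review bot: The `endpoint` block in the hunk at -73 is the second of five character-for-character copies of the same five-line Jinja expression (also in the hunks at -56, -90, -108 and -126), which makes it easy for a later change to the scheme or port to miss one task. Computing the base URL once keeps the choice between the TLS-capable web-server address and the plaintext uwsgi address in a single reviewed place: define a role variable holding the expression without the `/v3` suffix (the name is only a suggestion, `_keystone_setup_admin_endpoint`) and write `endpoint: "{{ _keystone_setup_admin_endpoint }}/v3"` in each task. The tasks themselves start and end outside the hunks.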
@@ -108,7 +128,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 user_name: "{{ keystone_service_user_name }}"
 tenant_name: "{{ keystone_service_tenant_name }}"
@@ -126,7 +150,11 @@
 login_user: "{{ keystone_admin_user_name }}"
 login_password: "{{ keystone_auth_admin_password }}"
 login_project_name: "{{ keystone_admin_tenant_name }}"
- endpoint: "{{ keystone_service_adminuri_proto }}://{{ ansible_host }}:{{ keystone_admin_port }}/v3"
+ endpoint: >-
+ {{ keystone_mod_wsgi_enabled | ternary(
+ keystone_service_adminuri_proto + '://' + ansible_host + ':' + keystone_admin_port | string + '/v3',
+ 'http://' + ansible_host + ':' + keystone_uwsgi_ports['keystone-wsgi-admin']['http'] | string + '/v3')
+ }}
 ignore_catalog: True
 user_name: "{{ keystone_service_user_name }}"
 tenant_name: "{{ keystone_service_tenant_name }}"