Keystone: deprecate the separate admin service

It's not needed since Identity v3 and only consumes resources. Deprecate it with the intention to drop it in Yoga. Change-Id: I477042af86263422ea12f6e9bf710bfff89e36c4
2021-08-26 11:26:02 +02:00 · 2021-08-26 11:26:02 +02:00 · 05c13dfd9e
commit 05c13dfd9e
parent d4ddc05399
5 changed files with 16 additions and 5 deletions
--- a/playbooks/roles/bifrost-ironic-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-ironic-install/defaults/main.yml
@ -350,7 +350,7 @@ keystone:
    username: "{{ admin_username }}"
    password: "{{ admin_password }}"
    project_name: admin
-    admin_url: "{{ api_protocol }}://{{ internal_ip }}:35357/v3/"
+    admin_url: "{{ keystone_api_url }}"
    public_url: "{{ keystone_api_url }}"
    internal_url: "{{ api_protocol }}://127.0.0.1:5000/v3/"
    region_name: "RegionOne"
--- a/playbooks/roles/bifrost-keystone-install/README.md
+++ b/playbooks/roles/bifrost-keystone-install/README.md
@ -56,9 +56,9 @@ Below is the full data structure.
      username: admin
      password: ChangeThisPa55w0rd
      project_name: admin
-      admin_url: "http://127.0.0.1:35357/v2.0/"
-      public_url: "http://127.0.0.1:5000/v2.0/"
-      internal_url: "http://127.0.0.1:5000/v2.0/"
+      admin_url: "http://127.0.0.1:5000/v3/"
+      public_url: "http://127.0.0.1:5000/v3/"
+      internal_url: "http://127.0.0.1:5000/v3/"
      region_name: "RegionOne"
    message_queue:
      username: keystone
--- a/playbooks/roles/bifrost-keystone-install/defaults/main.yml
+++ b/playbooks/roles/bifrost-keystone-install/defaults/main.yml
@ -69,7 +69,7 @@ keystone:
    username: "{{ admin_username }}"
    password: "{{ admin_password }}"
    project_name: admin
-    admin_url: "{{ api_protocol }}://{{ internal_ip }}:35357/v3/"
+    admin_url: "{{ keystone_api_url }}"
    public_url: "{{ keystone_api_url }}"
    internal_url: "{{ api_protocol }}://127.0.0.1:5000/v3/"
    region_name: "RegionOne"
--- a/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2
+++ b/playbooks/roles/bifrost-keystone-install/templates/nginx_conf.d_bifrost-keystone.conf.j2
@ -15,6 +15,7 @@ server {
        uwsgi_param SCRIPT_NAME '';
    }
 }
+{# TODO(dtantsur): remove the separate admin endpoint after Xena #}
 server {
 {% if enable_tls | bool %}
    listen 35357 ssl;
--- a/releasenotes/notes/keystone-admin-9eadd531de3f20ce.yaml
+++ b/releasenotes/notes/keystone-admin-9eadd531de3f20ce.yaml
@ -0,0 +1,10 @@
+---
+upgrade:
+  - |
+    The ``admin`` Keystone endpoint will be upgraded from using port 35357
+    (a separate admin API) to use port 5000 (the default Identity API).
+deprecations:
+  - |
+    The separate Keystone admin API (served at port 35357) is deprecated and
+    will be removed in a future release. Please update your applications to
+    refer to port 5000 only for Keystone operations.