From 42c2520144e4361d7da6a7b2b339061b96359785 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rados=C5=82aw=20Piliszek?=
Date: Fri, 6 May 2022 15:30:52 +0200
Subject: [PATCH] Do not use a different port for Keystone admin endpoint

Docs and reno included.

Change-Id: I5099b08953789b280c915a6b7a22bdd4e3404076
---
 ansible/group_vars/all.yml | 4 +++-
 ansible/roles/blazar/templates/blazar.conf.j2 | 2 +-
 ansible/roles/keystone/defaults/main.yml | 4 +++-
 ansible/roles/keystone/tasks/precheck.yml | 11 -----------
 .../keystone/templates/wsgi-keystone.conf.j2 | 8 ++++++++
 ansible/roles/loadbalancer/tasks/precheck.yml | 13 -------------
 ansible/roles/venus/templates/venus.conf.j2 | 2 +-
 doc/source/user/multi-regions.rst | 2 +-
 doc/source/user/operating-kolla.rst | 17 +++++++++++++++++
 ...ystone-admin-port-gone-1a28302df63aa70b.yaml | 8 ++++++++
 tests/upgrade.sh | 5 +++++
 11 files changed, 47 insertions(+), 29 deletions(-)
 create mode 100644 releasenotes/notes/keystone-admin-port-gone-1a28302df63aa70b.yaml
diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml
index 70996cccf4..ee9f981b21 100644
--- a/ansible/group_vars/all.yml
+++ b/ansible/group_vars/all.yml
@@ -351,6 +351,8 @@ kafka_port: "9092"
 keystone_public_port: "5000"
 keystone_public_listen_port: "{{ keystone_public_port }}"
+# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
+# TODO(yoctozepto): Remove after Zed.
 keystone_admin_port: "35357"
 keystone_admin_listen_port: "{{ keystone_admin_port }}"
 keystone_ssh_port: "8023"
@@ -844,7 +846,7 @@ kibana_log_prefix: "flog"
 keystone_internal_fqdn: "{{ kolla_internal_fqdn }}"
 keystone_external_fqdn: "{{ kolla_external_fqdn }}"
-keystone_admin_url: "{{ admin_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_admin_port }}"
+keystone_admin_url: "{{ admin_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
 keystone_internal_url: "{{ internal_protocol }}://{{ keystone_internal_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
 keystone_public_url: "{{ public_protocol }}://{{ keystone_external_fqdn | put_address_in_context('url') }}:{{ keystone_public_port }}"
diff --git a/ansible/roles/blazar/templates/blazar.conf.j2 b/ansible/roles/blazar/templates/blazar.conf.j2
index b997fa0c42..07545371fd 100644
--- a/ansible/roles/blazar/templates/blazar.conf.j2
+++ b/ansible/roles/blazar/templates/blazar.conf.j2
@@ -5,7 +5,7 @@ transport_url = {{ rpc_transport_url }}
 host = {{ api_interface_address }}
 port = {{ blazar_api_port }}
 os_auth_host = {{ keystone_internal_fqdn }}
-os_auth_port = {{ keystone_admin_port }}
+os_auth_port = {{ keystone_public_port }}
 os_auth_protocol = {{ admin_protocol }}
 os_auth_version = v3
 os_admin_username = {{ blazar_keystone_user }}
diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index 5593fcf64f..541dd41dc1 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
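Review bot: `keystone_admin_url` now differs from `keystone_internal_url` only in the scheme variable (`admin_protocol` versus `internal_protocol`) while both point at the same listener on `keystone_public_port`, and the blazar hunk has the same shape with `os_auth_protocol = {{ admin_protocol }}` next to `os_auth_port = {{ keystone_public_port }}`. If an operator overrides only one of the two protocol variables, the admin-side URL would use a scheme the shared listener does not serve, which is a new failure mode now that there is no separate admin listener to absorb it. Either document that the two variables must agree, or switch the admin-side templates to `internal_protocol`; for blazar that is the one-line change `os_auth_protocol = {{ internal_protocol }}`, matching what venus.conf.j2 already uses. How `admin_protocol` and `internal_protocol` are defined is not visible in this diff, so this may already be guaranteed by group_vars.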
@@ -25,8 +25,10 @@ keystone_services:
 port: "{{ keystone_public_port }}"
 listen_port: "{{ keystone_public_listen_port }}"
 backend_http_extra: "{{ ['balance source'] if enable_keystone_federation | bool else [] }}"
+ # NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
+ # TODO(yoctozepto): Remove after Zed.
 keystone_admin:
- enabled: "{{ enable_keystone }}"
+ enabled: "{{ enable_keystone and kolla_action == 'upgrade' }}"
 mode: "http"
 external: false
 tls_backend: "{{ keystone_enable_tls_backend }}"
diff --git a/ansible/roles/keystone/tasks/precheck.yml b/ansible/roles/keystone/tasks/precheck.yml
index ffcb39850e..7801f2175f 100644
--- a/ansible/roles/keystone/tasks/precheck.yml
+++ b/ansible/roles/keystone/tasks/precheck.yml
@@ -13,17 +13,6 @@
 - keystone_ssh
 register: container_facts
-- name: Checking free port for Keystone Admin
- wait_for:
- host: "{{ api_interface_address }}"
- port: "{{ keystone_admin_listen_port }}"
- connect_timeout: 1
- timeout: 1
- state: stopped
- when:
- - container_facts['keystone'] is not defined
- - inventory_hostname in groups['keystone']
-
 - name: Checking free port for Keystone Public
 wait_for:
 host: "{{ api_interface_address }}"
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index 017ce78d64..d2a31abd7d 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -8,7 +8,11 @@ LoadModule ssl_module /usr/lib/apache2/modules/mod_ssl.so
 {% endif %}
 {% endif %}
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_public_listen_port }}
+{% if kolla_action == 'upgrade' %}
+# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
+# TODO(yoctozepto): Remove after Zed.
 Listen {{ api_interface_address | put_address_in_context('url') }}:{{ keystone_admin_listen_port }}
+{% endif %}
 ServerSignature Off
 ServerTokens Prod
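Review bot: `enabled: "{{ enable_keystone and kolla_action == 'upgrade' }}"` keeps the HAProxy `keystone_admin` frontend bound during `upgrade`, and the Apache `Listen` on `keystone_admin_listen_port` in the wsgi-keystone.conf.j2 hunk is kept under the same condition, yet the two `wait_for ... state: stopped` prechecks for exactly those ports are deleted unconditionally in ansible/roles/keystone/tasks/precheck.yml and ansible/roles/loadbalancer/tasks/precheck.yml. For the upgrade window the admin port is therefore still claimed on both the API interface and the VIP while nothing verifies it is free, so a conflicting listener would only surface when haproxy or httpd fails to bind. Since tests/upgrade.sh runs `prechecks` as a separate invocation before `upgrade`, the `kolla_action == 'upgrade'` guard presumably cannot be reused in the precheck tasks directly; the removed tasks could instead be retained with the same `# TODO(yoctozepto): Remove after Zed.` note, or operating-kolla.rst could state that the admin port must remain free through the upgrade. The `keystone_services` mapping this entry belongs to starts outside the hunk.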
@@ -104,6 +108,9 @@ LogLevel info
 {% endif %}
+{% if kolla_action == 'upgrade' %}
+# NOTE(yoctozepto): Admin port settings are kept only for upgrade compatibility.
+# TODO(yoctozepto): Remove after Zed.
 WSGIDaemonProcess keystone-admin processes={{ openstack_service_workers }} threads=1 user=keystone group=keystone display-name=keystone-admin
 WSGIProcessGroup keystone-admin
@@ -123,3 +130,4 @@ LogLevel info
 SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
 {% endif %}
+{% endif %}
diff --git a/ansible/roles/loadbalancer/tasks/precheck.yml b/ansible/roles/loadbalancer/tasks/precheck.yml
index 6f5b2742f1..b81dcf28e2 100644
--- a/ansible/roles/loadbalancer/tasks/precheck.yml
+++ b/ansible/roles/loadbalancer/tasks/precheck.yml
@@ -404,19 +404,6 @@
 - haproxy_stat.find('ironic_inspector') == -1
 - haproxy_vip_prechecks
-- name: Checking free port for Keystone Admin HAProxy
- wait_for:
- host: "{{ kolla_internal_vip_address }}"
- port: "{{ keystone_admin_port }}"
- connect_timeout: 1
- timeout: 1
- state: stopped
- when:
- - enable_keystone | bool
- - inventory_hostname in groups['loadbalancer']
- - haproxy_stat.find('keystone_admin') == -1
- - haproxy_vip_prechecks
-
 - name: Checking free port for Keystone Internal HAProxy
 wait_for:
 host: "{{ kolla_internal_vip_address }}"
diff --git a/ansible/roles/venus/templates/venus.conf.j2 b/ansible/roles/venus/templates/venus.conf.j2
index f593008815..89039d7816 100644
--- a/ansible/roles/venus/templates/venus.conf.j2
+++ b/ansible/roles/venus/templates/venus.conf.j2
@@ -23,7 +23,7 @@ cafile = {{ openstack_cacert }}
 project_name = service
 password = {{ venus_keystone_password }}
 username = {{ venus_keystone_user }}
-auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_admin_port }}
+auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}
 project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}
 auth_type = password
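Review bot: The `{% if kolla_action == 'upgrade' %}` opened just before `WSGIDaemonProcess keystone-admin` in the `@@ -104,6 +108,9 @@` hunk is only closed by the `+{% endif %}` appended at the end of the `@@ -123,3 +130,4 @@` hunk, and the VirtualHost container that wraps the admin listener is not visible in either hunk; confirm the new pair encloses the whole admin VirtualHost including its closing tag, otherwise the `upgrade` render and the `deploy` render differ by more than the dropped block. Because the rendered config now depends on `kolla_action`, a later `reconfigure` or `genconfig` run would also drop the admin listener, which operating-kolla.rst only describes for `deploy`; a sentence there would avoid surprises. The `# NOTE(yoctozepto)` / `# TODO(yoctozepto)` lines are emitted into the live httpd configuration, which httpd tolerates as comments, but the Jinja form `{# ... #}` would keep maintainer notes out of the deployed file.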
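Review bot: `auth_url = {{ internal_protocol }}://{{ kolla_internal_fqdn }}:{{ keystone_public_port }}` is now, by default, the same value that `keystone_internal_url` expands to in ansible/group_vars/all.yml (`keystone_internal_fqdn` defaults to `kolla_internal_fqdn` there), except that it bypasses `put_address_in_context('url')`, so an IPv6 `kolla_internal_fqdn` would render an unbracketed address. Replacing the line with `auth_url = {{ keystone_internal_url }}` removes the duplicated URL construction and the IPv6 gap at once.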
diff --git a/doc/source/user/multi-regions.rst b/doc/source/user/multi-regions.rst
index 98fd5a7599..166c39991c 100644
--- a/doc/source/user/multi-regions.rst
+++ b/doc/source/user/multi-regions.rst
@@ -69,7 +69,7 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
 kolla_internal_fqdn_r1: 10.10.10.254
-keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_admin_port }}"
+keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
 keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
 openstack_auth:
diff --git a/doc/source/user/operating-kolla.rst b/doc/source/user/operating-kolla.rst
index b4b9b3206e..5ddc224864 100644
--- a/doc/source/user/operating-kolla.rst
+++ b/doc/source/user/operating-kolla.rst
@@ -189,6 +189,23 @@ After this command is complete, the containers will have been recreated from
 the new images and all database schema upgrades and similar actions performed
 for you.
+Cleanup the Keystone admin port (Zed only)
+------------------------------------------
+
+The Keystone admin port is no longer used in Zed. The admin interface points
+to the common port. However, during upgrade, the port is preserved for
+intermediate compatibility. To clean up the port, it is necessary to run
+the ``deploy`` action for Keystone. Additionally, the generated
+``admin-openrc.sh`` file may need regeneration as it used the admin
+port:
+.. code-block:: console
+ kolla-ansible deploy --tags keystone
+ kolla-ansible post-deploy
+After these commands are complete, there are no leftovers of the admin port.
+
 Tips and Tricks
 ~~~~~~~~~~~~~~~
diff --git a/releasenotes/notes/keystone-admin-port-gone-1a28302df63aa70b.yaml b/releasenotes/notes/keystone-admin-port-gone-1a28302df63aa70b.yaml
new file mode 100644
index 0000000000..b7721da54d
--- /dev/null
+++ b/releasenotes/notes/keystone-admin-port-gone-1a28302df63aa70b.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+ - |
+ Keystone's admin interface no longer points to a separate port.
+ On upgrade, the port is preserved to maintain the intermediate
+ compatibility. Users are advised to run the deploy and post-deploy
+ commands afterwards to ensure port's cleanup.
+ For more information, please refer to the docs.
diff --git a/tests/upgrade.sh b/tests/upgrade.sh
index 2b5d6cb37c..b6ddf492f2 100755
--- a/tests/upgrade.sh
+++ b/tests/upgrade.sh
@@ -13,6 +13,11 @@ function upgrade {
 kolla-ansible -i ${RAW_INVENTORY} -vvv prechecks &> /tmp/logs/ansible/upgrade-prechecks
 kolla-ansible -i ${RAW_INVENTORY} -vvv pull &> /tmp/logs/ansible/pull-upgrade
 kolla-ansible -i ${RAW_INVENTORY} -vvv upgrade &> /tmp/logs/ansible/upgrade
+
+ # NOTE(yoctozepto): These actions remove the leftovers of the admin port.
+ # TODO(yoctozepto): Remove after Zed.
+ kolla-ansible -i ${RAW_INVENTORY} -vvv deploy --tags keystone &> /tmp/logs/ansible/upgrade-deploy
+ kolla-ansible -i ${RAW_INVENTORY} -vvv post-deploy &> /tmp/logs/ansible/upgrade-post-deploy
 }
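Review bot: The added `deploy --tags keystone` and `post-deploy` invocations exercise the cleanup path but nothing asserts its outcome, so a regression that leaves the admin listener up after these steps would still pass this job. A check after the `post-deploy` line that the admin port (`keystone_admin_port`, default `"35357"` per ansible/group_vars/all.yml) is no longer bound, for example `if ss -lnt | grep -q ':35357 '; then echo 'keystone admin port still bound' >&2; exit 1; fi`, would make the test verify what the release note promises; the port and tool should follow whatever the CI inventory actually sets. Whether this function runs under `set -e` is not visible in the hunk, so it is worth confirming that a non-zero exit from the new commands fails the job.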