Further Keystone-related cleanups

Per comments on [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/843727

Change-Id: I60162b54bc06e158534d29311d4474b34750c64d
Radosław Piliszek 2022-05-29 17:53:13 +02:00
parent 92f8e93bb3
commit 72b63dfee7
25 changed files with 44 additions and 49 deletions


@ -40,7 +40,7 @@ policy_file = {{ aodh_policy_file }}
{% endif %}
[service_credentials]
auth_url = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_internal_url }}
region_name = {{ openstack_region_name }}
password = {{ aodh_keystone_password }}
username = {{ aodh_keystone_user }}


@ -7,7 +7,6 @@ port = {{ blazar_api_port }}
os_auth_host = {{ keystone_internal_fqdn }}
os_auth_port = {{ keystone_public_port }}
os_auth_protocol = {{ internal_protocol }}
os_auth_version = v3
os_admin_username = {{ blazar_keystone_user }}
os_admin_password = {{ blazar_keystone_password }}
os_admin_project_name = service
@ -21,8 +20,8 @@ plugins = virtual.instance.plugin,physical.host.plugin
[keystone_authtoken]
service_type = reservation
www_authenticate_uri = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_internal_url }}/v3
www_authenticate_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_internal_url }}
auth_type = password
project_domain_id = default
user_domain_id = default
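Review bot: Dropping `os_auth_version = v3` from the blazar `[DEFAULT]` section leaves the version to blazar's own default, and the hunk does not show what that default is for the release being deployed. As far as I know the default is `v3`, but blazar builds its Keystone URL from `os_auth_protocol`/`os_auth_host`/`os_auth_port` plus the version rather than through keystoneauth discovery, so it is worth confirming against the deployed blazar before relying on it. The `[keystone_authtoken]` change in the second hunk is fine as written, since keystonemiddleware discovers the version from an unversioned `auth_url`.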


@ -10,7 +10,7 @@ hypervisor_inspector = vsphere
{% endif %}
[service_credentials]
auth_url = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_internal_url }}
region_name = {{ openstack_region_name }}
password = {{ ceilometer_keystone_password }}
username = {{ ceilometer_keystone_user }}


@ -8,7 +8,7 @@ export OS_PROJECT_NAME={{ keystone_admin_project }}
export OS_TENANT_NAME={{ keystone_admin_project }}
export OS_USERNAME={{ keystone_admin_user }}
export OS_PASSWORD={{ keystone_admin_password }}
export OS_AUTH_URL={{ keystone_internal_url }}/v3
export OS_AUTH_URL={{ keystone_internal_url }}
export OS_INTERFACE=internal
export OS_ENDPOINT_TYPE=internalURL
{% if enable_manila | bool %}


@ -14,7 +14,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
os_username = {{ openstack_auth.username }}
os_password = {{ openstack_auth.password }}
os_auth_url = {{ openstack_auth.auth_url }}/v3
os_auth_url = {{ openstack_auth.auth_url }}
os_project_name = {{ keystone_admin_project }}
os_project_domain_name = {{ openstack_auth.domain_name }}
# TODO: transition to system scoped token when freezer supports that


@ -1,6 +1,6 @@
[swift]
auth_version = 3
auth_address = {{ openstack_auth.auth_url }}/v3
auth_address = {{ openstack_auth.auth_url }}
user = service:{{ glance_keystone_user }}
key = {{ glance_keystone_password }}
project_domain_id = default


@ -45,7 +45,7 @@ url = mysql+pymysql://{{ gnocchi_database_user }}:{{ gnocchi_database_password }
[keystone_authtoken]
service_type = metric
www_authenticate_uri = {{ keystone_internal_url }}/v3
www_authenticate_uri = {{ keystone_internal_url }}
project_domain_id = {{ default_project_domain_id }}
project_name = service
user_domain_id = {{ default_user_domain_id }}
@ -83,7 +83,7 @@ ceph_keyring = /etc/ceph/{{ ceph_gnocchi_keyring }}
ceph_conffile = /etc/ceph/ceph.conf
{% elif gnocchi_backend_storage == 'swift' %}
driver = swift
swift_authurl = {{ keystone_internal_url }}/v3
swift_authurl = {{ keystone_internal_url }}
swift_auth_version = 3
swift_user = service:{{ swift_keystone_user }}
swift_key = {{ swift_keystone_password }}


@ -61,7 +61,7 @@ username = {{ heat_keystone_user }}
password = {{ heat_keystone_password }}
[ec2authtoken]
auth_uri = {{ keystone_internal_url }}/v3
auth_uri = {{ keystone_internal_url }}
[oslo_messaging_notifications]
transport_url = {{ notify_transport_url }}
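Review bot: `[ec2authtoken] auth_uri` is not a keystoneauth discovery URL: in the heat versions I know, the ec2token middleware builds its validation URL by appending `/ec2tokens` directly to this value, so unless the deployed heat normalizes the version itself, removing `/v3` sends EC2 signature validation to `/ec2tokens` at the root of the Keystone host instead of `/v3/ec2tokens`. The same concern applies to swift's `[filter:s3token] auth_uri` further down in this commit, where s3token appends `/s3tokens` in the same way. For these two middleware-specific settings either keep `auth_uri = {{ keystone_internal_url }}/v3` or verify against the deployed heat and swift that an unversioned URL is accepted; a failure here surfaces as every EC2/S3 request being rejected rather than as a startup error. The `[ec2authtoken]` section is only partly visible in this hunk.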


@ -122,7 +122,7 @@ horizon_extra_volumes: "{{ default_extra_volumes }}"
# OpenStack
####################
horizon_logging_debug: "{{ openstack_logging_debug }}"
horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}/v3"
horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}"
####################


@ -224,7 +224,7 @@ WEBSSO_ENABLED = True
# Do not remove the mandatory credentials mechanism.
# Note: The last two tuples are sample mapping keys to a identity provider
# and federation protocol combination (WEBSSO_IDP_MAPPING).
WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}/v3"
WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}"
WEBSSO_CHOICES = (
("credentials", _("Keystone Credentials")),
{% for idp in keystone_identity_providers %}
@ -856,7 +856,7 @@ REST_API_REQUIRED_SETTINGS = [
{% if enable_murano | bool and enable_barbican | bool %}
KEY_MANAGER = {
'auth_url': '{{ keystone_internal_url }}/v3',
'auth_url': '{{ keystone_internal_url }}',
'username': '{{ murano_keystone_user }}',
'user_domain_name': '{{ default_project_domain_name }}',
'password': '{{ murano_keystone_password }}',
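Review bot: `WEBSSO_KEYSTONE_URL` is consumed by openstack_auth to build the WebSSO redirect (`.../auth/OS-FEDERATION/...`) rather than passed to keystoneauth for discovery, so it is worth confirming that the Horizon release deployed here prefixes the version itself when handed an unversioned URL; if it does not, federated logins are redirected to a path outside `/v3` and fail at Keystone. `horizon_keystone_url` (`OPENSTACK_KEYSTONE_URL`) is, as far as I know, normalized by openstack_auth, so that change is safe either way. If the WebSSO behaviour cannot be confirmed, keep `WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}/v3"` until it is.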


@ -65,7 +65,7 @@ endpoint_type = internalURL
ca_file = {{ openstack_cacert }}
[keystone_auth]
auth_url = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_internal_url }}
user_domain_name = {{ default_user_domain_name }}
project_domain_name = {{ default_project_domain_name }}
project_name = service
@ -76,8 +76,7 @@ cafile = {{ openstack_cacert }}
[keystone_authtoken]
service_type = container-infra
auth_version = v3
www_authenticate_uri = {{ keystone_internal_url }}/v3
www_authenticate_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_internal_url }}
auth_type = password
project_domain_name = {{ default_project_domain_name }}


@ -10,7 +10,7 @@ os_region_name = {{ openstack_region_name }}
os_user_domain_name = {{ default_user_domain_id }}
os_project_domain_name = {{ default_project_domain_id }}
os_privileged_user_tenant = service
os_privileged_user_auth_url = {{ keystone_internal_url }}/v3
os_privileged_user_auth_url = {{ keystone_internal_url }}
os_privileged_user_name = {{ nova_keystone_user }}
os_privileged_user_password = {{ nova_keystone_password }}
nova_ca_certificates_file = {{ openstack_cacert }}
@ -23,7 +23,7 @@ max_retries = -1
[keystone_authtoken]
service_type = instance-ha
www_authenticate_uri = {{ keystone_internal_url }}/v3
www_authenticate_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_internal_url }}
auth_type = password
project_domain_name = {{ default_project_domain_name }}


@ -40,8 +40,8 @@ max_retries = -1
[keystone_authtoken]
service_type = workflow
www_authenticate_uri = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_internal_url }}/v3
www_authenticate_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_internal_url }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}
user_domain_id = {{ default_user_domain_id }}


@ -38,7 +38,7 @@ memcache_secret_key = {{ memcache_secret_key }}
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
[murano_auth]
auth_uri = {{ keystone_internal_url }}/v3
auth_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_internal_url }}
auth_type = password
project_domain_name = {{ default_project_domain_name }}
@ -86,7 +86,7 @@ virtual_host = {{ murano_agent_rabbitmq_vhost }}
{% if enable_barbican | bool %}
[key_manager]
auth_type = keystone_password
auth_url = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_internal_url }}
username = {{ murano_keystone_user }}
password = {{ murano_keystone_password }}
user_domain_name = {{ default_project_domain_name }}


@ -84,7 +84,7 @@ proxyclient_address = {{ api_interface_address }}
[ironic]
username = {{ ironic_keystone_user }}
password = {{ ironic_keystone_password }}
auth_url = {{ openstack_auth.auth_url }}/v3
auth_url = {{ openstack_auth.auth_url }}
cafile = {{ openstack_cacert }}
auth_type = password
project_name = service


@ -5,6 +5,6 @@ export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME={{ octavia_service_auth_project }}
export OS_USERNAME={{ octavia_keystone_user }}
export OS_PASSWORD={{ octavia_keystone_password }}
export OS_AUTH_URL={{ keystone_internal_url }}/v3
export OS_AUTH_URL={{ keystone_internal_url }}
export OS_INTERFACE=internal
export OS_ENDPOINT_TYPE=internalURL


@ -11,4 +11,4 @@ clouds:
project_domain_name: 'Default'
user_domain_name: 'Default'
cacert: {{ openstack_cacert }}
auth_url: {{ keystone_internal_url }}/v3
auth_url: {{ keystone_internal_url }}


@ -61,5 +61,5 @@ project_name = service
user_domain_name = {{ default_user_domain_name }}
username = {{ sahara_keystone_user }}
password = {{ sahara_keystone_password }}
auth_url = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_internal_url }}
cafile = {{ openstack_cacert }}


@ -47,7 +47,7 @@ agent:
### TODO migrate from tenant_name to system_scope when supported in skydive
neutron:
auth_url: {{ keystone_internal_url }}/v3
auth_url: {{ keystone_internal_url }}
username: {{ openstack_auth['username'] }}
password: {{ openstack_auth['password'] }}
tenant_name: {{ skydive_admin_tenant_name }}


@ -4,7 +4,7 @@
auth:
keystone:
type: keystone
auth_url: {{ keystone_internal_url }}/v3
auth_url: {{ keystone_internal_url }}
region_name: {{ openstack_region_name }}
tenant_name: {{ skydive_admin_tenant_name }}
domain_name: Default


@ -99,5 +99,5 @@ use = egg:swift#s3api
[filter:s3token]
use = egg:swift#s3token
auth_uri = {{ keystone_internal_url }}/v3
auth_uri = {{ keystone_internal_url }}
{% endif %}


@ -35,7 +35,7 @@ network_driver = trove.network.neutron.NeutronDriver
control_exchange = trove
[service_credentials]
auth_url = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_internal_url }}
region_name = {{ openstack_region_name }}
project_name = service
password = {{ trove_keystone_password }}


@ -45,7 +45,7 @@ memcache_secret_key = {{ memcache_secret_key }}
memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
[service_credentials]
auth_url = {{ keystone_internal_url }}/v3
auth_url = {{ keystone_internal_url }}
region_name = {{ openstack_region_name }}
auth_type = password
project_domain_id = {{ default_project_domain_id }}


@ -114,19 +114,18 @@ additional configuration:
.. code-block:: yaml
keystone_admin_url: "http://172.28.128.254:35357"
keystone_internal_url: "http://172.28.128.254:5000"
monasca_openstack_auth:
auth_url: "{{ keystone_admin_url }}"
auth_url: "{{ keystone_internal_url }}"
username: "admin"
password: "{{ external_keystone_admin_password }}"
project_name: "admin"
domain_name: "default"
user_domain_name: "default"
In this example it is assumed that the external Keystone admin and internal
URLs are `http://172.28.128.254:35357` and `http://172.28.128.254:5000`
respectively, and that the external Keystone admin password is defined by
In this example it is assumed that the external Keystone's internal URL is
`http://172.28.128.254:5000`, and that the external Keystone's admin password
is defined by
the variable `external_keystone_admin_password` which you will most likely
want to save in `/etc/kolla/passwords.yml`. Note that the Keystone URLs can
be obtained from the external OpenStack CLI, for example:
@ -134,13 +133,12 @@ be obtained from the external OpenStack CLI, for example:
.. code-block:: console
openstack endpoint list --service identity
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
| 162365440e6c43d092ad6069f0581a57 | RegionOne | keystone | identity | True | admin | http://172.28.128.254:35357 |
| 6d768ee2ce1c4302a49e9b7ac2af472c | RegionOne | keystone | identity | True | public | http://172.28.128.254:5000 |
| e02067a58b1946c7ae53abf0cfd0bf11 | RegionOne | keystone | identity | True | internal | http://172.28.128.254:5000 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| 6d768ee2ce1c4302a49e9b7ac2af472c | RegionOne | keystone | identity | True | public | http://172.28.128.254:5000 |
| e02067a58b1946c7ae53abf0cfd0bf11 | RegionOne | keystone | identity | True | internal | http://172.28.128.254:5000 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
If you are also using Kolla Ansible to manage the external OpenStack
installation, the external Keystone admin password will most likely


@ -9,7 +9,7 @@ with Kolla. A basic multiple region deployment consists of separate
OpenStack installations in two or more regions (RegionOne, RegionTwo, ...)
with a shared Keystone and Horizon. The rest of this documentation assumes
Keystone and Horizon are deployed in RegionOne, and other regions have
access to the admin endpoint (for example, ``kolla_internal_fqdn``) of
access to the internal endpoint (for example, ``kolla_internal_fqdn``) of
RegionOne.
It also assumes that the operator knows the name of all OpenStack regions
in advance, and considers as many Kolla deployments as there are regions.
@ -69,11 +69,10 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
kolla_internal_fqdn_r1: 10.10.10.254
keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
openstack_auth:
auth_url: "{{ keystone_admin_url }}"
auth_url: "{{ keystone_internal_url }}"
username: "{{ keystone_admin_user }}"
password: "{{ keystone_admin_password }}"
user_domain_name: "{{ default_user_domain_name }}"
@ -97,7 +96,7 @@ create a ``global.conf`` file with the following content:
[keystone_authtoken]
www_authenticate_uri = {{ keystone_internal_url }}
auth_url = {{ keystone_admin_url }}
auth_url = {{ keystone_internal_url }}
The Placement API section inside the nova configuration file also has
to be updated to contact RegionOne's Keystone. So create, in the same
@ -106,7 +105,7 @@ directory, a ``nova.conf`` file with below content:
.. code-block:: ini
[placement]
auth_url = {{ keystone_admin_url }}
auth_url = {{ keystone_internal_url }}
The Heat section inside the configuration file also
has to be updated to contact RegionOne's Keystone. So create, in the same