Further Keystone-related cleanups

Per comments on [1]. [1] https://review.opendev.org/c/openstack/kolla-ansible/+/843727 Change-Id: I60162b54bc06e158534d29311d4474b34750c64d
2022-05-29 17:53:13 +02:00 · 2022-05-29 17:53:13 +02:00 · 72b63dfee7
commit 72b63dfee7
parent 92f8e93bb3
25 changed files with 44 additions and 49 deletions
--- a/ansible/roles/aodh/templates/aodh.conf.j2
+++ b/ansible/roles/aodh/templates/aodh.conf.j2
@ -40,7 +40,7 @@ policy_file = {{ aodh_policy_file }}
 {% endif %}

 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 password = {{ aodh_keystone_password }}
 username = {{ aodh_keystone_user }}
--- a/ansible/roles/blazar/templates/blazar.conf.j2
+++ b/ansible/roles/blazar/templates/blazar.conf.j2
@ -7,7 +7,6 @@ port = {{ blazar_api_port }}
 os_auth_host = {{ keystone_internal_fqdn }}
 os_auth_port = {{ keystone_public_port }}
 os_auth_protocol = {{ internal_protocol }}
-os_auth_version = v3
 os_admin_username = {{ blazar_keystone_user }}
 os_admin_password = {{ blazar_keystone_password }}
 os_admin_project_name = service
@ -21,8 +20,8 @@ plugins = virtual.instance.plugin,physical.host.plugin

 [keystone_authtoken]
 service_type = reservation
-www_authenticate_uri = {{ keystone_internal_url }}/v3
-auth_url = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
+auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = default
 user_domain_id = default
--- a/ansible/roles/ceilometer/templates/ceilometer.conf.j2
+++ b/ansible/roles/ceilometer/templates/ceilometer.conf.j2
@ -10,7 +10,7 @@ hypervisor_inspector = vsphere
 {% endif %}

 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 password = {{ ceilometer_keystone_password }}
 username = {{ ceilometer_keystone_user }}
--- a/ansible/roles/common/templates/admin-openrc.sh.j2
+++ b/ansible/roles/common/templates/admin-openrc.sh.j2
@ -8,7 +8,7 @@ export OS_PROJECT_NAME={{ keystone_admin_project }}
 export OS_TENANT_NAME={{ keystone_admin_project }}
 export OS_USERNAME={{ keystone_admin_user }}
 export OS_PASSWORD={{ keystone_admin_password }}
-export OS_AUTH_URL={{ keystone_internal_url }}/v3
+export OS_AUTH_URL={{ keystone_internal_url }}
 export OS_INTERFACE=internal
 export OS_ENDPOINT_TYPE=internalURL
 {% if enable_manila | bool %}
--- a/ansible/roles/freezer/templates/freezer.conf.j2
+++ b/ansible/roles/freezer/templates/freezer.conf.j2
@ -14,7 +14,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d

 os_username = {{ openstack_auth.username }}
 os_password = {{ openstack_auth.password }}
-os_auth_url = {{ openstack_auth.auth_url }}/v3
+os_auth_url = {{ openstack_auth.auth_url }}
 os_project_name = {{ keystone_admin_project }}
 os_project_domain_name = {{ openstack_auth.domain_name }}
 # TODO: transition to system scoped token when freezer supports that
--- a/ansible/roles/glance/templates/glance-swift.conf.j2
+++ b/ansible/roles/glance/templates/glance-swift.conf.j2
@ -1,6 +1,6 @@
 [swift]
 auth_version = 3
-auth_address = {{ openstack_auth.auth_url }}/v3
+auth_address = {{ openstack_auth.auth_url }}
 user = service:{{ glance_keystone_user }}
 key = {{ glance_keystone_password }}
 project_domain_id = default
--- a/ansible/roles/gnocchi/templates/gnocchi.conf.j2
+++ b/ansible/roles/gnocchi/templates/gnocchi.conf.j2
@ -45,7 +45,7 @@ url = mysql+pymysql://{{ gnocchi_database_user }}:{{ gnocchi_database_password }

 [keystone_authtoken]
 service_type = metric
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
 project_domain_id = {{ default_project_domain_id }}
 project_name = service
 user_domain_id = {{ default_user_domain_id }}
@ -83,7 +83,7 @@ ceph_keyring = /etc/ceph/{{ ceph_gnocchi_keyring }}
 ceph_conffile = /etc/ceph/ceph.conf
 {% elif gnocchi_backend_storage == 'swift' %}
 driver = swift
-swift_authurl = {{ keystone_internal_url }}/v3
+swift_authurl = {{ keystone_internal_url }}
 swift_auth_version = 3
 swift_user = service:{{ swift_keystone_user }}
 swift_key = {{ swift_keystone_password }}
--- a/ansible/roles/heat/templates/heat.conf.j2
+++ b/ansible/roles/heat/templates/heat.conf.j2
@ -61,7 +61,7 @@ username = {{ heat_keystone_user }}
 password = {{ heat_keystone_password }}

 [ec2authtoken]
-auth_uri = {{ keystone_internal_url }}/v3
+auth_uri = {{ keystone_internal_url }}

 [oslo_messaging_notifications]
 transport_url = {{ notify_transport_url }}
--- a/ansible/roles/horizon/defaults/main.yml
+++ b/ansible/roles/horizon/defaults/main.yml
@ -122,7 +122,7 @@ horizon_extra_volumes: "{{ default_extra_volumes }}"
 # OpenStack
 ####################
 horizon_logging_debug: "{{ openstack_logging_debug }}"
-horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}/v3"
+horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}"


 ####################
--- a/ansible/roles/horizon/templates/local_settings.j2
+++ b/ansible/roles/horizon/templates/local_settings.j2
@ -224,7 +224,7 @@ WEBSSO_ENABLED = True
 # Do not remove the mandatory credentials mechanism.
 # Note: The last two tuples are sample mapping keys to a identity provider
 # and federation protocol combination (WEBSSO_IDP_MAPPING).
-WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}/v3"
+WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}"
 WEBSSO_CHOICES = (
    ("credentials", _("Keystone Credentials")),
    {% for idp in keystone_identity_providers %}
@ -856,7 +856,7 @@ REST_API_REQUIRED_SETTINGS = [

 {% if enable_murano | bool and enable_barbican | bool %}
 KEY_MANAGER = {
-        'auth_url': '{{ keystone_internal_url }}/v3',
+        'auth_url': '{{ keystone_internal_url }}',
        'username': '{{ murano_keystone_user }}',
        'user_domain_name': '{{ default_project_domain_name }}',
        'password': '{{ murano_keystone_password }}',
--- a/ansible/roles/magnum/templates/magnum.conf.j2
+++ b/ansible/roles/magnum/templates/magnum.conf.j2
@ -65,7 +65,7 @@ endpoint_type = internalURL
 ca_file = {{ openstack_cacert }}

 [keystone_auth]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 user_domain_name = {{ default_user_domain_name }}
 project_domain_name = {{ default_project_domain_name }}
 project_name = service
@ -76,8 +76,7 @@ cafile = {{ openstack_cacert }}

 [keystone_authtoken]
 service_type = container-infra
-auth_version = v3
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
--- a/ansible/roles/masakari/templates/masakari.conf.j2
+++ b/ansible/roles/masakari/templates/masakari.conf.j2
@ -10,7 +10,7 @@ os_region_name = {{ openstack_region_name }}
 os_user_domain_name = {{ default_user_domain_id }}
 os_project_domain_name = {{ default_project_domain_id }}
 os_privileged_user_tenant = service
-os_privileged_user_auth_url = {{ keystone_internal_url }}/v3
+os_privileged_user_auth_url = {{ keystone_internal_url }}
 os_privileged_user_name = {{ nova_keystone_user }}
 os_privileged_user_password = {{ nova_keystone_password }}
 nova_ca_certificates_file = {{ openstack_cacert }}
@ -23,7 +23,7 @@ max_retries = -1

 [keystone_authtoken]
 service_type = instance-ha
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
--- a/ansible/roles/mistral/templates/mistral.conf.j2
+++ b/ansible/roles/mistral/templates/mistral.conf.j2
@ -40,8 +40,8 @@ max_retries = -1

 [keystone_authtoken]
 service_type = workflow
-www_authenticate_uri = {{ keystone_internal_url }}/v3
-auth_url = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
+auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}
--- a/ansible/roles/murano/templates/murano.conf.j2
+++ b/ansible/roles/murano/templates/murano.conf.j2
@ -38,7 +38,7 @@ memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}

 [murano_auth]
-auth_uri = {{ keystone_internal_url }}/v3
+auth_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
@ -86,7 +86,7 @@ virtual_host = {{ murano_agent_rabbitmq_vhost }}
 {% if enable_barbican | bool %}
 [key_manager]
 auth_type = keystone_password
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 username = {{ murano_keystone_user }}
 password = {{ murano_keystone_password }}
 user_domain_name = {{ default_project_domain_name }}
--- a/ansible/roles/nova-cell/templates/nova.conf.j2
+++ b/ansible/roles/nova-cell/templates/nova.conf.j2
@ -84,7 +84,7 @@ proxyclient_address = {{ api_interface_address }}
 [ironic]
 username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
-auth_url = {{ openstack_auth.auth_url }}/v3
+auth_url = {{ openstack_auth.auth_url }}
 cafile = {{ openstack_cacert }}
 auth_type = password
 project_name = service
--- a/ansible/roles/octavia/templates/octavia-openrc.sh.j2
+++ b/ansible/roles/octavia/templates/octavia-openrc.sh.j2
@ -5,6 +5,6 @@ export OS_USER_DOMAIN_NAME=Default
 export OS_PROJECT_NAME={{ octavia_service_auth_project }}
 export OS_USERNAME={{ octavia_keystone_user }}
 export OS_PASSWORD={{ octavia_keystone_password }}
-export OS_AUTH_URL={{ keystone_internal_url }}/v3
+export OS_AUTH_URL={{ keystone_internal_url }}
 export OS_INTERFACE=internal
 export OS_ENDPOINT_TYPE=internalURL
--- a/ansible/roles/prometheus/templates/clouds.yml.j2
+++ b/ansible/roles/prometheus/templates/clouds.yml.j2
@ -11,4 +11,4 @@ clouds:
     project_domain_name: 'Default'
     user_domain_name: 'Default'
     cacert: {{ openstack_cacert }}
-     auth_url: {{ keystone_internal_url }}/v3
+     auth_url: {{ keystone_internal_url }}
--- a/ansible/roles/sahara/templates/sahara.conf.j2
+++ b/ansible/roles/sahara/templates/sahara.conf.j2
@ -61,5 +61,5 @@ project_name = service
 user_domain_name = {{ default_user_domain_name }}
 username = {{ sahara_keystone_user }}
 password = {{ sahara_keystone_password }}
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 cafile = {{ openstack_cacert }}
--- a/ansible/roles/skydive/templates/skydive-agent.conf.j2
+++ b/ansible/roles/skydive/templates/skydive-agent.conf.j2
@ -47,7 +47,7 @@ agent:

 ### TODO migrate from tenant_name to system_scope when supported in skydive
    neutron:
-      auth_url: {{ keystone_internal_url }}/v3
+      auth_url: {{ keystone_internal_url }}
      username: {{ openstack_auth['username'] }}
      password: {{ openstack_auth['password'] }}
      tenant_name: {{ skydive_admin_tenant_name }}
--- a/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
+++ b/ansible/roles/skydive/templates/skydive-analyzer.conf.j2
@ -4,7 +4,7 @@
 auth:
  keystone:
    type: keystone
-    auth_url: {{ keystone_internal_url }}/v3
+    auth_url: {{ keystone_internal_url }}
    region_name: {{ openstack_region_name }}
    tenant_name: {{ skydive_admin_tenant_name }}
    domain_name: Default
--- a/ansible/roles/swift/templates/proxy-server.conf.j2
+++ b/ansible/roles/swift/templates/proxy-server.conf.j2
@ -99,5 +99,5 @@ use = egg:swift#s3api

 [filter:s3token]
 use = egg:swift#s3token
-auth_uri = {{ keystone_internal_url }}/v3
+auth_uri = {{ keystone_internal_url }}
 {% endif %}
--- a/ansible/roles/trove/templates/trove.conf.j2
+++ b/ansible/roles/trove/templates/trove.conf.j2
@ -35,7 +35,7 @@ network_driver = trove.network.neutron.NeutronDriver
 control_exchange = trove

 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 project_name = service
 password = {{ trove_keystone_password }}
--- a/ansible/roles/vitrage/templates/vitrage.conf.j2
+++ b/ansible/roles/vitrage/templates/vitrage.conf.j2
@ -45,7 +45,7 @@ memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}

 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
--- a/doc/source/reference/logging-and-monitoring/monasca-guide.rst
+++ b/doc/source/reference/logging-and-monitoring/monasca-guide.rst
@ -114,19 +114,18 @@ additional configuration:

 .. code-block:: yaml

-   keystone_admin_url: "http://172.28.128.254:35357"
   keystone_internal_url: "http://172.28.128.254:5000"
   monasca_openstack_auth:
-     auth_url: "{{ keystone_admin_url }}"
+     auth_url: "{{ keystone_internal_url }}"
     username: "admin"
     password: "{{ external_keystone_admin_password }}"
     project_name: "admin"
     domain_name: "default"
     user_domain_name: "default"

-In this example it is assumed that the external Keystone admin and internal
-URLs are `http://172.28.128.254:35357` and `http://172.28.128.254:5000`
-respectively, and that the external Keystone admin password is defined by
+In this example it is assumed that the external Keystone's internal URL is
+`http://172.28.128.254:5000`, and that the external Keystone's admin password
+is defined by
 the variable `external_keystone_admin_password` which you will most likely
 want to save in `/etc/kolla/passwords.yml`. Note that the Keystone URLs can
 be obtained from the external OpenStack CLI, for example:
@ -134,13 +133,12 @@ be obtained from the external OpenStack CLI, for example:
 .. code-block:: console

   openstack endpoint list --service identity
-   +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
+   +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
   | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
-   +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
-   | 162365440e6c43d092ad6069f0581a57 | RegionOne | keystone     | identity     | True    | admin     | http://172.28.128.254:35357 |
+   +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
   | 6d768ee2ce1c4302a49e9b7ac2af472c | RegionOne | keystone     | identity     | True    | public    | http://172.28.128.254:5000 |
   | e02067a58b1946c7ae53abf0cfd0bf11 | RegionOne | keystone     | identity     | True    | internal  | http://172.28.128.254:5000 |
-   +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
+   +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+

 If you are also using Kolla Ansible to manage the external OpenStack
 installation, the external Keystone admin password will most likely
--- a/doc/source/user/multi-regions.rst
+++ b/doc/source/user/multi-regions.rst
@ -9,7 +9,7 @@ with Kolla. A basic multiple region deployment consists of separate
 OpenStack installations in two or more regions (RegionOne, RegionTwo, ...)
 with a shared Keystone and Horizon. The rest of this documentation assumes
 Keystone and Horizon are deployed in RegionOne, and other regions have
-access to the admin endpoint (for example, ``kolla_internal_fqdn``) of
+access to the internal endpoint (for example, ``kolla_internal_fqdn``) of
 RegionOne.
 It also assumes that the operator knows the name of all OpenStack regions
 in advance, and considers as many Kolla deployments as there are regions.
@ -69,11 +69,10 @@ the value of ``kolla_internal_fqdn`` in RegionOne:

   kolla_internal_fqdn_r1: 10.10.10.254

-   keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
   keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"

   openstack_auth:
-       auth_url: "{{ keystone_admin_url }}"
+       auth_url: "{{ keystone_internal_url }}"
       username: "{{ keystone_admin_user }}"
       password: "{{ keystone_admin_password }}"
       user_domain_name: "{{ default_user_domain_name }}"
@ -97,7 +96,7 @@ create a ``global.conf`` file with the following content:

   [keystone_authtoken]
   www_authenticate_uri = {{ keystone_internal_url }}
-   auth_url = {{ keystone_admin_url }}
+   auth_url = {{ keystone_internal_url }}

 The Placement API section inside the nova configuration file also has
 to be updated to contact RegionOne's Keystone. So create, in the same
@ -106,7 +105,7 @@ directory, a ``nova.conf`` file with below content:
 .. code-block:: ini

   [placement]
-   auth_url = {{ keystone_admin_url }}
+   auth_url = {{ keystone_internal_url }}

 The Heat section inside the configuration file also
 has to be updated to contact RegionOne's Keystone. So create, in the same