From 94319bc92605833085f9fbb8b54c4f58ae3fbdbb Mon Sep 17 00:00:00 2001
From: josebb
Date: Wed, 1 Dec 2021 18:59:26 +0200
Subject: [PATCH] Distinguish between port number of internal endpoint and binding port number in keystone

Now binding ports of service and pod spec are configured using internal endpoint values. To support reverse proxy for internalUrl, need to distinguish between binding ports and internal endpoint ports. I added `service` section in endpoint items apart from admin,public ,internal and default.

Change-Id: I79b867a4e6771e07d1eebec89235352d7613e8eb
---
 keystone/Chart.yaml | 2 +-
 keystone/templates/deployment-api.yaml | 6 +++---
 keystone/templates/service-api.yaml | 3 +--
 keystone/values.yaml | 4 +++-
 .../values_overrides/internal-reverse-proxy.yaml | 16 ++++++++++++++++
 keystone/values_overrides/tls.yaml | 6 +++---
 releasenotes/notes/keystone.yaml | 1 +
 7 files changed, 28 insertions(+), 10 deletions(-)
 create mode 100644 keystone/values_overrides/internal-reverse-proxy.yaml
diff --git a/keystone/Chart.yaml b/keystone/Chart.yaml
index e3a9ce64ad..968bfcac98 100644
--- a/keystone/Chart.yaml
+++ b/keystone/Chart.yaml
@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.2.29
+version: 0.2.30
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:
diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml
index 94e705b817..c9e8d0f908 100644
--- a/keystone/templates/deployment-api.yaml
+++ b/keystone/templates/deployment-api.yaml
@@ -14,9 +14,9 @@ limitations under the License.
 {{- define "apiProbeTemplate" }}
 httpGet:
- scheme: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
+ scheme: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.keystone_endpoint_scheme_lookup" | upper }}
 path: /v3/
- port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ port: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{- end }}
 {{- if .Values.manifests.deployment_api }}
@@ -80,7 +80,7 @@ spec:
 - stop
 ports:
 - name: ks-pub
- containerPort: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ containerPort: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{ dict "envAll" $envAll "component" "api" "container" "api" "type" "readiness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
 {{ dict "envAll" $envAll "component" "api" "container" "api" "type" "liveness" "probeTemplate" (include "apiProbeTemplate" $envAll | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 10 }}
 volumeMounts:
diff --git a/keystone/templates/service-api.yaml b/keystone/templates/service-api.yaml
index 5fb0112354..21f9f3c441 100644
--- a/keystone/templates/service-api.yaml
+++ b/keystone/templates/service-api.yaml
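Review bot: Nothing in deployment-api.yaml says that the probe scheme, the probe port and `containerPort` now describe the pod's own listener instead of the advertised internal endpoint, and that matters because values.yaml in this patch defaults `scheme.service` to `http`. A values override written before this change that enables TLS in `wsgi_keystone` and sets only `scheme.default` or `scheme.internal` to `https` would, as far as this diff shows, leave the kubelet probing over HTTP against a TLS listener; tls.yaml in this patch adds `service: https`, presumably for that reason. I would add `{{/* probes and containerPort use the "service" scheme/port, i.e. what the pod binds, not the internal endpoint */}}` above `apiProbeTemplate` and mention the new key as an upgrade step in the release note. The same comment covers the `containerPort` line in the second hunk; the Deployment spec continues outside both hunks.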
@@ -21,9 +21,8 @@ metadata:
 name: {{ tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 spec:
 ports:
- {{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 - name: ks-pub
- port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ port: {{ tuple "identity" "service" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 {{ if .Values.network.api.node_port.enabled }}
 nodePort: {{ .Values.network.api.node_port.port }}
 {{ end }}
diff --git a/keystone/values.yaml b/keystone/values.yaml
index d5c5bc7631..69546b56b8 100644
--- a/keystone/values.yaml
+++ b/keystone/values.yaml
@@ -772,7 +772,7 @@ conf:
 ThreadLimit 720
 wsgi_keystone: |
- {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
+ {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 Listen 0.0.0.0:{{ $portInt }}
@@ -972,12 +972,14 @@ endpoints:
 default: /v3
 scheme:
 default: http
+ service: http
 port:
 api:
 default: 80
 # NOTE(portdirect): to retain portability across images, and allow
 # running under a unprivileged user simply, we default to a port > 1000.
 internal: 5000
+ service: 5000
 oslo_db:
 namespace: null
 auth:
diff --git a/keystone/values_overrides/internal-reverse-proxy.yaml b/keystone/values_overrides/internal-reverse-proxy.yaml
new file mode 100644
index 0000000000..35a5a539b6
--- /dev/null
+++ b/keystone/values_overrides/internal-reverse-proxy.yaml
@@ -0,0 +1,16 @@
+---
+endpoints:
+ identity:
+ host_fqdn_override:
+ public: example.com
+ scheme:
+ default: https
+ public: https
+ internal: https
+ service: http
+ port:
+ api:
+ default: 443
+ internal: 443
+ service: 5000
+...
diff --git a/keystone/values_overrides/tls.yaml b/keystone/values_overrides/tls.yaml
index a9f2fe722c..416194ab9b 100644
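Review bot: In service-api.yaml the Service keeps its name from the `internal` host lookup while `port` now comes from `service`, so name and port can describe different endpoints once the two diverge. With internal-reverse-proxy.yaml from this patch (internal 443, service 5000, only `host_fqdn_override.public` set) the advertised internal URL would apparently still resolve to this Service on port 443, which it does not expose, unless the internal host is overridden elsewhere. I would either add an `internal:` entry under `host_fqdn_override` in that example or state the requirement there, e.g. `# the internal host must resolve to the reverse proxy, not to this chart's Service`. The Service manifest starts and ends outside the hunk.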
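Review bot: The new `service` keys under `scheme` and `port.api` in values.yaml (second hunk) are undocumented, and the existing NOTE(portdirect) comment about defaulting to a port above 1000 for an unprivileged user now sits on `internal: 5000` although the port the pod actually listens on is `service: 5000`. I would extend that comment with `# service: scheme/port the keystone pod binds to and is probed on; internal may differ when a reverse proxy fronts the internal URL`. It is also worth saying next to `service: http` that `https` is only correct when the `wsgi_keystone` vhost itself terminates TLS. The `endpoints.identity` mapping continues outside the hunk.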
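Review bot: internal-reverse-proxy.yaml advertises the internal endpoint as `https` on 443 while the pod listens with `service: http` on 5000, so TLS ends at the reverse proxy and the proxy-to-pod hop carries Keystone credentials and tokens in cleartext; the file says nothing about that. I would open the override with a comment such as `# TLS terminates at the reverse proxy; proxy-to-pod traffic on port 5000 is plain HTTP, so restrict that port with a NetworkPolicy or use service: https together with tls.yaml`. `example.com` is a placeholder and should be labelled as one so the override is not deployed verbatim.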
--- a/keystone/values_overrides/tls.yaml
+++ b/keystone/values_overrides/tls.yaml
@@ -26,8 +26,7 @@ conf:
 ssl_cert_file: /etc/rabbitmq/certs/tls.crt
 ssl_key_file: /etc/rabbitmq/certs/tls.key
 wsgi_keystone: |
- {{- $portInt := tuple "identity" "internal" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
- {{- $vh := tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
+ {{- $portInt := tuple "identity" "service" "api" $ | include "helm-toolkit.endpoints.endpoint_port_lookup" }}
 Listen 0.0.0.0:{{ $portInt }}
@@ -38,7 +37,7 @@ conf: CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded - + ServerName {{ printf "%s.%s.svc.%s" "keystone-api" .Release.Namespace .Values.endpoints.cluster_domain_suffix }} WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public
@@ -78,6 +77,7 @@ endpoints:
 scheme:
 default: https
 public: https
+ service: https
 port:
 api:
 default: 443
diff --git a/releasenotes/notes/keystone.yaml b/releasenotes/notes/keystone.yaml
index d5699f3160..72b46af8eb 100644
--- a/releasenotes/notes/keystone.yaml
+++ b/releasenotes/notes/keystone.yaml
@@ -45,4 +45,5 @@ keystone:
 - 0.2.27 Use LOG.warning instead of deprecated LOG.warn
 - 0.2.28 Added OCI registry authentication
 - 0.2.29 Support TLS endpoints
+ - 0.2.30 Distinguish between port number of internal endpoint and binding port number
 ...