From dc7008d9a5b72fdd256dd0e5813b9e5fdf14e734 Mon Sep 17 00:00:00 2001 From: Pete Birley Date: Thu, 26 Jul 2018 14:05:54 -0500 Subject: [PATCH] Keystone: enable external access to admin endpoint This PS moves to use port 80 by default for the keystone asdmin endpoint, and adjusts paths accordingly. Change-Id: Iccae704dadc17eba269e857301654782f64763c9 Signed-off-by: Pete Birley --- barbican/values.yaml | 3 +- ceilometer/values.yaml | 3 +- ceph-client/values.yaml | 3 +- cinder/values.yaml | 3 +- congress/values.yaml | 3 +- glance/values.yaml | 3 +- gnocchi/values.yaml | 3 +- heat/values.yaml | 3 +- ironic/values.yaml | 3 +- keystone/templates/deployment-api.yaml | 10 +++++-- .../templates/etc/_wsgi-keystone.conf.tpl | 29 ++++++++++++++++--- keystone/templates/service-api.yaml | 24 ++++++++------- keystone/values.yaml | 4 ++- magnum/values.yaml | 3 +- mistral/values.yaml | 3 +- neutron/values.yaml | 3 +- nova/values.yaml | 3 +- rally/values.yaml | 3 +- senlin/values.yaml | 3 +- tempest/values.yaml | 3 +- tools/deployment/common/setup-client.sh | 2 +- 21 files changed, 82 insertions(+), 35 deletions(-) diff --git a/barbican/values.yaml b/barbican/values.yaml index 5bbe35eb..8837d906 100644 --- a/barbican/values.yaml +++ b/barbican/values.yaml @@ -546,12 +546,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 key_manager: name: barbican hosts: diff --git a/ceilometer/values.yaml b/ceilometer/values.yaml index 7d43bc67..a59ecbb5 100644 --- a/ceilometer/values.yaml +++ b/ceilometer/values.yaml @@ -1707,12 +1707,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: 'http' port: api: default: 80 - admin: 35357 metering: name: ceilometer hosts: diff --git a/ceph-client/values.yaml b/ceph-client/values.yaml index 4617aea1..88d8b129 100644 --- a/ceph-client/values.yaml +++ b/ceph-client/values.yaml 
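Review bot: The identity endpoint keeps `scheme: default: http` while this hunk drops the dedicated `admin: 35357` port and points the admin path at `/identity_admin/v3`, so admin-scoped Keystone requests will by default share the plain-HTTP port 80 with public traffic. Since the commit's stated aim is external access to the admin endpoint, credentials and tokens sent to it travel unencrypted unless TLS is terminated in front of the service. A comment above `path:` would make that explicit, for example `# admin API shares port 80 with the public API; use https or terminate TLS at the ingress before exposing it`. The same applies to the identical identity-endpoint hunks in the other charts' values.yaml files in this patch (ceilometer through tempest, and keystone itself). The `endpoints:` mapping starts and ends outside the hunk, so a scheme override may already exist elsewhere in the file.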
@@ -451,12 +451,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 object_store: name: swift namespace: null diff --git a/cinder/values.yaml b/cinder/values.yaml index 48205228..cbaf1540 100644 --- a/cinder/values.yaml +++ b/cinder/values.yaml @@ -1070,12 +1070,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 image: name: glance hosts: diff --git a/congress/values.yaml b/congress/values.yaml index ded5e503..581d73e6 100644 --- a/congress/values.yaml +++ b/congress/values.yaml @@ -245,12 +245,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 policy: name: congress hosts: diff --git a/glance/values.yaml b/glance/values.yaml index f6694a11..378ff0fd 100644 --- a/glance/values.yaml +++ b/glance/values.yaml @@ -575,12 +575,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 image: name: glance hosts: diff --git a/gnocchi/values.yaml b/gnocchi/values.yaml index a8300922..b4c66078 100644 --- a/gnocchi/values.yaml +++ b/gnocchi/values.yaml @@ -486,12 +486,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: 'http' port: api: default: 80 - admin: 35357 metric: name: gnocchi hosts: diff --git a/heat/values.yaml b/heat/values.yaml index d0401aac..3f26f116 100644 --- a/heat/values.yaml +++ b/heat/values.yaml @@ -812,12 +812,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: 'http' port: api: default: 80 - admin: 35357 orchestration: name: heat hosts: 
diff --git a/ironic/values.yaml b/ironic/values.yaml index 1faa575e..27da1520 100644 --- a/ironic/values.yaml +++ b/ironic/values.yaml @@ -400,12 +400,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 baremetal: name: ironic hosts: diff --git a/keystone/templates/deployment-api.yaml b/keystone/templates/deployment-api.yaml index b4825ec0..f5fad6e9 100644 --- a/keystone/templates/deployment-api.yaml +++ b/keystone/templates/deployment-api.yaml @@ -65,15 +65,19 @@ spec: - /tmp/keystone-api.sh - stop ports: + {{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- $portAdm := tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - name: ks-pub - containerPort: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + containerPort: {{ $portInt }} + {{- if not ( eq $portInt $portAdm ) }} - name: ks-adm - containerPort: {{ tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + containerPort: {{ $portAdm }} + {{- end }} readinessProbe: httpGet: scheme: HTTP path: / - port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + port: {{ $portInt }} initialDelaySeconds: 15 periodSeconds: 10 volumeMounts: diff --git a/keystone/templates/etc/_wsgi-keystone.conf.tpl b/keystone/templates/etc/_wsgi-keystone.conf.tpl index 12079808..878d364f 100644 --- a/keystone/templates/etc/_wsgi-keystone.conf.tpl +++ b/keystone/templates/etc/_wsgi-keystone.conf.tpl 
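Review bot: The `ks-adm` container port is now silently omitted whenever the internal and admin lookups resolve to the same value, and nothing in the template says why. A short template comment ahead of the `if` would help, for example `{{/* admin API has no listener of its own when it shares the internal port */}}`. Anything that selects the pod's `ks-adm` port by name (a Service targetPort or a NetworkPolicy, neither visible here) would stop matching in that case. The readiness probe also only requests `/` on `$portInt`, so in the shared-port case a failing admin application would presumably not mark the pod unready. The container spec starts and ends outside the hunk.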
@@ -14,8 +14,13 @@ See the License for the specific language governing permissions and limitations under the License. */}} -Listen 0.0.0.0:{{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} -Listen 0.0.0.0:{{ tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} +{{- $portAdm := tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + +Listen 0.0.0.0:{{ $portInt }} +{{- if not ( eq $portInt $portAdm ) }} +Listen 0.0.0.0:{{ $portAdm }} +{{- end }} LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy @@ -24,7 +29,7 @@ SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded - + WSGIDaemonProcess keystone-public processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-public @@ -40,7 +45,8 @@ CustomLog /dev/stdout proxy env=forwarded CustomLog /dev/stdout proxy env=forwarded - +{{- if not ( eq $portInt $portAdm ) }} + WSGIDaemonProcess keystone-admin processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-admin 
@@ -55,6 +61,21 @@ CustomLog /dev/stdout proxy env=forwarded CustomLog /dev/stdout combined env=!forwarded CustomLog /dev/stdout proxy env=forwarded +{{- else }} +WSGIDaemonProcess keystone-admin processes=1 threads=1 user=keystone group=keystone display-name=%{GROUP} +WSGIProcessGroup keystone-admin +WSGIScriptAlias / /var/www/cgi-bin/keystone/keystone-wsgi-admin +WSGIApplicationGroup %{GLOBAL} +WSGIPassAuthorization On += 2.4> + ErrorLogFormat "%{cu}t %M" + +ErrorLog /dev/stderr + +SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded +CustomLog /dev/stdout combined env=!forwarded +CustomLog /dev/stdout proxy env=forwarded +{{- end }} Alias /identity /var/www/cgi-bin/keystone/keystone-wsgi-public diff --git a/keystone/templates/service-api.yaml b/keystone/templates/service-api.yaml index 3c0dbe9a..717cf0f3 100644 --- a/keystone/templates/service-api.yaml +++ b/keystone/templates/service-api.yaml 
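Review bot: In the new `{{- else }}` branch the `keystone-admin` WSGI application is configured without a listener of its own, so when the two ports match the admin API is served from the same socket as the public API. Any port-based filtering that used to separate 35357 from the public port no longer applies, and no access restriction is visible in the added lines. If the admin application should only be reachable from some networks, that now has to be enforced by path at the ingress or in this file, and a template comment should say so, e.g. `{{/* shared-port mode: admin app is reachable on the public listener; restrict /identity_admin upstream if needed */}}`. The branch also repeats the daemon-process, logging and `SetEnvIf` lines of the dedicated-port branch almost verbatim, which invites drift; a named template included from both branches would avoid that. The container directives around these lines appear to have lost their angle-bracket tags in this rendering, so the exact scope of `WSGIScriptAlias /` in the shared-port case cannot be confirmed from the page.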
@@ -23,16 +23,20 @@ metadata: name: {{ tuple "identity" "internal" . | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} spec: ports: - - name: ks-pub - port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{ if .Values.network.api.node_port.enabled }} - nodePort: {{ .Values.network.api.node_port.port }} - {{ end }} - - name: ks-adm - port: {{ tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} - {{ if .Values.network.admin.node_port.enabled }} - nodePort: {{ .Values.network.admin.node_port.port }} - {{ end }} + {{- $portInt := tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{- $portAdm := tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + - name: ks-pub + port: {{ tuple "identity" "internal" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{ if .Values.network.api.node_port.enabled }} + nodePort: {{ .Values.network.api.node_port.port }} + {{ end }} + {{- if not ( eq $portInt $portAdm ) }} + - name: ks-adm + port: {{ tuple "identity" "admin" "api" . | include "helm-toolkit.endpoints.endpoint_port_lookup" }} + {{ if .Values.network.admin.node_port.enabled }} + nodePort: {{ .Values.network.admin.node_port.port }} + {{ end }} + {{- end }} selector: {{ tuple $envAll "keystone" "api" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }} {{ if or (.Values.network.api.node_port.enabled) (.Values.network.admin.node_port.enabled) }} diff --git a/keystone/values.yaml b/keystone/values.yaml index 5e72c58a..cb5a1218 100644 --- a/keystone/values.yaml +++ b/keystone/values.yaml @@ -915,6 +915,7 @@ endpoints: hosts: default: keystone-api public: keystone + admin: keystone host_fqdn_override: default: null # NOTE(portdirect): this chart supports TLS for fqdn over-ridden public 
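Review bot: With `ks-adm` dropped when the ports match, `network.admin.node_port.enabled` still feeds the `if or (...)` on the line after the port list. Enabling only the admin node port would therefore presumably switch the Service to a node-port type while the configured `network.admin.node_port.port` is never applied. If that reading of the block after the hunk is right, `ks-pub` would be exposed on a cluster-assigned node port nobody chose; guarding the admin half of the `or` with the same `not ( eq $portInt $portAdm )` test, or failing the render, would avoid it. Separately, `$portInt` and `$portAdm` are defined here but both `port:` lines still repeat the full `endpoint_port_lookup` pipeline; `port: {{ $portInt }}` and `port: {{ $portAdm }}` would match deployment-api.yaml.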
@@ -926,12 +927,13 @@ endpoints: # key: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 oslo_db: namespace: null auth: diff --git a/magnum/values.yaml b/magnum/values.yaml index c0f008e3..2f52f234 100644 --- a/magnum/values.yaml +++ b/magnum/values.yaml @@ -358,12 +358,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 container_infra: name: magnum hosts: diff --git a/mistral/values.yaml b/mistral/values.yaml index c2f26c50..99bf6bac 100644 --- a/mistral/values.yaml +++ b/mistral/values.yaml @@ -242,12 +242,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 workflowv2: name: mistral hosts: diff --git a/neutron/values.yaml b/neutron/values.yaml index 5be8ea15..db3fa076 100644 --- a/neutron/values.yaml +++ b/neutron/values.yaml @@ -1776,12 +1776,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 network: name: neutron hosts: diff --git a/nova/values.yaml b/nova/values.yaml index 2f391845..84e753ae 100644 --- a/nova/values.yaml +++ b/nova/values.yaml @@ -1395,12 +1395,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 image: name: glance hosts: diff --git a/rally/values.yaml b/rally/values.yaml index f93ceb16..345df13c 100644 --- a/rally/values.yaml +++ b/rally/values.yaml @@ -255,12 +255,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 benchmark: name: rally hosts: 
diff --git a/senlin/values.yaml b/senlin/values.yaml index 2ed1b609..04e78bdc 100644 --- a/senlin/values.yaml +++ b/senlin/values.yaml @@ -407,12 +407,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 clustering: name: senlin hosts: diff --git a/tempest/values.yaml b/tempest/values.yaml index 9a922692..58ea165c 100644 --- a/tempest/values.yaml +++ b/tempest/values.yaml @@ -250,12 +250,13 @@ endpoints: default: null path: default: /v3 + public: /identity/v3 + admin: /identity_admin/v3 scheme: default: http port: api: default: 80 - admin: 35357 manifests: configmap_bin: true diff --git a/tools/deployment/common/setup-client.sh b/tools/deployment/common/setup-client.sh index 400c5b62..73a3e1d2 100755 --- a/tools/deployment/common/setup-client.sh +++ b/tools/deployment/common/setup-client.sh @@ -32,7 +32,7 @@ clouds: project_name: 'admin' project_domain_name: 'default' user_domain_name: 'default' - auth_url: 'http://keystone.openstack.svc.cluster.local/v3' + auth_url: 'http://keystone.openstack.svc.cluster.local/identity/v3' EOF #NOTE: Build charts