From a39cd2c85d737c2283b5686a106043e0d3c866fe Mon Sep 17 00:00:00 2001
From: Samuel Cassiba <s@cassiba.com>
Date: Tue, 12 Jun 2018 21:55:40 -0700
Subject: [PATCH] Simplify identity endpoint

Per the Keystone Install Guide[1] the admin endpoint is superseded in
favor of a single public endpoint. As a result, the admin endpoint is no
longer deployed by default.

[1] https://docs.openstack.org/keystone/queens/install/keystone-install-ubuntu.html#install-and-configure-components

Depends-On: I47fa53ce6a0e4d43e3de726f07b3c1d415fc303a
Change-Id: I1adb3066c83aaffe8b22f2f2553f634483371974
Implements: blueprint simplify-identity-endpoint
---
 recipes/common.rb                | 10 ++++------
 recipes/dashboard.rb             |  2 +-
 recipes/identity_registration.rb |  5 ++---
 recipes/neutron_int.rb           |  3 +--
 4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/recipes/common.rb b/recipes/common.rb
index ead8a33..35d87cf 100644
--- a/recipes/common.rb
+++ b/recipes/common.rb
@@ -67,20 +67,18 @@ end
 db_user = node['openstack']['db']['dns']['username']
 db_pass = get_password 'db', 'designate'
 
-public_identity_endpoint = identity_uri_transform(public_endpoint('identity'))
-identity_endpoint = internal_endpoint 'identity'
-
 bind_services = node['openstack']['bind_service']['all']
 api_bind = bind_services['dns-api']
 
-auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['dns']['api']['auth']['version']
+internal_identity_endpoint = internal_endpoint 'identity'
+public_identity_endpoint = public_endpoint 'identity'
 
 # define attributes that are needed in designate.conf
 node.default['openstack']['dns']['conf'].tap do |conf|
   conf['service:api']['api_host'] = bind_address api_bind
   conf['service:api']['api_port'] = api_bind['port']
-  conf['keystone_authtoken']['auth_uri'] = public_identity_endpoint
-  conf['keystone_authtoken']['auth_url'] = auth_url
+  conf['keystone_authtoken']['auth_url'] = internal_identity_endpoint.to_s
+  conf['keystone_authtoken']['www_authenticate_uri'] = public_identity_endpoint.to_s
 end
 
 # define secrets that are needed in designate.conf
diff --git a/recipes/dashboard.rb b/recipes/dashboard.rb
index f6ba110..209bc9c 100644
--- a/recipes/dashboard.rb
+++ b/recipes/dashboard.rb
@@ -18,7 +18,7 @@
 # limitations under the License.
 #
 
-class ::Chef::Recipe # rubocop:disable Documentation
+class ::Chef::Recipe
   include ::Openstack
 end
 
diff --git a/recipes/identity_registration.rb b/recipes/identity_registration.rb
index 71c45ea..33327bb 100644
--- a/recipes/identity_registration.rb
+++ b/recipes/identity_registration.rb
@@ -24,9 +24,8 @@ class ::Chef::Recipe
   include ::Openstack
 end
 
-identity_admin_endpoint = admin_endpoint 'identity'
-
-auth_url = ::URI.decode identity_admin_endpoint.to_s
+identity_endpoint = internal_endpoint 'identity'
+auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
 
 internal_designate_endpoint = internal_endpoint 'dns-api'
 public_designate_endpoint = public_endpoint 'dns-api'
diff --git a/recipes/neutron_int.rb b/recipes/neutron_int.rb
index 015417d..f5014c6 100644
--- a/recipes/neutron_int.rb
+++ b/recipes/neutron_int.rb
@@ -23,11 +23,10 @@ class ::Chef::Recipe
 end
 
 dns_endpoint = internal_endpoint 'dns-api'
-# TODO(jh): Make this more intelligent
 dns_url = dns_endpoint.to_s + '/v2'
 
 identity_endpoint = internal_endpoint 'identity'
-auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['dns']['api']['auth']['version']
+auth_url = auth_uri_transform identity_endpoint.to_s, node['openstack']['api']['auth']['version']
 
 node.default['openstack']['network']['conf'].tap do |conf|
   conf['DEFAULT']['external_dns_driver'] = 'designate'