Further Keystone-related cleanups

Per comments on [1].

[1] https://review.opendev.org/c/openstack/kolla-ansible/+/843727

Change-Id: I60162b54bc06e158534d29311d4474b34750c64d

ansible/roles/aodh/templates/aodh.conf.j2

@@ -40,7 +40,7 @@ policy_file = {{ aodh_policy_file }}
 {% endif %}
 
 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 password = {{ aodh_keystone_password }}
 username = {{ aodh_keystone_user }}

ansible/roles/blazar/templates/blazar.conf.j2

@@ -7,7 +7,6 @@ port = {{ blazar_api_port }}
 os_auth_host = {{ keystone_internal_fqdn }}
 os_auth_port = {{ keystone_public_port }}
 os_auth_protocol = {{ internal_protocol }}
-os_auth_version = v3
 os_admin_username = {{ blazar_keystone_user }}
 os_admin_password = {{ blazar_keystone_password }}
 os_admin_project_name = service
@@ -21,8 +20,8 @@ plugins = virtual.instance.plugin,physical.host.plugin
 
 [keystone_authtoken]
 service_type = reservation
-www_authenticate_uri = {{ keystone_internal_url }}/v3
-auth_url = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
+auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = default
 user_domain_id = default

ansible/roles/ceilometer/templates/ceilometer.conf.j2

@@ -10,7 +10,7 @@ hypervisor_inspector = vsphere
 {% endif %}
 
 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 password = {{ ceilometer_keystone_password }}
 username = {{ ceilometer_keystone_user }}

ansible/roles/common/templates/admin-openrc.sh.j2

@@ -8,7 +8,7 @@ export OS_PROJECT_NAME={{ keystone_admin_project }}
 export OS_TENANT_NAME={{ keystone_admin_project }}
 export OS_USERNAME={{ keystone_admin_user }}
 export OS_PASSWORD={{ keystone_admin_password }}
-export OS_AUTH_URL={{ keystone_internal_url }}/v3
+export OS_AUTH_URL={{ keystone_internal_url }}
 export OS_INTERFACE=internal
 export OS_ENDPOINT_TYPE=internalURL
 {% if enable_manila | bool %}

ansible/roles/freezer/templates/freezer.conf.j2

@@ -14,7 +14,7 @@ jobs_dir = /etc/freezer/scheduler/conf.d
 
 os_username = {{ openstack_auth.username }}
 os_password = {{ openstack_auth.password }}
-os_auth_url = {{ openstack_auth.auth_url }}/v3
+os_auth_url = {{ openstack_auth.auth_url }}
 os_project_name = {{ keystone_admin_project }}
 os_project_domain_name = {{ openstack_auth.domain_name }}
 # TODO: transition to system scoped token when freezer supports that

ansible/roles/glance/templates/glance-swift.conf.j2

@@ -1,6 +1,6 @@
 [swift]
 auth_version = 3
-auth_address = {{ openstack_auth.auth_url }}/v3
+auth_address = {{ openstack_auth.auth_url }}
 user = service:{{ glance_keystone_user }}
 key = {{ glance_keystone_password }}
 project_domain_id = default

ansible/roles/gnocchi/templates/gnocchi.conf.j2

@@ -45,7 +45,7 @@ url = mysql+pymysql://{{ gnocchi_database_user }}:{{ gnocchi_database_password }
 
 [keystone_authtoken]
 service_type = metric
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
 project_domain_id = {{ default_project_domain_id }}
 project_name = service
 user_domain_id = {{ default_user_domain_id }}
@@ -83,7 +83,7 @@ ceph_keyring = /etc/ceph/{{ ceph_gnocchi_keyring }}
 ceph_conffile = /etc/ceph/ceph.conf
 {% elif gnocchi_backend_storage == 'swift' %}
 driver = swift
-swift_authurl = {{ keystone_internal_url }}/v3
+swift_authurl = {{ keystone_internal_url }}
 swift_auth_version = 3
 swift_user = service:{{ swift_keystone_user }}
 swift_key = {{ swift_keystone_password }}

ansible/roles/heat/templates/heat.conf.j2

@@ -61,7 +61,7 @@ username = {{ heat_keystone_user }}
 password = {{ heat_keystone_password }}
 
 [ec2authtoken]
-auth_uri = {{ keystone_internal_url }}/v3
+auth_uri = {{ keystone_internal_url }}
 
 [oslo_messaging_notifications]
 transport_url = {{ notify_transport_url }}

ansible/roles/horizon/defaults/main.yml

@@ -122,7 +122,7 @@ horizon_extra_volumes: "{{ default_extra_volumes }}"
 # OpenStack
 ####################
 horizon_logging_debug: "{{ openstack_logging_debug }}"
-horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}/v3"
+horizon_keystone_url: "{{ keystone_public_url if horizon_use_keystone_public_url | bool else keystone_internal_url }}"
 
 
 ####################

ansible/roles/horizon/templates/local_settings.j2

@@ -224,7 +224,7 @@ WEBSSO_ENABLED = True
 # Do not remove the mandatory credentials mechanism.
 # Note: The last two tuples are sample mapping keys to a identity provider
 # and federation protocol combination (WEBSSO_IDP_MAPPING).
-WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}/v3"
+WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}"
 WEBSSO_CHOICES = (
     ("credentials", _("Keystone Credentials")),
     {% for idp in keystone_identity_providers %}
@@ -856,7 +856,7 @@ REST_API_REQUIRED_SETTINGS = [
 
 {% if enable_murano | bool and enable_barbican | bool %}
 KEY_MANAGER = {
-        'auth_url': '{{ keystone_internal_url }}/v3',
+        'auth_url': '{{ keystone_internal_url }}',
         'username': '{{ murano_keystone_user }}',
         'user_domain_name': '{{ default_project_domain_name }}',
         'password': '{{ murano_keystone_password }}',

ansible/roles/magnum/templates/magnum.conf.j2

@@ -65,7 +65,7 @@ endpoint_type = internalURL
 ca_file = {{ openstack_cacert }}
 
 [keystone_auth]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 user_domain_name = {{ default_user_domain_name }}
 project_domain_name = {{ default_project_domain_name }}
 project_name = service
@@ -76,8 +76,7 @@ cafile = {{ openstack_cacert }}
 
 [keystone_authtoken]
 service_type = container-infra
-auth_version = v3
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}

ansible/roles/masakari/templates/masakari.conf.j2

@@ -10,7 +10,7 @@ os_region_name = {{ openstack_region_name }}
 os_user_domain_name = {{ default_user_domain_id }}
 os_project_domain_name = {{ default_project_domain_id }}
 os_privileged_user_tenant = service
-os_privileged_user_auth_url = {{ keystone_internal_url }}/v3
+os_privileged_user_auth_url = {{ keystone_internal_url }}
 os_privileged_user_name = {{ nova_keystone_user }}
 os_privileged_user_password = {{ nova_keystone_password }}
 nova_ca_certificates_file = {{ openstack_cacert }}
@@ -23,7 +23,7 @@ max_retries = -1
 
 [keystone_authtoken]
 service_type = instance-ha
-www_authenticate_uri = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}

ansible/roles/mistral/templates/mistral.conf.j2

@@ -40,8 +40,8 @@ max_retries = -1
 
 [keystone_authtoken]
 service_type = workflow
-www_authenticate_uri = {{ keystone_internal_url }}/v3
-auth_url = {{ keystone_internal_url }}/v3
+www_authenticate_uri = {{ keystone_internal_url }}
+auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}
 user_domain_id = {{ default_user_domain_id }}

ansible/roles/murano/templates/murano.conf.j2

@@ -38,7 +38,7 @@ memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
 
 [murano_auth]
-auth_uri = {{ keystone_internal_url }}/v3
+auth_uri = {{ keystone_internal_url }}
 auth_url = {{ keystone_internal_url }}
 auth_type = password
 project_domain_name = {{ default_project_domain_name }}
@@ -86,7 +86,7 @@ virtual_host = {{ murano_agent_rabbitmq_vhost }}
 {% if enable_barbican | bool %}
 [key_manager]
 auth_type = keystone_password
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 username = {{ murano_keystone_user }}
 password = {{ murano_keystone_password }}
 user_domain_name = {{ default_project_domain_name }}

ansible/roles/nova-cell/templates/nova.conf.j2

@@ -84,7 +84,7 @@ proxyclient_address = {{ api_interface_address }}
 [ironic]
 username = {{ ironic_keystone_user }}
 password = {{ ironic_keystone_password }}
-auth_url = {{ openstack_auth.auth_url }}/v3
+auth_url = {{ openstack_auth.auth_url }}
 cafile = {{ openstack_cacert }}
 auth_type = password
 project_name = service

ansible/roles/octavia/templates/octavia-openrc.sh.j2

@@ -5,6 +5,6 @@ export OS_USER_DOMAIN_NAME=Default
 export OS_PROJECT_NAME={{ octavia_service_auth_project }}
 export OS_USERNAME={{ octavia_keystone_user }}
 export OS_PASSWORD={{ octavia_keystone_password }}
-export OS_AUTH_URL={{ keystone_internal_url }}/v3
+export OS_AUTH_URL={{ keystone_internal_url }}
 export OS_INTERFACE=internal
 export OS_ENDPOINT_TYPE=internalURL

ansible/roles/prometheus/templates/clouds.yml.j2

@@ -11,4 +11,4 @@ clouds:
      project_domain_name: 'Default'
      user_domain_name: 'Default'
      cacert: {{ openstack_cacert }}
-     auth_url: {{ keystone_internal_url }}/v3
+     auth_url: {{ keystone_internal_url }}

ansible/roles/sahara/templates/sahara.conf.j2

@@ -61,5 +61,5 @@ project_name = service
 user_domain_name = {{ default_user_domain_name }}
 username = {{ sahara_keystone_user }}
 password = {{ sahara_keystone_password }}
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 cafile = {{ openstack_cacert }}

ansible/roles/skydive/templates/skydive-agent.conf.j2

@@ -47,7 +47,7 @@ agent:
 
 ### TODO migrate from tenant_name to system_scope when supported in skydive
     neutron:
-      auth_url: {{ keystone_internal_url }}/v3
+      auth_url: {{ keystone_internal_url }}
       username: {{ openstack_auth['username'] }}
       password: {{ openstack_auth['password'] }}
       tenant_name: {{ skydive_admin_tenant_name }}

ansible/roles/skydive/templates/skydive-analyzer.conf.j2

@@ -4,7 +4,7 @@
 auth:
   keystone:
     type: keystone
-    auth_url: {{ keystone_internal_url }}/v3
+    auth_url: {{ keystone_internal_url }}
     region_name: {{ openstack_region_name }}
     tenant_name: {{ skydive_admin_tenant_name }}
     domain_name: Default

ansible/roles/swift/templates/proxy-server.conf.j2

@@ -99,5 +99,5 @@ use = egg:swift#s3api
 
 [filter:s3token]
 use = egg:swift#s3token
-auth_uri = {{ keystone_internal_url }}/v3
+auth_uri = {{ keystone_internal_url }}
 {% endif %}

ansible/roles/trove/templates/trove.conf.j2

@@ -35,7 +35,7 @@ network_driver = trove.network.neutron.NeutronDriver
 control_exchange = trove
 
 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 project_name = service
 password = {{ trove_keystone_password }}

ansible/roles/vitrage/templates/vitrage.conf.j2

@@ -45,7 +45,7 @@ memcache_secret_key = {{ memcache_secret_key }}
 memcached_servers = {% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %},{% endif %}{% endfor %}
 
 [service_credentials]
-auth_url = {{ keystone_internal_url }}/v3
+auth_url = {{ keystone_internal_url }}
 region_name = {{ openstack_region_name }}
 auth_type = password
 project_domain_id = {{ default_project_domain_id }}

doc/source/reference/logging-and-monitoring/monasca-guide.rst

@@ -114,19 +114,18 @@ additional configuration:
 
 .. code-block:: yaml
 
-   keystone_admin_url: "http://172.28.128.254:35357"
    keystone_internal_url: "http://172.28.128.254:5000"
    monasca_openstack_auth:
-     auth_url: "{{ keystone_admin_url }}"
+     auth_url: "{{ keystone_internal_url }}"
      username: "admin"
      password: "{{ external_keystone_admin_password }}"
      project_name: "admin"
      domain_name: "default"
      user_domain_name: "default"
 
-In this example it is assumed that the external Keystone admin and internal
-URLs are `http://172.28.128.254:35357` and `http://172.28.128.254:5000`
-respectively, and that the external Keystone admin password is defined by
+In this example it is assumed that the external Keystone's internal URL is
+`http://172.28.128.254:5000`, and that the external Keystone's admin password
+is defined by
 the variable `external_keystone_admin_password` which you will most likely
 want to save in `/etc/kolla/passwords.yml`. Note that the Keystone URLs can
 be obtained from the external OpenStack CLI, for example:
@@ -134,13 +133,12 @@ be obtained from the external OpenStack CLI, for example:
 .. code-block:: console
 
    openstack endpoint list --service identity
-   +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
-   | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                         |
-   +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
-   | 162365440e6c43d092ad6069f0581a57 | RegionOne | keystone     | identity     | True    | admin     | http://172.28.128.254:35357 |
-   | 6d768ee2ce1c4302a49e9b7ac2af472c | RegionOne | keystone     | identity     | True    | public    | http://172.28.128.254:5000  |
-   | e02067a58b1946c7ae53abf0cfd0bf11 | RegionOne | keystone     | identity     | True    | internal  | http://172.28.128.254:5000  |
-   +----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
+   +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
+   | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
+   +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
+   | 6d768ee2ce1c4302a49e9b7ac2af472c | RegionOne | keystone     | identity     | True    | public    | http://172.28.128.254:5000 |
+   | e02067a58b1946c7ae53abf0cfd0bf11 | RegionOne | keystone     | identity     | True    | internal  | http://172.28.128.254:5000 |
+   +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
 
 If you are also using Kolla Ansible to manage the external OpenStack
 installation, the external Keystone admin password will most likely

doc/source/user/multi-regions.rst

@@ -9,7 +9,7 @@ with Kolla. A basic multiple region deployment consists of separate
 OpenStack installations in two or more regions (RegionOne, RegionTwo, ...)
 with a shared Keystone and Horizon. The rest of this documentation assumes
 Keystone and Horizon are deployed in RegionOne, and other regions have
-access to the admin endpoint (for example, ``kolla_internal_fqdn``) of
+access to the internal endpoint (for example, ``kolla_internal_fqdn``) of
 RegionOne.
 It also assumes that the operator knows the name of all OpenStack regions
 in advance, and considers as many Kolla deployments as there are regions.
@@ -69,11 +69,10 @@ the value of ``kolla_internal_fqdn`` in RegionOne:
 
    kolla_internal_fqdn_r1: 10.10.10.254
 
-   keystone_admin_url: "{{ admin_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
    keystone_internal_url: "{{ internal_protocol }}://{{ kolla_internal_fqdn_r1 }}:{{ keystone_public_port }}"
 
    openstack_auth:
-       auth_url: "{{ keystone_admin_url }}"
+       auth_url: "{{ keystone_internal_url }}"
        username: "{{ keystone_admin_user }}"
        password: "{{ keystone_admin_password }}"
        user_domain_name: "{{ default_user_domain_name }}"
@@ -97,7 +96,7 @@ create a ``global.conf`` file with the following content:
 
    [keystone_authtoken]
    www_authenticate_uri = {{ keystone_internal_url }}
-   auth_url = {{ keystone_admin_url }}
+   auth_url = {{ keystone_internal_url }}
 
 The Placement API section inside the nova configuration file also has
 to be updated to contact RegionOne's Keystone. So create, in the same
@@ -106,7 +105,7 @@ directory, a ``nova.conf`` file with below content:
 .. code-block:: ini
 
    [placement]
-   auth_url = {{ keystone_admin_url }}
+   auth_url = {{ keystone_internal_url }}
 
 The Heat section inside the configuration file also
 has to be updated to contact RegionOne's Keystone. So create, in the same